The FIN7 group has been active since late 2015 and was recently spotted targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.
The FIN7 group has now adopted new phishing techniques, leveraging hidden shortcut files (LNK files) to compromise targets.
Experts from FireEye highlighted that the attacks were launched by the FIN7 group and not by the Carbanak Group, as other security experts had suspected.
“FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7.” reads the analysis published by FireEye. “FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.”
Experts from FireEye distinguish the activity associated with the FIN7 group from the one attributed to CARBANAK.
Security experts discovered a string of fileless malware attacks last month that were powered by the same hacking framework.
The latest attacks attributed to FIN7 did not use weaponized Microsoft Office documents; the hackers switched to hidden shortcut files (LNK files) as the attack vector to launch “mshta.exe”. The FIN7 hackers then used the VBScript functionality launched by mshta.exe to compromise the victim’s system.
“In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.” reads the analysis.
The hackers leveraged spear phishing emails carrying malicious DOCX or RTF files, each a different variant of the same LNK file and VBScript technique.
The DOCX and RTF files attempt to convince the user to double-click included images.
“both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document” states the analysis.
“In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique.”
The ongoing campaign targeted large restaurant chains, hospitality, and financial service organizations; the threat actors used phishing messages themed as complaints, catering orders, or resumes. To improve the efficiency of the campaign, the FIN7 hackers were also calling the targets to make sure they had received the email.
According to the experts, this new phishing scheme is more effective than previous ones.
“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” state the researchers.
The hackers used a multilayer obfuscated PowerShell script that, once launched, executes shellcode for a Cobalt Strike stager. The shellcode requests an additional payload from a C&C server over DNS, using the domain aaa.stage.14919005.www1.proslr3[.]com; if the reply is successful, the PowerShell executes the embedded Cobalt Strike.
The FIN7 group also used the HALFBAKED backdoor in the ongoing attacks.
FireEye researchers examined the shortcut (LNK) files created by the attackers, which revealed valuable information about the attackers’ environment.
One of the LNK files used in the latest campaign revealed specific information about the attackers: for example, the hackers likely generated this file on a VirtualBox system with the hostname “andy-pc” on March 21, 2017.
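The creation time and hostname mentioned above come from the LNK header and its TrackerDataBlock (MS-SHLLINK). The following parser is an added example, not FireEye's tooling, and runs on a constructed minimal LNK; the hostname, date and MAC address in the sample are constructed, and the VirtualBox check on the MAC OUI is an assumption about how such a VM inference is typically made.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

TRACKER_SIG = 0xA0000003  # MS-SHLLINK TrackerDataBlock signature
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")  # ShellLink CLSID
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def parse_lnk(data):
    """Return creation time and TrackerDataBlock artefacts from raw LNK bytes."""
    hdr_size, = struct.unpack_from("<I", data, 0)
    if hdr_size != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags, = struct.unpack_from("<I", data, 0x14)
    ctime, = struct.unpack_from("<Q", data, 0x1C)
    res = {"created": filetime_to_dt(ctime), "machine_id": None, "mac": None, "vbox": False}
    off = hdr_size
    if flags & 0x1:  # HasLinkTargetIDList: 2-byte size + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & 0x2:  # HasLinkInfo: 4-byte self-inclusive size
        off += struct.unpack_from("<I", data, off)[0]
    for bit in (0x4, 0x8, 0x10, 0x20, 0x40):  # StringData fields, in order
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2 + n * (2 if flags & 0x80 else 1)  # IsUnicode
    while off + 8 <= len(data):  # ExtraData blocks end with a terminal block (size < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIG:
            body = data[off + 8:off + size]  # Length, Version, MachineID, Droid, DroidBirth
            res["machine_id"] = body[8:24].split(b"\x00", 1)[0].decode("ascii", "replace")
            file_droid = uuid.UUID(bytes_le=body[40:56])  # Droid file GUID, usually UUID v1
            if file_droid.version == 1:  # v1 UUIDs embed the generating NIC's MAC
                res["mac"] = ":".join(f"{b:02x}" for b in file_droid.bytes[-6:])
                res["vbox"] = res["mac"].startswith("08:00:27")  # VirtualBox OUI (assumption)
        off += size
    return res
def build_sample_lnk():
    """Constructed minimal LNK: header, TrackerDataBlock, terminal block; no target."""
    ft = int((datetime(2017, 3, 21, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, 0, 0,
                         ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    vol, fil = uuid.uuid4().bytes_le, uuid.uuid1(node=0x080027AABBCC).bytes_le  # constructed
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    tracker += b"andy-pc".ljust(16, b"\x00") + vol + fil + vol + fil
    return header + tracker + b"\x00\x00\x00\x00"
```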