Cybercriminals Target Employees Involved in SEC Filings

A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).

The attack starts with a spear-phishing email sent from a spoofed address, carrying a document that purports to contain “important” information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.

POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT queries for command and control (C&C) communications.
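As an added defender-side illustration (not code from FireEye or this article), the snippet below scans constructed resolver log lines for the pattern the paragraph describes: one client issuing many TXT queries with high-entropy labels to a single domain. The log format, thresholds and domain names are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed resolver log line format: "<timestamp> <client_ip> <qname> <qtype>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Illustrative thresholds; tune against a baseline of normal TXT usage (SPF, DMARC, DKIM).
MIN_TXT_QUERIES = 5      # TXT lookups from one client to one base domain
MIN_TXT_SHARE = 0.5      # TXT as a fraction of that client's total queries
MIN_LABEL_ENTROPY = 3.0  # mean entropy of the leftmost label; encoded data scores high

def shannon_entropy(s):  # bits per character: '_dmarc' ~2.6, a 12-char random label ~3.6
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def base_domain(qname):  # last two labels (simplification: ignores suffixes like co.uk)
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_txt_c2_candidates(lines):
    """Return sorted (client, base_domain, txt_count, txt_share, mean_entropy) tuples."""
    total, txt, ent_sum = Counter(), defaultdict(Counter), defaultdict(float)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _, client, qname, qtype = m.groups()
        total[client] += 1
        if qtype.upper() == "TXT":
            bd = base_domain(qname)
            txt[client][bd] += 1
            ent_sum[(client, bd)] += shannon_entropy(qname.split(".")[0])
    hits = []
    for client, domains in txt.items():
        for bd, n in domains.items():
            share, ent = n / total[client], ent_sum[(client, bd)] / n
            if n >= MIN_TXT_QUERIES and share >= MIN_TXT_SHARE and ent >= MIN_LABEL_ENTROPY:
                hits.append((client, bd, n, round(share, 2), round(ent, 2)))
    return sorted(hits)

# Constructed sample log: one client beaconing via TXT, one doing ordinary mail-policy lookups.
BEACON_LABELS = ["a8f3k2q9z1x7", "b4m6n0p5r8s2", "c1d9e7g3h5j2",
                 "k0l2m4n6o8p1", "q3r5s7t9u1v2", "w6x8y0z2a4b1"]
SAMPLE_LOG = [f"2017-03-07T10:00:0{i} 10.0.0.5 {lbl}.c2-placeholder.test TXT"
              for i, lbl in enumerate(BEACON_LABELS)] + [
    "2017-03-07T10:00:07 10.0.0.5 www.example.com A",
    "2017-03-07T10:00:09 10.0.0.9 _dmarc.example.com TXT",
    "2017-03-07T10:00:10 10.0.0.9 example.com TXT",
    "2017-03-07T10:00:11 10.0.0.9 www.example.com A",
]
```

Running `find_txt_c2_candidates(SAMPLE_LOG)` flags only 10.0.0.5; the second client's two DMARC/SPF-style TXT lookups stay below every threshold.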

POWERSOURCE has also been spotted delivering Cobalt Strike’s Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.

FireEye has identified 11 targets in the financial services, transportation, education, retail, IT services, and electronics sectors. While the SEC-themed spear-phishing campaign focuses on organizations in the United States, experts believe it is possible that the cybercriminals have launched similar operations in other countries, leveraging the names of their respective regulators.

The security firm said its products and services blocked these attacks in their early stages, which prevented researchers from determining what the attackers were after.

“If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse,” FireEye researchers said in a blog post. “Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”

In previous attacks, FIN7 used various point-of-sale (PoS) malware families to steal sensitive financial information from targeted organizations. The Carbanak malware used by the group is known for its role in campaigns that involved fraudulent bank transactions and ATM attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
