Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

FIN7 Hackers Change Attack Techniques

The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.

The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.

Next, the batch script copies itself to “pp.txt” under the same directory, and then runs WScript using the JScript engine on the file. According to ICEBRG, the JScript code then reads from the “pp.txt” file, evaluating anything after the first character for each line in the file. However, it skips the first four lines, which represent the CMD code itself.

The same as with the LNK files, however, the use of OLE embedded CMD files results in code execution on the victim’s machine. The use of commented out code isn’t new either, and has been previously associated with FIN7.

The security researchers also observed a series of changes to the obfuscation strategy the hackers are using for their unique backdoor, HALFBAKED, which has been continuously morphing over the past year.

Until now, different stages of the HALFBAKED codebase used base64 encoding, stored in a string array variable called “srcTxt,” the researchers explain. Now, the name is obfuscated and the base64 string is broken down into multiple strings within an array.

Furthermore, the backdoor now includes a built-in command called “getNK2”which is meant to retrieve the victim’s Microsoft Outlook email client auto-complete list. The command was likely named after the NK2 file that contains a list of auto-complete addresses for Microsoft Outlook 2007 and 2010.

Advertisement. Scroll to continue reading.

“This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas,” the researchers note.

Although newer versions of Outlook no longer use the NK2 file, the backdoor targets them as well, because the hackers also wrote functionality to handle them within the same “getNK2” command.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG concludes.

Related: FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks

Related: FIN7 Hackers Change Phishing Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.