Connect with us

Hi, what are you looking for?



FIN7 Hackers Change Attack Techniques

The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.

The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.

Next, the batch script copies itself to “pp.txt” under the same directory, and then runs WScript using the JScript engine on the file. According to ICEBRG, the JScript code then reads from the “pp.txt” file, evaluating anything after the first character for each line in the file. However, it skips the first four lines, which represent the CMD code itself.

The same as with the LNK files, however, the use of OLE embedded CMD files results in code execution on the victim’s machine. The use of commented out code isn’t new either, and has been previously associated with FIN7.

The security researchers also observed a series of changes to the obfuscation strategy the hackers are using for their unique backdoor, HALFBAKED, which has been continuously morphing over the past year.

Until now, different stages of the HALFBAKED codebase used base64 encoding, stored in a string array variable called “srcTxt,” the researchers explain. Now, the name is obfuscated and the base64 string is broken down into multiple strings within an array.

Furthermore, the backdoor now includes a built-in command called “getNK2”which is meant to retrieve the victim’s Microsoft Outlook email client auto-complete list. The command was likely named after the NK2 file that contains a list of auto-complete addresses for Microsoft Outlook 2007 and 2010.

Advertisement. Scroll to continue reading.

“This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas,” the researchers note.

Although newer versions of Outlook no longer use the NK2 file, the backdoor targets them as well, because the hackers also wrote functionality to handle them within the same “getNK2” command.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG concludes.

Related: FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks

Related: FIN7 Hackers Change Phishing Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.