Connect with us

Hi, what are you looking for?



FIN7 Hackers Change Phishing Techniques

A recently uncovered threat group referred to as FIN7 has adopted new phishing techniques and is now using hidden shortcut files (LNK files) to compromise targets, FireEye security researchers reveal.

A recently uncovered threat group referred to as FIN7 has adopted new phishing techniques and is now using hidden shortcut files (LNK files) to compromise targets, FireEye security researchers reveal.

The financially-motivated threat group has been active since late 2015 and was recently found to have been targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

While some security firms refer to the operation as the “Carbanak Group,” FireEye says that not all CARBANAK backdoor activity can be attributed to FIN7. Interestingly, the group’s recent fileless attacks were said last month to have been launched from an attack framework used in various other seemingly unrelated attacks as well.

In the recently observed campaign, FIN7 was no longer using malicious Microsoft Office macros to evade detection, but switched to hidden shortcut files (LNK files) as the initial infection vector, while using the VBScript functionality launched by mshta.exe to infect the victim, FireEye reveals.

The campaign featured spear phishing emails that contained malicious DOCX or RTF files, each being a different variant of the same LNK file and VBScript technique. The group targeted various locations of large restaurant chains, hospitality, and financial service organizations with emails themed as complaints, catering orders, or resumes. On top of that, the group was also calling the targets to make sure they received the email.

The DOCX and RTF files attempt to convince the user to double-click included images. When that happens, the hidden embedded malicious LNK file in the document launches “mshta.exe” with a specific argument. The script in the argument combines all text box contents in the document, executes them, and creates a scheduled task for persistence.

“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” the researchers note.

Advertisement. Scroll to continue reading.

A multilayer obfuscated PowerShell script is dropped and launched, which in turn executes shellcode for a Cobalt Strike stager. The shellcode retrieves an additional payload by connecting to a specific command and control (C&C) server using DNS, the researchers discovered. If a successful reply is received from the C&C, the PowerShell executes the embedded Cobalt Strike.

The campaign was also observed using a HALFBAKED backdoor variant, capable of performing various operations based on commands received from the server: send victim machine information (OS, Processor, BIOS and running processes) using WMI queries; take screenshots of victim machine; execute a VB script, EXE file, or PowerShell script; and delete or update a specified file.

One of the LNK files used by FIN7 in this campaign revealed some specific information about the attackers, namely that the shortcut launched within the string data, and that the actor likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017, the researchers note.

Related: Cybercriminals Target Employees Involved in SEC Filings

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...