FIN7 Hackers Change Phishing Techniques

A recently uncovered threat group referred to as FIN7 has adopted new phishing techniques and is now using hidden shortcut files (LNK files) to compromise targets, FireEye security researchers reveal.

The financially motivated threat group has been active since late 2015 and was recently found targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations, using a new PowerShell backdoor dubbed POWERSOURCE.

While some security firms refer to the operation as the “Carbanak Group,” FireEye says that not all CARBANAK backdoor activity can be attributed to FIN7. Last month, the group’s recent fileless attacks were also reported to have been launched from an attack framework used in various other, seemingly unrelated, attacks.

In the recently observed campaign, FIN7 abandoned malicious Microsoft Office macros in favor of hidden shortcut files (LNK files) as the initial infection vector, apparently to evade detection, and used VBScript launched by mshta.exe to infect the victim, FireEye reveals.

The campaign featured spear phishing emails carrying malicious DOCX or RTF files, each a different variant of the same LNK file and VBScript technique. The group targeted various locations of large restaurant chains, hospitality, and financial services organizations with emails themed as complaints, catering orders, or resumes, and also phoned targets to confirm that they had received the email.

The DOCX and RTF files attempt to convince the user to double-click an embedded image. When the user does so, the hidden malicious LNK file embedded in the document launches “mshta.exe” with a specific argument. The script in that argument concatenates the contents of all text boxes in the document, executes the result, and creates a scheduled task for persistence.


“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” the researchers note.

A multilayer obfuscated PowerShell script is dropped and launched, which in turn executes shellcode for a Cobalt Strike stager. The shellcode retrieves an additional payload by contacting a specific command and control (C&C) server over DNS, the researchers discovered. If a successful reply is received from the C&C, the PowerShell script executes the embedded Cobalt Strike payload.
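The chain described in the preceding paragraphs (an Office document launching an LNK, the LNK launching mshta.exe with an inline VBScript argument, a scheduled task for persistence, and hidden, encoded PowerShell launched later) leaves a recognisable parent-child trail in process-creation telemetry. The detection logic below is an added example, not FireEye's or SecurityWeek's code: it walks each process's ancestry and applies three rules to a constructed set of records shaped like Sysmon Event ID 1. The process GUIDs, the task name, the paths and the encoded PowerShell blob (base64 of the UTF-16 string "Placeholder") are placeholders, and the rule names are this example's own.

```python
"""Flag the Office -> mshta.exe -> scheduled task -> PowerShell chain in
process-creation events by walking each process's ancestry."""
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TASK_HOSTS = {"svchost.exe", "taskeng.exe"}  # parents of task-launched processes
PS_HIDDEN = (" -enc", " -e ", " -ec ", " -w hidden", "-windowstyle hidden")

# Constructed records in the shape of Sysmon Event ID 1 (process creation).
# GUIDs, the task name, paths and the encoded PowerShell blob are placeholders.
EVENTS = [
    {"guid": "A", "parent_guid": "X",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n "C:\\Users\\u\\Downloads\\complaint.docx"'},
    {"guid": "B", "parent_guid": "A", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe "vbscript:Execute(""MsgBox """"constructed"""":close"")"'},
    {"guid": "C", "parent_guid": "B", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /Create /F /SC MINUTE /MO 15 /TN "Placeholder" '
                '/TR "mshta.exe vbscript:placeholder"'},
    {"guid": "D", "parent_guid": "Y", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"guid": "E", "parent_guid": "D",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA=="},
    {"guid": "F", "parent_guid": "A", "image": r"C:\Windows\splwow64.exe",  # benign child
     "cmdline": "splwow64.exe 12288"},
]


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lineage(by_guid, guid):
    """The process followed by its ancestors, nearest first (stops at unknown parents)."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["parent_guid"]
    return chain


def detect(events):
    """Return (rule, guid) pairs for every record matching one of the three rules."""
    by_guid = {e["guid"]: e for e in events}
    alerts = []
    for e in events:
        names = [basename(p["image"]) for p in lineage(by_guid, e["guid"])]
        parent = names[1] if len(names) > 1 else None
        cmd = e["cmdline"].lower()
        # 1. an Office application spawns mshta.exe with an inline script protocol
        if names[0] == "mshta.exe" and parent in OFFICE and (
                "vbscript:" in cmd or "javascript:" in cmd):
            alerts.append(("office_spawns_mshta_inline_script", e["guid"]))
        # 2. schtasks /create anywhere below an mshta.exe process
        if names[0] == "schtasks.exe" and "/create" in cmd and "mshta.exe" in names[1:]:
            alerts.append(("mshta_child_creates_scheduled_task", e["guid"]))
        # 3. the task scheduler host launches hidden or encoded PowerShell
        if names[0] == "powershell.exe" and parent in TASK_HOSTS and any(
                f in cmd for f in PS_HIDDEN):
            alerts.append(("task_host_launches_hidden_powershell", e["guid"]))
    return alerts


if __name__ == "__main__":
    for rule, guid in detect(EVENTS):
        print(rule, guid)
```

Rule 3 is deliberately decoupled from rules 1 and 2: the PowerShell stage runs under the scheduler's host process, so its ancestry never reaches back to the Office document, and a detection that only looks for the Office-to-mshta edge misses the persistence stage entirely.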

The campaign also used a HALFBAKED backdoor variant capable of performing various operations based on commands received from the server: sending victim machine information (OS, processor, BIOS and running processes) gathered via WMI queries; taking screenshots of the victim machine; executing a VB script, EXE file, or PowerShell script; and deleting or updating a specified file.

One of the LNK files used by FIN7 in this campaign revealed some specific information about the attackers: the command it launched was carried in the shortcut’s string data, and the actor likely generated the file on a VirtualBox system with hostname “andy-pc” on March 21, 2017, the researchers note.
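Both the launch command mentioned earlier (mshta.exe with its script argument) and the attribution detail in the previous paragraph live in the shortcut file itself. The command line is stored in the LNK's StringData section, and every LNK written by Windows carries a TrackerDataBlock holding the NetBIOS name of the machine it was created on and a version-1 UUID whose fields encode a creation timestamp and a MAC address; VirtualBox guest adapters use the 08:00:27 OUI, which is the kind of evidence such a "built on VirtualBox on this date" inference rests on. The parser below is an added example, not the researchers' tooling: it reads the target, arguments and TrackerDataBlock per the [MS-SHLLINK] layout, flags an mshta.exe target with an inline vbscript: argument, and is exercised on a shortcut constructed in the same file, whose machine name and date are taken from the article and whose MAC address, paths and harmless MsgBox argument are placeholders. As a labeled simplification, it takes the target from the RelativePath string and skips the LinkTargetIDList, which a production tool would also decode.

```python
"""Extract triage fields from a Windows shortcut (.lnk) per [MS-SHLLINK]: the
launched target and arguments, plus the TrackerDataBlock, which stores the
creating machine's NetBIOS name and a version-1 UUID (timestamp + MAC)."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
TRACKER_SIG = 0xA0000003
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # RFC 4122 v1 epoch
VBOX_OUI = 0x080027  # MAC prefix of VirtualBox guest adapters
# LinkFlags bits in the ShellLinkHeader
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80


def _read_string(buf, off, unicode_):
    """StringData entry: CountCharacters (u16) followed by the characters."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode_:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n  # really the ANSI code page


def _parse_tracker(data):
    """Body: Length, Version, MachineID[16], Droid[32], DroidBirth[32]."""
    machine = data[8:24].split(b"\x00", 1)[0].decode("latin-1")
    file_id = uuid.UUID(bytes_le=data[40:56])  # second Droid GUID: the object ID
    out = {"machine_id": machine}
    if file_id.version == 1:  # time-based: 100 ns ticks since 1582 + node MAC
        out["created"] = UUID_EPOCH + timedelta(microseconds=file_id.time // 10)
        out["mac"] = "%012x" % file_id.node
        out["virtualbox_mac"] = (file_id.node >> 24) == VBOX_OUI
    return out


def parse_lnk(buf):
    size, clsid = struct.unpack_from("<I16s", buf, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = 0x4C
    if flags & HAS_ID_LIST:  # LinkTargetIDList: u16 size + items (skipped here)
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfo: u32 total size first (skipped here)
        off += struct.unpack_from("<I", buf, off)[0]
    info = {"target": None, "workdir": None, "args": None}
    for bit, key in ((HAS_NAME, None), (HAS_REL_PATH, "target"),  # fixed order
                     (HAS_WORK_DIR, "workdir"), (HAS_ARGS, "args"), (HAS_ICON, None)):
        if flags & bit:
            s, off = _read_string(buf, off, bool(flags & IS_UNICODE))
            if key:
                info[key] = s
    while off + 8 <= len(buf):  # ExtraData blocks; a BlockSize < 4 terminates
        bsize, sig = struct.unpack_from("<II", buf, off)
        if bsize < 4:
            break
        if sig == TRACKER_SIG:
            info.update(_parse_tracker(buf[off + 8:off + bsize]))
        off += bsize
    return info


def triage(info):
    """Reasons this shortcut matches the mshta/inline-VBScript lure pattern."""
    reasons = []
    if "mshta" in (info.get("target") or "").lower():
        reasons.append("target is mshta.exe")
    if (info.get("args") or "").lower().startswith(("vbscript:", "javascript:")):
        reasons.append("arguments start with an inline script protocol")
    if info.get("virtualbox_mac"):
        reasons.append("tracker MAC has the VirtualBox OUI: built in a VM")
    return reasons


def _s(text):  # Unicode StringData entry
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_sample_lnk(machine=b"andy-pc", created=datetime(2017, 3, 21, tzinfo=timezone.utc),
                     node=0x080027ABCDEF):
    """Constructed shortcut: machine name and date follow the article's findings;
    the MAC, paths and the harmless MsgBox argument are placeholders."""
    ticks = int((created - UUID_EPOCH).total_seconds()) * 10_000_000
    file_id = uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                                ((ticks >> 48) & 0x0FFF) | 0x1000, 0x80, 0x01, node))
    flags = HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, flags).ljust(0x4C, b"\x00")
    strings = (_s(r"..\..\..\Windows\System32\mshta.exe") + _s(r"C:\Windows\System32")
               + _s('vbscript:Execute("MsgBox ""constructed sample"":close")'))
    body = (struct.pack("<II", 0x58, 0) + machine.ljust(16, b"\x00")
            + bytes(16) + file_id.bytes_le + bytes(32))
    tracker = struct.pack("<II", 8 + len(body), TRACKER_SIG) + body
    return header + strings + tracker + bytes(4)  # TerminalBlock
```

Running `parse_lnk(build_sample_lnk())` yields the machine name, a 2017-03-21 creation date and a MAC with the VirtualBox OUI, and `triage` reports all three indicators. The same two functions work unchanged on a real .lnk carved out of a document's embedded objects; the only difference is that the real file will usually carry its target in the LinkTargetIDList rather than the RelativePath string.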

Related: Cybercriminals Target Employees Involved in SEC Filings

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
