The FIN7 hacking group has been targeting organizations from the retail sector of late, and Security Research Team from ICEBERG was busy tracking the activities of FIN7. According to their findings, FIN7 is exploiting victims in the retail industry using various phishing techniques and continuously adapting phishing documents to evade detection.
After compromising the Point of Sale systems of the targeted company, it steals a massive amount of protected card data. FIN7 is extremely flexible when it comes to adaptability and manages to avoid detection along with affecting a large number of retail companies across the US.
In August 2017, ICEBERG published the set of IOCs/indicators of compromise for the infected document payloads. These payloads depicted similar characteristics and techniques of infection. However, recent reports from ICEBERG suggest that there is a change noticed in the techniques and presence of a modified payload, which uses a newer type of embedded file type.
Moreover, FIN7 has changed the obfuscation that was used by the HALFBAKED backdoor to avoid detection in upcoming campaigns. In previous versions of the infection documents, the actor utilizes visual basic scripts called VBE or VBS and malicious shortcut files/LNK to carry out code execution. The malicious files are embedded into the infection documents through Object Linking and Embedding/OLE framework within the Windows setup. OLE framework is used to merge two objects from different applications.
It is noted in a blog post by ICEBERG that the malicious documents observed recently don’t reflect a different or new attach mechanism while the changed payload can cause detection issues for legacy signatures and heuristic detections. Also, FIN7 has pivoted from using OLE embedded LNK files, which is evident from the new set of documents released by ICEBERG.
Now, it utilizes the OLE embedded CMD files that write JScript to “tt.txt” after the execution, and the script is written to the home directory. The batch script is then copied into “pp.txt, ” and it is also written in the home directory of the current user before running WScript. The JScript code will read from the pp.txt file while it will skip the initial four lines of the code but will evaluate everything after the first character of every single line in the file.
CMD and LNK file formats both perform code execution in the end but the shifting to CMD file indicates that the attackers are trying every trick up their sleeve to evade detection. In the previous version, there were various stages of HALFBAKED as its codebase used base4 encoding, which was saved in a string array present in srcTxt. Now the attacker is obfuscating the name, and the base64 string is broken into multiple strings within the same array.
The getNK2 command, which is named after NK2 file of Outlook, comprises a list of auto-complete addresses belonging to Microsoft Outlook 2007 and 2010 versions. Since new versions of MS Outlook don’t use the NK2 file, therefore, FIN7 has changed its functionality to control latest versions of Outlook within the same getNK2 command to execute the JScript function.
Michael Gorelik, VP of R&D, Morphisec, told HackRead that “The latest Fin7 campaign adds functionality to burrow deeper in the victim’s network by taking over some of the Outlook information. As usual, they also modified every significant tracked component in their attack chain. The group is clearly well organized with experts in every domain since the modifications of different components require different specialties.
Once again FIN7 proves that evading behavior and static pattern-based security solution comes more easily than security providers would like to admit. Their rapid ability to modify old techniques and innovate new ones is alarming and other groups are likely taking notes. I wouldn’t be surprised if these kinds of attack strategies and techniques soon become commonplace.
Until we change our approach to security, move towards prevention without reliance on known patterns, like Morphisec’s Moving Target Defense approach, security vendors and their customers will always be playing catch up.”
Morphisec’s previous coverage on FIN7 is available here.