On August 1, 2018, the US Department of Justice arrested several individuals suspected of being members of the FIN7 cybercrime group. The group is known for its malicious and illegal activities, which include stealing financial assets such as debit card data from companies, and gaining access to financial data or to the computers of finance department employees in order to conduct wire transfers to offshore accounts. Most of the time, FIN7 targets companies and corporate enterprises, and some of its attacks date back to as early as 2015. FIN7 continued its tailored spear-phishing campaigns throughout last year; in many cases the operators exchanged numerous messages with their victims for weeks before sending the malicious documents. The domains used by the attackers in their 2018 phishing campaign contained more than 130 email aliases.
The group's basic approach is malware-laced phishing against victims, in the hope of infiltrating their systems to steal bank-card data and sell it. It has also used a backdoor linked to Carbanak, another prolific cybercrime outfit responsible for billions of dollars in losses in the financial services industry. With it, the group stole more than 15 million payment-card records from American businesses by infiltrating more than 6,500 individual point-of-sale terminals at more than 3,600 business locations, according to the Department of Justice (DOJ).
In August 2018, three FIN7 members, identified as Ukrainian nationals, were arrested and charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft. However, the group's new malware samples indicate that FIN7 is not going anywhere soon. In 2019, FIN7 launched widespread campaigns against businesses that used a new administrative panel and two previously unseen malware samples, dubbed SQLRat and DNSBot.
In the majority of cases, the companies were targeted through email. Two types of documents have been seen in these spear-phishing campaigns. The first exploits Microsoft Word to collect context information about the victim's computer, including the version number of Microsoft Word. The second is an Office document protected with a trivial password, such as '12345', which uses macros to execute the GRIFFON implant on the target's computer. In many cases, the associated macro also created scheduled tasks to make GRIFFON persistent. FIN7 has ramped up its offensive capabilities by adding new malicious code to its malware arsenal, which researchers take as evidence that FIN7 remains a growing threat despite the arrest of several members in 2018.
The notorious group has adopted a new dropper called Boostwrite, which uses new detection-evasion tactics, such as signing with valid certificates, to distribute malware onto victims' systems. Researchers have also discovered the group using a new payload, Rdfsniffer, developed to tamper with a remote IT administration tool used in tech support for payment-processing applications. The researchers also noted continued targeting of point-of-sale systems at restaurants, casinos and hotels. "While these incidents have also included FIN7's typical and long-used toolsets, such as Carbanak and Babymetal, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements," researchers with FireEye said in a Thursday analysis.
During 2018, the leader of FIN7 and of another such cybercrime group, Carbanak/CobaltGoblin, was arrested. It was believed that the arrest would have an impact on the group's operations; however, the attacks have continued without significant reduction. Some cyber experts say that CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella.
FIN7 specializes in attacking companies to gain access to financial data or PoS infrastructure, relying on the GRIFFON JS backdoor and Cobalt/Meterpreter. The second group, CobaltGoblin, uses the same toolkit, techniques and similar infrastructure but targets only financial institutions and associated software providers. All of the groups mentioned here benefit greatly from unpatched systems in corporate environments, so they continue to run effective spear-phishing campaigns in conjunction with well-known MS Office exploits generated by the framework. FIN7/Cobalt phishing documents may seem basic, but combined with extensive social engineering and focused targeting they are quite successful. As with their previous fake company, "Combi Security", it is assumed that they may continue to create new personas for use in either targeting or recruiting under a "new" brand, "IPC".
The newest malicious code samples, the Boostwrite dropper and the Rdfsniffer payload, show FIN7 expanding its cyber-weaponry. Researchers said they came across the new tools while analyzing several recent incidents. FIN7 has typically hit victims with malware-laced emails, but researchers were not able to identify the initial attack vector for the campaigns that used the new code (Threatpost has reached out for further comment). Once launched, the Boostwrite dropper decrypts its embedded payloads using an encryption key retrieved from a remote server. To avoid detection, the dropper is signed with valid certificates. Researchers said FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a Boostwrite sample in which the dropper was signed with a certificate issued by a valid Certificate Authority.
Boostwrite contains two payloads: the previously used Carbanak and a brand-new payload, Rdfsniffer. Rdfsniffer appears to have been developed to tamper with an IT remote administration tool used by NCR Corporation, an American technology company that makes self-service kiosks, point-of-sale terminals, automated teller machines, check-processing systems and more. The legitimate remote admin toolset, the Aloha Command Center client, is designed to manage and troubleshoot systems in the payment-card processing sector that run the Command Center Agent. Researchers say the malware loads into the same process as the Command Center client by abusing the DLL load order of the legitimate Aloha utility. This lets an attacker monitor and tamper with legitimate connections made through the toolset, including the ability to attack SSL sessions and socket connections and to hijack the utility's user interface (UI). The payload is also capable of uploading files, executing commands and retrieving files from remote systems that connect to the admin toolset.
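As an added defender's example (not code from the article, FireEye or NCR), the following Python sketch shows how the DLL-load-order abuse described above could be surfaced from module-load telemetry: a DLL that normally resolves from a Windows system directory but is loaded into the monitored process from somewhere else is flagged, whether or not it carries a valid signature. The process name, paths, vendor DLL name and signer strings are constructed placeholders, and Sysmon event ID 7 is assumed as the shape of the telemetry.

```python
from dataclasses import dataclass

# Directories from which baseline system DLLs are expected to resolve.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass(frozen=True)
class ModuleLoad:
    """One image-load record, shaped like a Sysmon event ID 7 (constructed)."""
    process: str  # image name of the loading process
    module: str   # file name of the loaded DLL
    path: str     # directory the DLL was actually loaded from
    signer: str   # Authenticode signer subject, "" if unsigned

def is_sideload(ev, system_dlls):
    # A DLL that normally lives in a system directory but resolved from
    # elsewhere (typically the application's own directory) is a
    # search-order hijack candidate. Signature state is deliberately not
    # consulted: the article notes the dropper itself carried a valid
    # CA-issued signature, so "signed" is not an exemption.
    if ev.module.lower() not in system_dlls:
        return False
    return not ev.path.lower().startswith(SYSTEM_DIRS)

def find_sideloads(events, monitored, system_dlls):
    """Return hijack candidates loaded by any of the monitored processes."""
    return [ev for ev in events
            if ev.process.lower() in monitored and is_sideload(ev, system_dlls)]

# Baseline system DLLs the monitored process legitimately imports (constructed).
SYSTEM_DLLS = {"version.dll", "wtsapi32.dll"}
# Placeholder process name; the real Aloha Command Center client file name is not on the page.
MONITORED = {"cmdcenter_client.exe"}

# Constructed telemetry; paths, vendor DLL name and signer strings are placeholders.
SAMPLE_EVENTS = [
    ModuleLoad("cmdcenter_client.exe", "version.dll",
               "C:\\Windows\\System32\\", "Microsoft Windows"),
    ModuleLoad("cmdcenter_client.exe", "version.dll",
               "C:\\Program Files\\CmdCenter\\", "Example Vendor LLC"),
    ModuleLoad("cmdcenter_client.exe", "cmdcenter_vendor.dll",
               "C:\\Program Files\\CmdCenter\\", ""),
    ModuleLoad("notepad.exe", "version.dll", "C:\\Users\\Public\\", ""),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS, MONITORED, SYSTEM_DLLS):
        print(f"ALERT {hit.process} loaded {hit.module} from {hit.path}"
              f" (signer: {hit.signer or 'unsigned'})")
```

Only the second record is reported: a system DLL name resolved from the application directory, despite its signer field being populated.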
Researchers said they provided this information to NCR. Moving forward, researchers expect FIN7 to continue developing new tools and launching cyberattacks on organizations. They expect at least a portion of the actors who make up the FIN7 criminal organization to continue conducting campaigns until further law enforcement action is taken. As a result, organizations need to remain vigilant and continue to monitor for changes in the methods employed by FIN7 actors.