FIN7 group retooling with new malware and evasion techniques

News by Rene Millman

Security researchers have said that the FIN7 cyber-criminal gang is back with two new tools that are said to have been altered to evade detection.

Security researchers have said that the FIN7 cybercriminal gang is back with two new tools that are said to have been altered to evade detection.
According to a blog post by FireEye, the hackers are using tools the researchers have dubbed Boostwrite and RDFSniffer.
Researchers said that Boostwrite is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. The hackers have made mall changes to this malware family using multiple methods to avoid traditional antivirus detection. Also detected was a sample where the dropper was signed by a valid Certificate Authority.
"Use of a code signing certificate for Boostwrite is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools," said researchers.
"By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims."
The other tool, RDFSniffer, is the payload of Boostwrite. Researchers said that this appeared to  have been developed to tamper with NCR Corporation's "Aloha Command Center" client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. They added that the  malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility.
"This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files," said researchers.
Researchers said that these incidents have also included FIN7’s typical and long-used toolsets, such as Carbanak and Babymetal, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.
"Further, the use of code signing in at least one case highlights the group's judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls," researchers said.
They added that barring any further law enforcement actions, they expect at least a portion of the actors who comprise the FIN7 criminal organisation to continue conducting campaigns.
"As a result, organisations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors," they said.
Dr Guy Bunker, CTO of cyber security company Clearswift, told SC Media UK that FIN7 has traditionally gone after financial organisations and this appears to be no exception. 
"Targeting the financial supply chain, in this case going after a very specific payment card processor system. The increase in sophistication and variability of the attack with the different payloads shows a step change in organisation and capabilities. Using code signing, which was / is used as a method to ‘prove’ the validity of an application shows (once again) that nothing can be trusted. Just because an application has been signed, doesn’t mean it can be trusted," he said.
"The cyber-attacker only has to be ‘lucky’ once, the CIO/IT department has to be ‘lucky’ all the time." Or so the saying goes. Organisations need to keep up with the latest attacks and methods used. While this one is FIN7 and around the financial sector, cyber-attack methods and tools are traded on the underground web, so it will rapidly appear, targeting other verticals and sectors."
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that the report from FireEye demonstrates the perseverance and continuous investment by advanced threat actors such as FIN7. 
"The sophistication of the evasion tactics of malware from these advanced threat actors are of such level that only can be mitigated by continuous research into the TTPs of malicious actors. Disclosing and sharing the intelligence is the way that we as a collective industry can keep ahead of their threats. Hats off to FireEye for discovering and writing up in detail their discovery and sharing it with the wider industry!" He said. 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews