FIN7 hacking group is switched to new techniques to evade detection

The financially-motivated FIN7 APT group (also known as Carbanak or Anunak) recently changed attack technique again to evade detection.

The financially-motivated FIN7 APT group (also known as Carbanak or Anunak) recently changed attack technique again and has been implementing a new malware obfuscation method.

The group that has been active since late 2015, it was highly active since the beginning of 2017.

Fin7 was spotted early this year to have been targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

In April, the hacking group adopted new phishing techniques, it leveraged on hidden shortcut files (LNK files) to compromise targets.

The hackers used fileless malware, but to evade detection they have since switched to using CMD files instead of LNK ones.

“In the documents released today, FIN7 appears to have pivoted from using OLE embedded LNK files to using OLE embedded CMD files. When executed, the CMD file writes JScript to “tt.txt” under the current user’s home directory. The batch script then copies itself to “pp.txt”, also under the current user’s home directory, before running WScript using the JScript engine on the file. This JScript code will read from the file “pp.txt”, skipping the first four lines (the CMD code itself), but otherwise evaluating anything after the first character for each line in the file.” reads the analysis published by security experts.

“Both CMD and LNK file formats result in code execution, but the shift towards using CMD files may indicate a desire to stay ahead of detection authors.”

The shift towards using OLE embedded CMD files results in code execution on the victim’s machine.

The FIN7 hackers also implemented a series of changes to the obfuscation technique for their unique backdoor, HALFBAKED, that was continuously improved over the years.

“Over the course of the past year, the actor’s unique backdoor, HALFBAKED, has continued to morph to improve capabilities and reduce detection surface. In the newest observed version, ICEBRG observed a slight tweak in the obfuscation strategy.” continues the analysis.

“Previously, different stages of the HALFBAKED codebase utilized base64 encoding, stored in a string array variable called “srcTxt”. The attacker now obfuscates that name and continues to break up the base64 string into multiple strings within an array”

ICEBRG discovered the HALFBAKED backdoor now includes a built-in command called “getNK2” which was designed to retrieve the target’s Microsoft Outlook email client auto-complete list. The presence of getNK2 suggests the FIN7 group aims to launch phishing attacks within a victim organization.

Experts noticed NK2 files are used only for Microsoft Outlook 2007 and 2010, newer versions of outlook no longer use them, so FIN7 hackers leveraged a custom-functionality to handle newer versions of Outlook within the same “getNK2” command.

The changes in the FIN7 attack techniques demonstrate that they are highly adaptable.

“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” concludes ICEBRG.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – FIN7, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]