Pierluigi Paganini October 12, 2019

FireEye Mandiant discovered that the FIN7 hacking group added new tools to its cyber arsenal, including a module to target remote administration software of ATM vendor.

Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.

The group that has been active since late 2015 targeted businesses worldwide to steal payment card information. Fin7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

In August 2018, three members of the notorious cybercrime gang have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The new loader is able to drop the malware directly in memory, it was dubbed BOOSTWRITE and allows threat actors to load several malicious codes, including the Carbanak backdoor.

Researchers also spotted a new RAT tracked as RDFSNIFFER that is dropped by the BOOSTWRITE loader.

“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a BOOSTWRITE sample where the dropper was signed by a valid Certificate Authority. One of the analyzed BOOSTWRITE variants contained two payloads: CARBANAK and RDFSNIFFER.” reads the Mandiant report. “While CARBANAK has been thoroughly analyzed and has been used maliciously by several financial attackers including FIN7, RDFSNIFFER is a newly-identified tool recovered by Mandiant investigators.”

BOOSTWRITE implements the DLL search order hijacking technique to load its DLLs into the target’s memory that allows it to download the initialization vector (IV) and the decryption two embedded payload DLLs.

Before decrypting the embedded PE32.DLLs payloads the loader performs sanity checks on the results, then load them into memory.

The researchers analyzed several samples of BOOSTWRITE, one of them that was uploaded to VirusTotal on October 3 was signed with a code signing certificate issued by MANGO ENTERPRISE LIMITED.

The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.

RDFSNIFFER hooks the process of NCR Corporation’s RDFClient, it runs every time the legitimate software for remote administration is executed on the compromised machines.

The malicious code is designed to run man-in-the-middle attacks on connections made using RDFClient, it also allows attackers to upload, download, execute and/or delete arbitrary files.

Below the list of supported commands:

In March, the group carried out attacks delivering a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping the backdoor DNSbot that primarily operates over DNS traffic.

In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.

“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements.” concludes the report.

“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”

Pierluigi Paganini

(SecurityAffairs – FIN7, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]