#FIN7 Not Finished – Morphisec Spots New Attack Campaign https://t.co/cPDMQ8xNra by @smgoreli and @alongros #cybersecurity
— Morphisec (@morphisec) November 21, 2018
The FIN7 group remains one of the most formidable financially motivated groups. It is known not only for large point-of-sale breaches (including the alleged recent compromise of the Burgerville restaurant point-of-sale network) but also for its stealthy persistence and its sophisticated, persistent approach.
In their backdoor code, they have the following hardcoded groups:
The following MITRE ATT&CK Enterprise attack patterns are observed in the FIN7 campaign:
I. Malicious Microsoft Word Document First-Stage Macro
Once that is done, the document macro displays a message box reading "Decryption error" via MsgBox("Decryption error").
Notably, the decryption message is itself part of the social engineering ruse: the lure asks the user "to decrypt document", and the subsequent "Decryption Error", coupled with the execution of "errors.txt", creates a plausible, well-thought-out scenario in which the "error" path looks like an ordinary document error.
Additionally, the second document contains the exact same reference to the mysterious "cesar.exe" detailed by Nick Carr.
#FIN7 is still active and getting in on the renamed legitimate binary trend
%USERPROFILE%\Contacts\cesar.exe //E:jscript %TEMP%\settings.txt pic.twitter.com/bYwcF3xoOj
— Nick Carr (@ItsReallyNick) November 6, 2018
| Function | Purpose |
|---|---|
| "id" | generate unique machine ID based on MAC address and DNS domain |
| "crypt_controller" | control decryptor and encryptor function |
| "get_path" | build path URL based on pre-configured paths |
| "send_data" | send data request to the server |
The "main" function initializes a variable "ncommand", which holds the result of the "send_data" function called with the arguments ("request", "action=get_command", true).
If ncommand does not equal "no", it passes the output of "crypt_controller", called with the arguments "decrypt" and ncommand, to eval.
The backdoor uses a variable "random_knock", which equals 120000 combined with random * 16001 – 5000, as the argument to WScript.Sleep, and then runs the main routine again.
The unique machine ID is generated by calling Date with getUTCMilliseconds(). The script also deletes itself: if GetFile.Type == "Application" and length == 10, it calls DeleteFile via ActiveXObject.
The decoding routine is a simple XOR loop that decodes the content as follows and joins result_string via the .join command.
b. If the type parameter equals "encrypt", result_string is joined with ")*(" and passed to encodeURIComponent.
An example of the decoded full path is as follows:
IV. Indicators of Compromise: Domains
Vitali Kremez | Ethical Hacker | Reverse Engineer