FinSec is a thing. It’s rather become my thing, when I delve deeper and find the connections and patterns that emerge. This week, FireEye published a post on a campaign known as FIN7. They identified a spear phishing campaign in late February that targeted people who were filing with the US SEC. FIN7 is described as a
“financially motivated intrusion set that selectively targets victims and uses spear phishing to distribute its malware.”
Sectors identified as targets are in the US but have a global spread and include:
- Financial services
- IT services
Often they target retail and hospitality through POS malware. Here’s the play-by-play:
- Malicious documents drop a VBS script and install a PowerShell backdoor. No question that PowerShell is now the tool of choice for attackers. Set up your IDS to look for signs.
- The backdoor is a new malware family dubbed POWERSOURCE. It’s based on a publicly available tool, DNS_TXT_Pwnage. What they’ve done is modify it, especially in terms of obfuscation. If you can’t find it …
- FIN7 uses DNS TXT records for Command and Control. DNS TXT C2 has been trending precisely because of how hard it makes detecting and hunting for command and control traffic.
- But wait! There’s a second backdoor, installed by POWERSOURCE. This second stage PowerShell backdoor is known as TEXTMATE. It’s fileless malware – yes, that’s a thing now too – that stays memory resident, so you can’t find it easily, and lets the attacker play hide and seek better.
- There have been instances of a Cobalt Strike Beacon payload.
- That same domain hosting the Cobalt Strike Beacon also hosted – get ready for it – a recently compiled CARBANAK backdoor sample. We know how pervasive CARBANAK is, and that it has recently made a major pivot into the hospitality sector. And, as it happens, it is something FIN7 has used in the past.
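Since the post’s advice is to point your IDS at the PowerShell and DNS TXT behaviour, here is a small, added detection heuristic (my example, not code from FireEye or from the FIN7 report) that works over resolver logs. It assumes a constructed, simplified log format `<timestamp> <client-ip> <qtype> <qname> <answer>` with the answer quoted; the sample lines, client addresses, domain names and base64-looking answers are all made up for the example. The logic is the generic one behind TXT-based C2 hunting: a host that repeatedly asks for TXT records under one zone, each time for a unique name, and gets back high-entropy text is worth a look, while a single DMARC or SPF lookup is not.

```python
"""Heuristic detection of DNS TXT record command and control.

Added example for this post; not code from FireEye or from the blog.
Assumes a constructed, simplified resolver log format
    <timestamp> <client-ip> <qtype> <qname> <answer>
with the answer quoted. Real logs (BIND querylog, Zeek dns.log, the
Windows DNS analytic log) use other layouts and need their own parser.
"""
import math
import shlex
from collections import defaultdict

# Constructed sample: 10.0.0.9 repeatedly pulls base64-looking TXT answers
# for unique names under one zone (the shape a TXT-record C2 channel
# produces), 10.0.0.7 makes one legitimate DMARC lookup, 10.0.0.5 only
# asks for A records.
SAMPLE_LOG = """\
2017-03-01T10:00:01 10.0.0.5 A mail.example.com 192.0.2.10
2017-03-01T10:00:02 10.0.0.7 TXT _dmarc.example.com "v=DMARC1; p=reject"
2017-03-01T10:00:03 10.0.0.9 TXT k3j9x2.update-cdn.example "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="
2017-03-01T10:00:05 10.0.0.5 A www.example.com 192.0.2.11
2017-03-01T10:01:03 10.0.0.9 TXT p7q1m4.update-cdn.example "SGVyZSBpcyBhbm90aGVyIGNoYW5rIG9mIGRhdGE="
2017-03-01T10:02:03 10.0.0.9 TXT z8w2n6.update-cdn.example "VGhpcmQgYmxvYiBvZiBlbmNvZGVkIHBheWxvYWQ="
2017-03-01T10:03:03 10.0.0.9 TXT b5v0c1.update-cdn.example "Rm91cnRoIGNodW5rLCBzdGlsbCBsb29raW5nIHJhbmRvbQ=="
"""


def shannon_entropy(text):
    """Bits per character; encoded or encrypted payloads score high,
    human-readable policy strings such as DMARC records score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Split one constructed log line; return None for malformed lines.
    shlex keeps the quoted answer (which may contain spaces) together."""
    parts = shlex.split(line)
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, answer = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.lower(), "answer": answer}


def analyze(log_text, min_txt_queries=3, min_mean_entropy=3.0):
    """Return clients whose TXT traffic looks like a C2 channel: at least
    min_txt_queries TXT lookups whose answers average at least
    min_mean_entropy bits per character. Thresholds are assumptions to
    tune against your own baseline, not values from the report."""
    stats = defaultdict(lambda: {"txt": 0, "names": set(), "entropy": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["qtype"] != "TXT":
            continue
        s = stats[rec["client"]]
        s["txt"] += 1
        s["names"].add(rec["qname"])
        s["entropy"].append(shannon_entropy(rec["answer"]))

    findings = []
    for client, s in sorted(stats.items()):
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if s["txt"] >= min_txt_queries and mean_ent >= min_mean_entropy:
            findings.append({"client": client,
                             "txt_queries": s["txt"],
                             "unique_names": len(s["names"]),
                             "mean_answer_entropy": round(mean_ent, 2)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it as-is and only 10.0.0.9 is reported, with four TXT queries to four unique names and a mean answer entropy well above the threshold; the DMARC lookup from 10.0.0.7 never reaches the query-count floor. The point of counting unique names alongside entropy is that a legitimate TXT consumer asks the same name repeatedly, whereas a beacon that encodes data in the query name burns a fresh subdomain each time.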
While FireEye says they have not yet determined the objective of FIN7 in this current campaign, I think it’s safe to say they are in it for the money.