Facebook Tracking
April 20, 2020

Fingerprinting FIN7

Category: Blog

This is a new blog post on the work we are doing at AttackIQ to help our customers to emulate known threats and test the performance of their security controls against them. While in a previous post we focused on APT29, here we will be focusing on FIN7, a financially motivated group that has been recurrently hitting the news for the last few years. 

First of all, we will give some context on this threat actor: motivations, known campaigns, some events of its recent history, as well as a short overview of the kind of tools they use. Next, we will present the Assessment Template that we have built to emulate this group, and later we will explain some of their TTPs and the corresponding scenarios you will be able to find in this Assessment Template. Finally, we will showcase how we can investigate the results of one of these scenarios to check that your security tools are acting as you expect.

 

FIN7 in a Nutshell

As the name indicates, FIN7 is a group whose main objective is to obtain financial gain directly from their campaigns. To that aim, the group targets businesses from a wide range of industries (although primarily the hospitality, restaurant and gaming sectors) mainly in the US and Europe. Usually, their goal is dropping point-of-sale (PoS) malware to steal financial information, such as credit card data, that they can later sell in online fraud bazaars.

With its first known activity dating back to 2015, in only a few years FIN7 has been allegedly involved in many breaches that would have represented large financial gains. Indeed, according to the US Department of Justice (DoJ), in 2018 this group had already stolen more than 15 million credit card records from more than 6500 PoS terminals of 3600 different businesses in the United States alone. It was in that same press release that the DoJ announced that three of their top members had been arrested as well as that this group maintained a front company named Combi Security that purportedly offered Penetration Testing services. In reality, this company would have served as a means of recruiting staff to conduct their activities and disguise the group with a legitimate appearance. 

 

combi security logo
Logo of FIN7’s front company Combi Security

 

These arrests and the dismantling of their front company, however, do not seem to have been enough to stop the activity of the group, which continues to be operative, possibly targeting more than 130 different companies during 2018. Another example has been published in a recent report, in which apparently FIN7 would have delivered malicious USB drives that were supposed to contain a gift card for a well-known American electronics retailer.

FIN7’s toolset has been a mix of publicly available tools (such as DNS_TXT_Pwnage, Tinymet, or Cobalt Strike stagers), often obfuscated to avoid detections, and custom-developed malware. Their most known tool of this latter class is perhaps the Carbanak backdoor, a custom malware (whose source code was found in VirusTotal) that has also been used by the so-called Carbanak Group. This fact has led to the confusion between the two groups, though it is commonly accepted that these are actually separate groups using the same tool. In the case of FIN7, they have used modified versions of this backdoor as well as versions signed with legally purchased certificates. Other custom tools include loaders and backdoors developed in JScript, Powershell or even as SQL scripts.

As a final note, we can also highlight the fact that this group (unlike other FIN groups and APTs) does not frequently use exploits, nor are there any known cases where they have used a zero-day exploit. However, they do not lack technical expertise since they are continually adapting and modifying their payloads to avoid being detected.


The FIN7 Assessment Template

You might be wondering what characteristic behavior has defined FIN7 past campaigns, and how you can test your security controls to be sure that you would be able to prevent or detect similar intrusions. To facilitate this, we have created an Assessment Template that contains a total of 17 scenarios that emulate FIN7 known behavior, with possible new scenarios being added in the future. This assessment does not need any kind of extra configuration, so you can just run it as it is.

To create this template we took into account that it is important to not only produce specific Indicators of Compromise (IOCs), but to also replicate a similar behavior that, based on known facts, the desired group could exhibit. The MITRE ATT&CK Framework is a great tool that can help structure such an emulation, always taking into account how the threat actor has implemented each technique. For this reason, we have created this Assessment Template based on the MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) that have been linked to this group

To be a little bit more specific, in the following paragraphs we will show a few examples of  techniques that have been used by FIN7, as well as what AttackIQ scenarios you can use to test them. The Assessment Template contains a lot more scenarios and techniques, but this can serve as an appetizer of all the content that you will be able to find.

 

A Taste of FIN7’s TTPs

When it comes to spreading malware for an initial infection, spear-phishing attachments are one of the most common vectors used by threat actors, and FIN7 is no exception. They have used this technique many times, for instance, as many other threat actors, they have sent malicious MS Word documents containing macros. However, in other cases they have sent MS Word documents with an image that created a malicious shortcut when clicked, which is not so common. With AttackIQ, you can test your network security controls against this type of attacks using the Download FIN7 Phishing Word Document to Memory scenario, and your endpoint security controls with the Save FIN7 Phishing Word Document to File System scenario.

Another technique observed in FIN7’s past campaigns, although not as common as spear-phishing, is the use of Mshta. This is a Windows native utility to execute Microsoft HTML Applications (HTA), which can be misused to execute Javascript and VBScript code. It can be helpful to go under the radar or to bypass application whitelisting policies, so it is interesting to test if your security controls have a blind spot in this regard. FIN7 has used it many times in the past, and you can try it yourself using the Mshta Script scenario.

A quite distinctive technique that FIN7 has used to achieve persistence is Application Shimming. This feature, originally designed to allow backward compatibility in Windows without needing to rewrite application code, can be abused to modify parameters, inject DLLs or patch code of the desired processes before they are launched, for instance. This is precisely what FIN7 has done, patching the process services.exe to load a Carbanak DLL. Our Application Shimming Script scenario will allow you to test this technique.

Finally, another example of FIN7’s techniques is the use of DNS for Command and Control communication, for instance using Powershell to download shellcode from TXT records. If you want to see how this would change your typical network traffic, you can try the DNSMessenger PowerShell Communication scenario.


Investigating an Alert

To finish this post, we will show an example of a detection of the Mshta Script scenario with Microsoft Defender ATP, and see how we can infer what the scenario has executed from the information provided by it. 

After running the FIN7 assessment in our lab, in the Results Summary section we see that the Mshta Script scenario has been detected by Microsoft Defender ATP:

 


Result of the Mstha Script scenario, detected by Microsoft Defender ATP

 

This serves as a first input to know that the security tool has worked as expected without needing to access the dozens of security controls in place to obtain this information. However, if we want to dig deeper we can go to the tool’s interface. Indeed, when logging into Microsoft Defender Security Center, we see that an alert has been triggered for running a living-off-the-land binary:

 


Alert triggered by the Mshta Script scenario

 

Checking all the information provided in the alert will help us understand what has happened. For instance, in the attached process tree, we see that cmd.exe has been used to run a script named mshta.bat, and that later the binary mshta.exe has been executed, which spawned a new process from the binary.exe file.

 


Process tree attached to the alert
 

We can even see the exact command line that was used for cmd.exe and determine where the script was located:


Details of the execution of the script mshta.bat via cmd.exe
 

More interestingly, we can also see the command line of the mshta.exe process, in which we can clearly see the VBScript code that has been used:


Details of process mstha.exe where we see the VBScript code that has been executed
 

In this case, we can see that some VBScript code has been executed to launch the binary binary.exe

Finally, if we want to see the whole contents of the script mshta.bat or the binary.exe file (for example, to reverse engineer it and understand its functionality), we can download them just by clicking on the “Download file” button:


We can download any artifact, such as the executable binary.exe, for further analysis
 

After this analysis, we have a clear idea of the steps the scenario has taken under the hood without needing to see the actual code of the scenario (which, by the way, is available to all our users). If this was a real security incident, we could understand the extent of the malicious action, pull additional information, and take proper actions to eradicate any traces of malicious activity.


Conclusion

In this post, we have given an overview of the threat group known as FIN7, as well as presented a new AttackIQ Assessment Template that you can use to test your security controls with scenarios that replicate the behavior reported in previous reports on this group. 

We have also given some examples of techniques and scenarios that you will find in this template. Last but not least, we showcased how security platforms such as MD ATP (Microsoft Defender Advanced Threat Protection) can assist a blue team member in the triaging and analysis of a complex attack. Indeed, after reviewing the detection results of one scenario, we have been able to reconstruct the actions that the scenario has taken just from the data provided by the security tool. 

This is an example of how running scenarios can be useful not only to test your security controls but to train and keep in shape your Incident Response teams.
 

About the Author

Oriol Castejón
Security Engineer, AttackIQ