This is a new blog post on the work we are doing at AttackIQ to help our customers to emulate known threats and test the performance of their security controls against them. While in a previous post we focused on APT29, here we will be focusing on FIN7, a financially motivated group that has been recurrently hitting the news for the last few years.
First of all, we will give some context on this threat actor: motivations, known campaigns, some events of its recent history, as well as a short overview of the kind of tools they use. Next, we will present the Assessment Template that we have built to emulate this group, and later we will explain some of their TTPs and the corresponding scenarios you will be able to find in this Assessment Template. Finally, we will showcase how we can investigate the results of one of these scenarios to check that your security tools are acting as you expect.
As the name indicates, FIN7 is a group whose main objective is to obtain financial gain directly from their campaigns. To that aim, the group targets businesses from a wide range of industries (although primarily the hospitality, restaurant and gaming sectors) mainly in the US and Europe. Usually, their goal is dropping point-of-sale (PoS) malware to steal financial information, such as credit card data, that they can later sell in online fraud bazaars.
With its first known activity dating back to 2015, in only a few years FIN7 has been allegedly involved in many breaches that would have represented large financial gains. Indeed, according to the US Department of Justice (DoJ), in 2018 this group had already stolen more than 15 million credit card records from more than 6500 PoS terminals of 3600 different businesses in the United States alone. It was in that same press release that the DoJ announced that three of their top members had been arrested as well as that this group maintained a front company named Combi Security that purportedly offered Penetration Testing services. In reality, this company would have served as a means of recruiting staff to conduct their activities and disguise the group with a legitimate appearance.
These arrests and the dismantling of their front company, however, do not seem to have been enough to stop the activity of the group, which continues to be operative, possibly targeting more than 130 different companies during 2018. Another example has been published in a recent report, in which apparently FIN7 would have delivered malicious USB drives that were supposed to contain a gift card for a well-known American electronics retailer.
FIN7’s toolset has been a mix of publicly available tools (such as DNS_TXT_Pwnage, Tinymet, or Cobalt Strike stagers), often obfuscated to avoid detections, and custom-developed malware. Their most known tool of this latter class is perhaps the Carbanak backdoor, a custom malware (whose source code was found in VirusTotal) that has also been used by the so-called Carbanak Group. This fact has led to the confusion between the two groups, though it is commonly accepted that these are actually separate groups using the same tool. In the case of FIN7, they have used modified versions of this backdoor as well as versions signed with legally purchased certificates. Other custom tools include loaders and backdoors developed in JScript, Powershell or even as SQL scripts.
As a final note, we can also highlight the fact that this group (unlike other FIN groups and APTs) does not frequently use exploits, nor are there any known cases where they have used a zero-day exploit. However, they do not lack technical expertise since they are continually adapting and modifying their payloads to avoid being detected.
You might be wondering what characteristic behavior has defined FIN7 past campaigns, and how you can test your security controls to be sure that you would be able to prevent or detect similar intrusions. To facilitate this, we have created an Assessment Template that contains a total of 17 scenarios that emulate FIN7 known behavior, with possible new scenarios being added in the future. This assessment does not need any kind of extra configuration, so you can just run it as it is.
To create this template we took into account that it is important to not only produce specific Indicators of Compromise (IOCs), but to also replicate a similar behavior that, based on known facts, the desired group could exhibit. The MITRE ATT&CK Framework is a great tool that can help structure such an emulation, always taking into account how the threat actor has implemented each technique. For this reason, we have created this Assessment Template based on the MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) that have been linked to this group.
To be a little bit more specific, in the following paragraphs we will show a few examples of techniques that have been used by FIN7, as well as what AttackIQ scenarios you can use to test them. The Assessment Template contains a lot more scenarios and techniques, but this can serve as an appetizer of all the content that you will be able to find.
When it comes to spreading malware for an initial infection, spear-phishing attachments are one of the most common vectors used by threat actors, and FIN7 is no exception. They have used this technique many times, for instance, as many other threat actors, they have sent malicious MS Word documents containing macros. However, in other cases they have sent MS Word documents with an image that created a malicious shortcut when clicked, which is not so common. With AttackIQ, you can test your network security controls against this type of attacks using the Download FIN7 Phishing Word Document to Memory scenario, and your endpoint security controls with the Save FIN7 Phishing Word Document to File System scenario.
A quite distinctive technique that FIN7 has used to achieve persistence is Application Shimming. This feature, originally designed to allow backward compatibility in Windows without needing to rewrite application code, can be abused to modify parameters, inject DLLs or patch code of the desired processes before they are launched, for instance. This is precisely what FIN7 has done, patching the process services.exe to load a Carbanak DLL. Our Application Shimming Script scenario will allow you to test this technique.
Finally, another example of FIN7’s techniques is the use of DNS for Command and Control communication, for instance using Powershell to download shellcode from TXT records. If you want to see how this would change your typical network traffic, you can try the DNSMessenger PowerShell Communication scenario.
To finish this post, we will show an example of a detection of the Mshta Script scenario with Microsoft Defender ATP, and see how we can infer what the scenario has executed from the information provided by it.
After running the FIN7 assessment in our lab, in the Results Summary section we see that the Mshta Script scenario has been detected by Microsoft Defender ATP:
This serves as a first input to know that the security tool has worked as expected without needing to access the dozens of security controls in place to obtain this information. However, if we want to dig deeper we can go to the tool’s interface. Indeed, when logging into Microsoft Defender Security Center, we see that an alert has been triggered for running a living-off-the-land binary:
Checking all the information provided in the alert will help us understand what has happened. For instance, in the attached process tree, we see that
cmd.exe has been used to run a script named
mshta.bat, and that later the binary
mshta.exe has been executed, which spawned a new process from the
We can even see the exact command line that was used for
cmd.exe and determine where the script was located:
More interestingly, we can also see the command line of the
mshta.exe process, in which we can clearly see the VBScript code that has been used:
In this case, we can see that some VBScript code has been executed to launch the binary
Finally, if we want to see the whole contents of the script
mshta.bat or the
binary.exe file (for example, to reverse engineer it and understand its functionality), we can download them just by clicking on the “Download file” button:
After this analysis, we have a clear idea of the steps the scenario has taken under the hood without needing to see the actual code of the scenario (which, by the way, is available to all our users). If this was a real security incident, we could understand the extent of the malicious action, pull additional information, and take proper actions to eradicate any traces of malicious activity.
In this post, we have given an overview of the threat group known as FIN7, as well as presented a new AttackIQ Assessment Template that you can use to test your security controls with scenarios that replicate the behavior reported in previous reports on this group.
We have also given some examples of techniques and scenarios that you will find in this template. Last but not least, we showcased how security platforms such as MD ATP (Microsoft Defender Advanced Threat Protection) can assist a blue team member in the triaging and analysis of a complex attack. Indeed, after reviewing the detection results of one scenario, we have been able to reconstruct the actions that the scenario has taken just from the data provided by the security tool.
This is an example of how running scenarios can be useful not only to test your security controls but to train and keep in shape your Incident Response teams.