FIN7 Hackers Change Attack Techniques

总有人抱怨说国内的商业环境尤其是信任问题导致安全外包产业受阻,的确,要改变人们对安全就是上系统设备的错误认知需要一些时间。
安泰科技(000969):关于12安泰债公司债券跟踪评级结果的公
The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.
Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.
The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.
Next, the batch script copies itself to “pp.txt” under the same directory, and then runs WScript using the JScript engine on the file. According to ICEBRG, the JScript code then reads from the “pp.txt” file, evaluating anything after the first character for each line in the file. However, it skips the first four lines, which represent the CMD code itself.

The same as with the LNK files, however, the use of OLE embedded CMD files results in code execution on the victim’s machine. The use of commented out code isn’t new either, and has been previously associated with FIN7.
The security researchers also observed a series of changes to the obfuscation strategy the hackers are using for their unique backdoor, HALFBAKED, which has been continuously morphing over the past year.
Until now, different stages of the HALFBAKED codebase used base64 encoding, stored in a string array variable called “srcTxt,” the researchers explain. Now, the name is obfuscated and the base64 string is broken down into multiple strings within an array.
Furthermore, the backdoor now includes a built-in command called “getNK2”which is meant to retrieve the victim’s Microsoft Outlook email client auto-complete list. The command was likely named after the NK2 file that contains a list of auto-complete addresses for Microsoft Outlook 2007 and 2010.
“This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas,” the researchers note.
Although newer versions of Outlook no longer use the NK2 file, the backdoor targets them as well, because the hackers also wrote functionality to handle them within the same “getNK2” command.
“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG concludes.
Related: FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks
Related: FIN7 Hackers Change Phishing Techniques
网络安全、信息安全,最终的目的是保护业务安全,所以信息安全管理人员们,要学习和了解公司的业务流程、审计和内部控制等,方能更好地为公司做出更大的贡献。

猜您喜欢

钱秀槟:建立切实有效的预案体系 全面提升网络安全事件应急处置能力
漫谈保险业信息安全管理
网络安全法学习课堂
古巴举行集会纪念切·格瓦拉牺牲50周年
SIDTECH TA
网络信息安全小曲