Fin7 Group updated its arsenal

Written by Valdis Koks

The cybercrime group Fin7 has updated its arsenal, adding new tools to its malware suite, and continues to attack commercial organizations despite the arrest of three of its members in 2018.

FireEye specialists reached this conclusion after analyzing several new incidents that occurred this fall.

According to the analysts, the criminals have adopted the fileless dropper BOOSTWRITE and are also using a purpose-built tool that targets remote-administration software for ATMs.

In the latest attacks, the attackers delivered a loader to the target device, which decrypted its embedded payload using an encryption key fetched from the command-and-control server. In some cases the loader was signed with a valid code-signing certificate to evade antivirus scanners.

“Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem,” states the FireEye report.
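The "is this a PE32 DLL" sanity check the report describes is the same test an analyst applies when triaging regions carved from process memory during a fileless-loader investigation. The helper below is an added example, not FireEye's or FIN7's code; it parses only the DOS stub, COFF header and optional-header magic, and the fixture builder constructs a minimal header for testing, not a loadable binary.

```python
import struct

# Field values from the PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86 image
IMAGE_FILE_DLL = 0x2000            # Characteristics flag: image is a DLL
PE32_MAGIC = 0x10B                 # optional header magic for PE32 (0x20B is PE32+)


def classify_pe(blob: bytes) -> dict:
    """Triage a carved memory region: does it look like a PE32 DLL image?

    Returns every intermediate check so an analyst can see where a blob
    stops matching; 'is_pe32_dll' is the overall verdict.
    """
    result = {"mz": False, "pe": False, "pe32": False, "dll": False, "is_pe32_dll": False}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    # Need room for the signature (4), the COFF header (20) and the magic (2)
    if e_lfanew + 26 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["pe"] = True
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    magic = struct.unpack_from("<H", blob, e_lfanew + 24)[0]
    result["pe32"] = machine == IMAGE_FILE_MACHINE_I386 and magic == PE32_MAGIC
    result["dll"] = bool(characteristics & IMAGE_FILE_DLL)
    result["is_pe32_dll"] = result["pe32"] and result["dll"]
    return result


def build_header(machine=IMAGE_FILE_MACHINE_I386,
                 characteristics=IMAGE_FILE_DLL | 0x0102,
                 magic=PE32_MAGIC) -> bytes:
    """Constructed test fixture: a bare DOS header + PE signature + COFF header + magic."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + coff + struct.pack("<H", magic)


if __name__ == "__main__":
    for name, blob in [("pe32 dll", build_header()),
                       ("pe32 exe", build_header(characteristics=0x0102)),
                       ("pe32+ dll", build_header(machine=0x8664, magic=0x20B)),
                       ("junk", b"not a pe image at all")]:
        print(f"{name:10s} -> {classify_pe(blob)}")
```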

The payload was either the Carbanak backdoor or the new RDFSNIFFER malware. The latter is designed to be injected into the legitimate RDF tool Aloha Command Center, which is used to administer self-service kiosks, point-of-sale terminals, ATMs and other devices made by the American company NCR.

The specialists found that RDFSNIFFER is loaded into the agent process by abusing the library load order of Aloha Command Center. Running inside the legitimate process, the malware can monitor SSL sessions and hook the remote-administration user interface. From this man-in-the-middle position, the criminals can execute commands and perform file operations on the compromised device.


The researchers did not report how the attackers gained access to the target machines, but Fin7 has previously used phishing emails for this purpose. The security experts informed NCR of their findings, but the vendor has not yet announced plans to release a patch addressing the issue.

“The introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements,” FireEye researchers say.

The previous update to Fin7's malware tools was recorded in March this year, when analysts found the SQLRat loader and the DNSBot backdoor in the group's arsenal. Those programs were delivered to the victim's computer via email and communicated with a custom control panel called Astra.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
