Since the start of 2017, security researchers have observed a cybergang known as FIN7 spreading malware by using LNK files embedded in Word documents via the standard Object Linking and Embedding (OLE) technology. The malware spread is usually the group’s own custom backdoor called HALFBAKED.

However, security firm ICEBRG reported that FIN7 has gone beyond messing with its payload to slip under the security radar and has adopted new attack methods. Notably, the threat group started using OLE command (CMD) files in phishing attacks to spread and execute its malware.

FIN7 Makes Sweeping Changes

When triggered, the CMD file writes JScript to “tt.tx” under the user’s home directory. It then self-replicates and runs WScript using the file’s JScript engine, which performs the code execution.

The resultant malware has gone through some changes as well. Stages of the malware were stored in a string array, which used base64 encoding, while it was being assembled. The name of the array is now obfuscated to prevent defenders from directly searching for it. Additionally, the base64-encoded string it contained is now broken down into multiple strings within an array.

“FIN7 has demonstrated that they are highly adaptable, evading detection mechanisms while impacting a number of large U.S. retail companies over an extended period of time,” the ICEBRG report noted.

Enterprise Users Are Shark Bait for Phishing Attacks

FIN7 also added a new command, getNK2, to the malware’s arsenal. According to ICEBRG, this command targets the victim’s Microsoft Outlook email client autocomplete list in an effort to gain new potential phishing targets. As with most phishing attacks, all it takes is one user to fall victim for the threat to spread throughout an enterprise.

The threat group’s changing tactics and fluid adaptability means that security professionals must find the right balance between broad detection approaches that can generate false positives and more detailed, narrow signatures that may costs more to process.