NewsOctober 12, 2017 @ 2:00 PM

Cybercrime Group FIN7 Takes Phishing Attacks to the Next Level

Since the start of 2017, security researchers have observed a cybergang known as FIN7 spreading malware by using LNK files embedded in Word documents via the standard Object Linking and Embedding (OLE) technology. The malware spread is usually the group’s own custom backdoor called HALFBAKED.

However, security firm ICEBRG reported that FIN7 has gone beyond messing with its payload to slip under the security radar and has adopted new attack methods. Notably, the threat group started using OLE command (CMD) files in phishing attacks to spread and execute its malware.

FIN7 Makes Sweeping Changes

When triggered, the CMD file writes JScript to “tt.tx” under the user’s home directory. It then self-replicates and runs WScript using the file’s JScript engine, which performs the code execution.

The resultant malware has gone through some changes as well. Stages of the malware were stored in a string array, which used base64 encoding, while it was being assembled. The name of the array is now obfuscated to prevent defenders from directly searching for it. Additionally, the base64-encoded string it contained is now broken down into multiple strings within an array.

“FIN7 has demonstrated that they are highly adaptable, evading detection mechanisms while impacting a number of large U.S. retail companies over an extended period of time,” the ICEBRG report noted.

Enterprise Users Are Shark Bait for Phishing Attacks

FIN7 also added a new command, getNK2, to the malware’s arsenal. According to ICEBRG, this command targets the victim’s Microsoft Outlook email client autocomplete list in an effort to gain new potential phishing targets. As with most phishing attacks, all it takes is one user to fall victim for the threat to spread throughout an enterprise.

The threat group’s changing tactics and fluid adaptability means that security professionals must find the right balance between broad detection approaches that can generate false positives and more detailed, narrow signatures that may costs more to process.

Share this Article:
Larry Loeb

Principal, PBC Enterprises

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He wrote for IBM's DeveloperWorks site for seven years and has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange.