Security experts reported that the financially motivated FIN7 hacking group has recently changed its delivery technique and is employing a different malware obfuscation method.
FIN7 (also known as Anunak or Carbanak), which has been highly active since the beginning of this year, started distributing malware via LNK files embedded in Word documents using Object Linking and Embedding (OLE).
At first, the attack used a fileless infection method, with no files being written to disk. Later, however, the attackers switched from LNK files to CMD files in order to escape detection.
According to the researchers, the CMD file writes JScript to “tt.txt” under the current user’s home directory. The batch script then copies itself to “pp.txt” in the same directory and runs WScript with the JScript engine on that file.
The JScript code then reads “pp.txt” and evaluates everything after the first character of each line, skipping the first four lines, which are the CMD code itself.
The outcome is the same as with the LNK files: opening the OLE-embedded CMD file results in code execution on the victim’s machine.
Hiding code in commented-out lines isn’t new either, and the technique has been linked to FIN7 before.
Beyond the delivery change, the security experts noticed a number of changes to the obfuscation strategy the attackers use for their unique backdoor, HALFBAKED, which has been continuously morphing over the last year.
Until now, the experts say, the different stages of the HALFBAKED codebase used base64 encoding stored in a string array variable called “srcTxt”. Now the variable name is obfuscated and the base64 string is broken into multiple strings within an array.
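An analyst-side helper for the change just described, added here as an example and not taken from HALFBAKED or from the researchers’ tooling: it finds JavaScript array literals made of string fragments, joins them, and keeps only the ones that decode as base64. The sample it runs on is constructed by the script itself, the array name `_0xa1b2` is an invented stand-in for an obfuscated name, and the decoy array `cfg` is there to show that short non-base64 arrays are ignored.

```python
"""Recover a base64 payload that has been split into many short string
literals inside a JavaScript array. Added example, not HALFBAKED code;
the sample is constructed and the name _0xa1b2 is an invented placeholder.
"""
import base64
import binascii
import re

# var <name> = [ ... ];  captures the array name and its literal body
ARRAY_RE = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*\[(.*?)\];", re.S)
# double- or single-quoted literals without escape sequences (enough for base64 text)
STRING_RE = re.compile(r'"([^"\\]*)"' + r"|'([^'\\]*)'")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def build_constructed_sample(plaintext, chunk=7, name="_0xa1b2"):
    """Produce a snippet in the described style (constructed, for testing only)."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    parts = [b64[i:i + chunk] for i in range(0, len(b64), chunk)]
    body = ",\n  ".join('"%s"' % p for p in parts)
    decoy = 'var cfg = ["a", "b"];\n'  # short non-base64 array; must be ignored
    return "var %s = [\n  %s\n];\n%s" % (name, body, decoy)


def extract_string_arrays(js):
    """Map array name -> list of string fragments for every literal array found."""
    arrays = {}
    for m in ARRAY_RE.finditer(js):
        frags = [a if a else b for a, b in STRING_RE.findall(m.group(2))]
        if frags:
            arrays[m.group(1)] = frags
    return arrays


def recover_base64_arrays(js, min_len=8):
    """Join each array's fragments and keep the ones that are valid base64."""
    found = {}
    for name, frags in extract_string_arrays(js).items():
        joined = "".join(frags)
        if len(joined) < min_len or len(joined) % 4 or not BASE64_RE.match(joined):
            continue
        try:
            raw = base64.b64decode(joined, validate=True)
        except binascii.Error:
            continue
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            text = None  # binary payload: keep the bytes, no text view
        found[name] = {"fragments": len(frags), "joined_len": len(joined),
                       "bytes": raw, "text": text}
    return found


# Constructed, harmless stand-in for an encoded stage.
PLAINTEXT = 'WScript.Echo("constructed placeholder - not a real payload");'

if __name__ == "__main__":
    sample = build_constructed_sample(PLAINTEXT)
    for name, info in recover_base64_arrays(sample).items():
        print(name, info["fragments"], "fragments ->", info["text"])
```

Because the check is structural (fragments joined, then strict base64 validation) rather than tied to the old `srcTxt` name, it keeps working when the variable name changes again; the minimum length and the `% 4` check are what keep ordinary configuration arrays out of the results.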
The backdoor also now includes a built-in command called “getNK2”, which retrieves the victim’s Microsoft Outlook auto-complete list. The command is named after the NK2 file, which holds the list of auto-complete addresses in Microsoft Outlook 2007 and 2010.
Although recent versions of Outlook no longer use the NK2 file, the backdoor targets them as well, the attackers having written functionality to evade them within the “getNK2” command.
“Detection authors must make trade-offs to optimize signature performance; narrow signatures lead to high fidelity detections, but risk missing changes in actor behaviors, meanwhile broader detection patterns provide better coverage, at the risk of more false positives. Combatting a well-resourced and adaptive adversary requires a layered approach of both signature styles,” ICEBRG states.
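The layered approach the quote argues for, applied to the CMD/JScript delivery described earlier in the article, as an added example (my code, not ICEBRG’s or FireEye’s). The narrow layer checks for artefacts the report names (“tt.txt”, “pp.txt”, WScript run with the JScript engine; the `//E:JScript` switch is standard Windows Script Host syntax, not a value quoted from the report). The broad layer ignores names entirely and looks at structure: a batch file whose body after the header is mostly non-executable lines (labels or `rem`) that carry script-language tokens. The three sample files and all thresholds are constructed placeholders.

```python
"""Two-layer triage for batch files that hide script text in commented-out
lines. Added example, not code from the researchers; samples are placeholders.
"""
import re

HEADER_LINES = 4            # the report: the first four lines are the CMD code itself
MIN_SCRIPT_LINES = 3        # hypothetical threshold
MIN_COMMENTED_RATIO = 0.6   # hypothetical threshold

# Narrow layer: campaign-specific names from the report plus the standard
# cscript/wscript engine-selection switch (general WSH syntax, not from the report).
NARROW_PATTERNS = {
    "tt.txt": re.compile(r"\btt\.txt\b", re.I),
    "pp.txt": re.compile(r"\bpp\.txt\b", re.I),
    "jscript-engine": re.compile(r"\b[wc]script(\.exe)?\b.*//E:JScript", re.I),
}

# Broad layer: batch skips lines that start with ':' (labels) or 'rem',
# which is where a polyglot can park script text.
COMMENT_PREFIXES = (":", "rem ", "@rem ")
SCRIPT_TOKENS = re.compile(r"\b(eval|ActiveXObject|WScript|function|var|new)\b")


def narrow_indicators(text):
    """Names of campaign-specific indicators present in the file."""
    return sorted(name for name, pat in NARROW_PATTERNS.items() if pat.search(text))


def broad_structure(text):
    """Flag a batch file whose body past the header is mostly commented-out
    lines carrying script-language tokens."""
    lines = [l for l in text.splitlines() if l.strip()]
    body = lines[HEADER_LINES:]
    commented = [l for l in body if l.lstrip().lower().startswith(COMMENT_PREFIXES)]
    script_like = [l for l in commented if SCRIPT_TOKENS.search(l)]
    hit = (bool(body)
           and len(script_like) >= MIN_SCRIPT_LINES
           and len(commented) / len(body) >= MIN_COMMENTED_RATIO)
    return {"hit": hit, "body": len(body), "commented": len(commented),
            "script_like": len(script_like)}


def triage(text):
    """Narrow hits are high fidelity; the broad layer keeps coverage when the
    actor renames files or changes the launcher line."""
    narrow = narrow_indicators(text)
    broad = broad_structure(text)
    if narrow:
        verdict = "known-campaign"
    elif broad["hit"]:
        verdict = "suspicious-structure"
    else:
        verdict = "clean"
    return {"verdict": verdict, "narrow": narrow, "broad": broad}


# Constructed samples (placeholders, not the real dropper).
SAMPLE_POLYGLOT = r"""@echo off
echo placeholder header line
copy placeholder "%USERPROFILE%\pp.txt"
exit /b
::var shell = new ActiveXObject("WScript.Shell");
::function run(line) { eval(line); }
::var count = 0;
::WScript.Echo("placeholder");
"""

# Same structure, but the file name and comment marker changed: narrow layer misses it.
SAMPLE_VARIANT = r"""@echo off
echo placeholder header line
copy placeholder "%TEMP%\renamed.txt"
exit /b
:var shell = new ActiveXObject("WScript.Shell");
:function run(line) { eval(line); }
:var count = 0;
:WScript.Echo("placeholder");
"""

# Ordinary build script: many rem lines, no script tokens.
SAMPLE_BENIGN = r"""@echo off
rem build helper script
setlocal
set OUT=build
rem compile the sources
rem run unit tests
echo done
"""

if __name__ == "__main__":
    for label, sample in [("polyglot", SAMPLE_POLYGLOT), ("variant", SAMPLE_VARIANT),
                          ("benign", SAMPLE_BENIGN)]:
        print(label, triage(sample)["verdict"])
```

The variant sample is the point of the exercise: once the actor drops the “pp.txt” name, only the structural layer still fires, while the benign build script shows why the structural layer needs both the comment ratio and the script-token count rather than either alone.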