FIN7 Gang Returns With New Malicious Tools: ResearchersFireEye Says Financial Hacking Group Is Deploying New Dropper and Payload
Despite a major law enforcement crackdown on some of its members in 2018, the FIN7 financial hacking gang has returned with new malicious tools, including a revamped dropper and payload, as part of a new campaign, according to a recent analysis from FireEye.
For several years, FIN7 hackers targeted a wide variety of businesses, including fast-food and casual dining restaurants, hotels and casinos. In most cases, the group used spear-phishing techniques to either plant malware in a company's IT network or target point-of-sale machines with the goal of stealing credit card and other payment data, researchers say.
Once that data was collected, it was packaged up and sold on dark net sites, security researchers say (see: Feds Announce Arrests of 3 'FIN7' Cybercrime Gang Members).
And although the U.S. Justice Department arrested three leaders of the group in 2018, it appears that other hackers associated with FIN7 persisted and revamped their toolbox, according to FireEye researchers.
New Malicious Tools
In recent incident responses, FireEye analysts uncovered new FIN7 activity as well as the presence of the new malicious tools. These include Boostwrite, the dropper, and Rdfsniffer, the payload.
These two malicious tools work together. Boostwrite uses valid certification to avoid detection and then plants itself in the network. This dropper delivers malicious payloads straight into memory. It uses an encryption key from the remote server to decrypt the malware when it is activated, the report says.
"FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional anti-virus detection, including a [Boostwrite] sample where the dropper was signed by a valid certificate authority," the FireEye researchers say.
Boostwrite then delivers Rdfsniffer, which is designed to tamper with a remote IT administration tool of the payment processing system, FireEye says.
Rdfsniffer, which is described as a remote access Trojan, or RAT, is designed to target NCR Corp.'s Aloha Command Center client - a remote administrative tool used to troubleshoot certain payment systems and point-of-sale machines, according to FireEye.
The Rdfsniffer malware has the ability to launch man-in-the-middle attacks, hijacking the user interface, uploading files, executing commands and retrieving files from remote systems. The malware can also alter the last user log to ensure there is no session time out, according to the researchers.
The FireEye researchers provided a copy of their report to NCR before publishing their findings.
The FireEye researchers found that the Boostwrite dropper also delivers a backdoor known as Carbanak, which has previously been tied to FIN7 activity (see: Sophisticated Carbanak Banking Malware Returns, With Upgrades).
Previously, FIN7 hackers used phishing emails as the initial attack vector. But in its latest update, FireEye researchers do not specify how the latest FIN7 attacks begin. The report also does not specify what business sectors FIN7 is targeting with these new tools, although the NCR Corp.'s Aloha Command Center is used within the hospitality and restaurant industries. The report also does not mention if any of these attacks have led to the theft of data.
Researchers Warn of New Campaigns
FireEye researchers told Information Security Media Group that the newly discovered malicious tools and techniques provide evidence that FIN7 is continuing to evolve in response to security enhancements, despite the arrests of some members, including the guilty plea of one man in a leadership role with the group (see: Credit Card Theft Ringleader Pleads Guilty).
FIN7 likely will further modify and evolve its methods over the next several months, FireEye researchers say.
"Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns," the researchers say.