FIN7, closely associated with the notorious Carbanak group, is behind a targeted phishing campaign singling out restaurants with fileless malware that is difficult to detect.
The recent campaign incorporates “never before seen evasive techniques that allow (malware) to bypass most security solutions,” wrote researchers at Morphisec Lab in a report released on Friday.
They said the malware attacks “pose a severe risk to enterprises” because the malware is so hard to detect. As of Friday, there was a zero detection rate on VirusTotal for the documents used to deliver the malware.
“This means the attackers successfully bypass static analysis by most of the security solutions,” said Michael Gorelik, vice president of research and development at Morphisec.
He said the fileless attacks are currently targeting restaurants across the United States. The objective of the FIN7 attackers is to seize system control and install a backdoor to steal financial information at will. The initial attack pattern is typical of fileless malware. First, a well-crafted phishing email is sent with an RTF Word document attached which, if opened, launches a fileless attack that uses DNS queries to deliver the shellcode stage (Meterpreter).
The twist, according to Morphisec Lab researchers, is the use of DNS queries to deliver the shellcode stage. “In this new variant, all the DNS activity is initiated and executed solely from memory, unlike previous attacks which used PowerShell commands.”
In March, FIN7’s fileless malware campaign focused on financial institutions and government agencies. The previous PowerShell script opened a backdoor and grabbed commands from the command-and-control server. Today’s FIN7 attacks are different. By using DNS queries and shellcode, researchers say, attackers can more effectively evade detection, mount future attacks and be more prolific. According to an analysis of OpenDNS data, FIN7 is currently carrying out large-scale attacks with peaks of more than 10,000 DNS requests per hour.
“The shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of attackers. The shellcode is the primary differentiating technique between this campaign and past attacks by FIN7 and other threat actors,” Gorelik wrote.
Malicious attachments are restaurant themed and typically named “menu.rtf”, “Olive Garden.rtf” or “Chick Fil A Order.rtf”, to name a few. “The attached RTF file uses OLE and has many similarities to previous FIN7 attacks. But this attack, instead of activating HTA files (mshta.exe) from within the link, executes obfuscated JavaScript code,” researchers said.
Once the RTF document is opened, the victim is presented with a Word file that contains a large image of an envelope that instructs “Double Click Here To Unlock Contents.” According to researchers, all the target needs to do is double-click on the envelope and then press “OK” on a dialogue box to trigger the infection process.
The warning on the dialogue box reads: “The package you are about to open will run a program contained within the package. That program could be anything and may harm your computer.”
The RTF document contains the JavaScript code snippets that create a scheduled task which runs the malware’s second-stage code after a one-minute delay.
“This delayed execution helps to bypass behavior analysis since the second stage is not directly executed by the first stage,” Gorelik explained. “Basically, FIN7 implemented a shellcode that gets the next stage shellcode using the DNS messaging technique directly from memory. This way they can successfully evade many of the behavior-based solutions.”
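The delay described above is a detectable pattern in its own right: a scheduled task that is registered and then fires within a minute or two, with a script host as its action, is unusual for legitimate software. The following is an added example written for this article, not code from Morphisec or from the campaign. It parses constructed task definitions in the Windows Task Scheduler XML schema (the same shape carried in the TaskContent field of Security event 4698) and flags tasks whose first TimeTrigger is close to the registration date and whose Exec action launches a script host. The sample tasks, the five-minute window and the script-host list are assumptions chosen for illustration.

```python
"""Flag scheduled tasks registered to fire shortly after creation.

Added example (not from the article, Morphisec or FIN7 tooling). Input is
Task Scheduler XML as found in event 4698's TaskContent; sample tasks below
are constructed. Delay window and script-host list are assumptions.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace used by Windows task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed list of interpreters whose near-immediate scheduling is worth a look.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe"}


def _task_xml(name, registered, start, command, args=""):
    """Build a constructed task definition for the sample set."""
    return f"""<Task version="1.2" xmlns="{NS['t']}">
  <RegistrationInfo><Date>{registered}</Date><URI>\\{name}</URI></RegistrationInfo>
  <Triggers><TimeTrigger><StartBoundary>{start}</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command><Arguments>{args}</Arguments></Exec></Actions>
</Task>"""


# Constructed sample tasks: one benign nightly updater, one one-minute script-host
# task mirroring the pattern described in the article, one short-delay GUI program.
SAMPLE_TASKS = [
    _task_xml("Example Updater", "2017-06-09T10:00:00", "2017-06-10T03:00:00",
              r"C:\Program Files\Example\updater.exe", "/check"),
    _task_xml("OneMinuteTask", "2017-06-09T10:00:00", "2017-06-09T10:01:00",
              r"C:\Windows\System32\wscript.exe", r"C:\Users\Public\stage2.js"),
    _task_xml("LogonHelper", "2017-06-09T10:00:00", "2017-06-09T10:00:45",
              r"C:\Windows\System32\notepad.exe"),
]


def _image_name(command):
    """Reduce a command path to its lower-cased executable name."""
    return command.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_task(xml_text, max_delay=timedelta(minutes=5)):
    """Return a finding dict for one task, or None if it has no time trigger."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    registered = root.findtext("t:RegistrationInfo/t:Date", namespaces=NS)
    start = root.findtext("t:Triggers/t:TimeTrigger/t:StartBoundary", namespaces=NS)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    args = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
    if registered is None or start is None:
        return None  # logon/boot/event triggers are outside this heuristic
    delay = datetime.fromisoformat(start) - datetime.fromisoformat(registered)
    # Suspicious only when both traits coincide: fires almost immediately
    # after registration AND the action is an interpreter rather than a binary.
    suspicious = timedelta(0) <= delay <= max_delay and _image_name(command) in SCRIPT_HOSTS
    return {
        "task": name,
        "delay_seconds": int(delay.total_seconds()),
        "command": command,
        "arguments": args,
        "suspicious": suspicious,
    }


def scan_tasks(xml_documents, max_delay=timedelta(minutes=5)):
    """Analyze a list of task XML documents, skipping those without a time trigger."""
    results = [analyze_task(x, max_delay) for x in xml_documents]
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        marker = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{marker:10} {finding['task']:<22} delay={finding['delay_seconds']}s "
              f"{finding['command']} {finding['arguments']}")
```

In a real deployment the registration date is less trustworthy than the event timestamp (it is written by the task author), so the event's own time should be used as the baseline; the XML field is used here only because the sample is self-contained.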
The analysis revealed that each DNS query returned an additional snippet of shellcode until the payload was complete. The last query is to the subdomain ihc[.]stage[.]12019683[.]ns2[.]true-deals[.]com, according to the research.
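Two traits of this delivery channel are visible to a defender who only has DNS logs: the query volume described earlier (peaks above 10,000 requests per hour in the OpenDNS data) and a long run of distinct, never-repeated subdomains under one parent domain, each carrying a fragment of the payload. The code below is an added example, not part of the article or Morphisec's research. It replays a handful of constructed DNS query log lines and flags any (parent domain, hour) bucket that combines a query burst with a high share of unique subdomains. The log format, the `.test` domains, the record types and the thresholds used in the demo are assumptions; the production default of 10,000 queries per hour comes from the figure quoted above.

```python
"""Heuristic detector for DNS-carried staged payload delivery.

Added example, not from the article or Morphisec. Log format, sample domains
and thresholds are constructed; the parent-domain split assumes two labels
and no public-suffix list.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <client> <qname> <qtype>".
# Six sequential stage labels under one parent mirror the pattern described
# in the article; the rest is ordinary lookup noise.
SAMPLE_LOG = """\
2017-06-09T10:00:01 10.0.0.5 www.example-restaurant.test A
2017-06-09T10:00:03 10.0.0.5 www.example-restaurant.test A
2017-06-09T10:01:10 10.0.0.5 0.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:01:11 10.0.0.5 1.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:01:11 10.0.0.5 2.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:01:12 10.0.0.5 3.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:01:12 10.0.0.5 4.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:01:13 10.0.0.5 ihc.stage.12019683.ns2.bad-staging.test TXT
2017-06-09T10:05:00 10.0.0.7 mail.example-restaurant.test MX
2017-06-09T11:00:00 10.0.0.5 www.example-restaurant.test A
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, qname, qtype = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        qname.lower().rstrip("."), qtype))
    return records


def parent_domain(qname, labels=2):
    """Last `labels` labels of a name (assumption: no public-suffix handling)."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname


def summarize_by_hour(records):
    """Count queries and distinct names per (parent domain, hour) bucket."""
    buckets = defaultdict(lambda: {"queries": 0, "subdomains": set()})
    for ts, _client, qname, _qtype in records:
        key = (parent_domain(qname), ts.strftime("%Y-%m-%dT%H"))
        buckets[key]["queries"] += 1
        buckets[key]["subdomains"].add(qname)
    return buckets


def flag_staging(records, min_queries=10_000, min_unique=100, min_unique_ratio=0.8):
    """Flag buckets that combine a query burst with mostly unique subdomains.

    The default min_queries reflects the per-hour peak cited in the article;
    min_unique and the ratio are assumed tuning knobs.
    """
    findings = []
    for (parent, hour), b in sorted(summarize_by_hour(records).items()):
        unique = len(b["subdomains"])
        ratio = unique / b["queries"]
        if (b["queries"] >= min_queries and unique >= min_unique
                and ratio >= min_unique_ratio):
            findings.append({"parent": parent, "hour": hour,
                             "queries": b["queries"], "unique_subdomains": unique})
    return findings


if __name__ == "__main__":
    # Thresholds lowered so the ten-line constructed sample produces a hit.
    for f in flag_staging(parse_log(SAMPLE_LOG), min_queries=5, min_unique=4):
        print(f"{f['hour']} {f['parent']}: {f['queries']} queries, "
              f"{f['unique_subdomains']} unique subdomains")
```

A CDN or large SaaS tenant can also generate many distinct subdomains, so this heuristic is a triage signal to pair with client count and domain age rather than a stand-alone verdict.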
Next, a second-stage encrypted shellcode is delivered. Upon decryption more obfuscation takes place. “The shellcode deletes the ‘MZ’ prefix from within a very important part of the shellcode. This prefix indicates it may be a dll, and its deletion helps the attack to evade memory scanning solutions,” the report said.
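The ‘MZ’ deletion works against scanners that look for the two-byte DOS signature as their cue that an executable image sits in memory. The image remains a valid PE in every other respect, so a scanner that validates the structure behind the signature rather than the signature itself is not fooled. The code below is an added example written for this article, not part of the report. It builds a constructed, PE-shaped buffer (not a real executable), simulates the described deletion on that buffer, and contrasts a naive ‘MZ’ search with a structural check that locates `PE\0\0` and validates the COFF and optional-header fields behind it. The sanity ranges for section count and optional-header size are assumptions.

```python
"""Naive MZ search versus structural PE header validation.

Added example, not from the article or Morphisec. The buffer is a constructed
header skeleton, not an executable; it exists only to show why a memory
scanner should not key on the two-byte DOS signature.
"""
import struct

# Machine values from the PE/COFF specification (subset).
IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "amd64", 0x1C0: "arm", 0xAA64: "arm64"}
# Optional header Magic values: PE32 and PE32+.
OPTIONAL_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
COFF_HEADER = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp,
#                            PointerToSymbolTable, NumberOfSymbols,
#                            SizeOfOptionalHeader, Characteristics


def build_sample_image(pe_offset=0x80):
    """Constructed PE-shaped buffer: DOS stub, e_lfanew, PE signature, headers."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, pe_offset)          # e_lfanew
    buf[pe_offset:pe_offset + 4] = b"PE\x00\x00"
    struct.pack_into(COFF_HEADER, buf, pe_offset + 4,
                     0x8664, 3, 0, 0, 0, 240, 0x2022)
    struct.pack_into("<H", buf, pe_offset + 24, 0x20B)    # optional header Magic
    return bytes(buf)


def strip_mz(buf):
    """Simulate the evasion described in the report: blank the DOS signature."""
    return b"\x00\x00" + buf[2:]


def naive_mz_scan(buf):
    """Offsets where a signature-only scanner would report an image."""
    hits, pos = [], buf.find(b"MZ")
    while pos != -1:
        hits.append(pos)
        pos = buf.find(b"MZ", pos + 1)
    return hits


def structural_pe_scan(buf):
    """Locate PE signatures and keep only those with a plausible header behind them."""
    hits, pos = [], buf.find(b"PE\x00\x00")
    while pos != -1:
        if pos + 26 <= len(buf):
            machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
                COFF_HEADER, buf, pos + 4)
            (opt_magic,) = struct.unpack_from("<H", buf, pos + 24)
            # Assumed sanity ranges: 1..96 sections, optional header at least
            # large enough to hold its standard fields.
            if (machine in IMAGE_FILE_MACHINE and 0 < nsections <= 96
                    and opt_size >= 24 and opt_magic in OPTIONAL_MAGIC):
                hits.append({"offset": pos,
                             "machine": IMAGE_FILE_MACHINE[machine],
                             "format": OPTIONAL_MAGIC[opt_magic],
                             "sections": nsections})
        pos = buf.find(b"PE\x00\x00", pos + 1)
    return hits


if __name__ == "__main__":
    image = build_sample_image()
    stripped = strip_mz(image)
    print("naive scan, intact image:   ", naive_mz_scan(image))
    print("naive scan, MZ removed:     ", naive_mz_scan(stripped))
    print("structural scan, MZ removed:", structural_pe_scan(stripped))
```

The structural check is a carving heuristic, so it can still be tuned: a loader's own code may contain `PE\0\0` followed by bytes that happen to parse, which is why the field validation matters more than the signature match.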
According to the analysis of the attack, the final payload is CobaltStrike Meterpreter, which is used by many attackers and pen testers. “Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization,” the report said.