The Fin7 cybercrime group has ramped up its offensive capabilities by adding new malicious code to its malware arsenal. Researchers said that this is evidence that Fin7 is still a growing threat despite the arrest of several Fin7 members in 2018.
The notorious group has adopted a new dropper sample called Boostwrite, which uses new detection evasion tactics, such as the adoption of valid certificates, to distribute malware onto victims’ systems. Researchers have also discovered the group using a new payload, Rdfsniffer. The payload has been developed to tamper with a remote IT administration tool used in tech support for payment processing applications. This, researchers said, suggests a continued targeting of point-of-sale systems at restaurants, casinos and hotels.
“While these incidents have also included FIN7’s typical and long-used toolsets, such as Carbanak and Babymetal, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements,” researchers with FireEye said in a Thursday analysis.
Fin7’s Lengthy Past
Since 2015, Fin7 has gone after point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it. Fin7 has also used a backdoor linked to Carbanak (another prolific cybercrime outfit responsible for billions in losses in the financial services industry) and has stolen more than 15 million payment-card records from American businesses by infiltrating more than 6,500 individual point-of-sale terminals at more than 3,600 business locations, according to the Department of Justice (DoJ).
In August 2018, the DoJ announced it had arrested three Fin7 members, who were identified as Ukrainian nationals and charged them with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.
However, the group’s new malware samples and modus operandi indicate that Fin7 doesn’t appear to be going anywhere. In 2019, the cybercrime group launched widespread campaigns hitting businesses with two never-before-seen malware samples – including a new administrative panel and two previously unseen malware samples, dubbed SQLRat and DNSBot.
Now, the newest malicious code samples – the Boostwrite dropper and Rdfsniffer payload – shows Fin7 expanding its cyber-weaponry.
New Dropper, Payload
Researchers said they came across the new tools during “several recent incident response engagements.” While Fin7 has typically hit victims with malware-laced emails, researchers but did not detail the initial attack vector for Fin7’s campaigns that touted the new malicious code (Threatpost has reached out for further comment).
Once launched, the Boostwrite dropper decrypts embedded payloads using an encryption key retrieved from a remote server. 
In order to avoid detection, the dropper has also uses valid certificates: “FIN7 has been observed making small changes to this malware family using multiple methods to avoid traditional antivirus detection, including a Boostwrite sample where the dropper was signed by a valid Certificate Authority,” said researchers.
Boostwrite contains two payloads: the previously-used Carbanak and a brand-new payload, Rdfsniffer. Rdfsniffer appears to have been developed to tamper with an IT remote administration tool used by NCR Corporation, an American technology company that makes self-service kiosks, point-of-sale terminals, automated teller machines, check processing systems and more.
The legitimate remote admin toolset, Aloha Command Center client, is designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent.
“The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility,” researchers said. From there, it allows an attacker to monitor and tamper with legitimate connections made through the toolset.
That includes capabilities to launch man-in-the-middle attacks against SSL sessions and socket connections, as well as hijacking the utility’s user interface (UI). The payload can also upload files, execute commands and retrieve files from remote systems that connect to the admin toolset.
Researchers said they provided this information to NCR. Threatpost has also reached out to NCR. Looking ahead, researchers say that they expect FIN7 to continue developing new tools and launching cyberattacks on organizations.
“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns,” they said. “As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.”
What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free Threatpost webinar, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” Click here to register.
