
Hacker group uses Carbanak backdoor to “target” the U.S. auto industry


Recently, the hacker group FIN7 sent spear-phishing emails to employees of the IT department of a large American automaker and used the Anunak backdoor to infect the system.

According to BlackBerry researchers, the attack occurred late last year and relied on living-off-the-land binaries, scripts and libraries (LOLBAS). The hackers targeted employees with elevated privileges and lured them in with links to malicious URLs posing as the legitimate Advanced IP Scanner tool.

BlackBerry attributes these attacks to FIN7 based on the use of unique PowerShell scripts that include the group's signature “PowerTrash” obfuscated shellcode invoker, first seen in an attack campaign in 2022.

FIN7 has previously targeted exposed Veeam backup and Microsoft Exchange servers, and has deployed Black Basta and Clop ransomware inside enterprise networks.

FIN7 launches attack using spear phishing emails

FIN7 sent spear phishing emails to multiple high-level employees in the IT department of a large U.S. automaker. The email contains a link to “advanced-ip-sccanner(.)com”, a typosquat of “advanced-ip-scanner.com”, the website of the legitimate scanner project.

Researchers discovered that the fake website redirected to “myipscanner(.)com” (now offline). Visitors are then taken to a Dropbox page that serves a malicious executable file ('WsTaskLoad.exe'), which is disguised as a legitimate installer of Advanced IP Scanner.
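The lure above works because “advanced-ip-sccanner.com” differs from the real domain by a single inserted character. The following is an added defensive example, not code from the report or from BlackBerry: it runs a Damerau-Levenshtein lookalike check over constructed proxy log lines to flag hosts that sit within a small edit distance of an allowlist of legitimate tool domains (the allowlist and log format are assumptions).

```python
import re
from urllib.parse import urlsplit

# Legitimate admin-tool domains an attacker might imitate (assumed allowlist).
LEGIT_DOMAINS = {"advanced-ip-scanner.com"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    adjacent transposition each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(host: str, legit=LEGIT_DOMAINS, max_dist: int = 2):
    """Return the legitimate domain that `host` imitates, or None if `host`
    is either the real domain or not close to any allowlisted domain."""
    host = host.lower().strip(".")
    if host in legit:
        return None
    best = None
    for good in legit:
        dist = damerau_levenshtein(host, good)
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (good, dist)
    return best[0] if best else None


def flag_proxy_log(lines):
    """Return (host, imitated_domain) pairs for every URL whose host is a lookalike."""
    hits = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            host = urlsplit(url).hostname or ""
            target = lookalike_of(host)
            if target:
                hits.append((host, target))
    return hits


# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = [
    "2023-12-04T09:12:01Z user=itadmin GET https://advanced-ip-scanner.com/download/",
    "2023-12-04T09:14:33Z user=itadmin GET http://advanced-ip-sccanner.com/",
    "2023-12-04T09:14:35Z user=itadmin GET https://myipscanner.com/landing",
]
```

Note that the second-stage redirect domain in the article (“myipscanner.com”) is not a lookalike and is not caught by this check, so edit-distance matching should be paired with domain-age or reputation lookups rather than used alone.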

Once executed, this file triggers a multi-stage process involving DLL, WAV file, and shellcode execution to load and decrypt a file named “dmxl.bin” that contains the Anunak backdoor payload.

Attack chain diagram source: BlackBerry

Anunak/Carbanak is a commonly used malware tool for FIN7. Other commonly used malware tools include Loadout, Griffon, PowerPlant and Diceloader.

At the same time, WsTaskLoad.exe installs OpenSSH for persistent access and creates a scheduled task. FIN7 has previously used OpenSSH for lateral movement, but BlackBerry says it did not detect this in the campaigns they analyzed.

Scheduled task created for persistence. Image source: BlackBerry

The researchers did not name the victim organization, describing it only as “a large multinational automaker based in the United States.” FIN7 has been around since 2013, but has only shifted to larger targets in the past few years, with the typical final payload being ransomware. In the context of ransomware, it makes sense to move to attacking larger organizations because they can pay larger ransoms.

BlackBerry said the FIN7 attack did not spread beyond the system it initially infected and never reached a lateral movement phase. It is recommended that the company provide appropriate security training on phishing to employees to reduce security risks.

At the same time, multi-factor authentication (MFA) should be implemented on all user accounts to make it difficult for an attacker to access employee accounts even if they successfully steal access credentials. In addition, basic defense measures such as using strong, unique passwords, keeping all software updated, monitoring the network for suspicious behavior, and adding advanced email filtering solutions can also help prevent various types of attacks.

Phishing is increasing in number and taking various forms

A new report from Egress mentions that among the many cybersecurity issues, phishing attacks are taking off. In particular, impersonation attacks are common, with 77% of them pretending to be well-known platforms to conduct fraud attacks, especially DocuSign and Microsoft. Social engineering tactics have intensified, accounting for 16.8% of phishing attacks, while the length of phishing emails has tripled since 2021, likely due to the use of generative AI.

Multi-channel attacks exploit the popularity of work messaging apps, specifically Microsoft Teams and Slack. Together, these applications account for half of the second step in such attacks. Use of Microsoft Teams alone grew significantly, by 104.4% in 2024 compared to the previous quarter.

Today's rapidly developing artificial intelligence has also become a powerful tool for cybercrime, penetrating into all stages of attacks. The report predicts a surge in the use of deepfakes in video and audio formats, amplifying the sophistication of cyberattacks.

Despite technological advancements, Secure Email Gateways (SEGs) are still lagging behind, with attacks that evade detection increasing by 52.2% in early 2024. This highlights the need for adaptive cybersecurity measures in the face of evolving threats.

According to statistics, Millennials have become the main target of cybercriminals, with 37.5% of phishing emails targeting them. This is particularly true in areas such as finance, law and healthcare. At the same time, social engineering attack strategies are also constantly changing, such as personalized attacks around events such as Valentine's Day, which further highlights the evolution of cyber threats.

References:

https://www.bleepingcomputer.com/news/security/fin7-targets-american-automakers-it-staff-in-phishing-attacks/#google_vignette

https://pages.egress.com/whitepaper-phishing-trends-threat-report-04-24.html

https://www.infosecurity-magazine.com/news/quishing-attacks-tenfold/

Original source: FreeBuf