Despite the arrest of several FIN7 members in 2018, the notorious hacking group still remains active and continues to expand its toolkit with new malware, says FireEye’s Mandiant threat research team. During their investigation the experts discovered a new loader and a module that exploits the legitimate remote administration software used by the ATM maker NCR Corporation.
The group has been active since late 2015 and is focused on targeting businesses worldwide in order to steal payment card information. The FIN7 group is believed to be responsible for attacks on more than 100 US companies, most of them in the restaurant, hospitality, and industries.
The new in-memory dropper sample, dubbed Boostwrite, uses new detection evasion tactics, such as the adoption of valid certificates, to distribute malware onto victims’ systems. One of the analysed Boostwrite variants contained two payloads: the well-known Carbanak backdoor and Rdfsniffer, a new tool designed to tamper with a remote IT administration tool called NCR Aloha Command Center, which is used to manage and troubleshoot systems in the payment processing sector that run the Command Center Agent.
The Boostwrite dropper decrypts its embedded payloads using an encryption key retrieved from a remote server at runtime. It uses the DLL search order hijacking technique to get its DLLs loaded into the target process’s memory, which allows it to download the initialization vector (IV) and decrypt the two embedded payload DLLs.
“The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions,” the report states.
The researchers found several Boostwrite samples, one of which was uploaded to VirusTotal on October 3 and was signed with a code signing certificate issued to MANGO ENTERPRISE LIMITED. The tactic proved effective: the signed Boostwrite sample had a 0/68 detection ratio when it was uploaded to VirusTotal.
"Use of a code signing certificate for Boostwrite is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools," researchers said. "By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims."
Rdfsniffer is a tool that allows the hackers to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Center Client’ (RDFClient). It loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, and so launches each time the ‘Aloha Command Center Client’ is executed on the victim’s system. The tool has a wide range of functions, including the ability to launch man-in-the-middle attacks against SSL sessions and socket connections, as well as to hijack the utility’s user interface (UI). Rdfsniffer is also able to upload files, execute commands and retrieve files from remote systems that connect to the admin toolset.
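Both Boostwrite and Rdfsniffer get into their host process through DLL search order hijacking: a DLL that should come from a Windows system directory is picked up from the application’s own folder instead. The following is an added detection example, not code from FireEye, NCR or the article; it assumes Sysmon-style image-load records reduced to the process executable path (`image`) and the loaded module path (`image_loaded`), and the DLL names, vendor paths and sample records in it are constructed for illustration.

```python
"""Flag image-load records that look like DLL search-order hijacking.

Added example for this article, not code from FireEye or NCR. It assumes
Sysmon-style image-load records reduced to the process executable path
('image') and the loaded module path ('image_loaded'); the DLL names and
sample records below are constructed for illustration.
"""
from pathlib import PureWindowsPath

# DLL names that should only ever be loaded from the Windows system
# directories (illustrative subset; build the real list from a clean baseline).
SYSTEM_DLL_NAMES = {"version.dll", "cryptsp.dll", "dbghelp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")


def _under(path: str, root: str) -> bool:
    """Case-insensitive 'path lies below root' check for Windows paths."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def suspicious_image_loads(events):
    """Return the records whose DLL carries a system-DLL name but was loaded
    from outside the system directories, with a short reason attached."""
    hits = []
    for ev in events:
        dll = PureWindowsPath(ev["image_loaded"])
        if dll.name.lower() not in SYSTEM_DLL_NAMES:
            continue
        if any(_under(str(dll), d) for d in SYSTEM_DIRS):
            continue
        exe_dir = PureWindowsPath(ev["image"]).parent
        where = "application directory" if dll.parent == exe_dir else "non-system directory"
        hits.append({**ev, "reason": f"{dll.name} loaded from {where}"})
    return hits


# Constructed sample records; the vendor/product paths are placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\ExampleVendor\AdminClient\AdminClient.exe",
     "image_loaded": r"C:\Windows\System32\version.dll"},                         # normal load
    {"image": r"C:\Program Files\ExampleVendor\AdminClient\AdminClient.exe",
     "image_loaded": r"C:\Program Files\ExampleVendor\AdminClient\VERSION.dll"},  # hijack pattern
    {"image": r"C:\Program Files\ExampleVendor\AdminClient\AdminClient.exe",
     "image_loaded": r"C:\Program Files\ExampleVendor\AdminClient\vendorui.dll"}, # vendor's own DLL
]

if __name__ == "__main__":
    for hit in suspicious_image_loads(SAMPLE_EVENTS):
        print(hit["image"], "->", hit["reason"])
```

A signed DLL in the application folder still trips this check, which is the point: as the article notes, a valid code signing certificate is not evidence that a module belongs there.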
“While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence FIN7 is continuing to evolve in response to security enhancements,” the researchers said. “Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.”