SECURITY

FIN7 Tools Resurface in the Field – Splinter or Copycat?

This blog is part 1 and covers FIN7, a highly-skilled group, and the two tools. To find a walkthrough of Remcos executed via Splunk's Attack Range Local, check out part 2, Detecting Remcos Tool Used by FIN7 with Splunk.


FIN7 is a well-organized criminal group composed of highly-skilled individuals that target financial institutions, hospitality, restaurant, and gambling industries. Until recently, it was known that high-level individuals of this criminal enterprise were arrested — specifically 3 of them — and extradited to the United States. 

 

This criminal group performed highly technical malicious campaigns which included effective compromise, exfiltration and fraud using stolen payment cards. Another heist related to the history of this group and actors includes withdrawing money from ATMs, bypassing all controls as seen in the video linked below. 
 

Source: Mario Mazzochi ATM Carbanak Attack


Carbanak and FIN7 are usually referred to as the same group, although some security researchers believe they might be two groups using the same malware and should be tracked separately. Without delving deeper into the assumptions of being two different groups, however, we can take a look at their tools which is what we can measure via payload samples and research from the community.  

FIN7 is a particular group highly specialized in targeting specific verticals. These individuals carefully and thoroughly pretexted and pursued their victims in some cases to establish rapport via conversations in order to lure their victims into clicking on their malicious payloads. 
 

Source: DOJ


According to the Department of Justice, FIN7 group stole approximately 15 million cards in the United States. This group was significantly successful in its criminal enterprise, including the creation of an apparent Information Security Technology company where they kept track of their victims using off-the-shelf software like Atlassian JIRA. 
 


Due to the notoriety, extent and sophistication of this group and the tools they use, we are going to particularly focus on FIN7 tools, techniques and procedures. Recently, a specific tool which is a signature of this group known as the JSS loader has apparently resurfaced, indicated by reports from some security research sites and mentioned in some security publications

Based on previous arrests of what was thought to be some of the main characters of this organization, we need to ask ourselves: is this a splinter from a former group trying to get business back online, or is this a copycat using the former tools, rewriting them and even attempting to reuse former infrastructure from past campaigns? Or basically, the group was indeed not affected by arrests and decided to lay low and then reappear as reported recently by Recorded Future.

We do not have enough information to respond to the above questions, however, we can prepare ourselves to defend against this group by looking at their tools.

In this two-part blog we are going to address two tools used by this group — JSS Loader and Remcos.

FIN7 Javascript

FIN7 is well known to use a spear-phishing campaign to compromise a machine by downloading or executing an obfuscated javascript as the first stage. We analyze old and the latest script found in the wild to summarize all possible behavior it may execute in the targeted machine.

Javascript Execution Using .XSL File

One interesting behavior we saw in one of these variants is how it executes the malicious javascript. First it will create a copy of legitimate wmic.exe in “user\public” folder, as well as the .xsl file that will be executed using command “wmic os get /format:”<malicious>.xsl”. Then the .xsl will execute the actual malicious javascript in the .txt file extension. Below is the screenshot of that .XSL file.
 


We can also see how it uses the cscript.exe application to execute the malicious javascript by using the command “cscript //e:jscript ibivigi.txt”

This JS is capable of gathering information to the compromised host by executing several WMI query commands. Below is the WMI query we saw during our analysis.
 

WMI Query and Shell CMD

Information It Gather and Checks

select * from Win32_NetworkAdapterConfiguration where ipenabled = true

MACAddress, DNSHostName

SELECT * FROM Win32_BIOS

SMBIOSBIOSVersion, BIOS SerialNumber, check virtualization

Win32_process.Handle

Process Handle

cmd /c whoami /groups | find "12288"

Check elevated privilege cmd instance

Select * from Win32_ComputerSystem

Check if part of the domain, PC model, DNS hostname

select * from Win32_DesktopMonitor

Check Screen size, and Monitor Type

select * from win32_process

Enumerate process, check virtualization


Aside from the table above, it queries wmi “Win32_OperatingSystem” to check several items like in the screenshot below.
 


It checks if the host has an enabled UAC by querying the “EnableLua” Registry and saves the output as part of its data gathering.
 


It will also try to gather AD information by running ActiveXObject “ADSystemInfo” to check if the host is part of the domain or not.
 


Data Exfiltration

After gathering all that information, it will be encrypted and sent to its C2 server using the HTTP POST Request command.
 


We also found some variants where it uses DNS exfiltration of data. With this feature, it will encrypt first all the gathered data, encode it to base64, then query the C2 DNS server using nslookup application with the encoded data to it. The command is shown in the figure below.
 


JSSLoader

FIN7 also has some binary backdoor tools that will do a collection of data from the compromised host and send it to its C2 server. Some variants of JSSloader are compiled to .NET and some are in C++. 

C2 Server Communication

In both JSSloader samples, we've seen that it is capable of communicating to its C2 server to request for commands and exfiltrate collected data from the compromised machine. Below is the user-agent it uses in those samples:
 


.NET compiled of JSSloader



JSSloader compiled C++


Collection of Data 

Like the obfuscated JScript it is also capable of collecting data by using WMI query in  “Win32_ComputerSystem”, “Win32_Product” and “Win32_Process”.

Additionally, both variants have a function that will list all the files on the desktop of the compromised host that will also send to its C2 server.
 


JSSloader Compiled .NET 



C++ compiled JSSloader


There is also a feature in the .net version of JSSloader where it runs Windows command-line tools like ipconfig.exe and systeminfo.exe then pipe the output to another function that collects and exfiltrates data.
 


Taking a Screenshot 

Another feature identified is taking a screenshot of the compromised host. The screenshot image will not be dropped on the disk; rather, it will be saved in a memory stream that will be encoded to base64 and sent to its C2 server.
 


Parsing Browser Databases

It also has some functions that parse the browser information like history and URL visits of users in both Chrome and Firefox applications. This is done by accessing the SQLite database of those browsers and executing SQL queries to its database.
 


Parsing Chrome history



Parsing Firefox URL visited 


Detections

Jscript Execution Using Cscript App (New)

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
  where (Processes.parent_process_name = "cscript.exe" AND Processes.parent_process = "*//e:jscript*") OR (Processes.process_name = "cscript.exe" AND Processes.process = "*//e:jscript*")
  by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user 
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)`
 | `security_content_ctime(lastTime)`



XSL Script Execution With WMIC (New)

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
  where Processes.process = "*os get*" Processes.process="*/format:*" Processes.process = "*.xsl*"
  by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user 
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`



Non-Chrome Process Accessing Chrome Default Dir (New)

`wineventlog_security` EventCode=4663 NOT (process_name IN ("*\\chrome.exe", "*\\explorer.exe", "*sql*")) Object_Name="*\\Google\\Chrome\\User Data\\Default*" 
| stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 



Non-Firefox Process Access Firefox Profile Dir (New)

`wineventlog_security` EventCode=4663 
  NOT (process_name IN ("*\\firefox.exe", "*\\explorer.exe", "*sql*")) Object_Name="*\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles*" 
  | stats count min(_time) as firstTime max(_time) as lastTime 
  by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 



Office Application Drop Executable Unit Test (New)

`sysmon` EventCode=11 Image IN ("*\\winword.exe","*\\excel.exe","*\\powerpnt.exe","*\\mspub.exe","*\\visio.exe","*\\wordpad.exe","*\\wordview.exe")
  TargetFilename IN ("*.exe","*.dll","*.pif","*.scr","*.js","*.vbs","*.vbe","*.ps1") AND NOT(TargetFilename IN ("*\\program files*","*\\windows\\*"))
  | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename ProcessGuid dest user_id 
  | `security_content_ctime(firstTime)` 
  |`security_content_ctime(lastTime)`



Cmdline Tool Not Executed In CMD Shell (New)

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes 
  where  (Processes.process_name = "ipconfig.exe" OR Processes.process_name = "systeminfo.exe") 
  AND NOT (Processes.parent_process_name = "cmd.exe" OR Processes.parent_process_name = "powershell*" OR Processes.parent_process_name = "explorer.exe") 
  by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processes.process Processes.dest Processes.user 
  | `drop_dm_object_name(Processes)` 
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)` 


Check Elevated CMD using whoami (New)

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes
  where  Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*" 
  by Processes.dest Processes.user Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.parent_process_id 
  | `drop_dm_object_name(Processes)`
  | `security_content_ctime(firstTime)` 
  | `security_content_ctime(lastTime)` 



MS Scripting Process Loading WMI Module (New)

`sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\fastprox.dll", "*\\wbemdisp.dll", "*\\wbemprox.dll", "*\\wbemsvc.dll" , "*\\wmiutils.dll", "*\\wbemcomn.dll") 
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count
  by Image EventCode process_name ProcessId ProcessGuid Computer  | where count >= 5
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`



MS Scripting Process Loading Ldap Module (New)

sysmon` EventCode =7 Image IN ("*\\wscript.exe", "*\\cscript.exe") ImageLoaded IN ("*\\Wldap32.dll", "*\\adsldp.dll", "*\\adsldpc.dll") 
| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count
  by Image EventCode process_name ProcessId ProcessGuid Computer  | where count >= 2
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`



 

Detection

Techniques ID

Tactics

Description

Jscript Execution Using Cscript App (New)

T1059.007

Execution

Detects jscript execution using cscript application

XSL Script Execution With WMIC (New)

T1220

Defense Evasion

Detects execution of xsl script using wmic process

Non Chrome Process Accessing Chrome Default Dir (New)

T1555.003

Credential Access

Detects non-chrome process accessing Chrome user default folder

Non Firefox Process Access Firefox Profile Dir (new)

T1555.003

Credential Access

Detects non-Firefox process accessing Firefox profile folder

Office Application Drop Executable Unit Test (New)

T1566.001

Initial Access

Detects MS office application dropping executable and scripts.

Office Document Executing Macro Code (Existing)

T1566.001

Initial Access

Detects office application execute macro code

Cmdline Tool Not Executed In CMD Shell(New)

T1059.007

Execution

Detects execution of Windows commandline tools in non-cmd shell process

Check Elevated CMD using whoami(New)

T1033

Discovery

Detects whoami commandline checks if cmd instance is elevated

MS Scripting Process Loading WMI Module(New)

T1059.007

Execution

Detects ms scripting process loading wmi modules

MS Scripting Process Loading Ldap Module(New)

T1059.007

Execution

Detects ms scripting process loading ldap modules

Office Product Spawning Wmic (updated)

T1566.001

Initial Access

Detects office application spawn wmic process

DNS Exfiltration Using Nslookup App (Existing)

T1048

Exfiltration

Detects dns exfiltration using nslookup

Excessive Usage of NSLOOKUP App (Existing)

T1048

Exfiltration

Detects high usage of nslookup application


Hashes

Filename

Hashes SHA1

JSSloader 

48864921c6a905d34a413279b31d4bb719b59898

Macro contain JSSloader

895cbed43d27d42e7a021eb7a7f811f58896d8c7

Macro with JS implant

a37e708427b777cf3cd780fa611cc4983a40d7fd

Latest JS script

731828ded8ba3d0e9ba21b58620f303efd04846f

JSSloader .net 

53F92D0B56B3EADD97E77684C9C374DB08B654F8


Contributors

We would like to thank the following for their contributions to this post:

  • Teoderick Contreras
  • Rod Soto

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content

TAGS

FIN7 Tools Resurface in the Field – Splinter or Copycat?

Show All Tags
Show Less Tags

Join the Discussion