Overview
In July 2021, NSFOCUS Security Labs captured a number of phishing documents using windows 11 related topics as bait. These phishing documents show some ideas and techniques that are different from common phishing attacks. Through in-depth analysis, NSFOCUS Security Labs found that the phishing files are part of a large-scale spear attacks being carried out by FIN7, and that the Trojans it released were actually newer variants of the Griffon Trojans commonly used by the organization.
The phishing documents and technical details of subsequent attack components show that the FIN7 organization began to detect the host environment more frequently in these spear attacks, and spent more effort covering up the traces of the attacks.
These phishing documents once again prove that FIN7 did not disband as a result of the intensive arrests in 2018, but changed its business model to more carefully engage in cyber crimes focused on stealing financial assets. Security vendors should pay close attention to various types of attacks that use known attack tools from FIN7.
Introduction of Threat Group
FIN7 is an advanced, finance-oriented organization, and its activities first started in 2015.
The organization has always targeted retail, catering and hospitality companies, with an elaborate spearfishing campaign to start the infection process. Once access to the victim’s network, the organization uses behavior similar to APT to maintain and expand its foothold until they accomplish their goals or become capable of obtaining information.
It is reported that since 2015, FIN7 members have carried out highly complex malware activities targeting more than 100 companies. They invaded thousands of computer systems and stole millions of customers’ credit and debit card numbers, and then sold them for profit. In the United States alone, FIN7 managed to break through the computer networks of companies in 47 states and the District of Columbia, stealing 15 million customer card records from more than 6,500 sales points in more than 3,600 separate locations.
The organization’s organized and structured operations, as well as the scale and speed with which they adapt and change the TTP, indicate that FIN7 is a large-scale cybercriminal group.
On August 1, 2018, three leaders of FIN7 were arrested: Dmytro Fedorov, a 44-year-old Ukrainian national, Fedir Hladyr, 33, and Andrii Kolpakov, 30.
However, Kaspersky’s disclosures in 2019[1] and 2020[2] showed that FIN7 continued to engage in cybercrimes after losing its leaders, even pretending to be a penetration testing company and recruiting hackers on a large scale. The reorganized hacker group was named FIN7.5.
An analysis [3] in late 2020 showed that attacks organized by FIN7 began delivering RYUK ransomware.
Technical Analysis
There are several bait documents in the FIN7 phishing attacks, most of which use the same attack flow, but the malicious code and execution logic included were slightly different.
A sample named “CLIENTs-state-072021-4.doc” will be used for the analysis in this section.
Phishing Document
After the document is opened, the following content is displayed:
The first page contains a bait image, claiming that the document was created using the windows11 alpha version and requires the user to turn on the editing function. This is a common form of social engineering. To add credibility, the picture is accompanied by a link to a legal QR code from the official windows website.
The second page contains an invisible table of contents that will be used by the subsequent attack flow.
Malicious VBA Macro
The document contains a relatively complex malicious VBA macro code, which will be launched after the victim turns on the word editing function.
Obfuscation
The malicious macro code contains several known obfuscation techniques.
Obfuscation 1: as shown below, the Trojan contains a large amount of annotated text to combat detection. This technique is often used by some Russian APT groups:
Obfuscation 2: as shown below, all the strings used by the malicious macro are obtained through a function called UVRqb:
The function is to extract the character string at the corresponding position from the invisible table in the word document, parse the string into a decimal number sequence, and solve the text information through a simple offset algorithm IBjdq1x92.
The key for the offset algorithm is an ASCII string NY2qBrOIEllx8Br.
Function
After removing the obfuscation, you can easily see that the main function of this macro has two parts.
The main function of the macro code in the first part is named FKL6POhP:
This function is mainly used to detect the operating environment, including:
- Check whether the domain name of the host is “CLEARMIND”;
- Use LDAP to check whether the CLEARMIND/RootDSE directory exists;
- Check whether the computer name contains the string of VMware, Virtual, innotek, QEMU, Oracle, Hyper and Parallels;
- Check whether the total memory of the operating system is less than 4GB;
- Check whether the operating language of the system is one of the following:
LCID | Code | Language |
1049 | ru-RU | Russian |
1058 | uk-UA | Ukrainian |
2073 | ru_MD | Moldovan |
1070 | hsb-DE | German |
1051 | sk-SK | Slovak |
1059 | be-BY | Belarusian |
1060 | sI-SI | Slovenian |
1061 | et-EE | Estonian |
3098 | sr-Cyrl-CS | Serbian Cyrillic |
2074 | sr-Latn-CS | Serbian Latin |
- Check whether the system language preference is Russian;
- Check whether the registry key HKEY_USERS\.DEFAULT\Control Panel\International\User Profile\Languages is Russian.
If any of the above detections hits, the malicious macro will delete the table in the document and end the program.
The second part of the macro code looks for the ole stream named word_data.bin embedded in the document, releases and renames it to %TEMP%\word_data.js and executes it.
Malicious JS Script (Griffon)
The script released and executed by the vba script named word_data.js is actually a Griffon Trojan that FIN7 has frequently used in previous attacks.
Obfuscation
The js script contains similar obfuscation logic, including the use of a large amount of annotation text to fight against detection, the use of obfuscation algorithms to hide string content, and so on.
This js script uses the simple logic of the obtrusion algorithm function ri2cy, which converts the input encrypted string into a decimal number sequence, and then uses a multi-byte XOR to decrypt the corresponding string. The XOR key used by this algorithm is the ASCII string gp26vwk9.
Function
Removing obfuscated js scripts follows the Griffon Trojans style used by FIN7. This version appears this time adds the following countermeasures:
- Running time verification: obtain system time twice in succession and compare with a fixed value for anti-debugging;
- Send a post request to the fixed domain name tnskvggujjqfcskwk.com and check whether the returned value is the skill switch of the control Trojan.
The main communication logic of the Trojan is consistent with the earlier version, which attempt to link to the following URLs:
https[:]/bypassociation.com/[path1]/[path2]?type=name
[path1] Randomly select from the following fields:
“Images”, “pictures”, “img”, “info”, “new”
[path2] Randomly select from the following fields:
“Sync”, “show”, “hide”, “add”, “new”, “renew”, “delete”
After connecting to the url, it sends a post packet with the following information:
‘group=doc700&secret=7Gjuyf39Tut383w&time=120000&uid=’ + uniq_id +’&id=’ + id +’&’ + data
Uniq_id indicates the timestamp obtained when the script is started, ID consists of MAC address and DNSHostName, and data contains a fixed string “page_id=new”.
Subsequent Attack Payload
After testing, Griffon Trojan will obtain a JS spy Trojan used to collect basic information of the system after communication with CnC mentioned above. The Trojan is presumed to be part of the framework of current Griffon.
This spy Trojan uses the same communication logic as the Griffon Trojan to communicate with bypassociation.com. Part of the data of the post request packet sent by it contains the fixed string “page_id=add_info&info=” and the following information collected from the victim host:
Prefix | Content |
username*** | username |
hostname*** | CPU name |
elevated*** | Whether it is high authority, ‘yes’ or ‘no’ |
process_owner*** | Trojan creator |
adinformation*** | Trojan running directory |
part_of_domain*** | Is it in the domain, ‘yes’ or ‘no’ |
pc_domain*** | Computer’s domain |
pc_dns_host_name*** | Computer DNS hostname |
pc_model*** | Computer model |
error0*** | Whether there was an error when getting the above content |
os_name*** | System name |
os_build_number*** | System build number |
os_version*** | System version |
os_sp*** | System sp version |
os_memory*** | Memory size |
os_free_memory*** | Free Memory size |
os_registered_user*** | System registered user name |
os_registered_org*** | System registration organization |
os_registered_key*** | System registration serial number |
os_last_boot*** | Last start time |
os_install_date*** | Installation time |
os_arch*** | System structure |
os_product_type*** | Product type |
os_language_code*** | System language |
os_timezone*** | Current time zone |
os_number_of_users*** | Number of system users |
dm_type*** | Display model |
dm_screen_size*** | Display size |
uac_level*** | Whether to enable UAC,’yes’ or ‘no’ |
outlook*** | Outlook program information |
word*** | Word program information |
excel*** | Excel program information |
acrobat*** | Acrobat program information |
error1*** | Whether there was an error when getting the above content |
process_list*** | Process list |
is_vm*** | Whether it is a virtual machine environment, ‘yes’ or ‘no’ |
error2*** | Whether there was an error when getting the above content |
This shows that the Trojan will collect very detailed information about the victim’s host.
According to the logic of previous Griffon Trojans, the CnC host will issue other JS Trojan components after confirming the host information.
Analysis of Other Documents
Among the documents using the same bait images, there is an earlier (2021-06-29 21:22:09) sample (md5: dc7c07bac0ce9d431f51e2620da93398) with a unique Trojan. The Trojan is encapsulated with a simple rc4 encryption shell, and the corresponding key is the ASCII string aeghde.
Analyzing of the decrypted Trojan, we found that it is a JSSLoader downloader Trojan rewritten in C++. The Trojan, originally a .NET program, was used by FIN7 and an organization called TA543 by security vendor Proofpoint. FIN7 mainly uses the JSSLoader Trojan to download the Carbanak Trojan and Griffon Trojan. Proofpoint [4] ‘s report provides a detailed analysis of the JSSLoader’s evolution.
The JSSLoader Trojan connected to CnC in this example is https[:]//crafterband.com, and the corresponding IP address is 109.234.37.173.
Attacker Association
The Trojan appeared in the phishing attacks is a newer version of the Griffon Trojan known to FIN7. The characteristics of the attackers in this incident, including large-scale bait placement, the use of general bait images, and a large number of countermeasures, are also in consistent with the performance of FIN7 in previous attacks. It can be judged that these bait documents using windows 11 topics are part of the recent phishing campaign launched by FIN7.
What’s interesting is that the VBA code attached to these phishing documents adds the judgment logic for German in the language detection part. This feature is easily linked to the experience of Fedir Hladyr, the former leader of FIN7. According to a recent news, this senior member was arrested in Germany in 2018 and sentenced to 10 years in prison in April 2021. The above information suggests that recent FIN7 attacks have become more cautious and have begun to deliberately evade law enforcement agencies in specific countries.
Conclusion
FIN7 is still active. The attacks show that the intensive arrest in 2018 did not wipe out the cybercrime group. After a period of reorganization, the re-emerging FIN7 began to use a new operating model and attack model to continue to carry out cybercriminal activities focusing on theft of financial assets.
Speculated from recent attacks, the organization may have begun to sell its existing attack tools, to promote the integration of its attack process with that of other hacker organizations. Therefore, defenders should actively respond to attacks that use FIN7’s existing Trojan and tools, and the focused detections should include Griffon Trojan, JSSLoader Trojan and etc, which are commonly used by the organization.
[1] https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
[2] https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest
[3] https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
[4] https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded
[5] https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded