SHARE
Threat Research / August 9, 2017

Footprints of FIN7: Tracking Actor Patterns — IOCs

ATR  

In our initial two-part blog series on FIN7 we covered network activity patterns, payloads and defensive best practices. FIN7 is a financially-motivated threat actor targeting large organizations that process payment card data or have a significant point of sale (POS) environment.

In Part one, we documented FIN7 command and control and lateral movement behaviors that historically contained detectable patterns that defenders should deploy. In Part two, we covered specific operational tools and tactics.

In this blog, we share additional ongoing research into this actor group, their initial access methods, targeting and infrastructure for the purposes of providing to network defenders an extensive indicator set.

We have collected and analyzed more than 60 initial access payloads since early 2017. The Gigamon Applied Threat Research (ATR) team hopes these IOCs (Indicators of Compromise) will aid defenders by enabling detection and prevention of known bad phishing lures. More importantly, the Gigamon ATR team hopes that this indicator set will empower intel teams and researchers to continue tracking the group as their TTPs evolve to stay ahead of detection capabilities.

Infection Documents

FIN7 commonly infects victims with Microsoft Office document attachments to email. The documents entice users to run malicious code, usually with an image purporting to portray a document decryption service.

These infection documents often go undetected by all major mail, endpoint and network security products at the time they are authored and leveraged as part of attack campaigns. The authors of these documents appear to be monitoring detection mechanisms to continually stay one step ahead of security vendors and targeted organizations.

The recent FIN7 infection document structure is described here. Instead of VBA Macros, the documents have evolved and now contain LNK files embedded into the document with the OLE Packager. The documents from this blog have URLs for HALFBAKED command and control (C2) and sometimes include a Cobalt Strike stager.

Some samples use script-based malware leveraging Google services for command and control. This technique is documented here with samples first observed in December 2016. While infection documents recovered between March and June 2017 used the Cobalt Strike stager, those recovered after the end of June 2017 appear use Google services again. This use of third-party services for command and control is a notable deviation in tradecraft that can present challenges for detection.

The following (HTML or CSV) tables identify C2 indicators on a per-document basis collected after March 2017. Samples herein exhibit significant similarities to known FIN7 infection documents. Unique hashes, IPs, domains and Google Script URLs reside in the appendix for convenience.

This article was written by ATR team members Spencer Walden, Alex Sirr and Dan Caselden.

Appendix

View all sample IOCs and SHA256 hashes — (HTML) (CSV).

SHA256:

ffebcc4d2e851baecd89bf11103e3c9de86f428fdeaf0f8b33d9ea6f5ef56685
35096c63c0ff620eb0715c4e2bbbe38350ab54d79724d1a60ae33e08ef6b8a73
a6d05539d5f79947c4c715a7138c9645eee8a8f79c0551ca020c25e86a1297a3
7cc7b0b36fd6c4af1e42931747c1e7a6f26229859f1ea7b313ce039b6aacc4c0
c240d0c33d326ed49422a8106ff82125d00f452180b4e4342c406d02d0f7e3d7
df22408833b2ae58f0d3e2fe87581be31972ef56e0ebf5efafc4e6e0341b5521
b4568f3786936cae00632cb92a421c9d90e9a076896e64611feb6c949b414180
eb6a54a0018a236c942375ee5c987e0fb01f4c3ed8b4306801084197cd0483a0
4cd86e8acd3106495ac61be242936bc6fcb55fee3fba9e2d5c93242dc6c7d86a
800615c0abac4626dc531d7b14c7360d776453ed9ad47caa7c2e138e2c1594f5
c61a5e8dc323fce6435b2f0ea45391893e2bb495a682862c2f101017d80ec37c
bf46abacce4c3b6895e4cd30156e7172598d3e3d2d45fd05bcea9160ecaf92af
d3d39452de3cfe44714a1805b5726b6df5c97ff1c81a1b729b29d3454c774bdd
0bd55c8089d5726c94f9a98221cf2ed7723a37d281173fae7cd0865c761294cb
87c8a3eb76201feb57f6ca182b6add476da7c28cdf54e86e0b83a37a742f3ba5
6049a727f96a5a089a04dc7989ad606ddfc05d08cbaca81bd9ef5be827e36a50
ed680249f0a4af4001e3cb2394f222a3ee3f4ab547fefa36b058fdbcae5e208c
4458b680f781358da2ab47e1cc43e5a4eb17e5d70825cf1c92a543b353d791b3
f73c7ed3765fec13ffd79aef97de519cfbd6a332e81b8a247fe7d1ccb1946c9c
3819baafea61af8d08709f4e9ebbbb3ffa1d9679c0673014b6cd73d788934551
09bb05993d9f6524bb081fd2f6974edca2f7a40fdd10e3466472cd04e4120577
ad578311d43d3aea3a5b2908bc6e408b499cc832723225ff915d9a7bc36e0aa4
546783504ff37a8002802b982bf3f68e7d89dddcb47a5f6f0b332980c32f3bfe
797580e9bc71e80395019b70d009efe1b05d32e25ebff26697fd25a2c99e7666
a1e95ac1bb684186e9fb5c67f75c7c26ddc8b18ebfdaf061742ddf1675e17d55
6683c319c2c5cac885e6b888655c56c7e0d308ade6dc9ec45bcf6b1fd2dbad47
bebde6f589d39ac7208afe2eecb4e8770d6feb50f88ad3491bdbd7bf95aa6bd5
037b8013b9f74282d7c20390c9a8375544e3da4f7dd5a708cd7b2632f972f4bb
f43fef7dbd6418ed50a1bbaa473590192817a063ae9ee186cd4972d32da9d151
3979eac974c4a7cdadb8c75a7ed4937181b3279b7c79e413fd256c0510113d77
fadb57aa7a82dbcb2e40c034f52096b63801efc040dd8559a4b8fc873bc962a1
39ab32a4cafb41c05ccecda59ebb0b1fcc6e08fd94ecad0ac80914fb2ad67588
2781526f6b302da00661b9a6a625a5a6ecf4ffccafa61202e9b0e9b61b657867
6604d806eb68fdf914dfb6bbf907a4f2bd9b8757fc4da4e7c5e4de141b8d4e2c
4e3998a7e9042fdf3fd5eed8cf2849355bc87bb8d21dbda5b6a841aff5a01599
ebca565e21a42300e19f250f84b927fa3b32debf3fe13003a4aa5b71ed5cbee9
dd7cec01b2d4df941de36f07f4be0dab9377a8a5fa7069df5a843750d12106c6
fce539b59bd96538b9f2ea9af6e08df06711d6b4309b204690e54f88b5f52bed
f3175f366fabd0be8ed0568fa9256197259e480d505a88981a3a43b7a275ec94
74a5471c3aa6f9ce0c806e85929c2816ac39082f7fea8dbe8e4e98e986d4be78
c357396ca82fdcd6b6f46b748f2b6941051dbc81be5326cf9548e6e95507af7c
7a8c0d72dc51f92bebf28e211bf83dc49f0f46291715e9ed3156a02f1b9f03db
59e01e645b398bec49b8283e08a89d58398311dd58800659689c8c83a779ab21
6bc8770206c5f2bb4079f7583615adeb4076f2e2d0c655fbafedd9669dc3a213
63e5bbd99cabf5d03fd536cf257dd9078247e4916491c3f6eb87b4dd4d1b6f91
b13440aa97ace00e812610c1cb86c4da60335614b2cb673cd524224e465752f1
92116c0ccf691d382d761839ac3c1677c441a8b8be970982f1571fe74546f769
8fe94d9909fa4a018fc8fe55aca55856005917ee6ca3d4fda114d92ec453e77c
2b4991b2a2792436b50404dcf6310ef2af2573505810ebac08e32f17aee3fbbe
91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676
4b72f9bc1606d993ee114651b7dbfbb8a599641b282709609ce6b36bcbbf9dd1
5e015e3ef9d8ddfec8d01329a80cbf2da049e5c9a409bb4231d044b7caf6da68
39a3f26ff7a02c43327f457916220d542c91cd9726a3d0e7610b89c0bc96f038
b964370cfdd2cff82d35a3fbc850edf865bb43f0c2aaa1bee883d8ffa628485b
ed4c3f2605a5619aee010b395d213a631c4a4c18a5a9a5f52234dfc4ec4e8277
6814d4df330148c790d8a2a8bc89d20f76d879efa0e5396ced581d10e38d5dd2
eebbce171dab636c5ac0bf0fd14da0e216758b19c0ce2e5c572d7e6642d36d3d
b602057dee0dcf956481b8217eed198f1ecdc62c348a1f091ef13785bb3458cb
35a7f90c6ef517756a3cef8c73ebb014d4483a5bf00f5382ead3ebe0e66ec78d
a7a927bd44040817ae39e15aeb3f0b69ca943d4ce5b00d12eed6fae5b1c325d0
1d510dd89581fee017c8e6ee0a3c8c6c4694d12d89b2c11b601c2811f38af759

IP Addresses:

8.28.175[.]68
204.155.31[.]167
138.201.44[.]3
104.193.252[.]167
104.232.34[.]36
195.54.162[.]237
104.232.34[.]166
5.149.253[.]126
5.149.250[.]235
185.159.80[.]123
185.180.197[.]34
5.149.250[.]241
185.180.197[.]20
204.155.31[.]174
198.100.119[.]7
198.100.119[.]6
195.54.162[.]79
31.148.219[.]18

Domains:

aaa.stage.10556677.mx1.pdoklbr[.]com
aaa.stage.12019683.ns2.true-deals[.]com
aaa.stage.12463950.s1.rescsovwe[.]com
aaa.stage.14919005.www1.proslr3[.]com
aaa.stage.2384024.mx1.pdoklbr[.]com
aaa.stage.2940777.n1.modnernv[.]com
aaa.stage.3553299.s1.rescsovwe[.]com
aaa.stage.6317861.h1.rtopsmve[.]com
aaa.stage.7366653.name1.clients33-google[.]com

Google Script URLs:

hxxps://script.google[.]com/macros/s/AKfycbwkNc-8rk0caDWO5I4KMymvOXVinfOpR1eevZ63xiXDvcoqOE6p/exec
hxxps://script.google[.]com/macros/s/AKfycbxvGGF-QBkaNIWCBFgjohBtkmyfyRpvm91yCGEvzgDvAJdqfW8_/exec
hxxps://script.google[.]com/macros/s/AKfycbxyiIBW9SHUFV4S5JM6IW-dmVADFOrTJDM7bZspeBf2Kpf4IN0/exec
hxxps://script.google[.]com/macros/s/AKfycbz6dmNJfCPwFchoq6WkJsMjQu22SJTJ9pxMUeQR7bCpmJhW6Bg2/exec

Part one and two of this blog series was a joint research post by ICEBRG and PwC. Read Part one and Part two.

This article was written by ATR team members Spencer Walden, Alex Sirr and Dan Caselden.

RELATED CONTENT

SOLUTION BRIEF
Increase the effectiveness of your cyber defenses
DEMO
See a simulated breach based on real-life customer challenges
WEBINAR
SANS: Avoiding or Minimizing Ransomware Impact to the Bottom Line
REPORT
Gigamon ThreatINSIGHT Guided-SaaS Network Detection and Response

Back to top