ATRIn our initial two-part blog series on FIN7 we covered network activity patterns, payloads and defensive best practices. FIN7 is a financially-motivated threat actor targeting large organizations that process payment card data or have a significant point of sale (POS) environment.
In Part one, we documented FIN7 command and control and lateral movement behaviors that historically contained detectable patterns that defenders should deploy. In Part two, we covered specific operational tools and tactics.
In this blog, we share additional ongoing research into this actor group, their initial access methods, targeting and infrastructure for the purposes of providing to network defenders an extensive indicator set.
We have collected and analyzed more than 60 initial access payloads since early 2017. The Gigamon Applied Threat Research (ATR) team hopes these IOCs (Indicators of Compromise) will aid defenders by enabling detection and prevention of known bad phishing lures. More importantly, the Gigamon ATR team hopes that this indicator set will empower intel teams and researchers to continue tracking the group as their TTPs evolve to stay ahead of detection capabilities.
Infection Documents
FIN7 commonly infects victims with Microsoft Office document attachments to email. The documents entice users to run malicious code, usually with an image purporting to portray a document decryption service.
These infection documents often go undetected by all major mail, endpoint and network security products at the time they are authored and leveraged as part of attack campaigns. The authors of these documents appear to be monitoring detection mechanisms to continually stay one step ahead of security vendors and targeted organizations.
The recent FIN7 infection document structure is described here. Instead of VBA Macros, the documents have evolved and now contain LNK files embedded into the document with the OLE Packager. The documents from this blog have URLs for HALFBAKED command and control (C2) and sometimes include a Cobalt Strike stager.
Some samples use script-based malware leveraging Google services for command and control. This technique is documented here with samples first observed in December 2016. While infection documents recovered between March and June 2017 used the Cobalt Strike stager, those recovered after the end of June 2017 appear use Google services again. This use of third-party services for command and control is a notable deviation in tradecraft that can present challenges for detection.
The following (HTML or CSV) tables identify C2 indicators on a per-document basis collected after March 2017. Samples herein exhibit significant similarities to known FIN7 infection documents. Unique hashes, IPs, domains and Google Script URLs reside in the appendix for convenience.
This article was written by ATR team members Spencer Walden, Alex Sirr and Dan Caselden.
Appendix
View all sample IOCs and SHA256 hashes — (HTML) (CSV).
SHA256:
| ffebcc4d2e851baecd89bf11103e3c9de86f428fdeaf0f8b33d9ea6f5ef56685 |
| 35096c63c0ff620eb0715c4e2bbbe38350ab54d79724d1a60ae33e08ef6b8a73 |
| a6d05539d5f79947c4c715a7138c9645eee8a8f79c0551ca020c25e86a1297a3 |
| 7cc7b0b36fd6c4af1e42931747c1e7a6f26229859f1ea7b313ce039b6aacc4c0 |
| c240d0c33d326ed49422a8106ff82125d00f452180b4e4342c406d02d0f7e3d7 |
| df22408833b2ae58f0d3e2fe87581be31972ef56e0ebf5efafc4e6e0341b5521 |
| b4568f3786936cae00632cb92a421c9d90e9a076896e64611feb6c949b414180 |
| eb6a54a0018a236c942375ee5c987e0fb01f4c3ed8b4306801084197cd0483a0 |
| 4cd86e8acd3106495ac61be242936bc6fcb55fee3fba9e2d5c93242dc6c7d86a |
| 800615c0abac4626dc531d7b14c7360d776453ed9ad47caa7c2e138e2c1594f5 |
| c61a5e8dc323fce6435b2f0ea45391893e2bb495a682862c2f101017d80ec37c |
| bf46abacce4c3b6895e4cd30156e7172598d3e3d2d45fd05bcea9160ecaf92af |
| d3d39452de3cfe44714a1805b5726b6df5c97ff1c81a1b729b29d3454c774bdd |
| 0bd55c8089d5726c94f9a98221cf2ed7723a37d281173fae7cd0865c761294cb |
| 87c8a3eb76201feb57f6ca182b6add476da7c28cdf54e86e0b83a37a742f3ba5 |
| 6049a727f96a5a089a04dc7989ad606ddfc05d08cbaca81bd9ef5be827e36a50 |
| ed680249f0a4af4001e3cb2394f222a3ee3f4ab547fefa36b058fdbcae5e208c |
| 4458b680f781358da2ab47e1cc43e5a4eb17e5d70825cf1c92a543b353d791b3 |
| f73c7ed3765fec13ffd79aef97de519cfbd6a332e81b8a247fe7d1ccb1946c9c |
| 3819baafea61af8d08709f4e9ebbbb3ffa1d9679c0673014b6cd73d788934551 |
| 09bb05993d9f6524bb081fd2f6974edca2f7a40fdd10e3466472cd04e4120577 |
| ad578311d43d3aea3a5b2908bc6e408b499cc832723225ff915d9a7bc36e0aa4 |
| 546783504ff37a8002802b982bf3f68e7d89dddcb47a5f6f0b332980c32f3bfe |
| 797580e9bc71e80395019b70d009efe1b05d32e25ebff26697fd25a2c99e7666 |
| a1e95ac1bb684186e9fb5c67f75c7c26ddc8b18ebfdaf061742ddf1675e17d55 |
| 6683c319c2c5cac885e6b888655c56c7e0d308ade6dc9ec45bcf6b1fd2dbad47 |
| bebde6f589d39ac7208afe2eecb4e8770d6feb50f88ad3491bdbd7bf95aa6bd5 |
| 037b8013b9f74282d7c20390c9a8375544e3da4f7dd5a708cd7b2632f972f4bb |
| f43fef7dbd6418ed50a1bbaa473590192817a063ae9ee186cd4972d32da9d151 |
| 3979eac974c4a7cdadb8c75a7ed4937181b3279b7c79e413fd256c0510113d77 |
| fadb57aa7a82dbcb2e40c034f52096b63801efc040dd8559a4b8fc873bc962a1 |
| 39ab32a4cafb41c05ccecda59ebb0b1fcc6e08fd94ecad0ac80914fb2ad67588 |
| 2781526f6b302da00661b9a6a625a5a6ecf4ffccafa61202e9b0e9b61b657867 |
| 6604d806eb68fdf914dfb6bbf907a4f2bd9b8757fc4da4e7c5e4de141b8d4e2c |
| 4e3998a7e9042fdf3fd5eed8cf2849355bc87bb8d21dbda5b6a841aff5a01599 |
| ebca565e21a42300e19f250f84b927fa3b32debf3fe13003a4aa5b71ed5cbee9 |
| dd7cec01b2d4df941de36f07f4be0dab9377a8a5fa7069df5a843750d12106c6 |
| fce539b59bd96538b9f2ea9af6e08df06711d6b4309b204690e54f88b5f52bed |
| f3175f366fabd0be8ed0568fa9256197259e480d505a88981a3a43b7a275ec94 |
| 74a5471c3aa6f9ce0c806e85929c2816ac39082f7fea8dbe8e4e98e986d4be78 |
| c357396ca82fdcd6b6f46b748f2b6941051dbc81be5326cf9548e6e95507af7c |
| 7a8c0d72dc51f92bebf28e211bf83dc49f0f46291715e9ed3156a02f1b9f03db |
| 59e01e645b398bec49b8283e08a89d58398311dd58800659689c8c83a779ab21 |
| 6bc8770206c5f2bb4079f7583615adeb4076f2e2d0c655fbafedd9669dc3a213 |
| 63e5bbd99cabf5d03fd536cf257dd9078247e4916491c3f6eb87b4dd4d1b6f91 |
| b13440aa97ace00e812610c1cb86c4da60335614b2cb673cd524224e465752f1 |
| 92116c0ccf691d382d761839ac3c1677c441a8b8be970982f1571fe74546f769 |
| 8fe94d9909fa4a018fc8fe55aca55856005917ee6ca3d4fda114d92ec453e77c |
| 2b4991b2a2792436b50404dcf6310ef2af2573505810ebac08e32f17aee3fbbe |
| 91f028b1ade885bae2e0c6c3be2f3c3dc692830b45d4cf1a070a0bd159f1f676 |
| 4b72f9bc1606d993ee114651b7dbfbb8a599641b282709609ce6b36bcbbf9dd1 |
| 5e015e3ef9d8ddfec8d01329a80cbf2da049e5c9a409bb4231d044b7caf6da68 |
| 39a3f26ff7a02c43327f457916220d542c91cd9726a3d0e7610b89c0bc96f038 |
| b964370cfdd2cff82d35a3fbc850edf865bb43f0c2aaa1bee883d8ffa628485b |
| ed4c3f2605a5619aee010b395d213a631c4a4c18a5a9a5f52234dfc4ec4e8277 |
| 6814d4df330148c790d8a2a8bc89d20f76d879efa0e5396ced581d10e38d5dd2 |
| eebbce171dab636c5ac0bf0fd14da0e216758b19c0ce2e5c572d7e6642d36d3d |
| b602057dee0dcf956481b8217eed198f1ecdc62c348a1f091ef13785bb3458cb |
| 35a7f90c6ef517756a3cef8c73ebb014d4483a5bf00f5382ead3ebe0e66ec78d |
| a7a927bd44040817ae39e15aeb3f0b69ca943d4ce5b00d12eed6fae5b1c325d0 |
| 1d510dd89581fee017c8e6ee0a3c8c6c4694d12d89b2c11b601c2811f38af759 |
IP Addresses:
| 8.28.175[.]68 |
| 204.155.31[.]167 |
| 138.201.44[.]3 |
| 104.193.252[.]167 |
| 104.232.34[.]36 |
| 195.54.162[.]237 |
| 104.232.34[.]166 |
| 5.149.253[.]126 |
| 5.149.250[.]235 |
| 185.159.80[.]123 |
| 185.180.197[.]34 |
| 5.149.250[.]241 |
| 185.180.197[.]20 |
| 204.155.31[.]174 |
| 198.100.119[.]7 |
| 198.100.119[.]6 |
| 195.54.162[.]79 |
| 31.148.219[.]18 |
Domains:
| aaa.stage.10556677.mx1.pdoklbr[.]com |
| aaa.stage.12019683.ns2.true-deals[.]com |
| aaa.stage.12463950.s1.rescsovwe[.]com |
| aaa.stage.14919005.www1.proslr3[.]com |
| aaa.stage.2384024.mx1.pdoklbr[.]com |
| aaa.stage.2940777.n1.modnernv[.]com |
| aaa.stage.3553299.s1.rescsovwe[.]com |
| aaa.stage.6317861.h1.rtopsmve[.]com |
| aaa.stage.7366653.name1.clients33-google[.]com |
Google Script URLs:
| hxxps://script.google[.]com/macros/s/AKfycbwkNc-8rk0caDWO5I4KMymvOXVinfOpR1eevZ63xiXDvcoqOE6p/exec |
| hxxps://script.google[.]com/macros/s/AKfycbxvGGF-QBkaNIWCBFgjohBtkmyfyRpvm91yCGEvzgDvAJdqfW8_/exec |
| hxxps://script.google[.]com/macros/s/AKfycbxyiIBW9SHUFV4S5JM6IW-dmVADFOrTJDM7bZspeBf2Kpf4IN0/exec |
| hxxps://script.google[.]com/macros/s/AKfycbz6dmNJfCPwFchoq6WkJsMjQu22SJTJ9pxMUeQR7bCpmJhW6Bg2/exec |
Part one and two of this blog series was a joint research post by ICEBRG and PwC. Read Part one and Part two.
This article was written by ATR team members Spencer Walden, Alex Sirr and Dan Caselden.
