A rash of invisible, fileless malware is infecting banks around the globe

itman · Sep 28, 2017

FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks

The infamous FIN7 hacking group has been distributing malware through a LNK file embedded in a Word document via the Object Linking and Embedding (OLE) technology, Cisco Talos security researchers say.

FIN7, also known as Anunak, or Carbanak, is a financially motivated group that has been highly active since the beginning of this year.

While analyzing the attack, the Talos researchers found that the hackers were using an RTF document containing an LNK embedded OLE object that extracted a JavaScript bot and injected an information stealer into memory using PowerShell. The tactic allowed the final payload to be executed onto the target machine without it ever touching the disk.

The use of reflective DLL injection PowerShell code in association with LNK embedded OLE objects for malware delivery shows that the sophisticated group is consistently changing techniques between attacks to avoid detection, Cisco Talos notes.

As part of the analyzed attack, the LNK file is used to execute wscript.exe with the beginning of the JavaScript chain from a Word document object.

The DLL’s analysis reveals data stealing functionality and the targeting of a multitude of applications for this purpose, namely Outlook, Firefox, Google Chrome, Chromium, and forks of Chromium and Opera browsers.

The stolen data is dumped to %APPDATA%\%USERNAME%.ini, then read and encrypted using the SimpleEncrypt function, after which it is sent to a hardcoded command and control (C&C) server using POST requests. The Google Apps Script hosting service is included among the hardcoded addresses, which is not surprising, as the Carbanak group was seen abusing Google services before.
Click to expand...

http://www.securityweek.com/fin7-hackers-use-lnk-embedded-objects-fileless-attacks

Rasheed187 · Sep 30, 2017

Quite sneaky stuff, but as I mentioned before, also quite easy to block. This one is more sneaky, especially because I don't believe a lot of HIPS are monitoring code injection via shims. I do believe MRG mentioned this method in one of their online-banking tests.

http://www.securityweek.com/carbanak-hackers-use-shims-process-injection-persistence

itman · Sep 30, 2017

Rasheed187 said: ↑

Quite sneaky stuff, but as I mentioned before, also quite easy to block. This one is more sneaky, especially because I don't believe a lot of HIPS are monitoring code injection via shims. I do believe MRG mentioned this method in one of their online-banking tests.

http://www.securityweek.com/carbanak-hackers-use-shims-process-injection-persistence
Click to expand...

Good find Missed this one.

To stay protected, organizations are advised to monitor their environments for new shim database files created in the default shim database directories (C:\Windows\AppPatch\Custom and C:\Windows\AppPatch\Custom\Custom64) and for registry key creation and/or modification events for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB. They should also monitor process execution events and command line arguments for malicious use of the sdbinst.exe utility, FireEye said.
Click to expand...

On the other hand, everyone by now is monitoring Powershell script execution locally so the attack would have to be run remotely.

Rasheed187 · Sep 30, 2017

itman said: ↑

On the other hand, everyone by now is monitoring Powershell script execution locally so the attack would have to be run remotely.
Click to expand...

I'm not sure what you mean with remotely. If you block sdbinst.exe from running, or if you block modification of the involved registry keys, the attack won't work. BTW, here are some other interesting showcases of how Barkly and Cybereason block certain file-less attacks.

https://www.cybereason.com/blog-cyb...-malware-utilizing-the-exploit-cve-2017-8759/
https://blog.barkly.com/blocking-sorebrect-ransomware-fileless-infection-technique

itman · Sep 30, 2017

@Rasheed187 after I posted previously, the "light went of in my head" in regards to app shimming in Win 10. Most of its functionality has been removed: https://reverseengineering.stackexc...shims-sdbs-no-longer-functional-in-windows-10 .

Additional ref. here: https://github.com/evil-e/sdb-explorer/issues/2

A few other points in regards to shims:

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDll), and intercept memory addresses (GetProcAddress). Utilizing these shims, an adversary can perform several malicious acts, such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.

Mitigation

There currently aren't a lot of ways to mitigate application shimming. Disabling the Shim Engine isn't recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.
Click to expand...

https://attack.mitre.org/wiki/Technique/T1138

Folks using Win 7 and 8 are strongly advised to apply KB3045645 if not previously done so.

itman · Oct 9, 2017

FIN7 Hackers Change Attack Techniques

The financially-motivated FIN7 hacking group recently switched to a new delivery technique and has been employing a different malware obfuscation method, ICEBRG security researchers reveal.

Highly active since the beginning of 2017, FIN7 (also known as Anunak, or Carbanak) started distributing malware via LNK files embedded in Word documents using the Object Linking and Embedding (OLE) technology. The attack employed a fileless infection method, with no files being written to disk.

The hackers have since switched to using CMD files instead of LNK ones, most probably in an attempt to evade detection. The CMD, the researchers explain, would write JScript to “tt.txt” under the current user’s home directory.

Next, the batch script copies itself to “pp.txt” under the same directory, and then runs WScript using the JScript engine on the file. According to ICEBRG, the JScript code then reads from the “pp.txt” file, evaluating anything after the first character for each line in the file. However, it skips the first four lines, which represent the CMD code itself.

The same as with the LNK files, however, the use of OLE embedded CMD files results in code execution on the victim’s machine. The use of commented out code isn’t new either, and has been previously associated with FIN7.
Click to expand...

http://www.securityweek.com/fin7-hackers-change-attack-techniques

Log in or Sign up

A rash of invisible, fileless malware is infecting banks around the globe

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

itman Registered Member

Log in or Sign up

A rash of invisible, fileless malware is infecting banks around the globe

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

itman Registered Member

Useful Searches