A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).
The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing “important” information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.
POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.
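Because both backdoors described above carry their C&C traffic over DNS TXT queries, the traffic a defender is left with is a stream of resolver queries rather than an HTTP session. The following script is an added example, not code from the article or from FireEye, of a simple hunting check over DNS query logs: it groups queries by client and registered domain and flags pairs with an unusual number of TXT lookups whose subdomain labels are long or high-entropy (a sign that data is being encoded into the query name). The log format (`timestamp client qtype qname`), the sample lines, the domain names and the thresholds are all constructed for the example and should be adapted to the real resolver or Sysmon telemetry in use.

```python
"""Flag client/domain pairs whose DNS TXT query pattern resembles DNS-tunnelled C&C.

Added example: log format, sample lines, domain names and thresholds are
constructed for illustration and are not taken from the article or FireEye.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: "timestamp client qtype qname".
# 10.0.0.12 sends a burst of TXT queries with 40-character hex labels to one
# domain; 10.0.0.20 and 10.0.0.21 make ordinary TXT lookups (DMARC/SPF style).
SAMPLE_LOG = """\
2017-03-08T10:01:02Z 10.0.0.12 A mail.victim-corp.test
2017-03-08T10:01:05Z 10.0.0.12 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d.c2-placeholder.test
2017-03-08T10:01:10Z 10.0.0.12 TXT 1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e.c2-placeholder.test
2017-03-08T10:01:15Z 10.0.0.12 TXT 2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f.c2-placeholder.test
2017-03-08T10:01:20Z 10.0.0.12 TXT 3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60.c2-placeholder.test
2017-03-08T10:01:25Z 10.0.0.12 TXT 4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071.c2-placeholder.test
2017-03-08T10:01:30Z 10.0.0.12 TXT 5f60718293a4b5c6d7e8f90a1b2c3d4e5f607182.c2-placeholder.test
2017-03-08T10:02:00Z 10.0.0.20 TXT _dmarc.victim-corp.test
2017-03-08T10:02:01Z 10.0.0.20 A www.victim-corp.test
2017-03-08T10:02:05Z 10.0.0.21 TXT victim-corp.test
"""


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def registered_domain(qname):
    """Naive registered-domain extraction: last two labels (a real tool would
    use the public suffix list; this simplification is an assumption)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def subdomain_part(qname, domain):
    """Return the part of qname left of the registered domain ('' if none)."""
    if qname == domain or not qname.endswith("." + domain):
        return ""
    return qname[: -(len(domain) + 1)]


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_txt_c2_candidates(log_text, min_txt=5, min_label_len=30, min_entropy=3.0):
    """Return alerts for (client, domain) pairs with >= min_txt TXT queries whose
    subdomain labels are long or high-entropy. Thresholds are arbitrary."""
    stats = defaultdict(lambda: {"txt": 0, "total": 0, "max_label": 0, "max_entropy": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        domain = registered_domain(rec["qname"])
        s = stats[(rec["client"], domain)]
        s["total"] += 1
        if rec["qtype"] != "TXT":
            continue
        s["txt"] += 1
        sub = subdomain_part(rec["qname"], domain)
        longest = max((len(l) for l in sub.split(".") if l), default=0)
        s["max_label"] = max(s["max_label"], longest)
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(sub.replace(".", "")))

    alerts = []
    for (client, domain), s in stats.items():
        suspicious_labels = s["max_label"] >= min_label_len or s["max_entropy"] >= min_entropy
        if s["txt"] >= min_txt and suspicious_labels:
            alerts.append({"client": client, "domain": domain,
                           "txt_queries": s["txt"], "total_queries": s["total"],
                           "max_label_len": s["max_label"],
                           "max_entropy": round(s["max_entropy"], 2)})
    return sorted(alerts, key=lambda a: -a["txt_queries"])


if __name__ == "__main__":
    for alert in find_txt_c2_candidates(SAMPLE_LOG):
        print(alert)
```

The two signals are deliberately combined: legitimate TXT lookups (SPF, DMARC, domain verification records) are usually few per client and use short, dictionary-like labels, so requiring both a query count and an odd label shape keeps the false-positive rate manageable. In production the registered-domain step should use the public suffix list, and the thresholds should be tuned against a baseline of the environment's own resolver logs.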
POWERSOURCE has also been spotted delivering Cobalt Strike’s Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.
FireEye has identified 11 targets in the financial services, transportation, education, retail, IT services, and electronics sectors. While the SEC-themed spear-phishing campaign focuses on organizations in the United States, experts believe it is possible that the cybercriminals have launched similar operations in other countries, leveraging the names of their respective regulators.
The security firm said its products and services blocked these attacks in their early stages, which prevented researchers from determining what the attackers were after.
“If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse,” FireEye researchers said in a blog post. “Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”
In previous attacks, FIN7 used various point-of-sale (PoS) malware families to steal sensitive financial information from targeted organizations. The Carbanak malware used by the group is known for its role in campaigns that involved fraudulent bank transactions and ATM attacks.