Like defenders and researchers, cybercrime groups constantly improve and adapt their tools and techniques, looking for the right combination for the task at hand. The infamous FIN7 attack group is a prime example of this continuous improvement, and researchers have discovered a pair of new tools the group is using, one of which is specifically designed to target a remote administration client used in payment card processing environments.
FIN7, which has been operating quite successfully for many years against targets around the world, is well-known both to researchers and law enforcement agencies. Last year, the Department of Justice indicted three Ukrainian men for their alleged involvement with the group, and research teams from security firms across the industry have been tracking FIN7 closely since it first emerged in 2015. FIN7 is also known as the Carbanak Group as a nod to the team’s reliance on the Carbanak backdoor in many of its operations. Carbanak is a multi-function backdoor also used by other groups, but FIN7 seems to have a particular affinity for it. The group typically targets banks as well as payment card processors and retailers.
But Carbanak is not the only tool in the group’s arsenal. In several recent incident investigations, specialists from FireEye’s Mandiant group discovered two new tools used by FIN7, including a module that targets the Aloha Command Center client from NCR. That client is used in payment card processing environments to provide remote administration and system management. The RDFSNIFFER module that Mandiant discovered has a number of capabilities and allows the operators to take actions such as intercepting SSL connections, deleting data, and running commands on the remote system.
RDFSNIFFER is loaded onto a target system by the other newly discovered tool, a malware loader the team dubbed BOOSTWRITE.
“When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface. Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out,” a team of researchers from FireEye said in a post on the new tools.
“This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files.”
The BOOSTWRITE loader has its own bag of tricks, including a feature that abuses the DLL search order of applications that load a specific DLL called DWrite.dll. The malware plants its own identically named malicious DLL where the application finds it before the legitimate copy, which kicks off the infection chain, beginning with the download of an encryption key and initialization vector from a remote server.
“Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem,” the FireEye team said.
“Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method. The malware decrypts and loads two payload DLLs. One of the DLLs is an instance of the CARBANAK backdoor; the other DLL is a tool tracked by FireEye as RDFSNIFFER which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.”
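The search-order hijack described above gives defenders a concrete thing to look for: a DWrite.dll loaded from anywhere other than the Windows system directories, typically from the directory of the application that imports it. The following is an added detection example, not FireEye's or the malware's code; the event field names (`image`, `module`, `signed`) and the sample telemetry are constructed for this illustration.

```python
"""Flag DWrite.dll loads that fit a DLL search-order hijack.

Added example; it assumes module-load telemetry shaped like the
constructed records below (loading process image, module path,
and whether the module carried a valid Authenticode signature).
"""
import ntpath

# Directories from which the genuine DWrite.dll is expected to load.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample telemetry: a benign load, an unsigned hijack from
# the application's own directory, and a signed hijack (a signature is
# not a reason to suppress the alert, since the loader itself was signed).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Windows\System32\DWrite.dll", "signed": True},
    {"image": r"C:\Program Files\Vendor\app.exe",
     "module": r"C:\Program Files\Vendor\DWrite.dll", "signed": False},
    {"image": r"C:\Users\u\AppData\Local\tool\tool.exe",
     "module": r"C:\Users\u\AppData\Local\tool\dwrite.dll", "signed": True},
]


def is_hijack_candidate(event):
    """True when DWrite.dll loads from outside the Windows system dirs."""
    module = event["module"]
    if ntpath.basename(module).lower() != "dwrite.dll":
        return False
    directory = ntpath.dirname(module).lower().rstrip("\\")
    return directory not in SYSTEM_DIRS


def find_dwrite_hijacks(events):
    """Return (image, module, side_by_side, signed) per suspicious load.

    side_by_side is True when the DLL sits next to the loading image,
    the classic search-order hijack placement.
    """
    hits = []
    for e in events:
        if not is_hijack_candidate(e):
            continue
        same_dir = (ntpath.dirname(e["image"]).lower()
                    == ntpath.dirname(e["module"]).lower())
        hits.append((e["image"], e["module"], same_dir, e["signed"]))
    return hits


if __name__ == "__main__":
    for image, module, side_by_side, signed in find_dwrite_hijacks(SAMPLE_EVENTS):
        print(f"{image} loaded {module} side_by_side={side_by_side} signed={signed}")
```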
One of the variants of BOOSTWRITE that Mandiant discovered was signed with a code signing certificate, a technique that allows it to bypass many endpoint security tools that trust signed files. FIN7 and other attack groups have used this technique from time to time, and it remains effective.
“Use of a code signing certificate for BOOSTWRITE is not a completely new technique for FIN7 as the group has used digital certificates in the past to sign their phishing documents, backdoors, and later stage tools. By exploiting the trust inherently provided by code certificates, FIN7 increases their chances of bypassing various security controls and successfully compromising victims,” the researchers said.