
Footprints of Fin7: Pushing New Techniques to Evade Detection

Applied Threat Research Team, Gigamon, October 8, 2017

The Gigamon Applied Threat Research (ATR) team actively tracks threat activity associated with FIN7, a financially motivated actor targeting the retail industry. FIN7 has been constantly adapting their phishing documents in order to evade detection — their latest update has initial detections on VirusTotal of 0/59 and 1/59 for the RTF and DOCX formats, respectively.

FIN7 leverages a number of targeted phishing techniques to initially exploit victims in the retail sector. Once they have an initial foothold the actor pivots to Point of Sale systems and steals large quantities of protected card data. In August, the Gigamon ATR team released a large set of indicators of compromise (IOCs) for infected document payloads that displayed similar infection characteristics and techniques to each other. Recently, the Gigamon ATR team observed a shift in techniques including a modified payload that uses a new embedded file type. Additionally, FIN7 has modified the obfuscation utilized by their HALFBAKED backdoor — likely to avoid detection in new or ongoing campaigns.

While the newly observed malicious documents do not represent a “new” attack methodology, the change of payload may cause detection gaps for legacy signatures and heuristics that rely on overly strict matching and lack durability or layered coverage. This post details the newly observed methods and provides indicators associated with the identified infection documents. This will enable retail companies to validate their detections and leverage this intelligence to determine if they’ve been impacted by new campaigns.

Shifting Techniques

Initial Payload

In past versions of infection documents, the Gigamon ATR team observed the actor primarily utilize malicious shortcut files (LNK) or Visual Basic scripts (VBS or VBE) to achieve code execution from within their lure. These malicious files are embedded into the infection documents using the Object Linking and Embedding (OLE) framework within Windows, which allows objects from one application to be included in another.

In the documents released today, FIN7 appears to have pivoted from OLE-embedded LNK files to OLE-embedded CMD files. When executed, the CMD file writes JScript to “tt.txt” under the current user’s home directory. The batch script then copies itself to “pp.txt”, also under the current user’s home directory, before running WScript with the JScript engine on the file. The JScript code reads “pp.txt”, skips the first four lines (the CMD code itself), and evaluates everything after the first character of each remaining line.

Although different in implementation, this is a familiar technique, as FIN7 frequently runs commented out code that they read as a string through the use of JScript’s “eval” function.

Both CMD and LNK file formats result in code execution, but the shift towards using CMD files may indicate a desire to stay ahead of detection authors.
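The execution chain above (an Office lure launching cmd.exe, then a script host forced to run a .txt file as JScript) can be caught on the endpoint without a payload-specific signature. The following is an added example, not code from the Gigamon post: it runs two process-creation rules over constructed Sysmon-style events; the paths, user name and rule names are hypothetical.

```python
import re
from collections import namedtuple

# One process-creation record (Sysmon event ID 1 style fields).
ProcEvent = namedtuple("ProcEvent", "parent_image image command_line")

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = {"js", "jse", "vbs", "vbe", "wsf"}
ENGINE_FLAG = re.compile(r"(?<!\S)//e:\w+", re.IGNORECASE)  # e.g. //E:JScript
PATH_TOKEN = re.compile(r'[A-Za-z]:\\[^"\s]+')  # absolute Windows paths

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def script_target(cmdline):
    # First non-.exe path argument, i.e. the file the script host was told to run.
    for tok in PATH_TOKEN.findall(cmdline):
        if not tok.lower().endswith(".exe"):
            return tok
    return None

def classify(ev):
    """Names of every rule the event triggers (empty list if none)."""
    hits = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    # Rule 1: an Office document launching cmd.exe, as an OLE-embedded CMD file would.
    if parent in OFFICE_APPS and child == "cmd.exe":
        hits.append("office_spawns_cmd")
    # Rule 2: a script host forced onto a file whose extension is not a script type
    # (the post's WScript-with-JScript-engine run against a .txt file).
    target = script_target(ev.command_line)
    if child in SCRIPT_HOSTS and ENGINE_FLAG.search(ev.command_line) and target:
        if basename(target).rpartition(".")[2] not in SCRIPT_EXTS:
            hits.append("script_host_engine_override")
    return hits

def scan(events):
    """(rule, command_line) pairs for every triggered rule, in event order."""
    return [(rule, ev.command_line) for ev in events for rule in classify(ev)]

# Constructed sample events; the paths and user name are hypothetical.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\order.cmd"'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //E:JScript C:\Users\alice\tt.txt"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\Scripts\backup.js"),
]
```

Rule 2 keys on the engine override rather than the file name, so it still fires if the actor renames tt.txt; the third event shows an ordinary script run that neither rule flags.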

Halfbaked Obfuscation Change

Over the course of the past year, the actor’s unique backdoor, HALFBAKED, has continued to morph to improve capabilities and reduce detection surface. In the newest observed version, the Gigamon ATR team observed a slight tweak in the obfuscation strategy.

Previously, different stages of the HALFBAKED codebase utilized base64 encoding, stored in a string array variable called “srcTxt”. The attacker now obfuscates that name and continues to break up the base64 string into multiple strings within an array as seen in Figure 1.

Figure 1: Base64 encoded chunk of the new HALFBAKED functionality

New Halfbaked Feature

Additionally, the HALFBAKED backdoor now includes a built-in command called “getNK2”, seen here in HALFBAKED’s command list (Figure 2). “getNK2” is designed to retrieve the victim’s Microsoft Outlook email client auto-complete list. This may suggest the actor’s desire to obtain new phishing targets within a victim organization. If any of these new targets fell victim to the phishing lure, it would allow FIN7 to increase their foothold within a victim organization’s network and potentially pivot to new areas.

Figure 2: HALFBAKED commands including the recent getNK2 addition

The command “getNK2” is likely named after Outlook’s NK2 file, which contains a list of auto-complete addresses for Microsoft Outlook 2007 and 2010. Newer versions of Outlook no longer use the NK2 file, so FIN7 has also written functionality to handle newer versions of Outlook within the same “getNK2” command. The command will execute the JScript function in Figure 3 on the victim system.

Figure 3: getNK2 command functionality

Conclusion

Detection authors must make trade-offs to optimize signature performance: narrow signatures yield high-fidelity detections but risk missing changes in actor behavior, while broader detection patterns provide better coverage at the risk of more false positives. Combating a well-resourced and adaptive adversary requires a layered approach that uses both signature styles.
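The srcTxt rename described under “Halfbaked Obfuscation Change” is a concrete case of the narrow-versus-broad trade-off above. The following is an added example, not Gigamon's code and not real HALFBAKED content: it runs a narrow signature (the old variable name) and a broad heuristic (an array of several long base64 strings) over constructed old-style, new-style and benign snippets; the obfuscated variable name and the encoded text are made up.

```python
import base64
import re

# Narrow signature: the literal variable name the earlier HALFBAKED stages used.
NARROW = re.compile(r"\bsrcTxt\b")
# Broad heuristic: an array literal of three or more long base64-alphabet strings,
# which survives the variable being renamed.
B64_CHUNK = r'"[A-Za-z0-9+/]{16,}={0,2}"'
BROAD = re.compile(r"\[\s*(?:" + B64_CHUNK + r"\s*,\s*){2,}" + B64_CHUNK + r"\s*\]")

def match_signatures(script_text):
    """Report which of the two signatures fire on a piece of JScript."""
    return {"narrow": bool(NARROW.search(script_text)),
            "broad": bool(BROAD.search(script_text))}

def make_sample(var_name, chunk_len=24):
    """Constructed stand-in for a HALFBAKED stage: harmless text, base64-encoded,
    split across an array of strings and re-joined at runtime."""
    encoded = base64.b64encode(b"constructed sample" * 4).decode()
    chunks = [encoded[i:i + chunk_len] for i in range(0, len(encoded), chunk_len)]
    array = ", ".join('"%s"' % c for c in chunks)
    return 'var %s = [%s];\nvar stage = %s.join("");' % (var_name, array, var_name)

# Old style keeps the srcTxt name; the new style renames it; the third sample is benign.
OLD_STYLE = make_sample("srcTxt")
NEW_STYLE = make_sample("_0x3f1a")  # hypothetical obfuscated name
BENIGN = 'var colors = ["red", "green", "blue"];'

RESULTS = {name: match_signatures(text)
           for name, text in [("old", OLD_STYLE), ("new", NEW_STYLE), ("benign", BENIGN)]}
```

The broad pattern also fires on any legitimate script that stores chunked base64 in an array, which is exactly the false-positive cost the conclusion describes; layering it with the narrow rule lets the narrow hit carry the confidence.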

FIN7 has demonstrated that they are highly adaptable, evading detection mechanisms while impacting a number of large US retail companies over an extended period of time. The Gigamon ATR team will continue to remain vigilant, working to understand FIN7 and empower our customers and affected industries to defend themselves.

This article was written by ATR team members Alex Sirr and Spencer Walden.

Gigamon Insight is a network security analytics solution, delivered as SaaS, that enables customers to gain and use widespread network visibility for security operations. As part of its research, the Gigamon ATR team coordinates disclosure of security threats and vulnerabilities with the relevant parties before publishing blog posts, in order to maximize response and victim remediation efforts and to improve the security of customers and other victims. To learn more about the Gigamon ATR team, please visit www.gigamon.com/research/applied-threat-research-team.html.
