13. The Hurt Locker
Here are a few highlights from each article we discussed:
- In August 2018, several individuals associated with FIN7 were arrested. However, recent activity using the same TTPs indicates that the arrests didn’t put a damper on their operations.
- The recent operations used spear phishing emails and may have targeted over 130 companies. Interestingly, they also noted that the group seems to be using a fake pentest company to trick unwitting infosec employees into doing criminal work for the group.
- It looks like FIN7 developed a homemade builder for malicious Office documents, likely to avoid detection of their old documents once the IOCs had been published. According to Kaspersky, they borrowed ideas from ThreadKit. The new builder inserts random values into the Author and Company metadata fields and lets the operator vary other IOCs, such as the filenames of the wscript.exe or schtasks.exe copies. The Kaspersky report referenced Griffon, which is the implant the malicious Word documents deliver to victims. Kaspersky identified four modules associated with this implant: a reconnaissance module used to gather information about the infected machine, a meterpreter module that downloads Tinymet, a screenshot module, and a persistence module.
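Because the builder randomizes the Author and Company fields, those fields themselves become a signal a defender can check. The example below is added here and is not code from the podcast, the Kaspersky report, or FIN7's tooling; it constructs two minimal .docx-style zip files in memory (a constructed fixture, not real Word output), reads docProps/core.xml and docProps/app.xml, and flags metadata values that look machine-generated alongside the presence of a word/vbaProject.bin macro container. The randomness heuristic (alphanumeric-only, no spaces, mixed letters and digits or high character entropy) and the thresholds are assumptions chosen for illustration, not published detection logic.

```python
import io
import math
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the two document-properties parts.
NS_DC = "http://purl.org/dc/elements/1.1/"
NS_CORE = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS_APP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def shannon_entropy(text):
    """Bits per character of the string; higher means more 'random-looking'."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value):
    """Heuristic (assumption): a builder-generated value is a single alphanumeric
    token with no spaces that either mixes letters and digits or has high entropy.
    Human-entered names and company strings almost always contain spaces."""
    v = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9]{6,}", v):
        return False
    has_digit = any(ch.isdigit() for ch in v)
    has_alpha = any(ch.isalpha() for ch in v)
    return (has_digit and has_alpha) or shannon_entropy(v) >= 3.3


def build_docx(author, company, with_macro):
    """Constructed fixture: the smallest zip layout needed to exercise the check.
    Real Word files carry many more parts; only the ones inspected here are written."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS_CORE}" xmlns:dc="{NS_DC}">'
        f"<dc:creator>{author}</dc:creator></cp:coreProperties>"
    )
    app = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Properties xmlns="{NS_APP}"><Company>{company}</Company></Properties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a VBA project container.
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def inspect_docx(data):
    """Extract Author/Company, report whether a macro container is present, and
    list the metadata fields whose values look generated rather than typed."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        author = company = ""
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            el = root.find(f"{{{NS_DC}}}creator")
            author = (el.text or "") if el is not None else ""
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            el = root.find(f"{{{NS_APP}}}Company")
            company = (el.text or "") if el is not None else ""
    suspicious = [
        field for field, value in (("Author", author), ("Company", company))
        if looks_random(value)
    ]
    return {
        "author": author,
        "company": company,
        "has_macros": "word/vbaProject.bin" in names,
        "suspicious_metadata": suspicious,
    }


if __name__ == "__main__":
    benign = build_docx("Jane Doe", "Example Corp", with_macro=False)
    generated = build_docx("QxZ3kp9wRt", "hGtv8Lqp", with_macro=True)
    for label, doc in (("benign", benign), ("generated", generated)):
        print(label, inspect_docx(doc))
```

On real samples the same two-part read works on any .docx or .docm because both are zip containers; a macro-enabled document with randomized Author and Company values is a strong reason to route it to sandboxing even when its file hash is not yet on a blocklist.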
- CopyPaste is the temporary name that Kaspersky gave to a campaign that they now think may have been associated with FIN7. They list a few overlaps between CopyPaste and FIN7 – they both use the same PowerShell argument obfuscation order, they both used decoy 302 HTTP redirections, and both typosquatted the company “Digicert.” However, Kaspersky admits these are not very strong connections and that it’s possible the two groups aren’t connected.
- It’s widely believed that Hidden Cobra is a North Korean group, and they’ve been given other names like Lazarus Group or Guardians of Peace. Lazarus is the name I’ve heard the most, and has been associated with some super high profile crimes like WannaCry, the Bangladesh bank heist that compromised the SWIFT network to the tune of around $80m, and several other similar ones also at the level of tens of millions. The other super high-profile attack was the Sony breach in 2014.
- The malware mentioned in the article, ELECTRICFISH, seems to be specifically oriented around data exfiltration: it is a dynamic tunneling protocol designed for efficient, fast transfer. A couple of things about it seem strange to me, the biggest being that it appears to use arbitrary ports. That seems odd, because why wouldn't you just use 80 or 443? A lot of organizations do fairly locked-down egress filtering, which would defeat a tunnel on an arbitrary port, whereas the same traffic is much harder to spot on port 443 when it is encrypted.
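The point above has two halves: an egress allowlist catches a tunnel on an arbitrary port outright, while a tunnel on 443 needs a different signal, such as how lopsided the byte counts are. The example below is added here and is not code from the podcast or the cited article; it runs both checks over constructed flow records (the hosts, addresses, byte counts, the allowed-port set and the upload-ratio thresholds are all assumptions chosen for illustration, and the addresses are from documentation ranges).

```python
# Ports the (assumed) egress policy permits outbound from workstations.
ALLOWED_EGRESS_PORTS = {53, 80, 443}

# Constructed flow records in a netflow-like shape; none of these are real observations.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "203.0.113.10", "dport": 443,
     "out_bytes": 120_000, "in_bytes": 2_400_000},   # normal browsing: mostly downloads
    {"src": "10.0.1.22", "dst": "198.51.100.7", "dport": 8443,
     "out_bytes": 900_000, "in_bytes": 12_000},      # odd port and upload-heavy
    {"src": "10.0.1.22", "dst": "198.51.100.7", "dport": 443,
     "out_bytes": 2_100_000, "in_bytes": 9_500},     # allowed port, still upload-heavy
    {"src": "10.0.1.30", "dst": "203.0.113.44", "dport": 80,
     "out_bytes": 5_000, "in_bytes": 40_000},        # normal
]


def check_egress(flows, allowed_ports=ALLOWED_EGRESS_PORTS,
                 upload_ratio=20.0, min_out_bytes=500_000):
    """Return (src, dst, dport, reason) tuples for flows that either leave on a
    port outside the allowlist or push far more data out than they pull in.
    The ratio check is what still fires when a tunnel hides on 443."""
    findings = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"])
        if f["dport"] not in allowed_ports:
            findings.append(key + ("non-allowlisted egress port",))
        ratio = f["out_bytes"] / max(f["in_bytes"], 1)
        if f["out_bytes"] >= min_out_bytes and ratio >= upload_ratio:
            findings.append(key + (f"upload-heavy flow (out/in ratio {ratio:.0f})",))
    return findings


def sources_with_both_signals(findings):
    """Hosts that tripped both checks deserve the first look: a source that is
    both talking on an unexpected port and uploading heavily."""
    by_src = {}
    for src, _dst, _dport, reason in findings:
        by_src.setdefault(src, set()).add(reason.split(" (")[0])
    return sorted(src for src, reasons in by_src.items() if len(reasons) == 2)


if __name__ == "__main__":
    for finding in check_egress(SAMPLE_FLOWS):
        print(finding)
    print("prioritize:", sources_with_both_signals(check_egress(SAMPLE_FLOWS)))
```

The thresholds are deliberately coarse; in practice they would be set per segment from a baseline, and the ratio check needs an exemption list for legitimate bulk uploaders such as backup agents.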
- It is not known which US organizations have already been infected with this new malware.
- TOR is a masking service that people can access via a special browser (the TOR browser), which encrypts your internet traffic. It’s used by a lot of legitimate groups that conduct research, but it’s also used by a lot of criminals.
- Other legitimate organizations have created dedicated versions of their websites. The article specifically mentions Facebook and the New York Times. From a Law Enforcement standpoint, the National Police of the Netherlands also has a dedicated onion site.
- Everything from the regular site is available on the CIA’s onion site. However, it seems at this point that the main uses for this site are to give anonymous tips to the CIA and potentially apply for jobs.
- There have been mixed reactions to this news. Some people seem to think the CIA set this up for more spying purposes, which I suppose is entirely possible, but I think it is more likely that they really did create it for the reasons they stated: they want to bring themselves to TOR in order to get more contact.
This Week’s Hoodie Scale
Fin7 Leverages (enabled) Macro Economics
[Tim]: 6/10 Hoodies
[Emily]: 6.5/10 Hoodies
Holy Mackerel, Hidden Cobra is at it Again
[Tim]: 5/10 Hoodies
[Emily]: 6/10 Hoodies
The CIA Sets Up Chop on TOR
[Tim]: 0.5/10 Hoodies
[Emily]: 0/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!