A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).
The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing "important" information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.
POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.
POWERSOURCE has also been spotted delivering Cobalt Strike's Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.
Source: http://www.securityweek.com/cybercriminals-target-employees-involved-sec-filings
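Because both backdoors described above use DNS TXT queries as their C&C channel, one practical detection is to look at resolver logs for the traits such a channel tends to exhibit: a burst of TXT queries from one host to one registered domain, with long, high-entropy (encoded-looking) leftmost labels. The script below is an added example, not code from the original post or from FireEye; the log line format, the thresholds, the "last two labels" domain extraction and the sample log lines (including the `c2-placeholder.test` domain) are all constructed assumptions.

```python
"""Heuristic detector for DNS TXT-based command-and-control traffic.

Added example (not from the original post or FireEye). Scores DNS query log
records per (client, registered domain) for three traits of TXT-channel
backdoors: many TXT queries, long leftmost labels, and high-entropy labels.
Log format, thresholds and sample data are assumptions.
"""
import math
import re
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client_ip> <qtype> <qname>".
# 10.0.0.15 issues ordinary TXT lookups; 10.0.0.23 shows the beaconing pattern.
SAMPLE_LOG = """\
2017-03-10T17:46:01Z 10.0.0.15 A www.example.com
2017-03-10T17:46:02Z 10.0.0.15 TXT _dmarc.example.com
2017-03-10T17:46:05Z 10.0.0.23 TXT a9f3c1e7b2d4.c2-placeholder.test
2017-03-10T17:46:06Z 10.0.0.23 TXT 7e1b0d4c9a2f5e3b.c2-placeholder.test
2017-03-10T17:46:07Z 10.0.0.23 TXT 3c8d2f1a6e9b0c4d7f.c2-placeholder.test
2017-03-10T17:46:08Z 10.0.0.23 TXT f0e9d8c7b6a5.c2-placeholder.test
2017-03-10T17:46:09Z 10.0.0.23 TXT 1a2b3c4d5e6f7a8b9c0d.c2-placeholder.test
2017-03-10T17:46:10Z 10.0.0.23 TXT 5d4c3b2a1f0e9d8c.c2-placeholder.test
2017-03-10T17:46:12Z 10.0.0.15 TXT mail.example.com
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; encoded/encrypted payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' registrable domain (assumption: a real deployment
    should use the public suffix list so co.uk-style suffixes are handled)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, qtype, qname = m.groups()
            yield {"ts": ts, "client": client,
                   "qtype": qtype.upper(), "qname": qname.lower()}


def detect_txt_c2(log_text: str, min_queries: int = 5,
                  min_label_len: int = 10, min_entropy: float = 3.0):
    """Return a list of (client, domain) groups whose TXT queries look like a
    C&C channel. Thresholds are illustrative assumptions; tune to your baseline."""
    groups = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["qtype"] != "TXT":
            continue
        leftmost = rec["qname"].split(".")[0]  # label most likely to carry data
        groups[(rec["client"], registered_domain(rec["qname"]))].append(leftmost)

    findings = []
    for (client, domain), labels in groups.items():
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if (len(labels) >= min_queries and mean_len >= min_label_len
                and mean_ent >= min_entropy):
            findings.append({"client": client, "domain": domain,
                             "queries": len(labels),
                             "mean_label_len": round(mean_len, 2),
                             "mean_entropy": round(mean_ent, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_txt_c2(SAMPLE_LOG):
        print(f"suspicious TXT channel: {f}")
```

The three signals are deliberately combined rather than used alone: legitimate TXT traffic (SPF, DMARC, domain-verification records) is low-volume and uses short, readable labels, so a single long label or a single burst is not enough on its own. In production the grouping window should be time-bounded and the thresholds set from the site's own resolver baseline.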
(Score: 2) by looorg on Friday March 10 2017, @05:46PM (1 child)
Why do you rob banks? It's where the money is. Getting data and info from people that deal with filings for stocks and securities just cuts down on the risk, guns and violence while maximizing the potential profit. Plus if you get caught the sentences are not as severe and you might get sent to the nicer white collar prisons.
(Score: -1, Troll) by Anonymous Coward on Friday March 10 2017, @07:24PM
"nicer white collar prisons"
Yes, but if the criminals are Jewish (which they mostly are), then they get rewarded with government contracts for their deep knowledge of how to infiltrate into secure systems and exfiltrate data that could be used to incriminate innocents, start wars and so on.