SoylentNews is people

posted on Friday March 10 2017, @04:57PM
from the it-fits-Social-Engineering-Criminals dept.

A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).

The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing "important" information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.

POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.

POWERSOURCE has also been spotted delivering Cobalt Strike's Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.
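Because both backdoors in the story carry their C&C traffic inside DNS TXT lookups, the most useful place to look for them on a network is the resolver's query log. The script below is an added example for this discussion, not code from FireEye, SecurityWeek or the tools named above: it reads a handful of constructed query-log lines (hypothetical "timestamp client qtype qname" format, placeholder domain names) and flags a client that sends a steady stream of TXT queries with unique, high-entropy subdomain labels to a single domain, which is the shape DNS TXT command channels tend to have. The thresholds are assumptions to be tuned per environment.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of resolver query-log lines (hypothetical format:
# "<timestamp> <client-ip> <qtype> <qname>"). Not from any real network;
# "c2-placeholder.example" stands in for whatever domain an incident involves.
SAMPLE_LOG = """\
2017-03-10T16:57:01 10.0.0.12 A www.example.com
2017-03-10T16:57:05 10.0.0.12 TXT 8f3a1c.s7k2p.c2-placeholder.example
2017-03-10T16:57:35 10.0.0.12 TXT 9e4b2d.q1m8z.c2-placeholder.example
2017-03-10T16:58:05 10.0.0.12 TXT a17c3e.w5n4y.c2-placeholder.example
2017-03-10T16:58:35 10.0.0.12 TXT b28d4f.r9j6x.c2-placeholder.example
2017-03-10T16:59:05 10.0.0.12 TXT c39e50.t3h1v.c2-placeholder.example
2017-03-10T16:59:35 10.0.0.12 TXT d4af61.u7g5u.c2-placeholder.example
2017-03-10T16:57:09 10.0.0.25 TXT _dmarc.example.org
2017-03-10T16:57:10 10.0.0.25 TXT example.org
2017-03-10T16:57:11 10.0.0.25 TXT selector1._domainkey.example.org
2017-03-10T16:58:00 10.0.0.30 MX example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_log(text):
    """Return (client, qtype, qname) tuples; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(2), m.group(3), m.group(4)))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Split a query name into (subdomain prefix, registered domain).

    Uses the last two labels as the registered domain; a public-suffix list
    would be more accurate in production.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_txt_queries(records, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Flag (client, domain) pairs whose TXT queries look like a data channel.

    A pair is flagged when the client made at least min_queries TXT lookups,
    nearly every lookup used a different subdomain (encoded commands/data are
    never the same twice), and the subdomain characters are high-entropy.
    Mail-related TXT lookups (SPF/DKIM/DMARC) are few and repetitive, so they
    fall below the thresholds.
    """
    per_pair = defaultdict(list)
    for client, qtype, qname in records:
        if qtype != "TXT":
            continue
        prefix, domain = split_name(qname)
        per_pair[(client, domain)].append(prefix)

    flagged = {}
    for key, prefixes in per_pair.items():
        n = len(prefixes)
        unique_ratio = len(set(prefixes)) / n
        mean_entropy = sum(shannon_entropy(p.replace(".", "")) for p in prefixes) / n
        if n >= min_queries and unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[key] = {
                "queries": n,
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in score_txt_queries(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {domain}: {stats}")
```

Run as-is it reports only 10.0.0.12 talking to c2-placeholder.example; the mail server at 10.0.0.25 doing DMARC and DKIM lookups stays quiet. In a real deployment the registered-domain split should use a public-suffix list, and the query volume threshold should be set from a baseline of the site's own TXT traffic, since resolvers for mail gateways legitimately issue many TXT queries.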

Source: http://www.securityweek.com/cybercriminals-target-employees-involved-sec-filings


Original Submission

  • (Score: 2) by DeathMonkey (1380) on Friday March 10 2017, @07:11PM (#477475) Journal (1 child)

    Never heard of a "Reverse Shell" before...

    Reverse shell [infosecinstitute.com]

    A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, which, by using code or command execution, is achieved.

    Interesting... Basically, providing a shell account to your zombie.

  • (Score: 2) by tibman (134) on Friday March 10 2017, @07:31PM (#477482)

    It's mostly for bypassing firewalls. You can't reach a listening port on the compromised machine because a firewall appliance is blocking that port. Outgoing requests are usually a free-for-all so a compromised machine can connect to you without hassle.

    --
    SN won't survive on lurkers alone. Write comments.