A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel who handle filings to the Securities and Exchange Commission (SEC).
The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing "important" information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.
POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.
POWERSOURCE has also been spotted delivering Cobalt Strike's Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.
Source: http://www.securityweek.com/cybercriminals-target-employees-involved-sec-filings
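As an added illustration (not from the article or FireEye's report): the DNS TXT C&C described above leaves a distinctive footprint in resolver logs, namely one client repeatedly issuing TXT queries with random-looking labels under a single domain. The script below flags that pattern; the log format, hostnames and thresholds are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qtype> <qname>".
# The domain c2-example.test and the hex labels are made up for this example.
SAMPLE_LOG = """\
1489172400 10.0.0.5 A www.example.com
1489172401 10.0.0.5 TXT a3f9c1e7b2d4.c2-example.test
1489172402 10.0.0.5 TXT 9e1b7d3a0c5f.c2-example.test
1489172403 10.0.0.5 TXT 4d8a2f6c1b9e.c2-example.test
1489172404 10.0.0.5 TXT 7c2e9b1f5a3d.c2-example.test
1489172405 10.0.0.7 TXT _dmarc.example.com
1489172406 10.0.0.7 A mail.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; random hex/base32 labels score high,
    human-chosen labels such as '_dmarc' or 'www' score low."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def registered_domain(qname):
    """Naive 'last two labels' domain; assumption: no public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_txt_c2(log_text, min_queries=3, min_entropy=3.0):
    """Return {(client, domain): count} for clients that sent at least
    min_queries TXT queries whose leading labels look random."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue  # only TXT lookups carry the C&C channel here
        client, qname = parts[1], parts[3]
        labels = qname.rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label to carry encoded data
        prefix = ".".join(labels[:-2])
        if shannon_entropy(prefix) >= min_entropy:
            counts[(client, registered_domain(qname))] += 1
    return {k: v for k, v in counts.items() if v >= min_queries}
```

On the constructed log this reports only 10.0.0.5 against c2-example.test, while the legitimate `_dmarc` TXT lookup from 10.0.0.7 is ignored.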
(Score: 2) by DeathMonkey on Friday March 10 2017, @07:11PM (1 child)
Never heard of a "Reverse Shell" before...
Reverse shell [infosecinstitute.com]
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, by using which code or command execution is achieved.
Interesting... Basically, providing a shell account to your zombie.
(Score: 2) by tibman on Friday March 10 2017, @07:31PM
It's mostly for bypassing firewalls. You can't reach a listening port on the compromised machine because a firewall appliance is blocking that port. Outgoing requests are usually a free-for-all so a compromised machine can connect to you without hassle.