A cybercrime group tracked by FireEye as FIN7 has been observed targeting nearly a dozen organizations in the United States, focusing on personnel that handles filings to the Securities and Exchange Commission (SEC).
The attack starts with a spear phishing email coming from a spoofed sec.gov email address, which carries a document apparently containing "important" information. Once the document is opened, a VBS script installs a new PowerShell backdoor dubbed POWERSOURCE.
POWERSOURCE has also been used to download a second-stage PowerShell backdoor named TEXTMATE, which provides a reverse shell to the attacker. POWERSOURCE is an obfuscated and modified version of the publicly available DNS_TXT_Pwnage tool, while TEXTMATE is fileless malware. Both rely on DNS TXT requests for command and control (C&C) communications.
POWERSOURCE has also been spotted delivering Cobalt Strike's Beacon post-exploitation tool, which had been used in previous FIN7 operations as well. FireEye noted that the domain serving the Beacon payload had also hosted a Carbanak backdoor sample compiled in February 2017. FIN7 has been known to rely heavily on Carbanak malware.
Source: http://www.securityweek.com/cybercriminals-target-employees-involved-sec-filings
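A defender-side heuristic for the DNS TXT command-and-control channel described in the summary, added here as an example (it is not code from the article, from FireEye, or from the tools named above): it scans constructed resolver log lines and flags client/domain pairs that issue many TXT lookups whose leading label looks like encoded data. The log format, the thresholds, and the `c2-placeholder.test` domain are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log lines (not real data): "<ts> <client> <qtype> <qname>"
SAMPLE_LOG = """\
2017-03-10T17:00:01 10.1.2.3 A www.example.com
2017-03-10T17:00:02 10.1.2.3 TXT _dmarc.example.com
2017-03-10T17:00:05 10.1.2.3 TXT 3f9a1c7e0b.cmd.c2-placeholder.test
2017-03-10T17:00:06 10.1.2.3 TXT 8e2d4b6f11.cmd.c2-placeholder.test
2017-03-10T17:00:07 10.1.2.3 TXT a71c0e9d52.cmd.c2-placeholder.test
2017-03-10T17:00:08 10.1.2.3 TXT 5b3e7f2a90.cmd.c2-placeholder.test
2017-03-10T17:00:09 10.1.2.3 TXT d4c6a8e1b3.cmd.c2-placeholder.test
2017-03-10T17:00:10 10.1.2.3 TXT 9f0b2d4c6e.cmd.c2-placeholder.test
2017-03-10T17:00:11 10.9.9.9 TXT google._domainkey.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s):
    """Bits of entropy per character; encoded payload labels score higher than words."""
    if not s:
        return 0.0
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Approximation: last two labels (a real deployment would use the public suffix list).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])

def flag_txt_beacons(log_text, min_queries=5, min_entropy=3.0):
    """Return {(client, domain): count} for client/domain pairs that issued at least
    min_queries TXT queries whose first label has average entropy >= min_entropy."""
    per_pair = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qtype, qname = m.groups()
        if qtype.upper() != "TXT":
            continue
        first_label = qname.split(".")[0]
        per_pair[(client, registered_domain(qname))].append(shannon_entropy(first_label))
    flagged = {}
    for pair, ents in per_pair.items():
        if len(ents) >= min_queries and sum(ents) / len(ents) >= min_entropy:
            flagged[pair] = len(ents)
    return flagged
```

Legitimate TXT lookups such as `_dmarc` or DKIM selectors are low-volume and low-entropy, so they fall below both thresholds.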
(Score: 2) by looorg on Friday March 10 2017, @05:46PM (1 child)
Why do you rob banks? It's where the money is. Getting data and info from people that deal with filings for stocks and securities just cuts down on the risk, guns and violence while maximizing the potential profit. Plus if you get caught the sentences are not as severe and you might get sent to the nicer white collar prisons.
(Score: -1, Troll) by Anonymous Coward on Friday March 10 2017, @07:24PM
"nicer white collar prisons"
Yes, but if the criminals are jewish (which they mostly are), then they get rewarded with government contracts for their deep knowledge of how to infiltrate into secure systems and exfiltrate data that could be used to incriminate innocents, start wars and so on.
(Score: 1, Insightful) by Anonymous Coward on Friday March 10 2017, @07:03PM
You did include this in your Total Cost of Ownership (TCO) calculations, right?
(Score: 2) by DeathMonkey on Friday March 10 2017, @07:11PM (1 child)
Never heard of a "Reverse Shell" before...
Reverse shell [infosecinstitute.com]
A reverse shell is a type of shell in which the target machine communicates back to the attacking machine. The attacking machine has a listener port on which it receives the connection, and by using it, code or command execution is achieved.
Interesting... Basically, providing a shell account to your zombie.
(Score: 2) by tibman on Friday March 10 2017, @07:31PM
It's mostly for bypassing firewalls. You can't reach a listening port on the compromised machine because a firewall appliance is blocking that port. Outgoing requests are usually a free-for-all so a compromised machine can connect to you without hassle.
SN won't survive on lurkers alone. Write comments.
(Score: 2) by FatPhil on Friday March 10 2017, @11:22PM (2 children)
No, no, no, no, no, no, no. That's how trojans worked in the 1990s. Melissa (a pure trojan version of the idea)? Bubbleboy (a wormier version)? Why haven't we fixed this yet?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by FatPhil on Friday March 10 2017, @11:23PM (1 child)
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 1) by charon on Saturday March 11 2017, @12:48AM