Delaware, USA – October 12, 2017 – Researchers from ICEBRG actively monitor the activities of the FIN7 hacker group and recently discovered significant changes in their techniques. One of the primary tools of FIN7, the backdoor HALFBAKED, is continuously being changed and modified by attackers. The latest detected modification is able to extract the auto-complete list from MS Outlook 2007 and 2010. Perhaps this function may be used for phishing mailings inside attacked organizations. A similar technique was recently used efficiently during an attack on government entities in Saudi Arabia. In addition, the attackers have improved the obfuscation used in this backdoor, so it became more challenging to detect HALFBAKED by antivirus solutions.
The changes also affected the infection techniques: attackers switched from fileless malware and leveraging OLE technologies to CMD files that create scripts in the user’s home directory and execute them using WScript.
The FIN7 group is known for its attacks on financial and medical institutions. Their attacks are well planned and often successfully bypass security solutions. To discover suspicious activity of executing scripts and hidden communications with command and control servers, you can leverage APT Framework SIEM use case. It will allow your ArcSight, QRadar or Splunk to notify you promptly about a possible threat and prioritize investigation of incidents.