5.6 KiB
5.6 KiB
The campaign of FIN7 group continue
Table of Contents
- Malware analysis
- Cyber kill chain
- Indicators Of Compromise (IOC)
- References MITRE ATT&CK Matrix
- Links
Malware analysis
The initial vector is a malicious xls which a macro, this extracts the string on the document and execute it.
The first layer of the JS backdoor is a series of arrays where the second elements are used for giving the second layer of the backdoor.
The first functions executed in the second layer is encoding the data to send at the C2.
The main sends a pulse to the C2 and wait for the instructions to perform.
The backdoor performs a discover action for list the DNS host of the list active network cards. This helps to prepare the DNS extraction for sending the data in the C2.
This use after a function for randomizing (4 letters or numbers) the sub part of the URL to domain the contact and the name of file for storage temporary the data in waiting to send it(as tmp file in the disk).
In function of the hard-coded mode in backdoor, this sends the data via a DNS extraction or via HTTP.
The IP used as C2 rest the same that the samples spotted early September.
| IP | Route | ASN | Organization | Country | City | Coordinates |
|---|---|---|---|---|---|---|
| 185.231.153.21 | 185.231.153.0/24 | AS48282 | VDSINA VDS Hosting | Russia | Moscow | 55.7386,37.6068 |
Cyber kill chain
The process graphs resume all the cyber kill chains used by the attacker.
Indicators Of Compromise (IOC)
List of all the Indicators Of Compromise (IOC)
| Indicator | Description |
|---|---|
| order.xlsb | 2ba6709be053eb456c7fbe0c7e19196fefc7fe93afaea1e008c417aa6faeeeb3 |
| umyhpakixg.txt | 980b6ec3e3fc3d25af8273e8c85142c551875a472cc900e427b9c4cb87e59d39 |
| e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls | e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790 |
| moviedvdpower.com | Domain requested |
| 31.3.232.105 | IP requested |
| 185.231.153.21 | IP C2 |
This can be exported as JSON format Export in JSON
References MITRE ATT&CK Matrix
List of all the references with MITRE ATT&CK Matrix
| Enterprise tactics | Technics used | Ref URL |
|---|---|---|
| Defense Evasion | Scripting | https://attack.mitre.org/techniques/T1064/ |
| Execution | Scripting | https://attack.mitre.org/techniques/T1064/ |
| Defense Evasion | Install Root Certificate | https://attack.mitre.org/techniques/T1130/ |
| Discovery | Query Registry | https://attack.mitre.org/techniques/T1012/ |