FIN7 — the New Avatar
Principal Security Architect
November 2, 2017
FIN7 is a cybercrime group that uses spear-phishing attacks to deliver malware built on fileless techniques, sophisticated evasion and persistence. It mostly targets the financial sector. In this blog post we take a high-level look at one such sample seen in the wild, which employs several layers of obfuscated JScript, PowerShell and a DLL embedded within a Microsoft Word document. The sample analyzed has the MD5 hash 29a3666cee0762fcd731fa663ebc0011. Through a series of deeply nested base64-encoded scripts, obfuscated code and PowerShell, this strain achieves stealth and evasion.
The document arrives as an email attachment in “docx” format. When the document is opened, it displays a message enticing the user to double-click an image in order to unlock the embedded content.
If the user double-clicks the image, an OLE object embedded in the document is invoked. This embedded OLE object is a “CMD” command script stored in the file “word/embeddings/oleObject1.bin”, which is part of the docx package of this sample. The command script extracts a JScript embedded within it into the file “tt.txt” under “%HOMEPATH%”. Next, the command launches “tt.txt” using “wscript.exe”, as can be seen from the output of “Process Explorer” in Figure 2. wscript.exe, the Windows Script Host, allows execution of VBScript or JScript. JScript is Microsoft’s version of JavaScript and can be used to run JavaScript code outside a browser’s execution model. The primary method this malware strain uses to load and deliver its malicious payload is a chain of JScript scripts, each using different obfuscation tricks to make detection and manual analysis hard.
Running the JScript in “tt.txt” sets the stage for the remainder of the chain that leads to infection. Through a series of deeply nested JScript stages, each base64 encoded and obfuscated, the sample defeats traditional detection mechanisms. In some of the nested code, the embedded JScript was first base64 encoded and the encoded string was then split into substrings stored as members of an array. These are concatenated and decoded at runtime before being passed to an obfuscated call to “eval”, like the following, which was seen in one of the JScripts extracted during manual analysis:
nsgOixaGDUN.MaQ8WGf0zp()[String.fromCharCode(101)+'va'+'l'](RwcOCYLSq(dalRrAqtXOJ));
The above code excerpt was taken from “db.CHM”, a file into which the malware extracts one of its deeply embedded JScripts. Another trick seen in some of the scripts was the use of embedded scripts whose function bodies appear to be commented out but are uncommented at runtime, as was seen with one of the scripts, named “whatis.ini”, extracted at runtime. Tracing the execution of the embedded scripts using “Procmon” to track all wscript.exe activity, it was noticed that the sample leads to wscript.exe running the following JScripts.
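The two tricks described above (an "eval" name assembled from String.fromCharCode and string fragments, and a base64 payload split across array members and joined at runtime) can both be undone statically, without executing the script. The following Node.js script is an added example written for this post, not code from the original analysis or from Versa; it runs over a constructed JScript snippet that mimics the quoted excerpt (the identifiers are borrowed from the excerpt, the payload is a harmless WScript.Echo call) and peels the layers until nothing further decodes:

```javascript
// Static triage of a JScript dropper stage: fold computed "eval" member names
// and reassemble split base64 arrays without ever executing the script.
// Added example; not code from the original post. SAMPLE is constructed to
// mimic the pattern quoted in the post and is not the real malware.
'use strict';

// Constructed sample: a base64 payload split into array members, a join
// helper, and an eval call hidden behind String.fromCharCode concatenation.
const SAMPLE = [
  'var dalRrAqtXOJ = ["V1Njcml", "wdC5FY2", "hvKCJzdG", "FnZTIiKTs="];',
  'function RwcOCYLSq(a) { return a.join(""); }',
  'var nsgOixaGDUN = { MaQ8WGf0zp: function () { return this; } };',
  "nsgOixaGDUN.MaQ8WGf0zp()[String.fromCharCode(101)+'va'+'l'](RwcOCYLSq(dalRrAqtXOJ));",
].join('\n');

// One string piece: a quoted literal or a String.fromCharCode(N) call.
const PIECE = String.raw`(?:String\.fromCharCode\(\s*\d+\s*\)|'[^']*'|"[^"]*")`;
// A computed member access built from one or more pieces joined with '+'.
const COMPUTED_PROP = new RegExp(String.raw`\[\s*(${PIECE}(?:\s*\+\s*${PIECE})*)\s*\]`, 'g');

// Fold a '+'-chain of literals and fromCharCode calls into the string it yields.
function foldPieces(chain) {
  const pieces = chain.match(new RegExp(PIECE, 'g')) || [];
  return pieces.map((p) => {
    const m = /^String\.fromCharCode\(\s*(\d+)\s*\)$/.exec(p);
    return m ? String.fromCharCode(Number(m[1])) : p.slice(1, -1); // strip quotes
  }).join('');
}

// Resolve computed member names and hand back the rewritten source; names that
// fold to "eval" or "Function" are the ones an analyst cares about.
function resolveComputedMembers(src) {
  const resolved = [];
  const rewritten = src.replace(COMPUTED_PROP, (whole, chain) => {
    const name = foldPieces(chain);
    resolved.push(name);
    return `["${name}"]`;
  });
  return { rewritten, resolved };
}

// Array literals made only of string chunks; joined and base64-decoded.
const STRING_ARRAY = /\[\s*((?:"[^"]*"|'[^']*')(?:\s*,\s*(?:"[^"]*"|'[^']*'))*)\s*\]/g;
const B64 = /^[A-Za-z0-9+/]+={0,2}$/;

function decodeSplitBase64(src) {
  const payloads = [];
  STRING_ARRAY.lastIndex = 0;
  let m;
  while ((m = STRING_ARRAY.exec(src)) !== null) {
    const joined = (m[1].match(/"[^"]*"|'[^']*'/g) || [])
      .map((s) => s.slice(1, -1)).join('');
    if (joined.length < 8 || joined.length % 4 !== 0 || !B64.test(joined)) continue;
    const text = Buffer.from(joined, 'base64').toString('latin1');
    // Keep only payloads that decode to printable text, i.e. a nested script.
    if (/^[\x20-\x7e\r\n\t]+$/.test(text)) payloads.push(text);
  }
  return payloads;
}

// One layer of triage: indicators are the three tricks the post describes.
function triage(src) {
  const { rewritten, resolved } = resolveComputedMembers(src);
  const payloads = decodeSplitBase64(src);
  const indicators = [];
  if (resolved.some((n) => n === 'eval' || n === 'Function')) indicators.push('computed-eval');
  if (payloads.length) indicators.push('split-base64-payload');
  if (/\.join\(\s*(""|'')\s*\)/.test(src)) indicators.push('runtime-concat');
  return { rewritten, resolved, payloads, indicators };
}

// Decoded payloads are themselves scripts, so triage them in turn until a
// layer yields nothing new (the post describes several nested layers).
function unwrapLayers(src, maxDepth = 5) {
  const layers = [];
  let current = src;
  for (let depth = 0; depth < maxDepth; depth++) {
    const result = triage(current);
    layers.push(result);
    if (result.payloads.length === 0) break;
    current = result.payloads[0];
  }
  return layers;
}

const demoLayers = unwrapLayers(SAMPLE);
demoLayers.forEach((l, i) => {
  console.log(`layer ${i}: indicators=${l.indicators.join(',') || 'none'}`);
  console.log(l.rewritten);
});
```

Because the decoding is purely textual, the script host is never involved and the payload is recovered with the computed member access rewritten to a literal `["eval"]`, which is what makes the next layer readable. Real samples vary the chunking and the alias construction, so treat the two regexes as a starting point to extend against the stage you are looking at, not as a complete deobfuscator.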
The script db.CHM is particularly interesting. It extracts a series of “.txt” files into “%HOMEPATH%/{2DF6ACDA-8FF7-8208-77F5-8581F0D479E9}”. This can be seen in the command terminal output in Figure 4. These were base64 encoded strings within db.CHM before they were extracted. Some of these contain JScript that is launched by wscript.exe, as seen in Figure 3. Others are “.xml” files that db.CHM uses to schedule tasks with the “schtasks.exe” command; this is seen in the fifth line of the grep output in Figure 3. One of the extracted scripts started by db.CHM has an embedded PowerShell script, which in turn uses another PowerShell script to reflectively load a malicious DLL into a process. db.CHM also has embedded URLs with which it communicates for further commands. Via a series of GET and POST requests sent to these URLs, the JScript launched by this malware can exfiltrate information or receive commands.
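The scheduled tasks db.CHM registers through schtasks.exe are the persistence mechanism a responder will want to find on a host. The following Node.js script is an added example written for this post, not code from the original analysis or from Versa; it triages Task Scheduler XML definitions for the traits described above: a script host as the task command, a target under a user-writable profile path, a GUID-named folder, and a file with a non-script extension (such as “.ini” or “.txt”) handed to a script host. Both task definitions are constructed for illustration; only the GUID folder name and the “whatis.ini” file name come from the post, and the benign vendor path is invented.

```javascript
// Triage of Windows Task Scheduler XML definitions of the kind a dropper
// registers with schtasks.exe. Added example; not the post's or Versa's code.
// Both task definitions are constructed; only the GUID folder and the
// whatis.ini file name are taken from the post.
'use strict';

// Constructed: a task that launches a script host against a file in a
// GUID-named folder under the user's profile, using a non-script extension.
const SUSPICIOUS_TASK = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>"%HOMEPATH%\\{2DF6ACDA-8FF7-8208-77F5-8581F0D479E9}\\whatis.ini"</Arguments>
    </Exec>
  </Actions>
</Task>`;

// Constructed: an ordinary vendor updater task for comparison (path invented).
const BENIGN_TASK = `<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-11-02T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>`;

const SCRIPT_HOSTS = new Set(['wscript.exe', 'cscript.exe', 'powershell.exe', 'mshta.exe', 'cmd.exe']);
const SCRIPT_EXTS = new Set(['.js', '.jse', '.vbs', '.vbe', '.wsf', '.ps1', '.hta', '.bat', '.cmd']);
const USER_WRITABLE = /%(HOMEPATH|APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%|\\Users\\/i;
const GUID_DIR = /\{[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}\}/i;

function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Pull every <Exec> action out of a task definition. Regex-based: Node core
// ships no XML parser and the task schema is simple enough for this purpose.
function extractExecActions(xml) {
  const actions = [];
  const execRe = /<Exec>([\s\S]*?)<\/Exec>/g;
  let m;
  while ((m = execRe.exec(xml)) !== null) {
    const cmd = /<Command>([\s\S]*?)<\/Command>/.exec(m[1]);
    const args = /<Arguments>([\s\S]*?)<\/Arguments>/.exec(m[1]);
    actions.push({
      command: cmd ? decodeEntities(cmd[1].trim()) : '',
      arguments: args ? decodeEntities(args[1].trim()) : '',
    });
  }
  return actions;
}

function baseName(p) {
  return p.replace(/^["']|["']$/g, '').split(/[\\/]/).pop().toLowerCase();
}
function extension(name) {
  const i = name.lastIndexOf('.');
  return i >= 0 ? name.slice(i) : '';
}

// Score one action; each finding is a string a responder can pivot on.
function assessAction(action) {
  const findings = [];
  const host = baseName(action.command);
  const scriptHost = SCRIPT_HOSTS.has(host);
  if (scriptHost) findings.push(`script-host:${host}`);
  // First argument that is not a switch is taken as the script/file target.
  const tokens = action.arguments.match(/"[^"]*"|\S+/g) || [];
  const target = tokens.find((t) => !t.startsWith('/') && !t.startsWith('-')) || '';
  if (USER_WRITABLE.test(target) || USER_WRITABLE.test(action.command)) findings.push('user-writable-path');
  if (GUID_DIR.test(target)) findings.push('guid-named-folder');
  const ext = extension(baseName(target));
  if (scriptHost && target && !SCRIPT_EXTS.has(ext)) findings.push(`non-script-extension:${ext}`);
  return findings;
}

function triageTask(xml) {
  const findings = extractExecActions(xml).flatMap(assessAction);
  const verdict = findings.length >= 3 ? 'suspicious' : findings.length > 0 ? 'review' : 'clean';
  return { findings, verdict };
}

for (const [label, xml] of [['suspicious', SUSPICIOUS_TASK], ['benign', BENIGN_TASK]]) {
  const r = triageTask(xml);
  console.log(`${label}: ${r.verdict} (${r.findings.join(', ') || 'no findings'})`);
}
```

On a live host the same logic can be run over the task definitions stored under C:\Windows\System32\Tasks, or over the XML exported by schtasks /Query /XML; the thresholds are deliberately simple so that each finding stays explainable in an incident write-up.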
In the next post of this blog series, the embedded JScripts will be analyzed in detail to understand what all the scripts do, especially the command-and-control part. In the final part of this series, the PowerShell scripts and the injected DLL will be dissected and studied to understand the malware’s activities on an infected machine. The end result of being infected by this malware is that internal information could be exfiltrated, Outlook contacts can be harvested for further spear-phishing attacks, and machines could have more malicious code downloaded and can be controlled remotely. MS Office documents were seen as primary carriers in some of the recent ransomware outbreaks. When documents contain embedded macros or command scripts, users are warned by MS Office before they get to run them. It is important that users be careful when opening documents that arrive even from trusted sources. The anti-virus engine in Versa VOS™ (formerly FlexVNF) detects this malicious document as Trojan.MWKX-1.