Threat advisories

Top Middle East Cyber Threat- 12 November 2019

Nov-2019 7 min to read

At Help AG, our Managed Security Services (MSS) team offers 24x7x365 monitoring of complex IT security infrastructures to some of the largest enterprises in the region. As a result, we have our eyes keenly fixed on the cybersecurity threat landscape and are among the first in the region to learn and act upon new threats.
In this blog, I share the top cybersecurity threat our MSS team has recently come across. So, read on to learn about what you need to look out for in the weeks ahead:
Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
On Aug. 1, 2018, the United States District Attorney’s Office for the Western District of Washington unlocked prosecutions and declared the captures of three people inside the authority positions of a criminal association that lines up with action researchers from FireEye have followed since 2015 as FIN7. These malevolent entertainers are individuals from one of the prolific financial threat groups of this decade, having carefully crafted attacks targeted at more than 100 organizations. FIN7 is alluded to by numerous vendors as “Carbanak Group,” although researchers do not equate all usage of the CARBANAK backdoor with FIN7.
This advisory investigates the scope of FIN7’s criminal endeavors, the specialized development and social designing resourcefulness that controlled their prosperity, a look into their ongoing efforts, their obvious utilization of a security organization as a front for criminal activities, and what their prosperity implies for the danger scene pushing ahead. With this analysis, researchers from FireEye additionally recommend specialized setting, recorded markers, and strategies that associations can use to chase for FIN7 conduct endeavor wide.
During a few late occurrence reaction commitment, FireEye Mandiant specialists revealed new apparatuses in FIN7’s malware munitions stockpile and kept pace as the worldwide criminal administrators endeavored new evasion techniques. This warning’s objective is revealing two of FIN7’s new assemblies that analysts called BOOSTWRITE and RDFSNIFFER.
Attack Description
The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. FIN7 has been seen to be rolling out little improvements to this malware family utilizing different techniques to stay away from customary antivirus identification, including a BOOSTWRITE test where the dropper was marked by a legitimate certificate authority. One of the analyzed BOOSTWRITE variations contained two payloads: CARBANAK and RDFSNIFFER.
RDFSNIFFER, a payload of BOOSTWRITE, appears to have been developed to tamper with NCR Corporation’s “Aloha Command Center” client. NCR Aloha Command Center is a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. The malware loads into the same process as the Command Center process by abusing the DLL load order of the legitimate Aloha utility.
BOOSTWRITE is a loader made to be propelled by means of maltreatment of the DLL search order of application which loads the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.
Once loaded, `DWrite.dll` connects to a hard-coded IP and port from which it retrieves a decryption key and initialization vector (IV) to decrypt two embedded payload DLLs. To accomplish this task, the malware first generates a random file name to be used as a text log under the current user’s `%TEMP%` directory; this filename starts with ~rdf and is followed by a set of random numbers. Next, the malware scans its own image to find the location of a 32-byte long multi-XOR key which is used to decode data inside its body. Part of the decoded data is an IP address and port which are used to retrieve the key and the IV for the decryption of the embedded payloads.
Once the key and the IV are downloaded the malware decrypts the embedded payloads and performs sanity checks on the results. The payloads are expected to be PE32.DLLs which, if the tests pass, are loaded into memory without touching the filesystem.
The malware logs various plaintext messages to the previously created logfile TEMP%\~rds<rnd_numbers> which are indicative of the loader’s execution progress.
Before exiting, the malware resolves the location of the benign DWrite.dll library and passes the execution control to its DWriteCreateFactory method.
The malware decodes and stacks two payload DLLs. One of the DLLs is an occasion of the CARBANAK backdoor; the other DLL is a tool traced by FireEye as RDFSNIFFER which enables an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.
RDFSNIFFER Module: RAT
RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via NCR Corporation’s ‘Aloha Command Centre Client’ (RDFClient), an application designed to provide visibility and system management capabilities to remote IT techs. RDFSNIFFER loads into the same process as the legitimate RDFClient by abusing the utility’s DLL load order, launching each time the ‘Aloha Command Center Client’ is executed on an impacted system.
When the RDFSNIFFER module is loaded by BOOSTWRITE it hooks several Win32 API functions intended to enable it to tamper with NCR Aloha Command Center Client sessions or hijack elements of its user-interface. Furthermore, this enables the malware to alter the user’s last input time to ensure application sessions do not time out. This module also contains a backdoor component that enables it to inject commands into an active RDFClient session. This backdoor allows an attacker to upload, download, execute and/or delete arbitrary files.
Signed: Yours Truly, FIN7
Mandiant has identified a signed BOOSTWRITE sample used by FIN7 during a recent investigation. Following that discovery, a signed BOOSTWRITE sample was uploaded to VirusTotal on October 3. This executable uses a code signing certificate issued by MANGO ENTERPRISE LIMITED. This indicates the operators may be actively altering this malware to avoid traditional detection mechanisms. Notably, the signed BOOSTWRITE sample had a 0/68 detection ratio when it was uploaded to VirusTotal, demonstrating the effectiveness of this tactic.
While these incidents have also included FIN7’s typical and long-used toolsets, such as CARBANAK and BABYMETAL, the introduction of new tools and techniques provides further evidence that FIN7 is continuing to evolve in response to security enhancements. Further, the use of code signing in at least one case highlights the group’s judicious use of resources, potentially limiting their use of these certificates to cases where they have been attempting to bypass particular security controls. Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns. As a result, organizations need to remain vigilant and continue to monitor for changes in methods employed by the FIN7 actors.
Remediation and Recommendations
While research firms like FireEye do not release production detection logic for the code families, this section does contain some identification and hunting concepts that can be adopted for multiple layered detection strategy. Below we highlight malware samples referenced in this research that FireEye could share from the larger set recovered during active investigations.
Type: BOOSTWRITE (signed)
Indicator
MD5: a67d6e87283c34459b4660f19747a306
SHA-1: a873f3417d54220e978d0ca9ceb63cf13ec71f84
SHA-256: 18cc54e2fbdad5a317b6aeb2e7db3973cc5ffb01bbf810869d79e9cb3bf02bd5
Type: BOOSTWRITE (unsigned)
Indicator
SHA256: 8773aeb53d9034dc8de339651e61d8d6ae0a895c4c89b670d501db8dc60cd2d0
MD5: af2f4142463f42548b8650a3adf5ceb2
SHA1: 09f3c9ae382fbd29fb47ecdfeb3bb149d7e961a1
C2: 109.230.199[.]227
The signed BOOSTWRITE sample has a PE Authenticode anomaly that can be detected using Yara’s PE signature module.
There are other PE Authenticode anomalies that can also be represented as Yara rules to surface similarly suspicious files. Of note, this signed BOOSTWRITE sample has no counter signature and, while the unauthenticated attributes timestamp structure is present, it is empty.
FireEye’s Advanced Practices team identified a possible issue with VirusTotal’s parsing of signed executable timestamps.

FireEye filed a bug report with Google to address the discrepancy in VirusTotal in order to remove confusion for other users.
To account for the detection weaknesses introduced by techniques like code signing, the Advanced Practices team combines the malicious confidence spectrum that comes from ML detection systems with file oddities and anomalies (weak signals) to surface highly interesting and evasive malware. This technique was recently described in Dr. Steven Miller’s Definitive Dossier of Devilish Debug Details.
As always, at Help AG, we’re here to help you protect against these any other cyber threats so please reach out to us for all your cyber security needs.
REFERENCES