
    How FIN7 is Using Phishing Attacks to Target American Automaker’s IT Staff

    Cybercriminals target IT staff at American car company with phishing tactics

    The financially motivated threat group known as FIN7 launched a phishing attack against a major U.S. automobile manufacturer, specifically targeting employees in the company’s IT department in an attempt to infect systems with the Anunak backdoor malware.

    As reported by researchers at BlackBerry, the attack occurred towards the end of last year and relied on living-off-the-land binaries, scripts, and libraries (LOLBAS) to evade detection. FIN7 focused its efforts on highly privileged employees and used a malicious URL disguised as the legitimate Advanced IP Scanner tool to lure its victims.

    BlackBerry has attributed this attack to FIN7 with a high level of confidence due to the use of unique PowerShell scripts containing the group’s signature ‘PowerTrash’ obfuscated shellcode invoker, which was initially seen during a campaign in 2022.

    Prior to this attack, FIN7 had been observed targeting exposed Veeam backup and Microsoft Exchange servers, as well as deploying Black Basta and Clop ransomware payloads on corporate networks.

    The Attack Process

    FIN7’s attack began with phishing emails targeting employees with high levels of privilege in the IT department of a major U.S. automobile manufacturer.

    The emails contained links that directed to a typosquat of the legitimate scanner project at “advanced-ip-scanner.com” called “advanced-ip-sccanner[.]com.”

    Further investigation revealed that the fake site redirected to “myipscanner[.]com” (now offline), which then directed visitors to a Dropbox page offering a malicious executable file (‘WsTaskLoad.exe’) disguised as the legitimate installer for Advanced IP Scanner.
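    The two lure domains named above differ from the legitimate site by one extra character, or keep the product name under a different registration. As an added example (not part of the article or of BlackBerry's research), the following Python screens web-proxy log lines for hosts that imitate the legitimate Advanced IP Scanner domain, using edit distance plus a brand-keyword check. The log line format, the `BRAND_TOKENS` list and the distance threshold are assumptions; the log lines are constructed, with the two domains from the article used as the positive cases.

```python
"""Flag look-alike (typosquat) domains in proxy logs.

Added example for defenders; not BlackBerry's or FIN7's code.
"""
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The legitimate site the lure imitated (named in the article).
LEGITIMATE_DOMAINS = ["advanced-ip-scanner.com"]

# Assumption: fragments of the product name that a look-alike would keep.
BRAND_TOKENS = ["ipscanner", "ip-scanner"]

# Assumption: "<timestamp> <src-ip> <user> <method> <url>" proxy log format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>\S+) (?P<url>\S+)$"
)

# Constructed sample lines; the two look-alike hosts come from the article.
SAMPLE_LOG = [
    "2023-11-15T09:10:41Z 10.0.4.21 jdoe GET https://www.advanced-ip-scanner.com/",
    "2023-11-15T09:12:03Z 10.0.4.21 jdoe GET http://advanced-ip-sccanner.com/download",
    "2023-11-15T09:12:05Z 10.0.4.21 jdoe GET http://myipscanner.com/",
    "2023-11-15T09:12:09Z 10.0.4.21 jdoe GET https://www.dropbox.com/s/placeholder",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # delete ca
                           cur[j - 1] + 1,       # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def refang(host: str) -> str:
    """Turn defanged notation like 'example[.]com' back into a real hostname."""
    return host.replace("[.]", ".").lower().strip(".")


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for .com lures, not a full PSL."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(host: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a hostname."""
    h = registrable(refang(host))
    if h in LEGITIMATE_DOMAINS:
        return "legitimate"
    name = h.rsplit(".", 1)[0]                 # drop the TLD before comparing
    for legit in LEGITIMATE_DOMAINS:
        if levenshtein(name, legit.rsplit(".", 1)[0]) <= max_distance:
            return "lookalike"                 # e.g. one inserted 'c'
    compact = name.replace("-", "")
    if any(tok.replace("-", "") in compact for tok in BRAND_TOKENS):
        return "lookalike"                     # e.g. 'myipscanner'
    return "unrelated"


def scan_logs(lines: List[str]) -> List[Dict[str, str]]:
    """Parse proxy lines and return the requests to look-alike hosts."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                           # skip malformed lines
        host = urlsplit(m["url"]).hostname or ""
        if classify(host) == "lookalike":
            hits.append({"ts": m["ts"], "user": m["user"], "host": host})
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']} -> {hit['host']} (look-alike domain)")
```

    The distance check catches the single-character variant, and the keyword check catches the renamed domain that no edit distance would reach; both are heuristics, so the output is a review queue for the SOC rather than an automatic block list, and the domain list would normally be extended to the other admin tools an IT team downloads.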

    Once executed, the file initiates a multi-stage process involving DLL, WAV files, and shellcode execution, ultimately resulting in the loading and decryption of a file containing the Anunak backdoor payload, which is also known as Carbanak and is one of several malware tools used by FIN7.

    The ‘WsTaskLoad.exe’ file also installs OpenSSH for persistent access and creates a scheduled task. While FIN7 has previously leveraged OpenSSH for lateral movement, BlackBerry did not observe this during the analyzed attack campaign.

    As for the victim organization, BlackBerry did not disclose its name but did mention that it is a large multinational automotive manufacturer based in the U.S.

    FIN7 has been active since 2013, but in recent years it has shifted its focus to larger targets and typically deploys ransomware as its final payload. This switch to larger organizations makes sense for a ransomware operation, as these entities are more likely to pay a higher ransom.

    While the attack was unsuccessful in spreading beyond the initial infected system, BlackBerry recommends that companies defend against phishing attacks, which are the most common intrusion vector, by training employees to recognize and avoid malicious lures.

    Implementing multi-factor authentication (MFA) for all user accounts can also make it more difficult for attackers to gain access even if they obtain stolen credentials.

    In addition, implementing baseline defenses such as using strong and unique passwords, regularly updating software, monitoring the network for suspicious activity, and deploying advanced email filtering solutions can further mitigate the risk of falling victim to various types of attacks.
