Researchers have named the new in-memory malware dropper BOOSTWRITE and found that it can load more than one payload. One of them is the Carbanak backdoor, also attributed to the FIN7 group.
The attackers first deploy BOOSTWRITE and then infect the machines with a new RAT called RDFSNIFFER.
BOOSTWRITE uses a DLL hijacking technique to load its own malicious DLL into the memory of the infected system. The loader then downloads an initialization vector (IV) and a decryption key, which are needed to decrypt its embedded payloads.
"Once the key and IV are downloaded, the malicious software decrypts the built-in payloads and performs checks," the researchers said. "Payloads are expected to be PE32 DLLs that are loaded into memory without touching the file system."
Researchers analyzed BOOSTWRITE and found that the hackers were using the loader to install two payloads: the Carbanak backdoor and RDFSNIFFER.
In addition, in one of the BOOSTWRITE samples analyzed, the researchers noted that a code signing certificate from MANGO ENTERPRISE LIMITED was used.
RDFSNIFFER is delivered as a payload to the targeted machines. As noted above, it is a RAT. It gives remote access to the Aloha Command Center Client application from the ATM maker NCR, through which the attackers "can interact with victims through existing legitimate 2FA sessions."
Whenever the legitimate software runs on the compromised machine, RDFSNIFFER attaches itself to NCR Corporation's RDFClient process.
In this way, the attackers can monitor or even modify the connections made through RDFClient, giving them a tool for man-in-the-middle attacks.
"RDFSNIFFER also contains a backdoor that allows an attacker to upload, download, execute and/or delete files."
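Two of the behaviours described above leave a trace in image-load telemetry: a DLL being picked up from the wrong directory (the hijacking pattern BOOSTWRITE relies on) and a foreign module appearing inside the RDFClient process (where RDFSNIFFER positions itself). The following is an added detection example, not code from the FireEye report or from any of the tools named on this page; the event shape, the DLL name list, the assumed RDFClient install directory and the sample events are all constructed for the illustration.

```python
"""Image-load checks for the two behaviours discussed above:
(1) a well-known system DLL name loaded from outside the Windows system
    directories (DLL search-order hijacking pattern);
(2) a module loaded into a watched process from outside that process's own
    install directory (unexpected module in RDFClient).
Event shape, DLL list, install path and sample events are constructed."""
import ntpath  # parses Windows paths correctly on any host OS

# System DLLs that an application normally resolves from a Windows system
# directory. Constructed, non-exhaustive list of commonly abused names.
KNOWN_SYSTEM_DLLS = {"version.dll", "cryptbase.dll", "wininet.dll", "dbghelp.dll"}

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Processes whose module list deserves close attention. RDFClient is named on
# the page; the allow-listed install directory is an assumption.
WATCHED_PROCESSES = {
    "rdfclient.exe": {r"c:\program files\ncr\rdfclient"},  # assumed install path
}


def _lower_parts(path):
    """Split a Windows path into (file name, directory), both lower-cased."""
    return ntpath.basename(path).lower(), ntpath.dirname(path).lower()


def is_hijack_candidate(event):
    """Rule 1: known system DLL name loaded from a non-system directory."""
    name, directory = _lower_parts(event["image"])
    return name in KNOWN_SYSTEM_DLLS and directory not in SYSTEM_DIRS


def is_unexpected_module(event):
    """Rule 2: module loaded into a watched process from outside its own
    install directory and outside the system directories."""
    proc_name = ntpath.basename(event["process"]).lower()
    allowed = WATCHED_PROCESSES.get(proc_name)
    if allowed is None:
        return False
    _, directory = _lower_parts(event["image"])
    return directory not in allowed and directory not in SYSTEM_DIRS


def scan(events):
    """Return one finding per suspicious event, tagged with the rules that fired.
    Signature status is reported but never suppresses a finding."""
    findings = []
    for ev in events:
        rules = []
        if is_hijack_candidate(ev):
            rules.append("dll-search-order-hijack")
        if is_unexpected_module(ev):
            rules.append("unexpected-module-in-watched-process")
        if rules:
            findings.append({"process": ev["process"], "image": ev["image"],
                             "signed": ev["signed"], "rules": rules})
    return findings


# Constructed sample image-load events (the kind Sysmon Event ID 7 reports).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Windows\System32\version.dll", "signed": True},              # normal
    {"process": r"C:\Program Files\Vendor\app.exe",
     "image": r"C:\Program Files\Vendor\version.dll", "signed": True},          # hijack, yet signed
    {"process": r"C:\Program Files\NCR\RDFClient\RDFClient.exe",
     "image": r"C:\Program Files\NCR\RDFClient\rdfclient.dll", "signed": True},  # normal
    {"process": r"C:\Program Files\NCR\RDFClient\RDFClient.exe",
     "image": r"C:\Users\op\AppData\Local\Temp\helper.dll", "signed": False},   # unexpected module
    {"process": r"C:\Program Files\NCR\RDFClient\RDFClient.exe",
     "image": r"C:\Users\op\AppData\Local\Temp\cryptbase.dll", "signed": False},  # both rules
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        status = "signed" if finding["signed"] else "unsigned"
        print(finding["rules"], finding["image"], status)
```

The signature field is deliberately informational only: the page notes that one BOOSTWRITE sample carried a valid code-signing certificate, so a signed module in the wrong place is still a finding, not a false positive to be filtered out.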
The FIN7 hacking team is constantly evolving its methods
The group was discovered by researchers in mid-2015. It is also known as Carbanak and Cobalt. Its main targets are banks and POS systems, and it has also attacked various European and American companies through the Carbanak backdoor.
Last year, some members of the FIN7 team were arrested. However, its malicious activities continue, and the hackers are using even more sophisticated tools, such as those found by FireEye's Mandiant researchers.
After the arrests of the team members, Arbor Networks identified a FIN7 phishing campaign against Russian and Romanian banks.
In May, other attacks were discovered that, according to the researchers, used the same tactics and techniques as the FIN7 hackers.
"These attacks have taken advantage of the standard and well-known tools of FIN7, such as CARBANAK and BABYMETAL; however, the introduction of new tools and techniques provides further evidence that FIN7 continues to evolve in response to improved security practices," the researchers say.