U.S. Automotive Manufacturer Thwarts FIN7 Attack, Prevents Ransomware Deployment

In late 2023, the Russian cybercriminal group FIN7, also known by aliases such as Carbon Spider and Sangria Tempest, targeted a major U.S.-based automotive manufacturer. The group employed spear-phishing tactics aimed at the company's IT department, leveraging employees' access privileges to facilitate the breach. As detailed in a report by the BlackBerry Research & Intelligence Team, the attack was confidently attributed to FIN7, as the perpetrators used a deceptive domain mimicking the Advanced IP Scanning tool as the lure, leading employees to the counterfeit website. This site initiated the download of the Anunak backdoor malware, granting the attackers initial access to the network.

The mechanics of the attack were multi-layered, as observed in the BlackBerry Research & Intelligence Team's findings involving the use of living-off-the-land binaries, scripts, and libraries (LOLBAS) to maintain a low profile while executing the attack. The primary executable deployed was WsTaskLoad.exe, which progressed through several stages, its execution flow begins with jutil.dll to execute a function that then decrypts and reads a WAV file, extracting a shellcode. This shellcode is then implanted into another DLL (mspdf.dll) and executed, which reads and decrypts another part of the WAV file to extract a loader. The loader then searches the directory for specific markers in files, identifying, decrypting, and executing the Anunak payload. A POWERTRASH PowerShell script is launched, to establish persistence and perform system reconnaissance by gathering user and network information. The use of csvde.exe is meant to extract information about computer and user objects from the directory environment, which can provide attackers with valuable network intelligence.

Additional activities focused on persistence and network manipulation involve the installation and configuration of OpenSSH on a Windows system, to enable encrypted communication and may be used by an attacker to maintain remote access. Scheduled tasks were created for persistence and evasion tactics were seen with "attrib" and "icacls" commands used by threat actors to manipulate file attributes and access control lists, essentially altering security settings to maintain persistence or to execute files stealthily. For instance, "attrib +h" was used to hide the ssh directory while "icacls" was used to modify permissions, potentially granting the attacker unrestricted access to sensitive files or system areas. Modifications were also seen with the Windows firewall with the addition of new rules to allow all incoming TCP traffic on local port 59999 and another inbound rule was set up to allow incoming TCP traffic specifically for the OpenSSH daemon (sshd.exe) on local port 9898.

Throughout the attack, FIN7 demonstrated methods to ensure persistence in the network, such as the installation of OpenSSH for potential lateral movement and various evasion techniques to operate under the radar. Fortunately, this specific campaign was detected by BlackBerry and prevented before further escalation. The attack did not just highlight FIN7's continuing focus on high-value targets but also demonstrated their evolving tactics that combine direct malware attacks with sophisticated social engineering. The group's use of typosquatting domains and disguised malware downloads point to a high level of planning and customization in their operations aimed at maximizing the success of their intrusions.