Threat Group FIN7 Targets the U.S. Automotive Industry

Summary

In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas). We also found evidence that this attack was part of a wider campaign by FIN7.

In this blog, we’ll examine the mechanisms behind this attack, and discuss active steps you can take to prevent your organization falling victim to phishing attacks.

Brief MITRE ATT&CK® Information

TacticTechnique
TA0001 – Initial AccessT1566.002
TA0002 – ExecutionT1204.002, T1059.001, T1569.002
TA0003 – PersistenceT1053.005, T1543.003
TA0005 – Defense EvasionT1027, T1564.001, T1222.001, T1562.004
TA0007 – DiscoveryT1124, T1057, T1087.002, T1069.002, T1082, T1033
TA0008 – Lateral MovementT1021.004
TA0011 – Command-and-ControlT1571, T1090
TA0042 – Resource DevelopmentT1608.005, T1583.001


Weaponization and Technical Overview

WeaponsAnunak, POWERTRASH, OpenSSH
Attack VectorSpear-phishing
Network InfrastructureSSH Tunnels
TargetsAutomotive Industry


Technical Analysis

Who is FIN7?

FIN7 is a Russian advanced persistent threat (APT) group that has been active since 2013. The group is financially motivated; in the past has targeted primarily the U.S. retail, restaurant, and hospitality sectors, although recently it has branched out into attacking the transportation, insurance, and defense sectors.

Also tracked as Carbon Spider, ELBRUS and Sangria Tempest, FIN7 is closely associated with other cybercriminal groups including GOLD NIAGARA, ALPHV and BlackCat. In 2020, the FBI issued a warning that FIN7 had begun using the infamous REvil ransomware in their attacks, as well as their own ransomware-as-a-service (RaaS) known as DarkSide, which is believed to be a rebrand of the BlackMatter ransomware.

In recent years, FIN7 has shifted their efforts from targeting the masses to the more precise targeting of large entities, a practice known as big game hunting. The group usually deploys ransomware as the end payload. Detection of a FIN7 intrusion early in the infection process can mitigate full network compromise and the typically large financial losses that ransomware can inflict.

In the case documented in this report, the BlackBerry Threat Research and Intelligence team detected the compromise and successfully stopped the intrusion before the threat group had a chance to launch a ransomware attack.

Attack Vector

So why did FIN7 shift to big game hunting? The reason for an attacker to put more resources into targeting a large entity is due to its presumed ability to pay a much larger ransom. Such an attack is usually very carefully orchestrated to ensure maximum effectiveness. The threat actors will first select and study their target company, searching for weaknesses and identifying employees who may have higher access privileges in the corporate network, before launching their attack.

In this case, employees with a high level of access privileges were targeted with spear-phishing emails that linked to “advanced-ip-sccanner[.]com”, a malicious URL masquerading (a.k.a typosquatting) as the legitimate website “advanced-ip-scanner[.]com”, a free online scanner.

This fake site redirected to “myipscanner[.]com”, which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto the victim’s machine.

Figure 1: Attack chain used to compromise the target company

Hashes (md5, sha-256)87aa5f3f514af2b9ef28db9f092f3249ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef
ITW File NameAdvanced_Ip_Scanner_setup.exe
Compilation Stamp2022-04-14 16:10:23 UTC
File Type/
Signature
Win32 EXE
File Size18155592
Compiler Name/VersionEmbarcadero Delphi (10.3 Rio) [Professional]
Installer NameInno Setup Module (6.1.0) [Unicode]
Hashes (md5, sha-256)bb23dde1e3ecef7d93a39e77e32ef96cd63060e61c98074c58926a6239185e8128fd0fbc2a45ccf60f3c831bb18ffc93
ITW File Name WsTaskLoad.exe
Compilation Stamp2018-10-10 03:56:59 UTC
File Type/SignatureWin32 EXE
File Size2234880
Compiler Name/VersionEmbarcadero Delphi (2009)


Execution Flow

WsTaskLoad.exe has a multi-stage execution in order to run the final Anunak/Carbanak payload:

First, it loads jutil.dll (SHA256: 5ce7b63ef05d9f5cb8e309e6b195e3acb69cc72b899f4ae07c48b85bedfb286e) which executes the exported function SizeSizeImage.

Then, jutil.dll reads and decrypts infodb\audio.wav (SHA256: c8d8d666b509afaa0ef349cc3de9a6eec6dde98cc8a0e50228f8793275fae401) at offset 0x30f21 with size 0x256e; the decrypted blob is a shellcode which is copied on previously loaded mspdf.dll (SHA256: cdc0186ff3fcb67986f4f1f54e3a2991dd73f8bde20acf3a739e0fff7c6d94a7) and executed via EnumWindows().

The shellcode reads and decrypts infodb\audio.wav at offset 0xc2bc1 with size 0x150600; the decrypted blob is a loader with SHA256 7e927e1db12c404683c9c8b232e8cecb7334eed618992e965388b0b63508509f, which is later loaded and executed by the shellcode.

Finally, the loader looks for files on the current directory checking for a specific mark: the mark matches on dmxl.bin (SHA256: d4960f3c7cc891ff2bafd0a080451e42e0a23ba4db54ae2d7d355497a3b3d81a) and dfm\open.db (SHA256: a186ea72c942232998429e0d8b1bc0e0876bdb535738eba0ed9f4be9aeaa81db); during our execution, we observed dmxl.bin being used as likely open.db for redundancy.

The decrypted dmxl.bin is the Anunak payload, with the campaign ID “rabt4201_x86“.

Later, WsTaskLoad.exe (executing the Anunak payload) manages dissemination of scripts and establishes persistence. The first thing WsTaskLoad.exe runs upon installation is a POWERTRASH obfuscated PowerShell script. POWERTRASH is a custom obfuscation of the shellcode invoker in PowerSploit.

Figure 2: Execution of POWERTRASH

It then checks system and network information on the host machine, gathering user information.

Figure 3: Reconnoitering by WsTaskLoad.exe

Persistence is established by installing OpenSSH, a connectivity tool for remote login with the SSH protocol. OpenSSH is scheduled as a task, and ports in the firewall are opened. Historical intelligence shows FIN7 typically utilizes OpenSSH for lateral movement as well, but this was not observed during this investigation.

More information on the network indicators of compromise (IoCs) is given in the Network Infrastructure section below.

Figure 4: Persistence being established

WsTaskLoad then procures basic system information:

Figure 5:  Checking user information after establishing persistence

Network Infrastructure

During the delivery phase of this campaign, the fake lure website “advanced-ip-sccanner[.]com” redirected to “myipscanner[.]com”. We found multiple domains registered within minutes of the original on the same provider, showing this campaign was not limited to the one BlackBerry detected, but may in fact be part of a wider campaign by FIN7.

Post compromise, OpenSSH is used for external access. The SSH tunnel proxy server is utilizing the SSH sha256 fingerprint bc4ef49e904d63415ee1c810c90019e12a590ff3b6293f4b69af65713a8da9fa, which is shared by 17 other hosts on the exact same ports of 53, 80, and 443. This is particularly interesting because SSH fingerprints are generally unique to servers or services as they are based on the public key presented by the server. The identical deployment and SSH fingerprint allow us to state with high confidence that these hosts are related.

Moderate confidence is given to another 21 hosts that are set up identically: ports 53, 80, 443, and 3721 hosting SSH; identical SSH fingerprints on ports 53, 80, and 443 with a different (probably management) SSH key on port 3721. These hosts also utilize the same hosting providers as our other “high confidence” hosts.

Domain/IPStringType
Domainadvanced-ip-sccanner[.]comDelivery
Domainmyipscanner[.]comDelivery
Domaintheipscanner[.]comDelivery
Domainipscanneronline[.]comDelivery
Domainipscannershop[.]comDelivery
Domainmyscannappo[.]comDelivery
Domainmyscannappo[.]infoDelivery
Domainmyscannappo[.]onlineDelivery
IP181[.]215.69[.]24C2
IP166[.]1.160[.]118C2
IP185[.]39.204[.]179C2
IP109[.]107.171[.]62C2
IP38[.]180.1[.]17C2
IP109[.]107.170[.]47SSH Proxy
IP162[.]248.224[.]79SSH Proxy
IP166[.]1.190[.]171SSH Proxy
IP166[.]1.190[.]186SSH Proxy
IP172[.]82.87[.]69SSH Proxy
IP185[.]161.210[.]18SSH Proxy
IP185[.]72[.]8.6SSH Proxy
IP185[.]72.8[.]70SSH Proxy
IP193[.]233.206[.]146SSH Proxy
IP207[.]174.31[.]205SSH Proxy
IP207[.]174.31[.]206SSH Proxy
IP209[.]209.113[.]91SSH Proxy
IP217[.]196.101[.]116SSH Proxy
IP38[.]180.14[.]240SSH Proxy
IP38[.]180.40[.]23SSH Proxy
IP46[.]246.98[.]196SSH Proxy
IP5[.]181.159[.]11SSH Proxy
IP62[.]233.57[.]98SSH Proxy
IP104[.]166.127[.]197SSH Proxy – Moderate Confidence Relation
IP104[.]166.127[.]200SSH Proxy – Moderate Confidence Relation
IP155[.]254.192[.]66SSH Proxy – Moderate Confidence Relation
IP166[.]1.190[.]48SSH Proxy – Moderate Confidence Relation
IP185[.]72.8[.]147SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]136SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]28SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]36SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]43SSH Proxy – Moderate Confidence Relation
IP193[.]233.23[.]177SSH Proxy – Moderate Confidence Relation
IP207[.]174.31[.]253SSH Proxy – Moderate Confidence Relation
IP23[.]133.88[.]52SSH Proxy – Moderate Confidence Relation
IP38[.]180.1[.]103SSH Proxy – Moderate Confidence Relation
IP38[.]180.20[.]94SSH Proxy – Moderate Confidence Relation
IP5[.]61.39[.]157SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]105SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]108SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]139SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]245SSH Proxy – Moderate Confidence Relation
IP62[.]233.57[.]195SSH Proxy – Moderate Confidence Relation
IP91[.]149.254[.]85SSH Proxy – Moderate Confidence Relation


Targets

The target of this attack was a large multinational automotive manufacturer based in the U.S. This is in line with the big game hunting that FIN7 has participated in for the last few years. The individuals targeted with spear-phishing attacks worked in the IT department, making them the most likely workers to have administrative rights and domain credentials.

Attribution

The obfuscation on PowerShell script 3CF9.ps1 is identical to that used in other FIN7 POWERTRASH scripts. The script utilizes the shellcode invoker from PowerSploit, as do previously verified POWERTRASH samples. This leads us to state with a high level of confidence that the attacker was indeed FIN7.

Conclusions

While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated. BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.

Remediation

The good news is that BlackBerry® cybersecurity solutions detect all malicious samples involved in this campaign. Early identification of the initial infection and subsequent actions by the threat actor allowed analysts to quickly locate the infected system. It was then removed from the network prior to lateral movement, preventing ransomware installation and subsequent damage to the victimized company.

Preventing Phishing Attacks

Just because your organization may be modest doesn’t mean your attack surface is smaller or less appealing to a threat group than a big company might be. Nearly 1.2 percent of all emails sent worldwide are phishing attempts, amounting to 3.4 billion emails daily, according to 2024 statistics. The average cost of a successful phishing attempt to an SMB resulted in losses amounting to $4.45 million USD.

Putting active security measures into place is the best way to preserve your organization’s finances and reputation, regardless of size. Phishing is becoming increasingly sophisticated and can take many forms, ranging from simple attempts to scam users, such as a malicious attachment or link in a phishing email, to more complex deceptions, such as those utilizing phone or even fake video via the use of AI-based deepfake technology.

As a recent example of this, just two months ago in February, a finance worker in a large multinational organization was tricked into paying out millions of dollars to fraudsters who used deepfake technology to pose as the company’s chief financial officer in a video conference call. The worker was initially suspicious after he received an email that was purportedly from the CFO, as it spoke of the need for a secret transaction to be carried out.

However, the employee put aside his doubts after a follow-up video call, because the CFO and other people on the call looked and sounded just like colleagues he recognized. The elaborate deepfake scam netted the fraudsters $25 million USD. With the use of generative AI on the rise, this is just the latest case in which fraudsters used deepfake technology to modify publicly available video and audio to cheat people out of money.

Recommendations for Mitigation

To thwart successful phishing attacks on your organization, there are a number of proactive steps organizations can take to protect themselves:

  • Conduct Regular Security Training. This remains one of the very best ways to protect businesses from phishing attacks. Teach employees basic red flags that are the hallmark of phishing attempts. Workers need to know how to verify the authenticity of emails and avoid clicking on links or downloading attachments from unknown or suspicious sources.
  • Social Engineering Awareness. This is the next step, but an important one.Expand your employee’s training to include sessions on how to recognize social engineering tactics, which may include the attacker attempting to engage with them via social platforms, phone, text, or even video call.
  • Phishing Report System. Put a system in place to allow employees to immediately report attempted phishing attacks to your SOC or IT security team. Adding a “Report phishing” button to your email system is a good first step. Enforce a culture of trust so that users feel comfortable reporting phishing incidents. 
  • Multi-Factor Authentication. Implement multi-factor authentication (MFA) on all user accounts. This makes it harder for an attacker to access an employee’s account and gain entry to your network, even if they steal password and login details.
  • Password hygiene: Use strong and unique passwords online, and don’t reuse the same password across multiple sites. Better yet, we strongly encourage the use of passwordless (e.g. FIDO2) authentication whenever possible.
  • Security Updates and Patch Management. Keep all employee apps, operating systems and devices updated to apply the latest security fixes.
  • Endpoint Security Solutions. Deploy endpoint security solutions such as antivirus software, endpoint detection and response (EDR) solutions, and email security gateways to detect and block phishing attempts, malware, and other threats at the endpoint.
  • Monitor Suspicious Behavior. Implement monitoring tools and processes to detect suspicious login attempts, unusual user behavior, and unauthorized access. Lock user accounts after a certain number of failed login attempts to deter attackers from guessing passwords.
  • Data Protection and Encryption. Encrypt sensitive data in transit and at rest. This can help protect data from unauthorized access following a successful phishing attack.
  • Email Filtering and Authentication. Implement advanced email filtering solutions to detect and block phishing emails before they reach users’ INBOXES. Use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to authenticate email senders and detect spoofed emails.
  • Incident Response. Develop and test incident response plans to mitigate security incidents quickly.
     

APPENDIX 1 – IoCs (Indicators of Compromise)

Hashes (md5, sha-256)87aa5f3f514af2b9ef28db9f092f3249ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef
ITW File NameAdvanced_Ip_Scanner_setup.exe
Compilation Stamp2022-04-14 16:10:23 UTC
File Type/
Signature
Win32 EXE
File Size18155592
Compiler Name/VersionEmbarcadero Delphi (10.3 Rio) [Professional]
Installer NameInno Setup Module (6.1.0) [unicode]
Hashes (md5, sha-256)bb23dde1e3ecef7d93a39e77e32ef96cd63060e61c98074c58926a6239185e8128fd0fbc2a45ccf60f3c831bb18ffc93
ITW File Name WsTaskLoad.exe
Compilation Stamp2018-10-10 03:56:59 UTC
File Type/SignatureWin32 EXE
File Size2234880
Compiler Name/VersionEmbarcadero Delphi (2009)
Domain/IPStringType
Domainadvanced-ip-sccanner[.]comDelivery
Domainmyipscanner[.]comDelivery
Domaintheipscanner[.]comDelivery
Domainipscanneronline[.]comDelivery
Domainipscannershop[.]comDelivery
Domainmyscannappo[.]comDelivery
Domainmyscannappo[.]infoDelivery
Domainmyscannappo[.]onlineDelivery
IP181[.]215.69[.]24C2
IP166[.]1.160[.]118C2
IP185[.]39.204[.]179C2
IP109[.]107.171[.]62C2
IP38[.]180.1[.]17C2
IP109[.]107.170[.]47SSH Proxy
IP162[.]248.224[.]79SSH Proxy
IP166[.]1.190[.]171SSH Proxy
IP166[.]1.190[.]186SSH Proxy
IP172[.]82.87[.]69SSH Proxy
IP185[.]161.210[.]18SSH Proxy
IP185[.]72[.]8.6SSH Proxy
IP185[.]72.8[.]70SSH Proxy
IP193[.]233.206[.]146SSH Proxy
IP207[.]174.31[.]205SSH Proxy
IP207[.]174.31[.]206SSH Proxy
IP209[.]209.113[.]91SSH Proxy
IP217[.]196.101[.]116SSH Proxy
IP38[.]180.14[.]240SSH Proxy
IP38[.]180.40[.]23SSH Proxy
IP46[.]246.98[.]196SSH Proxy
IP5[.]181.159[.]11SSH Proxy
IP62[.]233.57[.]98SSH Proxy
IP104[.]166.127[.]197SSH Proxy – Moderate Confidence Relation
IP104[.]166.127[.]200SSH Proxy – Moderate Confidence Relation
IP155[.]254.192[.]66SSH Proxy – Moderate Confidence Relation
IP166[.]1.190[.]48SSH Proxy – Moderate Confidence Relation
IP185[.]72.8[.]147SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]136SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]28SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]36SSH Proxy – Moderate Confidence Relation
IP193[.]233.22[.]43SSH Proxy – Moderate Confidence Relation
IP193[.]233.23[.]177SSH Proxy – Moderate Confidence Relation
IP207[.]174.31[.]253SSH Proxy – Moderate Confidence Relation
IP23[.]133.88[.]52SSH Proxy – Moderate Confidence Relation
IP38[.]180.1[.]103SSH Proxy – Moderate Confidence Relation
IP38[.]180.20[.]94SSH Proxy – Moderate Confidence Relation
IP5[.]61.39[.]157SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]105SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]108SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]139SSH Proxy – Moderate Confidence Relation
IP5[.]8.63[.]245SSH Proxy – Moderate Confidence Relation
IP62[.]233.57[.]195SSH Proxy – Moderate Confidence Relation
IP91[.]149.254[.]85SSH Proxy – Moderate Confidence Relation


APPENDIX 2 – Applied Countermeasures

YARA Rules

rule crimeware_fin7_powertrash {
  meta:
    description = “Identifies POWERTRASH powershell scripts”
    author = ” The BlackBerry Research & Intelligence team”
    version = “1.0”
    last_modified = “2024-03-04”  strings:
    // shellcode decompression
    $d1 = “[IO.MemoryStream][Byte[]]”
    $d2 = “New-Object IO.Compression.DeflateStream”
    $d3 = “New-Object Byte”
    $d4 = “[System.Convert]::FromBase64String(”    // shellcode invoker
    $s1 = “[sysTem.reFLECTiOn.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null)” nocase
    $s2 = “[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(” nocase
    $s3 = “[System.Runtime.InteropServices.Marshal]::Copy(” nocase
    $s4 = “[SYStem.rEFLeCtIOn.CallingConventions]::Any, @([string]), $null)” nocase  condition:
    all of them
}


APPENDIX 3 – DETAILED MITRE ATT&CK® MAPPING

TacticTechniqueSub-Technique Name / Context
Initial AccessT1566.002 – Phishing: Spear-phishing Link User with a high level of access privileges was targeted with a spear-phishing email that linked to “advanced-ip-sccanner[.]com”.
Resource DevelopmentT1608.005 – Stage Capabilities: Link TargetA malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.
ExecutionT1204.002 – User Execution: Malicious FileA malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.
Defense EvasionT1027 – Obfuscated Files or InformationWsTaskLoad.exe executes a Powershell obfuscated script.
ExecutionT1059.001 – Command and Scripting Interpreter: PowerShellWsTaskLoad.exe executes a Powershell obfuscated script.
DiscoveryT1124 – System Time Discovery3CF9.ps1 script executes System Time Discovery using net time.
DiscoveryT1057 – Process Discovery3CF9.ps1 script performs Process Discovery executing tasklist /v command.
DiscoveryT1087.002 – Account Discovery: Domain Account3CF9.ps1 script  enumerates domain accounts executing net group “Domain Admins” /domain.
DiscoveryT1069.002 – Permission Groups Discovery: Domain GroupsDiscovery3CF9.ps1 script enumerates domain groups executing net group “Domain Admins” /domain.
DiscoveryT1082 – System Information Discoverycsvde.exe exports system information (objectClass=Computer).
DiscoveryT1087.002 – Account Discovery: Domain Accountcsvde.exe exports Active Directory data (objectClass=person).
ExecutionT1059.001 – Command and Scripting Interpreter: PowerShellPowerShell installs OpenSSH.
 OpenSSH is installed for remote login with the SSH Protocol.
Defense EvasionT1564.001 – Hide Artifacts: Hidden Files and DirectoriesAdversary uses attrib +h to make SSH hidden.
PersistenceT1053.005 – Scheduled Task/Job: Scheduled TaskAdversary has used scheduled task to persists OpenSSH on victim’s machine.
PersistenceT1543.003 – Create or Modify System Process: Windows Servicesshd services is modified -> sc config sshd start= auto.
ExecutionT569.002 – System Services: Service ExecutionSshd service is started (Sc start sshd).
Defense EvasionT1562.004 – Impair Defenses: Disable or Modify System FirewallAdversary adds a new firewall rule for a Non-Standard Port: 59999.
Command-and-ControlT1041 – Non-Standard PortAdversary adds a new firewall rule for a Non-Standard Port: 59999.
DiscoveryT1082 – System Information DiscoveryWsTaskLoad gathers system information: Hostname.
DiscoveryT1033 – System Owner/User DiscoveryWSTaksLoad collect victim username through whoami.
DiscoveryT1087.002 – Account Discovery: Domain AccountWSTaskLoad executes Domain Account Discovery using net user /domain.
DiscoveryT1057 – Process DiscoveryWSTaskLoad performs Process Discovery through Tasklist.
Resource DevelopmentT1583.001 – Acquire Infrastructure: DomainsMultiple domains were found registered within minutes of the original on the same provider.
Command-and-ControlT1090 – ProxyPost compromise, OpenSSH is used for external access.

https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry