
All right, great, thanks. Hi folks, thanks for coming. This talk is going to look a little bit different than it would have done if I'd delivered it at the back end of July. This is an actor that we've been tracking probably since about 2015, very focused on financial crime, particularly targeted financial crime, so they're not really opportunistic in any sense. We've done a bunch of investigations around the world with these guys, a couple in Europe but mostly in the US, and as Warren kind of alluded to, there are a few people who have done some really good research on these guys, including Talos, which I'll touch on in a little bit as well. But the reason that it looks a little bit different now than it would have at the back end of July is that on the first of August the US Department of Justice announced that in early 2018 they'd actually arrested three of the key members behind the group. So this is a little extract from their indictment, just to give you a feel for the scale of some of these guys, or at least based on the stuff that the Department of Justice was willing to reference in the indictment: 15 million customer card records stolen. Most of those ended up for sale on a cybercrime forum called Joker's Stash, which we have a sort of half suspicion some of the FIN7 guys might actually run, and they certainly share and have access to that forum with some of the other targeted cybercrime groups like FIN6, which is particularly active in the UK and Europe at the minute. 6,500 point-of-sale terminals compromised at more than 3,600 separate business locations, and that's just in the US. So these guys were really quite prolific in what they did.

So this talk is really going to be a little bit of a run through some of the stuff that the Department of Justice called out in the indictment about how these guys operated, how they targeted different organizations, and then what that looked like from a research perspective, because our threat intel team's been looking at these guys since 2015, as well as from an incident response perspective in terms of how we've actually dealt with these guys in some of the victim networks as well, and then how they've reacted to some of the stuff that's been in the press about them as well. So hopefully it'll be a bit of a rapid-fire run-through and try and cover some of the more interesting points about how they actually behave.

I'm not expecting everybody to read this. The key points on this were basically that these guys typically phished their way in, and they typically crafted some stuff that was really quite relevant to the companies that were their primary target. This was retail, hospitality and leisure, so think food retailers like Chipotle, which is one of the big breaches that was in the public domain, and basically anybody in a kind of retail, leisure sort of sector, so anybody that's collecting massive amounts of credit card data or personal information. And where they found occasionally they were targeting environments that didn't have big POS terminal deployments, they would then actually switch the theme to target individuals that would know a bit about upcoming things like SEC filings around profitability and market results, those sorts of things, so that they could probably then front-run some of the market activity whenever those announcements came out. And the tailoring of some of the lures was always quite interesting. For the retail outlets this was, so (unclear), Missy says: "My name is Adrian Clark and I want to make a catering order for tomorrow 11:00 a.m. It's a big one, for 14 people. I've composed a list of what we'll need. Enclosed file contains all catering information. Click on Edit at the top of the page and then double click to unlock content." So quite specific around how you get access to this stuff. And this one's pretty much the same: "I want to make a takeout order for tomorrow at 11 a.m. Included file contains order and my personal info. Click on Edit at the top of the page and then double click to unlock content." Why change it if it works? And then the same thing: "This contains all necessary information and order on our website. Click Edit Anyway at the top of the page and then double click to unlock content."

And the ones which were slightly more amusing: for about a six to nine month period, whenever they were targeting restaurants, one of their consistent themes was to send an email pretending that they had dined at the restaurant the previous day, they were part of like a local company, and they had really bad diarrhea. And so there was one saying like, we are filing a formal complaint, please open this file and write-up, click at the top, etc. But that actually got them into some of their highest profile victims, and it became quite a strong indicator of these guys and some of their targeting of the retail and hospitality sectors for a good six to nine month window.

But one of the key ways of tracking them, and this was an almost flawless way of doing it for almost a year, was the document. They actually had two versions of it, this is a DOCX lure and an RTF lure, and every single one of them had this image in it, and it was basically exactly the same thing as the instruction set: it's like double click on it and enable macros and so on. But if you remember Costin's talk about YARA and some of the cool things that you can do with it, you can actually track embedded images in RTF files and DOCX files. And you might think DOCX is a bit of a weird one because that's a compressed zip file, so how do you write a YARA rule for the contents? It's actually the case that images are not compressed in DOCX files, so they sit in the raw zip file and the actual image structure is exactly the same. So you can create the YARA rule for the binary of the image and then track all the documents that it's used in. And so until a couple of other families started stealing this lure (so I think TrickBot started using it at the back end of 2017) it was actually a really reliable way of tracking FIN7 activity.

So that got them into huge amounts of their victims. What that basically did was drop a very, I guess not complex but quite heavy, JavaScript framework that they used to then drop a whole lot of secondary payloads. So it let them do system enumeration, fingerprinting to figure out kind of what they were in, what systems they were on, what it had access to, who the users were; let them upload and download files; let them run screen grabs; and let them drop some other payloads like TinyMet, so the tiny Meterpreter version, which they used for quite a long time to do some more interactive access, and they also used Cobalt Strike for a while as well.

But one of the things that was quite interesting was that every single deployment they did had a different hash value, so they never repeated this JavaScript payload across victims. And one of the ways, even though the core functionality remained the same, one of the ways that they changed the codebase was to basically take junk JavaScript code, not junk, but take JavaScript code from open source websites and drop it into their own JavaScript files, but they never called it. And so this is their code on the left, in their script file; the one on the right is actually "top 20 JavaScript questions you're likely to get asked in an interview". And they just would literally go to Stack Overflow, they'd go to a bunch of sites, just find anywhere that there was public JavaScript code, copy big chunks of it and then drop it in their own payloads. And it kind of bulked it out, it might mean it less likely that AV was going to trigger on it, and those types of things. So they were really trying to obfuscate this quite heavily, and genuinely it actually worked for them quite a bit. I'll show you some of the structure of this in a bit, but this actually made decoding some of these a little bit more complex. And actually over time they incrementally made a whole lot of other changes to try and actually evade the researchers that were tracking them. And so Costin mentioned another blog post by this company called Morphisec; they also published some stuff on these guys. FireEye did some stuff, Talos did some stuff, and then Proofpoint did some stuff as well. And almost every single time, I'll show some data points on this, these guys reacted within a few days to update some of the code, to make some changes to the evasion technique for the stuff that we were trying to use. So that's a little bit about how they got in.

This is another snippet from the indictment: so they frequently targeted victim companies with customers who used payment cards, and in those cases FIN7 configured malware to extract a copy and compile payment card data and then transmit it to C2 servers controlled by FIN7. Kind of obvious for them to be doing if they're targeting retail environments. So from an incident response perspective, this is a little bit about what some of that stuff looked like. So they had a script, and we always used to joke that if we ever find an a.vbs or an a.something on a victim, that was a pretty good starting point for anything bad. These guys consistently called this a.vbs, and it was effectively a script that copied a file called dumper.ps1, so a PowerShell script, from one system to another. But in many of the, it's kind of cut off slightly at the bottom for good reasons, but in many of the cases we investigated these guys already had legitimate credentials that let them move around the payment terminal network. So in this case the domain was blank, the username is "term user" and then they had a valid password. So they'd already picked this stuff up from doing some of the recon after their initial phishing, configured this script and then ran it. The command, which I pulled out on the right hand side, basically copies it back and forward from some other systems to get it deployed around the environment.

So back to the indictment: "conspiracy compromised, illegally accessed and had unauthorized communications with", which is really weird phrasing, "exfiltrated proprietary, private, non-public victim data and information from the computer systems of victims", three arrests, a restaurant chain with thousands of locations in the US. So in this specific instance they keep talking about the District of Washington because that's where the indictment was filed, but thirty-three restaurant chains just in Washington and thousands nationally.

So one of the interesting things that we figured out in some of the incident response cases was why they were getting such broad point-of-sale malware deployments in these victim networks. We've seen FIN6 do this recently as well, but FIN7 was the first group that we actually saw using PsExec and hijacking Altiris, so the Symantec Altiris software distribution tools. They managed to get onto that, distribute their own script in exactly the same way that the company would push out their own software updates or patch updates etc., and managed to hit 95% of the POS terminals in one go, which is pretty slick. So that was one of the things they really focused on quite heavily whenever they got into an environment, and we've seen in some of the recent FIN6 cases we've investigated in the UK and Europe that they've done exactly the same thing as well. And it's definitely something to look out for if you're defending a network: make sure you've got good logging on the software distribution systems as well.

And so going into dumper.ps1, this kind of does what it says on the tin: it's the credit card scraper or dumper, their main POS malware. It starts off with an included base64 array, the first bits of that, so the TVqQ string should be pretty familiar to any of you that are doing any research, and that's the included PE header for a binary. But this just decoded that and tried to elevate privileges and then run it. So the binary that it dropped out was a normal Windows PE binary. The first thing it did was try to check if it had admin privileges, and again whenever it figured out if it had admin privileges it dropped into a function for some of the more interesting stuff and then kicked off.

So the way that this managed to persist on systems despite reboots was actually a method that we hadn't seen anybody do in the wild before, and it was effectively creating a blob that then got loaded into a specific registry key. But it was what that blob did then that was quite interesting; the persistence, how that registry blob got loaded, was the interesting thing. So it created a registry key that had a little Microsoft string at the start, so if anybody was looking at it, it probably just looked quite legitimate or something to do with Microsoft DRM, and then there was a shellcode loading routine straight after that, then another kind of string break, and then a whole bunch of encoded binary content. So that in itself wasn't particularly interesting, but it kind of staged that, and then it went on to build an entry in the shim cache. So this was basically Microsoft's method for doing inline patching at system boot; it's the way a lot of the Microsoft updates work, and programmatically this is all pretty well documented, so anybody that needs to develop a little inline patch for something can follow the instructions and build a shim database. So this created it in the temp directory, pretty random name, and then ran it with sdbinst, so it installs the patches and runs quietly; no notifications were popped up. Then looking at the code for this, there's actually a little part of it that drops out all of the key points of the shim database, and so this was targeting services.exe, that was the main process it was targeting, and then this string table was a set of options for how it was named. So any kind of shim patch that's loaded at runtime you cannot see in the Application Compatibility database, but you can see it in the installed updates. And the way this managed to hide itself was that it basically picked one of those names, so either "Microsoft KB", "services fixer", "services.exe", "Microsoft services" or "Microsoft Corporation", and that was then what popped up in Add/Remove Programs as one of the updates that was installed. So this was actually quite hard to find if you were just literally looking at stuff on the system, but a really, really nice way of getting persistence. Whenever we then mapped back how the attacker had gone about this, we thought this was something quite new. I think it was 2016 or 2017 when we found them doing this for the first time on an investigation. We realized actually it's not new, and they were literally following a playbook that somebody at iSIGHT had written and presented at Black Hat in 2014, and it's a really good bit of documentation about this technique, and they flagged at that point that this is probably going to be used for persistence at some time. So a really quite nice thing to use in the wild. That was a little bit about the POS malware; how it actually operated after that was pretty standard. There was a regex that just looked for the card track values, pulled them out, dropped them into another log file, and the actor collected them and shifted them off.

So moving back to the JavaScript framework. These guys were incredibly active. Like I said, they didn't redeploy the same version of the JavaScript framework into any victim, and we pulled together a little bit of a snapshot of some of their activity. So this is just an example of the development lifecycle from the first of June to the 30th of July in 2017, and there's actually a lot of development, starting off at version 124. And so the JavaScript framework has a value called kaid built into it that basically was their version number, which made it actually quite easy to track whenever they were changing things. And even just taking July on its own, there are 21 working days in July; these guys produced 19 different versions of the malware, so it was pretty much something every day that they were knocking out. And from the visibility we have, it looks like every single version was targeting a different victim. So in terms of their operations, you've got a developer doing something full-time in terms of building new versions of this; you've then obviously got other people doing a lot of the deployment, targeting, recon work and some of the exfil and intrusion operations as well. That was kind of a two-month snapshot of this. If we zoom out a little bit, the earliest version that we have was version 19 of this stuff; the latest version was 204. If we plot those on time, there's a couple of little quirks around the start where they were playing with some of the version numbers, but broadly you can see the development lifecycle. This is March 2017 through to basically the end of September or October 2017, so almost, with the exception of a big spike at the start, a relatively linear kind of development lifecycle, and some other overlays that we can do on this as well that are quite interesting.

So in terms of some of the changes, a lot of these micro-evolutions were prompted by detection techniques. Not all of them were published, but they kept a very close eye on when some of the security solutions in the environments they were targeting were picking them up. So even if somebody hadn't released a blog about the activity, what they were finding was actually as soon as AV was starting to pick up some of this stuff, or, say, FireEye was blocking it at the perimeter, they would immediately make changes to it. So just even across versions, from one version to the next, they made a bunch of changes. There are a couple of interesting things in this. So the one on the left, they realized, in the bot ID, and so they had a little CUID function that created a unique identifier for that bot, but it wasn't unique enough, so they were starting to get conflicts across different victims whenever they were deploying it, because sometimes the hash value wouldn't be unique enough. So in the version on the right they built in a bot suffix, and so again for each piece of the framework they were deploying, each victim had its unique suffix effectively, because that version of the JavaScript would only be deployed to that victim. So the combination of that plus the identifiers that made that system and that specific victim unique, and then the C2 arrays that they used as well, which typically changed every few versions; they did reuse some of that. But the other bit: there's a specific Caesar cipher alphabet, which again changed every single version, that handled the C2 protocol as well. So not exactly strong encryption, but just enough to make sure you couldn't write basic IDS signatures for it. So that was just literally version to version.

And some of the other things that they did: they worked out that some of the researchers, including us, were able to automate the decode of the entire JavaScript framework. This was actually several layers deep, so they had a master JavaScript file which had a whole ton of base64 encoded arrays in it; whenever you then decode it, a bunch of those also contained additional base64 arrays; whenever you then decoded those, you dropped out the actual raw JavaScript payload at the end of it. So it was kind of several layers deep, but with the variables that they used, like bot ID, alpha, DK, k ID, bot suffix and so on, it was very easy to write a quick shell script that kind of dropped through all of that and just decoded everything straight out. What they did to try and evade that was randomly name all the variables, kind of two-character things: the one on the right starts with cv, cw, cx, cy and so on. And so those things started kind of and went incrementally and then rotated whenever they got to the end of the alphabet, and again those were different for every single one, so there was no way of doing a specific search for those; you had to build another routine to do it. So that was a little bit of what that looked like.

We obviously then tried to get that on a graph. I'm not expecting you to read this, but whenever we started mapping every single file name, every single domain and every single URL that they used for this stuff, it became pretty obvious that this turns into a quite big graph, but it gave us some pretty good stuff that we can then feed into detection techniques. And actually there was a little video of this which I have lost somewhere. Yeah, don't worry about it, a little video showing some of the decoding on it.

So one of the things that we're always quite interested in, and we've seen this with a bunch of the other actors, and actually some of the ones that Costin spoke about this morning, particularly the high-end espionage groups, pay really close attention to when they're discovered or when anybody publishes on them, to the point where some of the really high-end ones will literally tear down their entire infrastructure, remove all their implants etc. in a matter of minutes after being discovered or somebody publishes a blog on them. So if you want any good stories like that, Costin will have a few that he can tell you over beers. These guys as well pay pretty close attention to a lot of stuff. So just looking at some of the blogs that were published about them: summer last year was one of their really heightened periods of activity, so just a few months before the arrests, and it corresponds to some of the best industry publications on them as well. So we have FireEye in March 2017 talking about the SEC-themed, like financially themed, spear-phishing campaigns they ran. Morphisec, then just a few days later, said they'd discovered what they originally described as a polymorphic fileless attack, to which a few of us pointed out that actually the thing leaves files scattered all over disk, and so "polymorphic" and "fileless" were maybe overstating it slightly. They then did another set of blog posts in June about the restaurant targeting. FireEye mentioned them quite a lot in a lot of their discussion papers; there's a guy called Daniel Bohannon, if you haven't seen his white paper on obfuscation techniques it is well worth the read, whether you're a blue team or red team. And then a company called Icebrg, which designs a network sensor, had responded to a few cases including one of our clients and published some of their findings. And then our good friends at Talos did one of the best posts on some of the new JavaScript stuff, which was known as Bateleur, I'm not quite sure how you pronounce it, in September, and then Icebrg did their last public one at the very start of October in 2017.

So if we go back to the timeline of when these guys were actually releasing new versions, you can actually align the development sprints they did, where they were coming out really frequently with new versions, to some of the blog posts. And so there are little clusters of activity that overlap, particularly up in the center, summer last year, just over halfway; we're almost within a day or two of a blog post coming out and they would have several new versions, with a whole bunch of techniques to avoid however the previous researchers were catching them. And then they did a wholesale change in the entire framework on the 6th of October, which was literally just a few days after Talos's blog post on the 27th of September. So they obviously had somebody pretty focused on rewriting this stuff.

So onto some of their targeting. Unsurprisingly, it was pretty obvious they designed a lot of infrastructure to mimic the victims they were going after, or at least their sectors, so everything from Waffle House to Strikes with Lucky through to Delicious Wings and Domino's. You can actually tell from the domains that they were using for some of the phishing who they were targeting, and the command and control infrastructure, the back end, was more kind of like Google services or cloud-based themes, which is why there's another little cluster associated with it (unclear); it's one of the reasons we think they're related to FIN7. But quite a lot of their targeting was pretty obvious from the domains they were using.

So back to the indictment. The interesting bit from this, from our perspective, is the last part of this: so FIN7 often utilized various off-the-shelf software and custom malware, so I've already mentioned things like Mimikatz, or sorry, Meterpreter, and custom malware like POS terminal malware and a combination thereof to extract and transfer data to a "loot" folder on one or more servers controlled by FIN7. So one of the things that we were doing, particularly after the IR cases that we worked where we found the dumper.ps1 scripts that loaded the POS malware, was going and looking for unique strings in that that we could find anywhere, so across our malware repos that we've got access to, and even just very simple Google searches for it. One of the things which we found was their command and control panel. So we actually found a version of this that they had slipped up with and forgotten to protect, so a little bit sloppy from their perspective, but we found this within about three weeks of them making that mistake, and this was where the Department of Justice got the "loots" term from. So the menu on the left was Hosts, which is what you see there, so every host that was infected with the JavaScript framework, and then Loots, which was all of the stuff that they were able to actually get from those systems. So this was actually a pretty good insight into what these guys were doing, who they'd been targeting and some of the malware they'd been using. So as well as the list of the systems, we were able to see the history of all of the commands that they had run on those systems, including when it was run and the output of it. So the output was stored on disk and there was a little command you can run through the panel to actually grab the output and pull it back, so you can then see what was happening. So of course we wrote a kind of scraper that just went through it all and pulled everything back.

One of the more interesting things about this group was that they're quite often lumped in with another group called Carbanak, which actually isn't a group, it's a malware family used by several groups, and there was always a bit of debate as to whether FIN7 was related to those guys or whether they were the Carbanak group, one and the same. This kind of proved our link to Carbanak, or to FIN7's use of Carbanak. So one of the search terms that we were running from the incident that we were looking at, where we've got some of those scripts, popped up here, and then whenever we pulled some of the payloads back that had been run on victim systems, we were able to conclusively show one of them was indeed Carbanak. So we had actually seen first-hand FIN7 deploying the Carbanak malware into some of the victims, and this proved quite useful in terms of just being able to see a bit about what they were up to and some of the things they were testing.

The other bit that we found quite interesting in their development was their build pipeline. So as I mentioned, they were doing a new build almost every single day. We found a rather curious fact about that build process: if you look at the timelines of when some of this stuff was created, some of it was first seen in the wild on VirusTotal and then first uploaded to VirusTotal, or some quite interesting discrepancies, and it was quite often the case that whenever one of their documents was uploaded to VirusTotal, VirusTotal reported that it had first seen the hash in the wild before the document was first uploaded. So digging into that a little bit more and testing it, it looks like if you search for a hash on VirusTotal and VirusTotal doesn't actually have the file, it will record the fact that you searched for the hash, and then when the file is later uploaded it will show that search as the first in-the-wild submission. So the interesting bit of this was, obviously metadata in some of the document templates is in local time zone; VirusTotal's timestamps are in UTC. So we can actually see these guys creating a document, and this was at 05:14 local time; the document was last modified 05:25, so nine minutes later; 02:25 it was first seen in the wild on VirusTotal, and then a while later it was uploaded by a victim. And so there was this discrepancy of local time of the documents and UTC being almost exactly three hours, and what we worked out was there was part of the build pipeline for these guys that every time they created a new JavaScript file they would search for the existence of the hash of that file on VirusTotal. And so whenever then somebody uploaded it, you can actually see when the malware author had tested it, because they had previously searched for the hash. And so there are a whole bunch of examples of these; this is just another one, so 09:50 local time, 09:56 local time last modified, so it took them six minutes to create this one, 06:56, and so literally within the same minute the hash was searched for on VirusTotal, and then a while later a victim uploaded it. It's a really good indication that these guys were in a UTC+3 time zone, which is obviously, you know, Ukraine or Russia.

So getting to some of the real-world side of this. This is where some of the Department of Justice reporting is really quite fascinating. The way these guys worked was that they actually had some core people in a group, but they ran a front company called Combi Security that advertised pentesting services, and so they created job posts on LinkedIn, they hired people in Israel and Russia and elsewhere to actually help them do pen tests, and they managed the whole process with JIRA and HipChat and other things, and would assign tasks to these people to either do development work for them or like do recon on an organization or exfil from an organization. And for the most part a whole load of those contractors had no idea they were actually conducting criminal operations at all. And so the DOJ has obviously done a bit to try and figure out who these people were, obviously spoken to a few of them, and tried to delineate between those guys and the core folks that were running the whole shebang. But the fact that these guys publicly had a company with its own website, that had some job adverts on LinkedIn etc., was quite brazen, and obviously it's pretty explicit what they were after. So you've got "looking for (unclear) devs", Ruby on Rails devs to help them customize a lot of the front end. No surprise that there are also people who have it on LinkedIn as having worked for Combi Security, and they're surprised as well; some of them graduated in computer information systems security degrees from university, and actually a whole lot of other ones as well that you can find have since cleaned up their LinkedIn accounts. But again, as Costin alluded to, once something's on the internet you can't get rid of it. And so some of these ones are quite interesting as well: so full stack developer, a C++ developer for Combi Security, so that might be where some of the C++ POS malware got developed, who knows. But there's everybody in here from somebody saying they were in a pen test role to developer roles to JavaScript dev roles etc., and just quite a nice way of doing this. And so that's the old version of their website. This got torn down in mid-2017 but it was running pretty consistently throughout 2016. They had Russian, Hebrew and English versions of it as well, so pretty good for all of the places they were trying to hire people in, and yet just fascinating that this was running and that was their recruiting vehicle to actually get people in to conduct this stuff for them.

So the bit I mentioned where we think there's another related group to these guys: so Cisco and Proofpoint have both published on the Bateleur JavaScript framework, which we think was very closely tied to some of the FIN7 operations. And the other thing that they did post the Talos blog post about a lot of this stuff was to completely drop the old version of the framework, and there's a new one now in existence as well, which I think FireEye called GRIFFON, if I remember right. Very, very simple malware framework, or sorry, JavaScript framework, which literally has a basic loop that runs every 12 seconds or so and just tries to send some stuff back to the C2 server. But again it gives them the ability to just deploy any other tools down to that system whenever they think it's of interest and they actually want to go and do some more stuff on it. In terms of the activity of these guys, they're still really active, so the arrests have not impacted these guys at all. So the arrests were in January of the three FIN7 guys; these guys have continued (unclear), and so we've got domains from April right through to literally a few days ago on the 9th of September, all pretty much cloud or API or CDN focused in terms of themes. And the way that we track some of these, if anybody's interested, there's actually a really reliable 302 response on it which you can use Shodan to track, so if you pick some of these and have a look at the Shodan reports on it you'll be able to find an indicator that you can then use to find other ones as well. So it'll be interesting to see where these guys go, and part of the reason we think they're linked is the targeting, partly the infrastructure and the style of it, and partly the JavaScript framework, which just seems very, very similar to how the core FIN7 guys originally did their operations. So we'll see how successful these guys are. They're certainly on a smaller scale than FIN7 was at its height back in summer last year, but it'll be pretty interesting to see where they go, and I think that is pretty much all I've got.
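The YARA trick the speaker describes, tracking the lure by the bytes of the image embedded in the .docx, works only because the OOXML container leaves those bytes intact. The Python below is an added example, not the speaker's or any vendor's code; the lure image, the signature slice and the two .docx-shaped ZIPs are all constructed inline. It shows a raw byte-signature search (what a YARA string does against the file on disk) matching when the media entry is stored uncompressed, failing when the same image is deflated, and the unpack-and-search fallback for that case.

```python
"""
Added example: why a byte-signature rule for an image embedded in a .docx lure
can match the raw file. A .docx is a ZIP container, and Word normally writes
already-compressed media (PNG/JPEG) with the ZIP "stored" method, so the image
bytes sit verbatim inside the document. Everything here is constructed; a real
rule would carry bytes taken from the real lure image.
"""
import io
import zipfile

# Constructed stand-in for the recurring "enable content" instruction image:
# a PNG signature followed by filler. The filler is repetitive on purpose so
# the deflated variant below actually compresses rather than being stored.
LURE_IMAGE = b"\x89PNG\r\n\x1a\n" + b"FIN7-lure-instruction-image-CONSTRUCTED" * 4

# The "rule": a distinctive slice from inside the image, the way you would lift
# a few dozen bytes of the embedded picture into a YARA string. Deliberately
# not the 8-byte PNG magic, which every PNG on earth shares.
SIGNATURE = LURE_IMAGE[16:48]


def build_docx(image: bytes, compress_type: int) -> bytes:
    """Build a minimal .docx-shaped ZIP with the image under word/media/,
    using the given ZIP compression method for the media entry only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>", zipfile.ZIP_DEFLATED)
        zf.writestr("word/document.xml", "<w:document/>", zipfile.ZIP_DEFLATED)
        zf.writestr("word/media/image1.png", image, compress_type)
    return buf.getvalue()


def build_lure_variants() -> tuple:
    """The same lure image packed two ways: stored (how Word normally writes
    media) and, for contrast, deflated."""
    return (build_docx(LURE_IMAGE, zipfile.ZIP_STORED),
            build_docx(LURE_IMAGE, zipfile.ZIP_DEFLATED))


def raw_signature_match(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """What a YARA string match does against the raw .docx: a plain byte
    search over the whole container, with no ZIP decompression at all."""
    return signature in blob


def embedded_media_methods(blob: bytes) -> dict:
    """Report how each word/media/ entry is stored, so an analyst can tell up
    front whether a raw-bytes rule has any chance of firing on this file."""
    names = {zipfile.ZIP_STORED: "stored", zipfile.ZIP_DEFLATED: "deflated"}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {info.filename: names.get(info.compress_type, str(info.compress_type))
                for info in zf.infolist()
                if info.filename.startswith("word/media/")}


def decompressed_media_match(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Fallback for producers that did deflate the image: unpack the
    container and search each media part individually."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(signature in zf.read(info)
                   for info in zf.infolist()
                   if info.filename.startswith("word/media/"))


if __name__ == "__main__":
    stored, deflated = build_lure_variants()
    print("stored   raw match   :", raw_signature_match(stored))        # True
    print("deflated raw match   :", raw_signature_match(deflated))      # False
    print("deflated media method:", embedded_media_methods(deflated))
    print("deflated unpacked    :", decompressed_media_match(deflated))  # True
```

The stored/deflated report is the check worth running before trusting a raw-bytes rule on a new lure family: if a producer deflates its media, the rule needs the unpacked parts instead.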