Threat Group FIN7 Targets the U.S. Automotive Industry

BlackBerry observed a FIN7 spear-phishing campaign that targeted IT staff at a large U.S. automotive manufacturer, delivering a malicious installer masquerading as an IP scanner which ultimately deployed the Anunak backdoor. The intrusion used staged loaders, a POWERTRASH‑obfuscated PowerShell shellcode invoker, and OpenSSH for persistence and remote access. #FIN7 #Anunak #POWERTRASH #OpenSSH #WsTaskLoad.exe

Keypoints

  • FIN7 conducted targeted spear‑phishing against IT employees using typosquatted IP scanner domains to deliver a malicious installer.
  • The initial installer chain delivered WsTaskLoad.exe which loads DLLs and decrypts embedded blobs to execute staged shellcode and a loader that unpacks the Anunak payload (campaign ID “rabt4201_x86”).
  • Post‑execution included an obfuscated PowerShell script (POWERTRASH) that invokes shellcode and performs host reconnaissance (system, process, and account discovery).
  • Persistence was achieved by installing and scheduling OpenSSH (sshd), modifying service configuration and firewall rules to allow remote access on nonstandard ports.
  • Network infrastructure used multiple attacker‑owned domains for delivery and numerous SSH proxy hosts sharing identical SSH fingerprints, linking them to the campaign.
  • BlackBerry detected and removed the infected host before lateral movement and ransomware deployment; YARA rules were provided to detect POWERTRASH samples.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – FIN7 targeted IT staff via spear‑phishing linking to a malicious typosquat: ‘employees with a high level of access privileges were targeted with spear-phishing emails that linked to “advanced-ip-sccanner[.]com”.’
  • [T1608.005] Stage Capabilities: Link Target – Malicious URL redirected to attacker Dropbox to fetch executable: ‘This fake site redirected to “myipscanner[.]com”, which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe.’
  • [T1204.002] User Execution: Malicious File – Victim executed the delivered installer (Advanced_Ip_Scanner_setup.exe/WsTaskLoad.exe): ‘downloaded the malicious executable WsTaskLoad.exe onto the victim’s machine.’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – WsTaskLoad.exe executed an obfuscated PowerShell script (POWERTRASH): ‘the first thing WsTaskLoad.exe runs upon installation is a POWERTRASH obfuscated PowerShell script.’
  • [T1027] Obfuscated Files or Information – Use of POWERTRASH obfuscation to hide shellcode invoker and payload actions: ‘POWERTRASH is a custom obfuscation of the shellcode invoker in PowerSploit.’
  • [T1053.005] Scheduled Task/Job – Persistence via scheduled tasks for OpenSSH: ‘OpenSSH is scheduled as a task, and ports in the firewall are opened.’
  • [T1543.003] Create or Modify System Process: Windows Service – Service configuration modified to make sshd start automatically: ‘sshd service is modified -> sc config sshd start= auto.’
  • [T1562.004] Impair Defenses: Disable or Modify System Firewall – Adversary created firewall rule for nonstandard port to enable access: ‘Adversary adds a new firewall rule for a Non-Standard Port: 59999.’
  • [T1090] Proxy – Post‑compromise use of OpenSSH as an SSH proxy/tunnel for external access: ‘Post compromise, OpenSSH is used for external access.’
  • [T1082] System Information Discovery – WsTaskLoad and scripts collect host and user information: ‘It then checks system and network information on the host machine, gathering user information.’

Indicators of Compromise

  • [Domain] delivery infrastructure – advanced-ip-sccanner[.]com, myipscanner[.]com (typosquat and redirectors)
  • [File name] installers/payloads – WsTaskLoad.exe, Advanced_Ip_Scanner_setup.exe
  • [Hash] payload/loader examples – WsTaskLoad.exe SHA256: bb23dde1e3ecef7d93a39e77e32ef96cd63060e61c98074c58926a6239185e81, Advanced_Ip_Scanner_setup.exe SHA256: 87aa5f3f514af2b9ef28db9f092f3249ff4c287c60ede1990442115bddd68201, and other hashes for jutil.dll, mspdf.dll, dmxl.bin
  • [IP] C2 and SSH proxies – example C2: 181[.]215.69[.]24, example SSH proxy: 109[.]107.170[.]47 (see appendix for many related hosts)
  • [File] embedded resources – infodb/audio.wav (encrypted blobs used as shellcode/loader)

The technical attack chain began with a spear‑phishing lure that directed targets to a typosquatted IP scanner domain; that domain redirected to attacker‑controlled hosting (myipscanner[.]com and an attacker‑owned Dropbox), which delivered a malicious installer (Advanced_Ip_Scanner_setup.exe → WsTaskLoad.exe). WsTaskLoad.exe performs multi‑stage execution: it loads jutil.dll, decrypts the embedded audio.wav blobs to extract shellcode, uses mspdf.dll as an execution host via EnumWindows(), then decrypts and loads a secondary loader that looks for marker files (dmxl.bin / dfmopen.db) and finally unpacks the Anunak payload (campaign ID “rabt4201_x86”).

After payload execution, the implant deployed a POWERTRASH‑obfuscated PowerShell script to invoke shellcode, conduct host reconnaissance (system time, process list, domain account/group enumeration), and orchestrate persistence. Persistence steps included installing OpenSSH, configuring the sshd service to start automatically, scheduling tasks, hiding SSH files, and adding firewall rules to permit remote access on nonstandard ports (example port 59999), enabling SSH tunneling and proxying for external access and potential lateral movement.
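The persistence steps above (sshd set to auto-start, a scheduled task, hidden SSH files, and an inbound firewall rule on a nonstandard port) each leave a characteristic command line in process-creation telemetry. The Python below is an added example written for this summary, not code from the BlackBerry report: it runs a few hunting rules over constructed sample events and reports hosts where the service change and the firewall change co-occur. The event shape, host names, exact command-line forms and the 1024 "high port" threshold are assumptions for illustration; only port 59999 and the `sc config sshd start= auto` command come from the report.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample records shaped like process-creation log entries (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws-it-01", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc config sshd start= auto"},
    {"host": "ws-it-01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Open" dir=in action=allow protocol=TCP localport=59999'},
    {"host": "ws-it-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc onstart /tn "ssh" /tr "C:\ProgramData\ssh\sshd.exe" /ru SYSTEM'},
    {"host": "ws-it-01", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\ProgramData\ssh"},
    {"host": "ws-fin-07", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc query spooler"},                      # benign administration, must not match
    {"host": "ws-fin-07", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh interface show interface"},        # benign, must not match
]

# Assumption: an inbound allow rule for a port at or above this value is treated as "nonstandard".
HIGH_PORT_THRESHOLD = 1024

# (rule name, ATT&CK technique as mapped in the report or None, regex over the command line)
RULES = [
    ("sshd service set to auto-start", "T1543.003",
     re.compile(r"\bsc(?:\.exe)?\s+config\s+sshd\b.*\bstart=\s*auto\b", re.I)),
    ("scheduled task launching sshd", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*sshd", re.I)),
    ("ssh directory hidden with attrib", None,   # report describes hiding SSH files but gives no technique id
     re.compile(r"\battrib(?:\.exe)?\s+.*\+h\b.*\\ssh\b", re.I)),
]

# Inbound allow rule; the captured group is the local port so the threshold can be applied.
FIREWALL_RE = re.compile(
    r"advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b.*\blocalport=(\d+)", re.I)


def scan_events(events: List[Dict[str, str]]) -> List[dict]:
    """Return one finding per (event, rule) match; benign events produce nothing."""
    findings: List[dict] = []
    for ev in events:
        cmd = ev["cmdline"]
        for name, technique, rx in RULES:
            if rx.search(cmd):
                findings.append({"host": ev["host"], "rule": name,
                                 "technique": technique, "cmdline": cmd})
        m = FIREWALL_RE.search(cmd)
        if m and int(m.group(1)) >= HIGH_PORT_THRESHOLD:
            port = int(m.group(1))
            findings.append({"host": ev["host"], "technique": "T1562.004", "cmdline": cmd,
                             "rule": f"inbound firewall rule opening nonstandard port {port}",
                             "port": port})
    return findings


def hosts_with_chain(findings: List[dict]) -> Set[str]:
    """Hosts showing both the sshd auto-start change and the firewall opening: the
    combination the report describes, which is far rarer than either event alone."""
    techniques_by_host: Dict[str, Set[Optional[str]]] = defaultdict(set)
    for f in findings:
        techniques_by_host[f["host"]].add(f["technique"])
    return {h for h, t in techniques_by_host.items() if {"T1543.003", "T1562.004"} <= t}


if __name__ == "__main__":
    results = scan_events(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']}: [{f['technique'] or 'n/a'}] {f['rule']} <- {f['cmdline']}")
    print("hosts with full persistence chain:", sorted(hosts_with_chain(results)))
```

Each rule alone will fire on legitimate administration (a genuinely installed OpenSSH server is configured the same way), so the chain view in `hosts_with_chain` is the one worth alerting on; the individual findings are better suited to enrichment and triage.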

Network and infrastructure analysis revealed numerous attacker domains registered in quick succession and multiple SSH proxy hosts that share an identical SSH SHA256 host-key fingerprint across ports 53, 80, and 443, which links those hosts to the campaign with high confidence. Detection and mitigation centered on file hashes and YARA signatures for POWERTRASH, removing the infected host prior to lateral movement, and blocking and monitoring the listed domains, IPs, and hashes.
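The host-key linkage described above works because an SSH server presents the same host key on every port it listens on, so a fingerprint seen on ports 53, 80 and 443 of several addresses points to one operator deploying one key. The Python below is an added example, not code from the report: it computes the OpenSSH-style SHA256 fingerprint of a host-key line (base64 of the SHA-256 of the key blob, padding stripped, which is what `ssh-keyscan`/`ssh-keygen -lf` print) and clusters scan records by that fingerprint. The key material is constructed, and apart from the proxy address 109.107.170.47 named in the report the hosts are documentation-range placeholders; the scan records themselves are invented for the demonstration.

```python
import base64
import hashlib
import struct
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def ssh_fingerprint(pubkey_line: str) -> str:
    """OpenSSH SHA256 fingerprint of a 'type base64blob [comment]' key line.

    OpenSSH prints base64(sha256(key_blob)) with the trailing '=' padding removed,
    prefixed with 'SHA256:' (43 characters after the prefix for a 32-byte digest)."""
    _key_type, b64_blob = pubkey_line.split()[:2]
    blob = base64.b64decode(b64_blob)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _fake_ed25519_key_line(seed: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 key line from 32 arbitrary bytes.
    Constructed for the example only; it is not a usable key."""
    assert len(seed) == 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + seed
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-key"


KEY_A = _fake_ed25519_key_line(b"\x01" * 32)   # the key "shared" by the proxy hosts
KEY_B = _fake_ed25519_key_line(b"\x02" * 32)   # a different, unrelated host key

# Constructed scan records: (host, port, host-key line as ssh-keyscan would print it).
SCAN_RECORDS: List[Tuple[str, int, str]] = [
    ("109.107.170.47", 53, KEY_A), ("109.107.170.47", 80, KEY_A), ("109.107.170.47", 443, KEY_A),
    ("192.0.2.10", 53, KEY_A), ("192.0.2.10", 443, KEY_A),
    ("192.0.2.11", 80, KEY_A),
    ("192.0.2.20", 22, KEY_B),   # ordinary host, own key, standard port: must not be linked
]


def cluster_by_fingerprint(records: List[Tuple[str, int, str]]) -> Dict[str, Dict[str, Set[int]]]:
    """fingerprint -> host -> set of ports on which that key was observed."""
    groups: Dict[str, Dict[str, Set[int]]] = defaultdict(lambda: defaultdict(set))
    for host, port, key_line in records:
        groups[ssh_fingerprint(key_line)][host].add(port)
    return groups


def linked_hosts(records: List[Tuple[str, int, str]], min_hosts: int = 2) -> Dict[str, Dict[str, List[int]]]:
    """Fingerprints seen on at least min_hosts distinct addresses, with the ports per host.
    A key reused across addresses, on ports that are not 22, is the linkage signal the report uses."""
    linked: Dict[str, Dict[str, List[int]]] = {}
    for fp, hosts in cluster_by_fingerprint(records).items():
        if len(hosts) >= min_hosts:
            linked[fp] = {h: sorted(ports) for h, ports in hosts.items()}
    return linked


if __name__ == "__main__":
    for fp, hosts in linked_hosts(SCAN_RECORDS).items():
        print(fp)
        for host, ports in hosts.items():
            print(f"  {host}: ports {ports}")
```

To apply this to real data, feed `ssh-keyscan -p <port> <host>` output (host, port and key line) into `SCAN_RECORDS`; the fingerprint strings produced here can be compared directly with what `ssh-keygen -lf` prints, and the resulting clusters are a candidate blocklist to review rather than a verdict on their own.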

Read more: https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry