BlackBerry Reports Recent Targeting of Automotive Manufacturer by FIN7 Group

In late 2023, BlackBerry researchers observed the financially motivated group FIN7 targeting a large US automotive manufacturer through a spear-phishing campaign. FIN7, also known as Carbanak, is a well-known Russian criminal group that has been active since 2015 and primarily targets the restaurant, gambling, and hospitality industries in the US to steal financial information.

In this recent campaign, FIN7 targeted employees in the IT department with higher administrative rights, knowing this would give them more leverage within the company's network. The attackers used a lure of a free IP scanning tool to infect the system with the Anunak backdoor, using living-off-the-land binaries, scripts, and libraries (LOLBAS).

FIN7 employed a PowerShell script called POWERTRASH, a custom obfuscation of the shellcode invoker in PowerSploit. The attack began with a malicious URL, "advanced-ip-sccanner[.]com," masquerading as the legitimate website "advanced-ip-scanner[.]com," which is a free online scanner.

Once victims visited the rogue site, they were redirected to "myipscanner[.]com," which then redirected them to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto their systems. Upon execution, WsTaskLoad.exe initiates a complex multi-stage process involving DLLs, WAV files, and shellcode execution. This process culminates in the loading and decryption of a file called "dmxl.bin," which contains the Anunak payload.
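As an added illustration of how a defender might catch this lure chain in egress logs (example code written for this page, not BlackBerry's or Security Affairs' tooling): it flags the report's lure domains by exact match and the typosquatted domain by edit distance from the legitimate site. The key=value log format, user names, timestamps and the extra misspelled variant in the sample are constructed assumptions.

```python
import re

# Legitimate tool site the lure imitated (allowlist constructed for this example).
LEGIT_DOMAINS = {"advanced-ip-scanner.com"}
# Lure-chain domains named in the report, with defanging brackets removed.
KNOWN_LURE_DOMAINS = {"advanced-ip-sccanner.com", "myipscanner.com"}

def damerau_levenshtein(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_host(host, max_distance=2):
    """'legit', 'known-lure', 'lookalike' or 'unknown' for one host from a proxy/DNS log."""
    dom = ".".join(host.lower().rstrip(".").split(".")[-2:])  # last two labels; no public-suffix list
    if dom in LEGIT_DOMAINS:
        return "legit"
    if dom in KNOWN_LURE_DOMAINS:
        return "known-lure"
    if any(0 < damerau_levenshtein(dom, good) <= max_distance for good in LEGIT_DOMAINS):
        return "lookalike"
    return "unknown"

LOG_RE = re.compile(r"\bhost=(?P<host>\S+)")  # hypothetical key=value proxy log format

def scan_proxy_log(lines):
    """Return [(host, verdict)] for every host that is a known lure or a lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            verdict = classify_host(m.group("host"))
            if verdict in ("known-lure", "lookalike"):
                hits.append((m.group("host"), verdict))
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real telemetry
    "2023-11-02T09:14:03Z user=jdoe host=advanced-ip-scanner.com status=200",
    "2023-11-02T09:15:11Z user=jdoe host=advanced-ip-sccanner.com status=302",
    "2023-11-02T09:15:12Z user=jdoe host=myipscanner.com status=302",
    "2023-11-02T09:16:40Z user=asmith host=www.advanced-ip-scaner.com status=200",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns the two report-listed lure hosts as known-lure and the constructed misspelling as lookalike, while the legitimate site is left alone.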

The malware then installs OpenSSH for persistence, using scheduled tasks to keep OpenSSH on the victim's machine. OpenSSH is commonly used for lateral movement and external access.

BlackBerry concludes its report by emphasizing the tactics, techniques, and procedures (TTPs) involved in the campaign, notably the use of OpenSSH proxy servers. BlackBerry believes that disseminating information on these servers will help individuals and entities protect themselves.

The report includes recommendations for mitigation and indicators of compromise (IoCs).

Pierluigi Paganini, Security Affairs (2023, 1, 14).
