Going Behind the Scenes of Cybercrime Group FIN6’s Attack On Retail and Hospitality

See how ReversingLabs delivers the actionable insights needed for threat hunters to find attacks related to a FIN6 reverse shell

Going Behind the Scenes of Cybercrime Group FIN6’s Attack On Retail and Hospitality

A step that an adversary takes during the post exploitation phase of an attack is to establish a command line interface (CLI) with a computer inside the victim’s network. One recent incident demonstrates the entire intrusion set operated by FIN6[1], a financially motivated threat actor group. This incident shows the phishing email used to gain initial access to the various attack chain components including a reverse shell DLL to provide a command line interface to the adversary.[2] The use of the More_eggs[3] Javascript backdoor in this intrusion set links this incident to FIN6.[4] Companies in the retail and hospitality sectors have been targeted by this group with a specific interest in attacking point of sale (PoS) systems.[5]  What follows is a focused examination of the reverse shell DLL[6] used by FIN6 in this particular incident. Incident responders or threat hunters can take the insights learned here and apply them to similar threats to speed up their investigations.

Identifying the Sample Using Static and Dynamic Analysis

Starting with static analysis of the DLL, one export is found: DllRegisterServer. This is important later on during dynamic analysis in a debugger and in an automated malware analysis environment. This export is how the DLL must be executed when analyzing it via rundll32.exe. This export can be found using the Titanium Platform as seen in Figure 1.

DllRegisterServer Export

Figure 1: DllRegisterServer Export


Next, looking at the assembly code of the DLL in a disassembler, the procedure immediately after the entry point is a form of execution dispatcher. This particular procedure matches a publicly available YARA rule, “PureBasicDLLNeilHodgson”.[7] The instructions matched by this rule are are highlighted in Figure 2.

Instructions Immediately After Entry Point

Figure 2: Instructions Immediately After Entry Point


The byte string shown here hones in on the first instructions in this procedure:

83 7C 24 08 01 75 ?? 8B 44 24 04 A3 ?? ?? ?? 10 E8

This rule is effective, but does not cover the entire procedure. Depending on inclusion or exclusion of certain PureBasic options in the source code itself, this procedure can change. Therefore, to write a rule which is resilient to any of this type of change, a reference set of benign DLLs compiled using PureBasic must be used. Starting with the source code for a sample DLL which has no user code, a set of “hello world” DLLs were compiled using PureBasic versions 4.10 to 5.71. By analyzing the reference DLLs created by this process, an improved YARA rule for detecting PureBasic DLLs was developed. This new YARA signature is provided at the end of the blog.

The next step is to execute the DLL in an analysis environment and observe the execution in a debugger. By placing a breakpoint on the DllRegisterServer export location in Figure 3, the malicious code in the DLL may be examined.

DllRegisterServer Export Location

Figure 3: DllRegisterServer Export Location

The IP address and port used to communicate with the command and control infrastructure are both obfuscated in an identical manner as shown in Figures 4 and 5. This obfuscation is a type of defensive evasion meant to prevent these indicators from being extracted during static analysis.[8] This same obfuscation technique is seen throughout the sample to hide various strings that are important for the malware’s execution.

C2 IP Address 185.204.2[.]182

Figure 4: C2 IP Address 185.204.2[.]182

C2 Port 443

Figure 5: C2 Port 443

During dynamic analysis, the sample connects out to this IP address over HTTPS. It presents a cmd.exe shell for the adversary to use in the directory that the DLL is located. This allows the adversary to run arbitrary commands on the victim’s computer. This SSL traffic can be decrypted and observed as seen in Figure 6 showing the command prompt.

Decrypted Command Shell C2 Traffic

Figure 6: Decrypted Command Shell C2 Traffic


Finding Related Malware Using the Titanium Platform

This particular sample is cryptographically signed using a software signing certificate. The organization name for this certificate is “D Bacte Ltd”. The details of the software signing certificate can be seen in Figure 7.

Software Signing Certificate

Figure 7: Software Signing Certificate

By using the search feature in the Titanium Platform, two additional related malicious DLLs are found that have the same serial number. [10] [11] Both of them are related to the FIN6 DLL and were signed using the same certificate.[12] The specific search index used to find them is the “cert-serial” query keyword. Details from these two files is shown in Figure 8.

Files Related via Signing Certificate

Figure 8: Files Related via Signing Certificate

In addition to these two files related via signing certificate, one additional file is found to be related via the ReversingLabs Hash Algorithm (RHA). This algorithm finds files with similar functionality and features, often leveraged by threat hunters to pivot during their analysis.[13] This additional file can be seen in Figure 9.[14]

Malware Related via RHA

Figure 9: Malware Related via RHA

In addition to these three related malware files, a cluster of five more files can be found by focusing on the specific bytes of the obfuscation algorithm used throughout the sample. These additional files are quite interesting in that there is no other clear relationship between them and the main sample in question. According to information about the More_eggs javascript backdoor found on the open source, it is being peddled as malware-as-a-service (MaaS) in the underground.[15] The source code for the obfuscator found in this reverse shell DLL is probably being reused by the MaaS provider in other malware files. A full set of identifying hashes of these additional files all related by code reuse is provided at the end of the blog. A YARA rule for detecting this obfuscation technique is provided at the end of the blog.

Conclusion

As we have seen, there are multiple methods one can use in the Titanium Platform to discover related malware files starting with a single malicious DLL. In addition to focusing on code reuse across malware families, checking for abused certificates used to sign other files can reveal additional campaigns from the same adversary. Finally, using multiple static features in the files, the ReversingLabs Hash Algorithm can reveal even more files that may not have any other obvious linkages to the sample in question.

IOCs

Samples

Known FIN6

MD5

3b9646bf2d791e5ef4633e802f23e305

SHA1

aeedcec7df9cf5d1241649c8066e652d688da4b3

SHA256

78a87d540c1758c6b4dcabb7b825ea3a186ef61e7439045ece3ce3205c7e85a2

ssdeep

384:a2Ln/QKEX+olUWivxFqlveUigMK6js28h:apKEJlU1Uni7Kgs28h

Import Hash

0a0a6d30a8b0852b78b5c722c5688921

Cert Serial

1d8a233cedec0e13df1bda8248dc79a5

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

20728

Compile Timestamp

2017-07-21 15:43:17

First Seen

2019-02-27T02:25:43Z



Related via Certificate

MD5

c6899904284c57f9ccca1b5bd26a59d8

SHA1

6a6ecefe0c79d200ba6eed19f80cf8b9e6ee4cbe

SHA256

d39f8aa90d54fd010484d7bb54c18549c3f03b02385020a35589dbe49e979bab

ssdeep

3072:L/5Xcl35B58QHis6EYr6iWEQq1TvlYWWi2lO3HgmUkYp5V+ZK:raF3S1s6EYhB1VvldWNlOwfJDX

Import Hash

d65969f77a5bbb126f5984c18adf9c0a

Cert Serial

1d8a233cedec0e13df1bda8248dc79a5

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

112888

Compile Timestamp

2019-02-21 12:01:42

First Seen

2019-02-27T04:45:17Z

 

 

MD5

89314a469de69addafff5b5d7a96071d

SHA1

db6293e52da21fcceb7efdc275e75ec1dd99f9e6

SHA256

511ad7705b216e7e472e496beba53856c97520eac12c83fa0d391594327e80f7

ssdeep

12288:/qKrUC3639ewCGQEbr0AC2VvpGV1OtQxd6+dxRk5aOE+Cj5TyvV01BQDpCY:/qKrUCqN9CGQEbr0AC2VvsVgwdbk5aOV

Import Hash

e9bfa7a6ac5a0973e87f28d7aab26ddd

Cert Serial

1d8a233cedec0e13df1bda8248dc79a5

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

487160

Compile Timestamp

2019-02-21 10:36:05

First Seen

2019-03-01T17:48:00Z

 

Related via RHA

MD5

70f299ab247519e2dda8e172ae346277

SHA1

3c7e3ecea9b4a58c3425a792cd34916a13be9f4d

SHA256

db93d7f80dddb450e0efeabb302d4e6d48a53457309a6369760007911b8f4af8

ssdeep

3072:R/5Xcl35B58QHis6EYr6iWEQq1TvlYWWi2lO3HgmUkYp+V:JaF3S1s6EYhB1VvldWNlOwfJi

Import Hash

d65969f77a5bbb126f5984c18adf9c0a

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

118784

Compile Timestamp

2010-08-01 10:32:37

First Seen

2019-03-02T19:06:00Z



Related via Code Reuse

MD5

ec885733d385c50954bdbb8b76e8b33d

SHA1

af2d788829c401319522de8f8cd43659137c4ed7

SHA256

06cc276d474aa6295b1034ce4ee110681fcd45a2897e6891867036bf4ecc6fd3

ssdeep

3072:IYtL4J6vafaEI/gISKDgU8JuD6A7WcCUEDTpeL9kZ6owF+5cJ2LLtUhEKNqAdy:VtLtZEIYId8k2IChD166zwF+o2Li8E

Import Hash

b293d2c7113526ce6d7caceb0f7f4012

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

247808

Compile Timestamp

2001-08-17 20:52:32

First Seen

2019-10-24T06:07:05Z

 

 

MD5

fe2d6b4511ac81221684a5f6a0634a4b

SHA1

d44f36b61ae119b1109829d8b2b2230b1d51cc6f

SHA256

09ed9ba079a9d73291aff33b654f9b92b2b277049bc908b5b2359d9b8766bd4b

ssdeep

1536:IMgAK2KE7gFlvM3gkb0tuWXOvkJtxfVpICdtJ4n/5RbOhekj:9gAKVsgFl1kApJJt1cCLJqxRb/k

Import Hash

88f82612e092beed65357b6b88dda282

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

125440

Compile Timestamp

2019-01-03 8:34:14

First Seen

2019-09-07T14:01:31Z

 

 

MD5

14503cc985d8a9517fa530293865dae4

SHA1

6a2320c4b2782659cdbe358f8ea348d1a7c7e010

SHA256

683ab2f2dd56486c9dcd6ee3593d2b5f69cd354713fee46abd5ab4e8e6ac3646

ssdeep

6144:SC0nhiurEfFN98UX/CXTVSWHSg/N1NiseD:SC0hHGBPEV/bN1zeD

Import Hash

887bae442dd37f1dc38db6af1a67e0ee

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

243712

Compile Timestamp

2001-08-17 20:52:32

First Seen

2019-09-17T21:03:25Z

 

 

MD5

39702286994d7023b3d002cf31e1a6ad

SHA1

d2c57b707099ed02e2f2a32600d5356ee2e0d1d0

SHA256

bb4346b5d92cf4b0333096c2d2da785e30893ee3c60b700a79bb26df7f349e04

ssdeep

3072:F13opWebS6mwwk0CB387bbsQoJSc8sj5fzTt/fBNC0fX:LA8Po836jjFTx7tfX

Import Hash

9f6f979fc06c9cd0b73dd25469a8ad6f

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

151552

Compile Timestamp

2014-02-26 1:43:53

First Seen

2018-04-17T05:35:36Z

 

 

MD5

302461e359118d3b8024dab1c75e7ff9

SHA1

eda80c82c81f7439e8221e05dc3abd59b322a5e0

SHA256

f25a4f09d8115bc7781e31356a082143182925529e7d7548ea5ff139c3b37afd

ssdeep

6144:G1C2gy43AgNoZ97WwaEkzp+bQLx64hLQD:G1C2gy596VfpZED

Import Hash

574fc17ae9337d6a0c26327a263a2a0f

File Type

Win32 DLL

Magic

PE32 executable (DLL) (console) Intel 80386, for MS Windows

File Size

243200

Compile Timestamp

2019-07-05 11:50:34

First Seen

2019-07-12T17:59:27Z



IP Address

185.204.2[.]182

YARA Rule
rule PureBasicDLL
{
meta:
author = "Malware Utkonos"
date = "2019-11-02"
strings:
$op1 = { 83 7C ( 24 | 25 ) ?? 0? 75 }
condition:
pe.DLL and all of them and
$op1[1] at pe.entry_point and
for 4 i in (1..#op1) : ( @op1[i] >= pe.entry_point and @op1[i] <= pe.entry_point + 100 )
}

rule ObfuscatorDLL
{
meta:
author = "Malware Utkonos"
date = "2019-10-05"
exemplar = "78a87d540c1758c6b4dcabb7b825ea3a186ef61e7439045ece3ce3205c7e85a2"
strings:
$op1 = /(\x8d\x15.{4}\x8d\x0d.{4}\xe8.{4}){3}/
condition:
pe.DLL and all of them and
uint32(@op1 + 13) - uint32(@op1 + 30) == uint32(@op1 + 30) - uint32(@op1 + 47)
}



[1] https://malpedia.caad.fkie.fraunhofer.de/actor/fin6

[2] https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

[3] https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs

[4] https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

[5] https://attack.mitre.org/groups/G0037/

[6] 78a87d540c1758c6b4dcabb7b825ea3a186ef61e7439045ece3ce3205c7e85a2

[7] https://github.com/Yara-Rules/rules/blob/master/Packers/packer.yar

[8] https://attack.mitre.org/techniques/T1140/

[9] https://attack.mitre.org/techniques/T1116/

[10] 511ad7705b216e7e472e496beba53856c97520eac12c83fa0d391594327e80f7

[11] d39f8aa90d54fd010484d7bb54c18549c3f03b02385020a35589dbe49e979bab

[12] 1d8a233cedec0e13df1bda8248dc79a5

[13] https://www.reversinglabs.com/technology/reversinglabs-hash-algorithm

[14] db93d7f80dddb450e0efeabb302d4e6d48a53457309a6369760007911b8f4af8

[15] https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Back to Top