
Researchers Identify Financially Motivated 'FIN10' Threat Group

Posted: June 16, 2017

Security experts from FireEye have linked a series of attacks on Canadian mining and gambling companies to a previously unknown group tracked as FIN10. Attribution, difficult at the best of times, was made harder by the attackers' attempts to pass themselves off as "TeslaTeam," "Anonymous Threat Agent," and "Angels_of_Truth." Linguistic examination of the victim-attacker communication, however, indicated that FIN10 is a separate group with no ties to those names. The crew is financially motivated, and its goal is straightforward: extorting money from victim organizations. Curiously, no use of ransomware has been reported. Here's what FIN10 does instead.

FireEye declined to say how many organizations were affected, but noted that, because of the large number of attacks, it could not definitively identify the initial point of infection in every case. Spearphishing emails were found at two of the victim companies, though. One message contained a link leading to an HTA file; the other sent victims to a macro-laced Word document. The emails were well crafted from a social-engineering standpoint and apparently contained references to LinkedIn and other social networks.

Once the links were followed and the payload executed, the attackers used either Meterpreter or the Splinter Remote Access Trojan (RAT) to establish a foothold on the victim system. Both tools come from the penetration-testing community and are publicly available. PowerShell Empire, another publicly available post-exploitation framework, was used in the next stage of the attack.

PowerShell Empire was used to create a randomly named service that executed a Meterpreter PowerShell script, which in turn ran several batch files. PowerShell gave FIN10 greater flexibility, and because the code runs inside powershell.exe, a signed Microsoft binary that is normally trusted, it helped them evade detection.

Scheduled tasks were used for persistence. The malware would create a task under %WinDir%\System32\Tasks that ran a script stored, encoded, in the registry. From that foothold, the attackers would try to move laterally within the network.
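A detection-side illustration of the persistence described in the last two paragraphs: the randomly named service that launched a PowerShell stager, and the scheduled task that ran an encoded script stored in the registry. This is an added example, not FireEye's code or a FIN10 artifact. The task definition, the event-7045-style service record, the service name, the registry path and the payload are constructed for illustration, and the indicator list is a general one for staged PowerShell payloads rather than anything specific to this group.

```python
"""Hunt for persistence that launches PowerShell with an encoded or
registry-backed payload: scheduled-task XML under %WinDir%\\System32\\Tasks
and 'service installed' (System event 7045) records.

Added example, not FireEye's code. The task XML, the service record, the
registry key and the payload below are constructed for illustration."""
import base64
import os
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENC_FLAG = r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})"

# Command-line traits of a staged payload rather than a script file on disk.
INDICATORS = [
    (ENC_FLAG, "encoded command"),
    (r"(?i)Get-ItemProperty|\[Microsoft\.Win32\.Registry", "payload read from registry"),
    (r"(?i)-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\biex\b|Invoke-Expression", "Invoke-Expression"),
    (r"(?i)DownloadString|Net\.WebClient", "download cradle"),
]


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16-LE), or None."""
    m = re.search(ENC_FLAG, cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Return {'reasons': [...], 'decoded': str|None} for a suspicious PowerShell
    launch, or None when the command line is not PowerShell or shows no indicator."""
    if "powershell" not in cmdline.lower():
        return None
    decoded = decode_encoded_command(cmdline)
    reasons = []
    for pattern, label in INDICATORS:
        # Check the raw command line and, when present, the decoded payload as well.
        if re.search(pattern, cmdline) or (decoded and re.search(pattern, decoded)):
            reasons.append(label)
    return {"reasons": reasons, "decoded": decoded} if reasons else None


def analyze_task_xml(xml_text):
    """Inspect every <Exec> action of one scheduled-task definition."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        hit = analyze_command_line(f"{cmd} {args}")
        if hit:
            hit["command"] = f"{cmd} {args}"
            findings.append(hit)
    return findings


def scan_task_dir(path):
    """Walk a Tasks directory; files are UTF-16 XML with a BOM, so bytes are parsed as-is."""
    results = {}
    for dirpath, _, files in os.walk(path):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    hits = analyze_task_xml(fh.read())
            except (ET.ParseError, OSError):
                continue
            if hits:
                results[full] = hits
    return results


def analyze_service_install(service_name, image_path):
    """Apply the same indicators to a 'service installed' record (System event 7045)."""
    hit = analyze_command_line(image_path)
    if hit:
        hit["service"] = service_name
    return hit


# --- constructed samples (not captured from a real intrusion) ---
SAMPLE_PAYLOAD = ("IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
                  "(Get-ItemProperty 'HKLM:\\SOFTWARE\\Example\\Cfg').Blob)))")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SUSPICIOUS_TASK_XML = f"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-NoP -NonI -W Hidden -Enc {SAMPLE_ENCODED}</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_SERVICE = {  # constructed event-7045 style record with a random-looking name
    "ServiceName": "kXqZpTrwNb",
    "ImagePath": f"%COMSPEC% /b /c start /b /min powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}",
}

if __name__ == "__main__":
    for hit in analyze_task_xml(SUSPICIOUS_TASK_XML):
        print("task:", hit["reasons"], "\n  decoded:", hit["decoded"])
    svc = analyze_service_install(SAMPLE_SERVICE["ServiceName"], SAMPLE_SERVICE["ImagePath"])
    print("service:", svc["service"], svc["reasons"])
    print("benign task findings:", analyze_task_xml(BENIGN_TASK_XML))
```

Decoding the -EncodedCommand argument before matching is the step that matters: the registry read and the Invoke-Expression in the constructed sample are invisible in the raw task XML and only surface in the decoded payload. On a live host, point scan_task_dir at %WinDir%\System32\Tasks and feed the ImagePath of each event 7045 to analyze_service_install; a PowerShell task that simply runs a script file on disk, like the benign sample, produces no finding.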

The researchers observed several ways of reaching neighboring computers. In some cases FIN10 used the Remote Desktop Protocol (RDP); in others they compromised systems by abusing local administrator accounts and poorly protected VPN profiles, or by using some of Meterpreter's built-in features.

The whole point of the attack was to establish a backdoor that harvests valuable information from the network and sends it to the attackers' server. FIN10 stole a large amount of data in attacks that started in 2013 and continued through at least 2016. According to FireEye's report, the threat actors exfiltrated corporate documents, records, and correspondence as well as personally identifiable information about the victims' customers. FIN10 would then contact the victims and tell them that unless they paid between 100 and 500 bitcoins, the stolen data would be published on the Internet. The hackers would even provide snippets of the data as proof that they meant business.

To put additional pressure on the compromised companies, FIN10 would contact infosec bloggers and local media to make the story public. DataBreaches.net, for example, reported on the attack on Detour Gold Corporation back in 2015.

The threats didn't end there. FIN10 warned its victims that if they refused to cooperate, their systems would be brought down. While there's no information on whether that threat was ever carried out, FireEye's researchers did confirm that one of the malware's components can delete the System32 folder of an infected computer and render it completely inoperable.

Although they relied mostly on free, publicly available tools, FIN10's attacks proved quite disruptive, which goes to show that you don't need an especially sophisticated piece of malware to cause massive damage. Organizations should bear this in mind when designing and monitoring their networks.
