
GRIFFON

Posted: May 21, 2019

The activities of the FIN7 hacking group were first detected and researched back in 2015, and since then, this group of criminals has been involved in hundreds of attacks against companies around the world. However, it seemed that the group’s activities would cease in 2018 when the Department of Justice released a statement saying that a large number of individuals linked to the cyber attacks had been arrested.

Unfortunately, this was not the last we heard from the FIN7 hacking group: some of its members appear to be still active, and just a few months after the arrests they launched a series of attacks against over 130 companies. FIN7's operations are somewhat unusual in that the group appears to set up fake companies, which are then used to hire unwitting employees specializing in translation, penetration testing and software development. These people may have no idea that their professional skills are being used for malicious purposes.

One of the malware families used in this recent campaign carries the name GRIFFON. It serves as a multi-functional backdoor used to deliver second-stage payloads to the compromised system. So far, malware researchers have observed four separate modules being delivered via GRIFFON:

  • A reconnaissance module that gathers information about the compromised host, allowing the attackers to learn what kind of system they are dealing with and what information could be extracted from it.
  • A downloader called Tinymet that has been used in previous FIN7 campaigns.
  • A screenshot module that enables the attackers to take regular screenshots of the victim’s desktop and save the files to the %TEMP% folder. After this, it uses the GRIFFON Trojan to transmit the file back to the attacker’s server and deletes the original copy.
  • A persistence module that is only used if the attackers detect a high-value target. This enables the GRIFFON Trojan to gain persistence by modifying the Windows Registry.

The GRIFFON Trojan connects to Command & Control servers via fraudulent domains whose names are chosen to resemble legitimate companies: Logitech-cdn(dot)com and Servicebing-cdn(dot)com.
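A defender can turn the two lookalike C2 domains above into a proxy-log sweep. The following is an added example, not code from the original page or from any FIN7 research; the log format is hypothetical and the log lines are constructed. It matches the exact domain and any subdomain of it, but deliberately does not match look-alike strings such as the legitimate logitech.com or a host that merely ends in the same characters.

```python
import re
from typing import Iterable, List, Tuple

# C2 domains named on this page, with the defanged "(dot)" restored for matching.
GRIFFON_C2_DOMAINS = ("logitech-cdn.com", "servicebing-cdn.com")

# Constructed proxy log lines (hypothetical format: ts client method host:port status).
SAMPLE_PROXY_LOG = """\
2019-05-20T10:01:02Z 10.0.0.15 GET logitech.com:443 200
2019-05-20T10:01:09Z 10.0.0.15 POST cdn.Logitech-cdn.com:443 200
2019-05-20T10:02:44Z 10.0.0.22 GET servicebing-cdn.com.:80 200
2019-05-20T10:03:10Z 10.0.0.31 GET notlogitech-cdn.com:443 200
2019-05-20T10:04:00Z 10.0.0.15 GET bing.com:443 200
"""


def normalize_host(host: str) -> str:
    """Lower-case the host, drop a trailing :port and a trailing FQDN dot."""
    host = host.strip().lower()
    host = re.sub(r":\d+$", "", host)  # "example.com:443" -> "example.com"
    return host.rstrip(".")            # "example.com."   -> "example.com"


def matches_ioc(host: str, iocs: Iterable[str] = GRIFFON_C2_DOMAINS) -> bool:
    """True if host equals an IOC domain or is a subdomain of one.

    The suffix test is anchored on a label boundary ("." + domain), so
    'notlogitech-cdn.com' is not flagged while 'cdn.logitech-cdn.com' is.
    """
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in iocs)


def find_c2_hits(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, normalized host) for each line hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, _method, hostport, _status = parts[:5]
        if matches_ioc(hostport):
            hits.append((ts, client, normalize_host(hostport)))
    return hits


if __name__ == "__main__":
    for ts, client, host in find_c2_hits(SAMPLE_PROXY_LOG):
        print(f"{ts} {client} -> {host}  [GRIFFON C2 domain]")
```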

It seems that a few arrests are not enough to halt the activities of threatening hacking groups like FIN7. Their attacks keep evolving, and this means that the security practices employed by companies should evolve too – employees should be instructed on how to avoid potentially harmful files, and the network must be protected by a trustworthy firewall and anti-virus software suite.
