
RDFSNIFFER

Posted: October 15, 2019

The Carbanak Group continues to be very active in attacks against retail businesses and companies in the restaurant and hospitality sectors. The group's attacks are almost exclusively financially motivated, and they frequently go after payment and financial data; the group is responsible for the Carbanak backdoor Trojan, which caused hundreds of millions of dollars in damages worldwide. One of the tools recently employed in their attacks is RDFSNIFFER, a Remote Access Trojan (RAT) that is deployed by the BOOSTWRITE loader, another new tool that the Carbanak Group (also known as FIN7) has been using.

FIN7 (a.k.a. the Carbanak Group) Uses the RDFSNIFFER RAT on Systems Linked to Payment Processing

RDFSNIFFER is a fairly unusual RAT in that the infected host must meet specific requirements for it to function. It only works on machines running NCR's Aloha Command Center software suite, a remote administration toolset commonly used by support technicians. RDFSNIFFER hijacks the legitimate DLLs and processes of the toolset and injects its malicious code into memory as soon as the Aloha Command Center Client is launched. It then attempts to hijack sessions and interface elements of the Aloha Command Center Client, which allows the operator to perform unauthorized actions on the compromised host.
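Because RDFSNIFFER rides on DLL and process hijacking of a legitimate client, the practical check on a suspected host is to look at what the client process actually loads. The script below is an added example, not code from the page or from any vendor: it hunts Sysmon-style Event ID 7 (image load) records for DLLs loaded by the client process that are unsigned or that carry a Windows system DLL name but sit outside a system directory, the classic search-order hijacking pattern. The process name, install path and sample events are constructed for illustration; only the heuristic is general.

```python
"""Hunt image-load telemetry for DLL search-order hijacking of a client process.

Added example (not the page's or any vendor's code). Assumes Sysmon-style
Event ID 7 records exported as JSON objects; the records below are constructed.
"""
from __future__ import annotations

import json
from pathlib import PureWindowsPath

# Directories from which Windows system DLLs are legitimately loaded
# (assumption: default install; adjust per host).
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLL names frequently abused for search-order hijacking.
# Illustrative list, not taken from the page; extend from your own hunting.
HIJACK_CANDIDATES = {"version.dll", "dwmapi.dll", "wininet.dll", "cryptsp.dll", "uxtheme.dll"}


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def is_system_path(path: str) -> bool:
    """True if the file lives under one of the trusted system directories."""
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def classify_load(event: dict, target_process: str) -> list[str]:
    """Return the reasons an image-load event is suspicious (empty list if benign).

    Only loads performed by target_process are considered; everything else is
    out of scope for this hunt and returns no reasons.
    """
    reasons: list[str] = []
    if PureWindowsPath(event["Image"]).name.lower() != target_process.lower():
        return reasons
    loaded = event["ImageLoaded"]
    name = PureWindowsPath(loaded).name.lower()
    signed = event.get("Signed", "false").lower() == "true"
    status = event.get("SignatureStatus", "")
    if name in HIJACK_CANDIDATES and not is_system_path(loaded):
        reasons.append(f"system DLL name {name} loaded from non-system path {loaded}")
    if not signed or status != "Valid":
        reasons.append(f"unsigned or invalid signature on {loaded} (status={status or 'n/a'})")
    return reasons


def hunt(jsonl: str, target_process: str) -> dict[str, list[str]]:
    """Map each flagged DLL path to its reasons, over a JSON-lines export."""
    findings: dict[str, list[str]] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = classify_load(event, target_process)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


# Constructed sample telemetry. The process name and install path are
# hypothetical placeholders, not the real client's identifiers.
CLIENT_EXE = "CommandCenterClient.exe"
CLIENT_DIR = r"C:\Program Files\AlohaCommandCenter"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": f"{CLIENT_DIR}\\{CLIENT_EXE}", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": f"{CLIENT_DIR}\\{CLIENT_EXE}", "ImageLoaded": f"{CLIENT_DIR}\\client.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    # A planted DLL with a system DLL's name, sitting beside the client binary.
    {"Image": f"{CLIENT_DIR}\\{CLIENT_EXE}", "ImageLoaded": f"{CLIENT_DIR}\\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    # Another process loading something unsigned: out of scope for this hunt.
    {"Image": r"C:\Windows\explorer.exe", "ImageLoaded": r"C:\Temp\tool.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
])


def sample_findings() -> dict[str, list[str]]:
    """Run the hunt over the constructed sample; used for the demo and checks."""
    return hunt(SAMPLE_EVENTS, CLIENT_EXE)


if __name__ == "__main__":
    for path, why in sample_findings().items():
        print(path)
        for r in why:
            print("  -", r)
```

The two signals are deliberately independent: a signed-but-misplaced DLL and an unsigned DLL in the right place are both worth a look, and a DLL that trips both (as the constructed `version.dll` does) is the high-confidence case. On a real host, pair this with a file hash and signer check of every DLL in the client's install directory.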

The threat actors behind RDFSNIFFER can instruct it to download files from the control server onto the infected host, or to upload files from the host back to the server. It can also execute the files it retrieves and run arbitrary commands on the compromised machine, and it can delete files from the host's file system.

While the exact companies targeted by FIN7's RDFSNIFFER and BOOSTWRITE cannot be named, it is almost certain that they handle financial data. The threat actors are continuing their financially motivated campaigns and are not afraid to experiment with new malware families that may make their operations more effective.
