The FIN7 hacking group is attempting to enter the ransomware business, and it is doing so with an interesting technique. The gang creates fake cybersecurity companies that hire security experts and have them carry out what are in fact attacks, under the guise of penetration-testing engagements.
FIN7 is a Russian criminal group that has been active since mid-2015. It focuses on the restaurant, gambling, and hospitality industries in the US to harvest financial information that is then used in attacks or sold on cybercrime marketplaces.
One of the companies the cybercriminal organization created for this purpose is Combi Security, but researchers from Gemini Advisory have now identified another such front, a fake cybersecurity company named Bastion Secure, by analyzing its website.
The Bastion Secure website is hosted with the Russian domain registrar Beget, which is popular in Russian cybercrime communities. Most of the site's submenus return a Russian-language HTTP 404 error, which suggests the site's creators were Russian speakers. At the time of the report, some of these HTTP 404 errors remained unfixed.
The website is a clone of the site of Convergent Network Solutions Ltd; Bastion Secure's 'About' page claims the company is a spinoff of that legitimate cybersecurity firm, which has no link to the criminal gang.
FIN7, operating under the guise of Bastion Secure, published job offers for programmers (PHP, C++, Python), system administrators, and reverse engineers. The job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a good salary for this type of position in post-Soviet states.
The gang was looking for administrators to map out compromised companies' networks and locate sensitive data, including backups. Initial access to the target organizations was obtained through phishing attacks or by purchasing access on dark web forums.
Once access to the target network was gained, the threat actors could then deploy malware and ransomware.
“Bastion Secure offered a job offer to a Gemini source and, in the process, provided the source with files that analysts later determined were for the post-exploitation tools Carbanak and Lizar/Tirion. These two tools have been previously attributed to FIN7 and establish the link between Bastion Secure and FIN7.” reads the analysis of Gemini Advisory. “The tasks that were assigned to the Gemini source by FIN7—operating under the guise of Bastion Secure—matched the steps taken to prepare a ransomware attack, providing further evidence that FIN7 has continued to expand into the ransomware sphere.”
A Gemini source applied for a position and was hired; the gang gave him access to a set of post-exploitation tools known to be part of FIN7's arsenal, such as Carbanak and Lizar/Tirion. The group, through a fake pentesting engagement assigned by Bastion Secure, provided access to the network of a target company.
“The files provided to the source by Bastion Secure included files for a software component titled ‘Command Manager’ that was, in fact, a disguised version of the client component of Carbanak (see image 12). Gemini determined this by analyzing the software’s functionality and concluded that it is an updated version of previously identified versions of Carbanak.” continues the expert. “The main functions of the Carbanak command manager are collecting information about an infected computer and obtaining remote access to the infected computer. The files contained an obfuscated PowerShell script that ultimately launches the Lizar/Tirion injector and payload.”
The hired pentesters were asked to conduct reconnaissance and gather the information needed to carry out the attack, such as user and administrator account credentials and the location of backups.
“Although cybercriminals looking for unwitting accomplices on legitimate job sites is nothing new, the sheer scale and blatancy with which FIN7 operates continue to surpass the behavior shown by other cybercriminal groups. Not only is FIN7 looking for unwitting victims on legitimate job sites, but also attempting to obfuscate its true identity as a prolific cybercriminal and ransomware group by creating a fabricated web presence through a largely legitimate-appearing website, professional job postings, and company info pages on Russian-language business development sites.” concludes the report.
(SecurityAffairs – hacking, cyber security)