Security experts at FireEye Mandiant discovered that the FIN7 hacking group has added new tools to its arsenal, including a new loader and a module that hooks into the legitimate remote administration software used by the ATM maker NCR Corporation.
The group, active since late 2015, has targeted businesses worldwide to steal payment card data. FIN7 is suspected of having hit more than 100 US companies, most of them in the restaurant and hospitality industries.
In August 2018, three members of the notorious cybercrime gang were indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.
The new loader, dubbed BOOSTWRITE, decrypts and runs its payloads directly in memory and lets the threat actors deliver several malicious modules, including the Carbanak backdoor.
Researchers also spotted a new payload module, tracked as RDFSNIFFER, that is dropped by the BOOSTWRITE loader.
“The first of FIN7’s new tools is BOOSTWRITE – an in-memory-only
BOOSTWRITE abuses DLL search order hijacking to get loaded into the process of a legitimate application. Once running, it downloads an initialization vector (IV) and a decryption key from a remote server and uses them to decrypt two embedded payload DLLs in memory.
Before decrypting the embedded PE32 DLL payloads, the loader performs sanity checks on the
The researchers analyzed several samples of BOOSTWRITE; one of them, uploaded to VirusTotal on October 3, was signed with a code signing certificate issued by MANGO ENTERPRISE LIMITED.
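The loading technique described above leaves a simple trace: a DLL that normally lives in the Windows system directories gets loaded from somewhere else, typically the directory of the application that imports it by bare name. The following detector is an added example, not code from FireEye or from the FIN7 samples; it runs over a constructed list of module-load events (process image path, loaded module path) and flags loads of well-known system DLL names from outside System32/SysWOW64. The system directory paths and the list of DLL names are assumptions chosen for illustration, not indicators taken from the report.

```python
"""Flag DLL search-order hijacking candidates from module-load events.

Added example, not FireEye's or FIN7's code. The sample events, the system
directory paths and the DLL name list below are constructed assumptions.
"""
from pathlib import PureWindowsPath

# Directories where a genuine copy of a Windows system DLL is expected to live.
# Assumed default install paths; a deployment would derive them from %SystemRoot%.
SYSTEM_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)

# DLLs that ship with Windows and are commonly imported by bare name, which is
# what makes them hijackable via the search order. Constructed, illustrative list.
KNOWN_SYSTEM_DLLS = {
    "dwrite.dll", "version.dll", "wininet.dll", "cryptsp.dll", "uxtheme.dll",
}

# Constructed sample: (process image, loaded module). Only two of these loads
# should be flagged: the copies of dwrite.dll and version.dll outside System32.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Example\example.exe", r"C:\Windows\System32\dwrite.dll"),
    (r"C:\Program Files\Example\example.exe", r"C:\Program Files\Example\dwrite.dll"),
    (r"C:\Program Files\Example\example.exe", r"C:\Program Files\Example\example.dll"),
    (r"C:\Users\bob\AppData\Local\Temp\tool.exe", r"C:\Users\bob\Downloads\version.dll"),
]


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def is_system_location(module_path: str) -> bool:
    """True when the module sits directly in one of the trusted system directories."""
    parent = _norm(str(PureWindowsPath(module_path).parent))
    return parent in SYSTEM_DIRS


def find_hijack_candidates(events):
    """Return one (process, module, reason) tuple per suspicious load.

    A load is suspicious when the module's file name is a known system DLL but
    the file was loaded from outside the system directories: a planted copy has
    won the search order. The reason distinguishes the classic case (the copy
    sits beside the executable) from a copy elsewhere on the search path.
    """
    hits = []
    for process, module in events:
        name = PureWindowsPath(module).name.lower()
        if name not in KNOWN_SYSTEM_DLLS or is_system_location(module):
            continue
        same_dir = _norm(str(PureWindowsPath(process).parent)) == _norm(
            str(PureWindowsPath(module).parent)
        )
        reason = (
            "system DLL name loaded from the application directory"
            if same_dir
            else "system DLL name loaded from elsewhere on the search path"
        )
        hits.append((_norm(process), _norm(module), reason))
    return hits


if __name__ == "__main__":
    for process, module, reason in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"{process}\n  loaded {module}\n  {reason}")
```

In practice the event list would come from an image-load telemetry source such as Sysmon Event ID 7. Treat the output as a hunting lead rather than a verdict: some legitimate installers redistribute system DLLs next to their executables, so a per-application allow list is needed, and, as the MANGO ENTERPRISE LIMITED sample shows, a valid Authenticode signature on the flagged file does not by itself clear it.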
The loader was observed delivering the RDFSNIFFER DLL which allows an attacker to hijack instances of the NCR Aloha Command Center Client application and interact with victim systems via existing legitimate 2FA sessions.
RDFSNIFFER hooks the process of NCR Corporation’s RDFClient; it runs every time the legitimate software for remote admi
The malicious code is designed to run
Below is the list of supported commands:

| Command Name | Legit Function in RDFClient | RDFClient Command ID | Description |
|---|---|---|---|
| Upload | FileMgrSendFile | 107 | Uploads a file to the remote system |
| Download | FileMgrGetFile | 108 | Retrieves a file from the remote system |
| Execute | RunCommand | 3001 | Executes a command on the remote system |
| DeleteRemote | FileMgrDeleteFile | 3019 | Deletes a file on the remote system |
| DeleteLocal | – | – | Deletes a local file |
In March, the group carried out attacks delivering a previously unseen piece of malware tracked as SQLRat, which drops files and executes SQL scripts on the host. The messages sent to the victims were also dropping DNSbot, a backdoor that primarily operates over DNS traffic.
In April 2018, FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.
“While these incidents have also included FIN7’s typical and long-used
“Barring any further law enforcement actions, we expect at least a portion of the actors who comprise the FIN7 criminal organization to continue conducting campaigns.”