BlackBerry Ltd.

04/17/2024 | Press release | Distributed by Public on 04/17/2024 07:48

Threat Group FIN7 Targets the U.S. Automotive Industry

Summary

In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees in the company's IT department who held higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold, relying on living-off-the-land binaries, scripts, and libraries (LOLBAS). We also found evidence that this attack was part of a wider campaign by FIN7.

In this blog, we'll examine the mechanisms behind this attack and discuss active steps you can take to prevent your organization from falling victim to phishing attacks.

Brief MITRE ATT&CK® Information

Tactic                        | Technique
------------------------------|--------------------------------------------------
TA0001 - Initial Access       | T1566.002
TA0002 - Execution            | T1204.002, T1059.001, T1569.002
TA0003 - Persistence          | T1053.005, T1543.003
TA0005 - Defense Evasion      | T1027, T1564.001, T1222.001, T1562.004
TA0007 - Discovery            | T1124, T1057, T1087.002, T1069.002, T1082, T1033
TA0008 - Lateral Movement     | T1021.004
TA0011 - Command-and-Control  | T1571, T1090
TA0042 - Resource Development | T1608.005, T1583.001


Weaponization and Technical Overview

Weapons: Anunak, POWERTRASH, OpenSSH
Attack Vector: Spear-phishing
Network Infrastructure: SSH Tunnels
Targets: Automotive Industry


Technical Analysis

Who is FIN7?

FIN7 is a Russian advanced persistent threat (APT) group that has been active since 2013. The group is financially motivated; in the past it has primarily targeted the U.S. retail, restaurant, and hospitality sectors, although recently it has branched out into attacking the transportation, insurance, and defense sectors.

Also tracked as Carbon Spider, ELBRUS and Sangria Tempest, FIN7 is closely associated with other cybercriminal groups including GOLD NIAGARA, ALPHV and BlackCat. In 2020, the FBI issued a warning that FIN7 had begun using the infamous REvil ransomware in their attacks, as well as their own ransomware-as-a-service (RaaS) known as DarkSide, which is believed to be a rebrand of the BlackMatter ransomware.

In recent years, FIN7 has shifted their efforts from targeting the masses to the more precise targeting of large entities, a practice known as big game hunting. The group usually deploys ransomware as the end payload. Detection of a FIN7 intrusion early in the infection process can mitigate full network compromise and the typically large financial losses that ransomware can inflict.

In the case documented in this report, the BlackBerry Threat Research and Intelligence team detected the compromise and successfully stopped the intrusion before the threat group had a chance to launch a ransomware attack.

Attack Vector

So why did FIN7 shift to big game hunting? An attacker puts more resources into targeting a large entity because of its presumed ability to pay a much larger ransom. Such an attack is usually very carefully orchestrated to ensure maximum effectiveness. The threat actors first select and study their target company, searching for weaknesses and identifying employees who may have higher access privileges in the corporate network, before launching their attack.

In this case, employees with a high level of access privileges were targeted with spear-phishing emails that linked to "advanced-ip-sccanner[.]com", a malicious URL masquerading (a.k.a. typosquatting) as the legitimate website "advanced-ip-scanner[.]com", a free online scanner.

This fake site redirected to "myipscanner[.]com", which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto the victim's machine.

Figure 1: Attack chain used to compromise the target company

Hashes (md5, sha-256): 87aa5f3f514af2b9ef28db9f092f3249, ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef
ITW File Name: Advanced_Ip_Scanner_setup.exe
Compilation Stamp: 2022-04-14 16:10:23 UTC
File Type/Signature: Win32 EXE
File Size: 18155592 bytes
Compiler Name/Version: Embarcadero Delphi (10.3 Rio) [Professional]
Installer Name: Inno Setup Module (6.1.0) [Unicode]

Hashes (md5, sha-256): bb23dde1e3ecef7d93a39e77e32ef96c, d63060e61c98074c58926a6239185e8128fd0fbc2a45ccf60f3c831bb18ffc93
ITW File Name: WsTaskLoad.exe
Compilation Stamp: 2018-10-10 03:56:59 UTC
File Type/Signature: Win32 EXE
File Size: 2234880 bytes
Compiler Name/Version: Embarcadero Delphi (2009)


Execution Flow

WsTaskLoad.exe uses a multi-stage execution chain to run the final Anunak/Carbanak payload:

First, it loads jutil.dll (SHA256: 5ce7b63ef05d9f5cb8e309e6b195e3acb69cc72b899f4ae07c48b85bedfb286e) and calls its exported function SizeSizeImage.

Then, jutil.dll reads and decrypts infodb\audio.wav (SHA256: c8d8d666b509afaa0ef349cc3de9a6eec6dde98cc8a0e50228f8793275fae401) at offset 0x30f21 with size 0x256e; the decrypted blob is shellcode, which is copied over the previously loaded mspdf.dll (SHA256: cdc0186ff3fcb67986f4f1f54e3a2991dd73f8bde20acf3a739e0fff7c6d94a7) and executed via EnumWindows().

The shellcode reads and decrypts infodb\audio.wav at offset 0xc2bc1 with size 0x150600; the decrypted blob is a loader (SHA256: 7e927e1db12c404683c9c8b232e8cecb7334eed618992e965388b0b63508509f), which the shellcode then loads and executes.

Finally, the loader searches the current directory for files carrying a specific marker. The marker matches on dmxl.bin (SHA256: d4960f3c7cc891ff2bafd0a080451e42e0a23ba4db54ae2d7d355497a3b3d81a) and dfm\open.db (SHA256: a186ea72c942232998429e0d8b1bc0e0876bdb535738eba0ed9f4be9aeaa81db); during our execution we observed dmxl.bin being used, with open.db likely present for redundancy.

The decrypted dmxl.bin is the Anunak payload, with the campaign ID "rabt4201_x86".
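Added example (not part of BlackBerry's report): a small Python triage helper that carves the byte ranges documented above out of a container file and reports their Shannon entropy, so an analyst can confirm that a file presenting a valid RIFF/WAVE header carries high-entropy (encrypted) blobs at the expected offsets rather than audio. REAL_REGIONS holds the offsets from the analysis; build_sample() writes a constructed, much smaller stand-in for infodb\audio.wav because the real sample is not available here, and no decryption is attempted.

```python
import hashlib
import math
import os
import random
import struct
import tempfile

# Byte ranges documented in the analysis of infodb\audio.wav: name -> (offset, size).
REAL_REGIONS = {
    "shellcode": (0x30F21, 0x256E),
    "loader": (0xC2BC1, 0x150600),
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, far lower for PCM audio."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def is_riff_wave(path: str) -> bool:
    """True if the file starts with a RIFF....WAVE header, i.e. it will pass as audio."""
    with open(path, "rb") as f:
        hdr = f.read(12)
    return len(hdr) == 12 and hdr[:4] == b"RIFF" and hdr[8:12] == b"WAVE"

def carve(path: str, regions: dict) -> dict:
    """Carve each named (offset, size) region and describe it; the bytes are left as found."""
    with open(path, "rb") as f:
        blob = f.read()
    report = {}
    for name, (offset, size) in regions.items():
        chunk = blob[offset:offset + size]
        report[name] = {
            "sha256": hashlib.sha256(chunk).hexdigest(),
            "size": len(chunk),
            "truncated": len(chunk) < size,   # file is shorter than the documented layout
            "entropy": round(shannon_entropy(chunk), 2),
        }
    return report

def likely_encrypted(report: dict, threshold: float = 7.0) -> list:
    """Names of carved regions whose entropy points to an encrypted payload, not audio."""
    return sorted(n for n, r in report.items() if r["entropy"] >= threshold and not r["truncated"])

def build_sample(path: str, blob_offset: int = 0x400, blob_size: int = 0x800) -> dict:
    """Constructed stand-in for audio.wav: a valid 8-bit PCM header, near-silent samples,
    and a pseudo-random blob spliced in at blob_offset. Returns the regions to carve."""
    rng = random.Random(1337)
    data_len = blob_offset - 44 + blob_size + 0x200          # 44 = size of the WAV header
    pcm = bytearray(0x80 + (i % 3) for i in range(data_len))  # low-entropy "audio"
    pcm[blob_offset - 44:blob_offset - 44 + blob_size] = bytes(rng.getrandbits(8) for _ in range(blob_size))
    fmt = struct.pack("<4sIHHIIHH", b"fmt ", 16, 1, 1, 8000, 8000, 1, 8)
    data = struct.pack("<4sI", b"data", data_len) + bytes(pcm)
    riff = struct.pack("<4sI4s", b"RIFF", 4 + len(fmt) + len(data), b"WAVE")
    with open(path, "wb") as f:
        f.write(riff + fmt + data)
    return {"hidden": (blob_offset, blob_size), "audio": (44, 0x200)}

def demo() -> dict:
    """Write the constructed sample to a temp dir, carve it and return the findings."""
    path = os.path.join(tempfile.mkdtemp(), "audio.wav")
    regions = build_sample(path)
    report = carve(path, regions)
    return {"looks_like_wave": is_riff_wave(path), "report": report,
            "encrypted_regions": likely_encrypted(report)}

if __name__ == "__main__":
    print(demo())
```

Against a real sample you would call carve(path, REAL_REGIONS) and compare the entropy of each region with that of the surrounding audio data.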

Once the Anunak payload is running inside WsTaskLoad.exe, it handles the deployment of further scripts and establishes persistence. The first thing it runs after installation is a POWERTRASH-obfuscated PowerShell script. POWERTRASH is a custom obfuscation of the shellcode invoker from PowerSploit.

Figure 2: Execution of POWERTRASH

It then collects system, network, and user information from the host machine.

Figure 3: Reconnoitering by WsTaskLoad.exe

Persistence is established by installing OpenSSH, a connectivity tool for remote login with the SSH protocol. OpenSSH is scheduled as a task, and ports in the firewall are opened. Historical intelligence shows FIN7 typically utilizes OpenSSH for lateral movement as well, but this was not observed during this investigation.

More information on the network indicators of compromise (IoCs) is given in the Network Infrastructure section below.

Figure 4: Persistence being established

WsTaskLoad then collects basic system information:

Figure 5: Checking user information after establishing persistence

Network Infrastructure

During the delivery phase of this campaign, the fake lure website "advanced-ip-sccanner[.]com" redirected to "myipscanner[.]com". We found multiple domains registered within minutes of the original on the same provider, indicating that this activity was not limited to the one intrusion BlackBerry detected but may in fact be part of a wider campaign by FIN7.

Post compromise, OpenSSH is used for external access. The SSH tunnel proxy server presents a host key with the SHA-256 fingerprint bc4ef49e904d63415ee1c810c90019e12a590ff3b6293f4b69af65713a8da9fa, which is shared by 17 other hosts on the exact same ports (53, 80, and 443). This is particularly interesting because SSH fingerprints are generally unique to a server or service, as they are derived from the public key the server presents. The identical deployment and SSH fingerprint allow us to state with high confidence that these hosts are related.

Moderate confidence is given to another 21 hosts that are set up identically: ports 53, 80, 443, and 3721 hosting SSH, with the identical SSH fingerprint on ports 53, 80, and 443 and a different (probably management) SSH key on port 3721. These hosts also use the same hosting providers as the "high confidence" hosts.
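Added example (not BlackBerry's tooling): Python that applies the clustering criteria just described to SSH host-key scan data. It converts the report's hex fingerprint to the SHA256:base64 form that ssh-keygen -lf prints, parses that tool's output lines, and sorts hosts into the high-confidence and moderate-confidence buckets. The hostnames and the non-matching keys in SAMPLE_SCAN are constructed placeholders, not indicators from the report.

```python
import base64
import re

# Host-key fingerprint reported for the SSH tunnel proxy (hex-encoded SHA-256 of the public key).
REPORT_FINGERPRINT_HEX = "bc4ef49e904d63415ee1c810c90019e12a590ff3b6293f4b69af65713a8da9fa"
PIVOT_PORTS = (53, 80, 443)   # ports on which the identical key was observed
MGMT_PORT = 3721              # port carrying a different, probably management, key

def hex_to_openssh(hex_fp: str) -> str:
    """Render a hex SHA-256 fingerprint the way ssh-keygen -lf prints it:
    'SHA256:' plus unpadded base64, so report IoCs can be compared with scan output."""
    raw = bytes.fromhex(hex_fp)
    if len(raw) != 32:
        raise ValueError("SHA-256 fingerprint must be 32 bytes")
    return "SHA256:" + base64.b64encode(raw).decode().rstrip("=")

def normalize(fp):
    """Accept either the hex form or the OpenSSH form; return the OpenSSH form (or None)."""
    if fp is None:
        return None
    if fp.startswith("SHA256:"):
        return fp.rstrip("=")
    if re.fullmatch(r"[0-9a-fA-F]{64}", fp):
        return hex_to_openssh(fp)
    raise ValueError(f"unrecognised fingerprint format: {fp!r}")

def parse_keygen_line(line: str):
    """Parse one line of `ssh-keyscan -p PORT HOST | ssh-keygen -lf -`, e.g.
    '256 SHA256:xxxx [203.0.113.5]:443 (ED25519)' -> ('203.0.113.5', 443, 'SHA256:xxxx')."""
    m = re.match(r"^\d+\s+(SHA256:\S+)\s+\[([^\]]+)\]:(\d+)\s+\(\w+\)\s*$", line)
    if not m:
        return None
    return m.group(2), int(m.group(3)), m.group(1)

def classify_hosts(scan: dict, seed_fp: str) -> dict:
    """scan: {host: {port: fingerprint}}. Report criteria: identical key on 53/80/443 ->
    high confidence; the same plus a different key on 3721 -> moderate confidence."""
    seed = normalize(seed_fp)
    out = {"high": [], "moderate": [], "unrelated": []}
    for host in sorted(scan):
        keys = {port: normalize(fp) for port, fp in scan[host].items()}
        if not all(keys.get(p) == seed for p in PIVOT_PORTS):
            out["unrelated"].append(host)
        elif keys.get(MGMT_PORT) not in (None, seed):
            out["moderate"].append(host)
        else:
            out["high"].append(host)
    return out

# Constructed scan records; hostnames and the non-matching keys are placeholders, not IoCs.
SAMPLE_SCAN = {
    "proxy-a.example": {p: REPORT_FINGERPRINT_HEX for p in (53, 80, 443)},
    "proxy-b.example": {53: hex_to_openssh(REPORT_FINGERPRINT_HEX), 80: REPORT_FINGERPRINT_HEX,
                        443: REPORT_FINGERPRINT_HEX, 3721: "11" * 32},
    "proxy-c.example": {53: REPORT_FINGERPRINT_HEX, 80: REPORT_FINGERPRINT_HEX, 443: "22" * 32},
    "web.example": {22: "33" * 32},
}

if __name__ == "__main__":
    print(classify_hosts(SAMPLE_SCAN, REPORT_FINGERPRINT_HEX))
```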


Targets

The target of this attack was a large multinational automotive manufacturer based in the U.S. This is in line with the big game hunting that FIN7 has participated in for the last few years. The individuals targeted with spear-phishing attacks worked in the IT department, making them the most likely workers to have administrative rights and domain credentials.

Attribution

The obfuscation on PowerShell script 3CF9.ps1 is identical to that used in other FIN7 POWERTRASH scripts. The script utilizes the shellcode invoker from PowerSploit, as do previously verified POWERTRASH samples. This leads us to state with a high level of confidence that the attacker was indeed FIN7.

Conclusions

While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers used by the attackers have not previously been published. BlackBerry thinks it prudent to enable individuals and entities to identify these hosts and protect themselves.

Remediation

The good news is that BlackBerry® cybersecurity solutions detect all malicious samples involved in this campaign. Early identification of the initial infection and subsequent actions by the threat actor allowed analysts to quickly locate the infected system. It was then removed from the network prior to lateral movement, preventing ransomware installation and subsequent damage to the victimized company.

Preventing Phishing Attacks

Just because your organization may be modest doesn't mean your attack surface is smaller or less appealing to a threat group than a big company's might be. Nearly 1.2 percent of all emails sent worldwide are phishing attempts, amounting to 3.4 billion emails daily, according to 2024 statistics. The average loss from a successful phishing attack on an SMB amounted to $4.45 million USD.

Putting active security measures into place is the best way to preserve your organization's finances and reputation, regardless of size. Phishing is becoming increasingly sophisticated and can take many forms, ranging from simple attempts to scam users, such as a malicious attachment or link in a phishing email, to more complex deceptions, such as those utilizing phone or even fake video via the use of AI-based deepfake technology.

As a recent example of this, just two months ago in February, a finance worker in a large multinational organization was tricked into paying out millions of dollars to fraudsters who used deepfake technology to pose as the company's chief financial officer in a video conference call. The worker was initially suspicious after he received an email that was purportedly from the CFO, as it spoke of the need for a secret transaction to be carried out.

However, the employee put aside his doubts after a follow-up video call, because the CFO and other people on the call looked and sounded just like colleagues he recognized. The elaborate deepfake scam netted the fraudsters $25 million USD. With the use of generative AI on the rise, this is just the latest case in which fraudsters used deepfake technology to modify publicly available video and audio to cheat people out of money.

Recommendations for Mitigation

There are a number of proactive steps your organization can take to thwart phishing attacks:

  • Conduct Regular Security Training. This remains one of the very best ways to protect businesses from phishing attacks. Teach employees the basic red flags that are the hallmark of phishing attempts. Workers need to know how to verify the authenticity of emails and avoid clicking on links or downloading attachments from unknown or suspicious sources.
  • Social Engineering Awareness. This is the next step, but an important one. Expand your employees' training to include sessions on how to recognize social engineering tactics, which may include the attacker attempting to engage with them via social platforms, phone, text, or even video call.
  • Phishing Report System. Put a system in place to allow employees to immediately report attempted phishing attacks to your SOC or IT security team. Adding a "Report phishing" button to your email system is a good first step. Foster a culture of trust so that users feel comfortable reporting phishing incidents.
  • Multi-Factor Authentication. Implement multi-factor authentication (MFA) on all user accounts. This makes it harder for an attacker to access an employee's account and gain entry to your network, even if they steal the password and login details.
  • Password Hygiene. Use strong and unique passwords online, and don't reuse the same password across multiple sites. Better yet, we strongly encourage the use of passwordless (e.g. FIDO2) authentication whenever possible.
  • Security Updates and Patch Management. Keep all employee apps, operating systems and devices updated to apply the latest security fixes.
  • Endpoint Security Solutions. Deploy endpoint security solutions such as antivirus software, endpoint detection and response (EDR) solutions, and email security gateways to detect and block phishing attempts, malware, and other threats at the endpoint.
  • Monitor Suspicious Behavior. Implement monitoring tools and processes to detect suspicious login attempts, unusual user behavior, and unauthorized access. Lock user accounts after a certain number of failed login attempts to deter attackers from guessing passwords.
  • Data Protection and Encryption. Encrypt sensitive data in transit and at rest. This can help protect data from unauthorized access following a successful phishing attack.
  • Email Filtering and Authentication. Implement advanced email filtering solutions to detect and block phishing emails before they reach users' inboxes. Use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to authenticate email senders and detect spoofed emails.
  • Incident Response. Develop and test incident response plans to mitigate security incidents quickly.


APPENDIX 2 - Applied Countermeasures

YARA Rules

rule crimeware_fin7_powertrash {
    meta:
        description = "Identifies POWERTRASH powershell scripts"
        author = "The BlackBerry Research & Intelligence team"
        version = "1.0"
        last_modified = "2024-03-04"

    strings:
        // shellcode decompression
        $d1 = "[IO.MemoryStream][Byte[]]"
        $d2 = "New-Object IO.Compression.DeflateStream"
        $d3 = "New-Object Byte"
        $d4 = "[System.Convert]::FromBase64String("

        // shellcode invoker
        $s1 = "[sysTem.reFLECTiOn.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null)" nocase
        $s2 = "[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(" nocase
        $s3 = "[System.Runtime.InteropServices.Marshal]::Copy(" nocase
        $s4 = "[SYStem.rEFLeCtIOn.CallingConventions]::Any, @([string]), $null)" nocase

    condition:
        all of them
}


APPENDIX 3 - DETAILED MITRE ATT&CK® MAPPING

Tactic | Technique | Sub-Technique Name / Context
-------|-----------|-----------------------------
Initial Access | T1566.002 - Phishing: Spear-phishing Link | A user with a high level of access privileges was targeted with a spear-phishing email that linked to "advanced-ip-sccanner[.]com".
Resource Development | T1608.005 - Stage Capabilities: Link Target | A malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.
Execution | T1204.002 - User Execution: Malicious File | A malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.
Defense Evasion | T1027 - Obfuscated Files or Information | WsTaskLoad.exe executes an obfuscated PowerShell script.
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | WsTaskLoad.exe executes an obfuscated PowerShell script.
Discovery | T1124 - System Time Discovery | The 3CF9.ps1 script performs system time discovery using net time.
Discovery | T1057 - Process Discovery | The 3CF9.ps1 script performs process discovery by executing tasklist /v.
Discovery | T1087.002 - Account Discovery: Domain Account | The 3CF9.ps1 script enumerates domain accounts by executing net group "Domain Admins" /domain.
Discovery | T1069.002 - Permission Groups Discovery: Domain Groups | The 3CF9.ps1 script enumerates domain groups by executing net group "Domain Admins" /domain.
Discovery | T1082 - System Information Discovery | csvde.exe exports system information (objectClass=Computer).
Discovery | T1087.002 - Account Discovery: Domain Account | csvde.exe exports Active Directory data (objectClass=person).
Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | PowerShell installs OpenSSH, which is used for remote login with the SSH protocol.
Defense Evasion | T1564.001 - Hide Artifacts: Hidden Files and Directories | The adversary uses attrib +h to hide the SSH installation.
Persistence | T1053.005 - Scheduled Task/Job: Scheduled Task | The adversary uses a scheduled task to persist OpenSSH on the victim's machine.
Persistence | T1543.003 - Create or Modify System Process: Windows Service | The sshd service is reconfigured to start automatically (sc config sshd start= auto).
Execution | T1569.002 - System Services: Service Execution | The sshd service is started (sc start sshd).
Defense Evasion | T1562.004 - Impair Defenses: Disable or Modify System Firewall | The adversary adds a new firewall rule for a non-standard port: 59999.
Command-and-Control | T1571 - Non-Standard Port | The adversary adds a new firewall rule for a non-standard port: 59999.
Discovery | T1082 - System Information Discovery | WsTaskLoad gathers system information: hostname.
Discovery | T1033 - System Owner/User Discovery | WsTaskLoad collects the victim's username through whoami.
Discovery | T1087.002 - Account Discovery: Domain Account | WsTaskLoad performs domain account discovery using net user /domain.
Discovery | T1057 - Process Discovery | WsTaskLoad performs process discovery through tasklist.
Resource Development | T1583.001 - Acquire Infrastructure: Domains | Multiple domains were found registered within minutes of the original on the same provider.
Command-and-Control | T1090 - Proxy | Post compromise, OpenSSH is used for external access.
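Added detection example (not from the report): Python that replays the command lines catalogued in the mapping above against constructed process-creation records and flags a host once several discovery commands are joined by the OpenSSH persistence steps. The record format, hostnames and user names are constructed, and the exact syntax of the scheduled task and firewall-rule commands is an assumption, since the mapping names the technique and the port (59999) but not the command.

```python
import re
from collections import defaultdict

# (ATT&CK technique from the mapping above, regex over the process command line).
# The schtasks and firewall-rule syntax is assumed; the report gives only the technique.
RULES = [
    ("T1124",     r"\bnet(1)?(\.exe)?\s+time\b"),
    ("T1057",     r"\btasklist(\.exe)?\b"),
    ("T1069.002", r'\bnet(1)?(\.exe)?\s+group\s+"?domain admins"?\s+/domain\b'),
    ("T1087.002", r"\bnet(1)?(\.exe)?\s+user\s+/domain\b|\bcsvde(\.exe)?\b.*objectclass=person"),
    ("T1082",     r"\bhostname(\.exe)?\b|\bcsvde(\.exe)?\b.*objectclass=computer"),
    ("T1033",     r"\bwhoami(\.exe)?\b"),
    ("T1564.001", r"\battrib(\.exe)?\b.*\+h\b.*ssh"),
    ("T1053.005", r"\bschtasks(\.exe)?\b.*/create\b.*ssh"),                                  # assumed form
    ("T1543.003", r"\bsc(\.exe)?\s+config\s+sshd\s+start=\s*auto\b"),
    ("T1569.002", r"\bsc(\.exe)?\s+start\s+sshd\b"),
    ("T1562.004", r"(advfirewall\s+firewall\s+add\s+rule|new-netfirewallrule).*\b59999\b"),  # assumed form
]
COMPILED = [(tid, re.compile(rx, re.IGNORECASE)) for tid, rx in RULES]
# Any of these alongside discovery commands marks the OpenSSH persistence stage of the chain.
PERSISTENCE_STAGE = {"T1564.001", "T1053.005", "T1543.003", "T1569.002", "T1562.004"}

def analyze(lines) -> dict:
    """lines: 'timestamp|host|user|command line' records. Returns per-host technique hits
    and a verdict: three or more distinct techniques including a persistence-stage one."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue                      # malformed record: skip rather than crash
        _ts, host, _user, cmd = parts
        for tid, rx in COMPILED:
            if rx.search(cmd):
                hits[host].add(tid)
    return {
        host: {
            "techniques": sorted(tids),
            "persistence_stage": bool(tids & PERSISTENCE_STAGE),
            "suspicious": len(tids) >= 3 and bool(tids & PERSISTENCE_STAGE),
        }
        for host, tids in hits.items()
    }

# Constructed process-creation records (not telemetry from the incident).
SAMPLE_LOG = [
    r"2023-11-02T09:12:03Z|WS-IT-07|CORP\jdoe|net time \\DC01",
    r"2023-11-02T09:12:04Z|WS-IT-07|CORP\jdoe|tasklist /v",
    r'2023-11-02T09:12:05Z|WS-IT-07|CORP\jdoe|net group "Domain Admins" /domain',
    r'2023-11-02T09:12:09Z|WS-IT-07|CORP\jdoe|csvde.exe -f C:\Users\jdoe\AppData\Local\Temp\u.csv -r "(objectClass=person)"',
    r'2023-11-02T09:12:10Z|WS-IT-07|CORP\jdoe|csvde.exe -f C:\Users\jdoe\AppData\Local\Temp\c.csv -r "(objectClass=Computer)"',
    r"2023-11-02T09:20:31Z|WS-IT-07|CORP\jdoe|attrib +h C:\ProgramData\ssh",
    r'2023-11-02T09:20:32Z|WS-IT-07|CORP\jdoe|schtasks /create /tn "OpenSSH" /tr "C:\ProgramData\ssh\sshd.exe" /sc onstart /ru SYSTEM',
    r"2023-11-02T09:20:33Z|WS-IT-07|CORP\jdoe|sc config sshd start= auto",
    r"2023-11-02T09:20:34Z|WS-IT-07|CORP\jdoe|sc start sshd",
    r'2023-11-02T09:20:35Z|WS-IT-07|CORP\jdoe|netsh advfirewall firewall add rule name="OpenSSH" dir=in action=allow protocol=TCP localport=59999',
    r"2023-11-02T09:21:02Z|WS-IT-07|CORP\jdoe|hostname",
    r"2023-11-02T09:21:03Z|WS-IT-07|CORP\jdoe|whoami",
    r"2023-11-02T09:21:04Z|WS-IT-07|CORP\jdoe|net user /domain",
    r"2023-11-02T10:01:10Z|WS-HR-02|CORP\asmith|whoami /all",   # routine helpdesk activity
    r"2023-11-02T10:01:11Z|WS-HR-02|CORP\asmith|tasklist",
    r"2023-11-02T10:01:12Z|WS-HR-02|CORP\asmith|ping 10.0.0.1",
]

if __name__ == "__main__":
    for host, result in analyze(SAMPLE_LOG).items():
        print(host, result)
```

Single discovery commands such as whoami or tasklist are common in legitimate administration, which is why the verdict requires the persistence-stage commands as well.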

About The BlackBerry Research & Intelligence Team

The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
