Morphisec has been tracking #FIN7 ’s activity for the past several years and last month, our team was able to extract #data from one of the latest FIN7 attack approaches. Check out our analysis of the evolution of the FIN7 JSSLoader here: bit.ly/3pZ5xqP

Noticed spikes of dropped batch helper files with low AV detection rates

YARA Rule
github.com/Neo23x0/signat…

- use with LOKI/THOR to uncover past successful infections

Rule Info
valhalla.nextron-systems.com/info/rule/SUSP…

Malware
virustotal.com/gui/file/dd677…

Dropped BAT
virustotal.com/gui/file/3a9d1…

First for all, thanks to Stephan (@[email protected]) for the #Egregor samples, that confirm that the group have finish to development of their ransomware in getting a common template where only the keys and the encrypted payload to run inside the DLL change.

#more_eggs A new sample of #Terraloader have been spotted and continue to be FUD to the AV engines. This keeps the same structure that the last sample of July with new exceptions loops and modified rounds on the algorithm.

The second part of our Article Series: 'OpBlueRaven: Unveiling Fin7/Carbanak' has just been published! In the second article; we are deailing with BadUSB attacks carried out by these threat actors!
threatintel.blog/OPBlueRaven-Pa…

2020-07-24: 🔥👁‍🗨 #more_eggs JS loader | #TerraLoader #Signed .ocx
Cert -> 🇨🇿 [AntiFIX s.r.o.] #Sectigo
base91 en|de|code | crc32 sum AV process check

BV = '6.6a'
🛑C2: maps.doaglas .com/update/check

MD5:C8AEF418DF5CE78AA55FDA9B4DA2B6A8
h/t MalwareHunterTeam

still amazes me #badbullz #more_eggs dropper gets 0 on VT 🤷 md5: a340facf78875e447dd06ba225a07502
couldn't find the ocx/dll associated with this one

Intezer Correct. But it's not #TerraTV , this is new #TerraLoader version directly injecting #Meterpreter instead (c2 xo[.]mikeplein[.]com). There is somethig likely in common with TerraTV tho..the #GoldenChickens customer using it - #FIN6 (more on this to come, stay tuned)

Interesting use of Outlook calendar format (ICS) in a phishing attack.

Hash of the file: 0986e7cbdef080dada8dee9c55542c37

🌐pwncode.io/2020/04/outloo…

🅾️ 0 detections on VT.

ICS -> Sharepoint -> Google Storage -> Wells Fargo Phishing.

MalwareHunterTeam Nick Carr JayTHL

2020-04-14:🆕🔥Possible #FIN7 'VBS' PowerShell Active Directory (LDAP) Hunter via 'Payment overdue' Spam
'JS' Loader 'group=vbs' (+start_delay())

🛡️
C2:domenuscdm. com
C2:environmentalist .com

h/t simpo|cc DerekT2
Pushed the decoded portions↘️
github.com/k-vitali/Malwa…

Easter Egg time !
Comparative analysis on the JS loader #Terraloader
Thanks to DerekT2
github.com/StrangerealInt…

Goooooooood morning, Excel 4.0 macros! With a side of sandbox evasion! This was a fun one.

clickallthethings.wordpress.com/2020/04/06/cov…

For your Excel 4.0 Macro pleasure Malwrologist. These files are 'encrypted' 🔓 with the VelvetSweatshop password. Luckily Philippe Lagadec's oletools knows how to decrypt, but your #Yara rules might not!
🔗virustotal.com/gui/file/9e134…
📋gist.github.com/JohnLaTwC/55a6…
🧠nakedsecurity.sophos.com/2013/04/11/pas…

New blog post 'Update: msoffcrypto-crack. py Version 0.0.5' blog.didierstevens.com/2020/03/31/upd…

Friday night #FIN7 -- below domains are also serving the #Malware :

colorpickerdesk.\com
digitalsoundmaker99.\com
expressdesign9.\com
fgfotr.\com
nattplot.\com
nlotsoft.\com
poolwort.\com
softowii.\com
tssoftos.\com
untypicaldesign9.\com
uoplotr.\com

(1/3)

#threatintel

Have you received an unsolicited USB like this in the mail? It may be an attempt to compromise your computer. If you receive a USB, please contact your local #FBI office.

#FIN7 mailing USBs is finally out in the public this week 😅
These make for interesting IRs 📦🤏🏽🔍

It’s super cool that they validate various red team assessment techniques (like phone-based social engineering); but don’t be surprised. Remember they run offsec front companies.

This week Wesley received a malicious xls on an email adres leaked by LiteBit.eu later that week i also received it. Interesting part is, gmail spam filters did not catch it. Had a tough time analyzing it so decided to make a small thread.