Footprints of FIN7: Tracking Actor Patterns (Part 1)

July 25, 2017

By: Justin Warner, Stephen Hinck
Tags: FIN7, Threat Research

The 2017 Verizon DBIR report states that 73% of breaches in 2016 were financially motivated, spanning a number of different industries and financial targets. Since 2015, a financially motivated threat group known as FIN7 (also referred to as the Carbanak Group) has emerged from the shadows and has been highlighted in a number of different incidents. This group is a moderately sophisticated and persistent adversary that has targeted various industries.

In early 2017, ICEBRG detected and observed FIN7 activity and spent some time profiling various aspects of their operations. This analysis showed that, as many others have reported, FIN7 is not just a capable threat group that utilizes “off the shelf” capabilities to accomplish their objectives, but also adapts to meet the challenges of the environment in which they are operating. It is our hope that this information will help others dealing with the threat actors and also shine light on some recommended capabilities for response teams to better understand the mindset of their adversaries.

This is part one of a two-part blog series detailing ICEBRG’s engagements with FIN7 throughout early 2017. Part one of this series focuses in depth on the network command and control techniques utilized by the actors. In these posts, ICEBRG will not disclose IOCs from the campaigns, but rather focus on specific patterns that may help identify attacker activity. (Part two)


FIN7 Network Command and Control (C2)

While it is widely believed that the use of custom tools is a characteristic of sophisticated threat actor groups, open source and commercially available tools are easily obtained, easy to hide, and due to their widespread legitimate use, make attribution difficult. FIN7 makes heavy use of these tools, involving a number of techniques throughout their operations.


Operational Patterns

ICEBRG observed FIN7 utilizing several types of communications to maintain a foothold in their target environment, rotating their infrastructure throughout the operation in order to stay one step ahead of response and remediation efforts. For their primary command and control (C2), FIN7 utilized Cobalt Strike’s DNS C2 as their method of maintaining access inside of target environments. Two separate C2 servers were utilized during the observed periods, one used heavily during initial access and a second one used more during post-exploitation activities.

The authoritative DNS servers for the malicious domains were geographically distributed, but all hosted within the same low-reputation Virtual Private Server (VPS) provider. The secondary C2 method leveraged a different, encrypted, communication channel. Infrastructure for the secondary C2 method was also hosted on the same geographically disparate low-reputation VPS provider.

During the incident, ICEBRG observed that the attackers were consistently active between 08:00 and 23:00 GMT with peak activity at 17:00 GMT and with minimal activity outside of that window. This time window is not intended to perform any sort of attribution but was useful when planning and coordinating phases of the response effort.


Figure 1: Actor DNS C2 activity broken out by hour


Using these timelines, ICEBRG was able to identify FIN7 employing different C2 techniques based on their operational patterns. Before concluding operations for the day, the adversary would set their callback times to one hour, and change the mode of their communications to use A resource records (instead of TXT records). This change appeared to be an attempt by the actors to maintain a lower profile by using more “natural” queries in the environment. Further, the threat actors would spawn a secondary C2 component during their “off-hour” periods in an apparent attempt to maintain access should the DNS C2 be detected. We will explore each of these techniques further in the following sections.


Cobalt Strike DNS C2

DNS C2 leverages queries for DNS TXT and A resource records (RRs), which traverse standard recursive DNS channels and terminate at an attacker’s authoritative DNS server. Because the traffic rides the standard DNS channel, this technique is effective in highly controlled environments where restrictive firewall, web filter or proxy policies are enforced; for example, in point of sale (POS) networks in the retail and hospitality sector, as well as other high-security financial transaction environments.

Figure 2: Example flow of DNS C2 traffic

The specific C2 capabilities of Cobalt Strike are outlined in various blogs on their website. It should be noted that Cobalt Strike allows for modification of several aspects of the DNS C2 channel through the “Malleable C2” option. In the observed operations, FIN7 utilized the default communication settings present in Cobalt Strike without modification. This decision (or lack thereof) could be indicative of lack of tool knowledge, or a lack of necessity to do anything more to accomplish their objectives. The communications schema and components leveraged in the attack are broken out below.

During the initial exploitation, and throughout the lateral spread attack phases, the actors utilized PowerShell scripts to deploy DNS TXT record stagers into memory. During execution, PowerShell would make iterative DNS TXT queries, which would return encrypted data to be concatenated and then executed in memory. These queries followed a pattern matching:

aaa.stage.[encryptedstage].MaliciousDomain.com
baa.stage.[encryptedstage].MaliciousDomain.com
caa.stage.[encryptedstage].MaliciousDomain.com

Emerging Threats Pro has a signature for this part of the Cobalt Strike DNS C2 chain (SID 2809850) that should provide basic alerting. By monitoring for the aaa.stage.[encryptedstage].MaliciousDomain.com pattern, ICEBRG was able to detect attacker movement in real-time, prior to confirmed control of the victim host, enabling immediate analysis of the new activity.


Figure 3: The DNS TXT record staging process for Cobalt Strike used by FIN7


After staging, the attacker would shift to the use of DNS A resource records. When idle, the malware would make requests to the attacker controlled domain with a pattern matching [SessionID].MaliciousDomain.com. By tracking the session IDs in observed requests, ICEBRG could uniquely identify compromised hosts, and alert on any possible new compromises by identifying new session IDs, even without direct visibility of hosts in certain network enclaves. Additionally, using these session IDs, ICEBRG tracked the volume of activity per ID to determine which hosts appeared central to the operations of the attacker.

By default, the C2 server would respond to the aforementioned A record requests with ‘0.0.0.0’ when the malware should remain inactive. By tracking DNS responses of ‘0.0.0.0’, ICEBRG detected new attacker infrastructure even when not discovered by other heuristics, as well as tracked periods of attacker inactivity to further cement a profile of FIN7’s operational habits. It should be noted that several non-malicious domains perform similar actions and this monitoring requires additional analysis for verification.


Figure 4: Idle DNS A record queries and answers from Cobalt Strike used by FIN7



When tasked with commands by the attackers that produced results or output, the A resource record requests used a pattern matching post.[EncryptedData].[RandomValue].MaliciousDomain.com. By monitoring for this pattern, ICEBRG was able to observe data leaving the environment and, although it was encrypted, make rough estimates of the volume of data loss. DNS A record C2 is a slow data channel due to limitations in the DNS specification, which hampers large-scale data exfiltration.


Figure 5: DNS queries indicating the exfiltration of information by Cobalt Strike
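As an added example (not ICEBRG’s code or tooling), the following Python classifies resolver log lines against the three default Cobalt Strike DNS C2 query shapes described above and tracks session IDs, 0.0.0.0 idle answers and rough label volume. The log format, session IDs and labels are constructed; the three-letter stage prefix is generalized from the aaa/baa/caa sequence shown.

```python
import re
from collections import Counter
# Constructed resolver log lines "<timestamp> <qtype> <qname> <answer>"; session IDs and
# encoded labels are made up and MaliciousDomain.com stands in for the real C2 domain.
SAMPLE_LOG = """\
2017-03-01T08:02:11Z TXT aaa.stage.a1b2c3d4e5f6.MaliciousDomain.com <txt-rdata>
2017-03-01T08:02:12Z TXT baa.stage.0f1e2d3c4b5a.MaliciousDomain.com <txt-rdata>
2017-03-01T08:03:00Z A 1a2b3c4d.MaliciousDomain.com 0.0.0.0
2017-03-01T08:04:00Z A 1a2b3c4d.MaliciousDomain.com 0.0.0.0
2017-03-01T08:05:00Z A post.4d6f7265446174.1a2b.MaliciousDomain.com 0.0.0.0
2017-03-01T09:10:00Z A deadbeef.MaliciousDomain.com 0.0.0.0
2017-03-01T09:11:00Z A deadbeef.MaliciousDomain.com 10.0.0.1
2017-03-01T09:12:00Z A www.example.com 93.184.216.34
"""
C2_DOMAIN = "maliciousdomain.com"
# (kind, record type, regex over the labels left of the C2 domain)
PATTERNS = [
    ("stage", "TXT", re.compile(r"^[a-z]{3}\.stage\.([^.]+)$")),  # aaa/baa/caa.stage.<data>
    ("post", "A", re.compile(r"^post\.([^.]+)\.[^.]+$")),          # post.<data>.<random>
    ("beacon", "A", re.compile(r"^([^.]+)$")),                     # <sessionid> on its own
]

def classify(qtype, qname, answer, c2_domain=C2_DOMAIN):
    """(kind, captured label) for a query to the C2 domain, None for any other domain."""
    name = qname.lower().rstrip(".")
    if not name.endswith("." + c2_domain):
        return None
    prefix = name[: -len(c2_domain) - 1]
    for kind, rtype, rx in PATTERNS:
        m = rx.match(prefix)
        if m and qtype == rtype:
            if kind == "beacon":  # 0.0.0.0 is the default "stay idle" answer
                kind = "idle" if answer == "0.0.0.0" else "tasked"
            return (kind, m.group(1))
    return ("other", prefix)

def profile(log_text):
    """Beacons per session ID, idle answers seen, and rough stage/exfil label volume."""
    sessions, idle, stage_chars, post_chars = Counter(), 0, 0, 0
    for line in log_text.splitlines():
        hit = classify(*line.split()[1:])  # drop the timestamp, pass qtype/qname/answer
        kind, label = hit if hit else ("other", "")
        if kind == "stage":
            stage_chars += len(label)
        elif kind == "post":
            post_chars += len(label)
        elif kind in ("idle", "tasked"):
            sessions[label] += 1  # a previously unseen session ID is a new compromised host
            idle += kind == "idle"
    return {"sessions": dict(sessions), "idle_answers": idle, "stage_chars": stage_chars, "post_chars": post_chars}
```

Feeding the output into a per-day series of new session IDs and idle-answer counts reproduces the two signals the post relies on: new compromises and attacker inactivity.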


While the patterns presented above are specific to Cobalt Strike’s default configuration of DNS C2, aspects of this activity can be abstracted to allow for general purpose detection of malware utilizing DNS command and control methods. The following characteristics may identify suspicious DNS behavior (note: multiple legitimate solutions utilize similar schemes to communicate; these behaviors, like most heuristic-based analytics, will likely have high initial false positive rates and require tuning to each environment):

  • Large TXT or A resource record requests with a high entropy and a low TTL value
  • A record requests that receive an answer of “0.0.0.0” or “127.0.0.1” on a repeating or regular schedule
  • Significant number of requests to the same suspicious domain in short bulk time periods
    • Domains might be considered suspicious based on their age, rarity in relation to other observed networks, the number of assets communicating to the domain, and other such environment-specific correlations
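The heuristics above, as an added example that is not part of the original post: Python functions scoring the queries seen for one domain on label size and entropy combined with a low TTL, on 0.0.0.0 or 127.0.0.1 answers arriving on a regular schedule, and on bulk query counts. The thresholds are assumed starting points, and the beacon, staging and benign samples are constructed.

```python
import hashlib
import math
from collections import Counter
from statistics import mean, pstdev

# Assumed starting thresholds; every environment needs its own tuning.
LONG_LABEL = 40        # label length beyond ordinary hostnames
MIN_ENTROPY = 3.0      # bits/char; hex-encoded data tops out at 4.0, plain names sit lower
LOW_TTL = 60           # seconds
REGULAR_CV = 0.15      # stdev/mean of inter-arrival gaps below this looks timer-driven
BULK_COUNT, BULK_WINDOW = 20, 60   # this many queries to one domain inside this many seconds
NULL_ANSWERS = {"0.0.0.0", "127.0.0.1"}

def label_entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def is_regular(timestamps):
    """True when gaps between timestamps are near-constant, i.e. a beacon on a timer."""
    if len(timestamps) < 3:
        return False
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < REGULAR_CV

def score_domain(records):
    """records: time-ordered (ts_seconds, qname, answer, ttl) tuples for ONE domain."""
    flags, null_times, times = set(), [], [r[0] for r in records]
    for ts, qname, answer, ttl in records:
        longest = max(qname.split("."), key=len)
        if len(longest) > LONG_LABEL and label_entropy(longest) > MIN_ENTROPY and ttl <= LOW_TTL:
            flags.add("large_high_entropy_low_ttl")
        if answer in NULL_ANSWERS:
            null_times.append(ts)
    if is_regular(null_times):
        flags.add("scheduled_null_answers")
    if any(sum(1 for x in times if 0 <= x - t <= BULK_WINDOW) >= BULK_COUNT for t in times):
        flags.add("bulk_requests")
    return flags

# Constructed traffic: an idle beacon every 60 s answered 0.0.0.0, and a 25-query
# staging burst carrying 64-char hex labels (sha256 of a counter stands in for ciphertext).
BEACON = [(t, "c0ffee01.MaliciousDomain.com", "0.0.0.0", 1) for t in range(0, 300, 60)]
STAGE = [(1000 + i * 0.4, f"aaa.stage.{hashlib.sha256(str(i).encode()).hexdigest()}.MaliciousDomain.com",
          "<txt-rdata>", 1) for i in range(25)]
BENIGN = [(t, "www.example.com", "93.184.216.34", 3600) for t in (0, 7, 400, 950)]
```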


DNS Domain Configuration

One unique aspect of the observed FIN7 infrastructure is the configuration pattern of their C2 domain. The actors utilize a primary domain which remains parked and set up subdomains with the pattern [random hostname][1-5] (e.g. www1) off of the second-level domain. The Cobalt Strike malware will attempt to access these subdomains in a rotational pattern. FIN7 likely utilizes this structure as a method of surviving mitigation activities in the case their target takes action against a single subdomain.


Alternate Command and Control

In our observations, it is not uncommon for network defense teams to home in on a specific threat involved in an incident, and tailor detection around known intelligence. This behavior presents a risk by potentially resulting in a failure to identify other, unobserved, attacker TTPs; as the saying goes, “you only know what you know”. ICEBRG utilizes network-wide visibility to not only detect previously known patterns or IOCs, but to enable analysts to hunt for new or shifting TTPs.

Outside of FIN7’s operational hours, ICEBRG observed the actors spawning additional connections from compromised assets to the same low-reputation VPS provider used for DNS C2. This encrypted connection used TCP with a destination port of 443, but was not standard TLS or SSL. This non-standard traffic, when combined with reuse of similar network space, enabled ICEBRG to quickly identify and track the activity. These long-duration connections carried small packets of approximately 90 bytes, likely a simple heartbeat for connection keep-alive.
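An added example (not ICEBRG’s detection logic) of the two checks this paragraph implies: whether the first client bytes on TCP/443 form a TLS ClientHello record, and whether a long-lived flow of small, evenly spaced packets looks like a keep-alive rather than data. The flows, packet sizes, thresholds and the 60-second interval are constructed assumptions.

```python
from statistics import mean, pstdev

def looks_like_tls_client_hello(payload):
    """True if the first client bytes form a TLS record header carrying a ClientHello."""
    if len(payload) < 6:
        return False
    content_type, major, minor, hs_type = payload[0], payload[1], payload[2], payload[5]
    # Handshake (0x16) record, version 3.0-3.4 (SSLv3 through TLS 1.3 wire versions),
    # handshake message type 1 (ClientHello).
    return content_type == 0x16 and major == 0x03 and minor <= 0x04 and hs_type == 0x01

def heartbeat_like(packet_sizes, packet_times, max_size=128, min_duration=3600, max_cv=0.25):
    """Long-lived flow of small, evenly spaced packets: a keep-alive rather than data."""
    if len(packet_times) < 4 or packet_times[-1] - packet_times[0] < min_duration:
        return False
    gaps = [b - a for a, b in zip(packet_times, packet_times[1:])]
    avg = mean(gaps)
    return avg > 0 and mean(packet_sizes) <= max_size and pstdev(gaps) / avg <= max_cv

def flag_flow(flow):
    """flow: dict with dst_port, first_client_bytes, packet_sizes, packet_times."""
    flags = set()
    if flow["dst_port"] == 443 and not looks_like_tls_client_hello(flow["first_client_bytes"]):
        flags.add("non_tls_on_443")
    if heartbeat_like(flow["packet_sizes"], flow["packet_times"]):
        flags.add("long_lived_heartbeat")
    return flags

# Constructed flows. CUSTOM_C2 mimics what the post describes: TCP/443 with a non-TLS
# first message and ~90-byte packets every 60 s for several hours.
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
CUSTOM_HELLO = bytes([0x00, 0x5A, 0x8F, 0x21, 0x7C, 0x42, 0x9B, 0x13, 0xE0, 0x6D, 0x77])
CUSTOM_C2 = {"dst_port": 443, "first_client_bytes": CUSTOM_HELLO,
             "packet_sizes": [90] * 240, "packet_times": [i * 60 for i in range(240)]}
WEB_SESSION = {"dst_port": 443, "first_client_bytes": TLS_HELLO,
               "packet_sizes": [517, 1460, 1460, 200, 1460, 80],
               "packet_times": [0, 0.1, 0.2, 0.3, 1.5, 2.0]}
```

Either flag on its own is noisy (non-TLS 443 services and legitimate keep-alives exist); the combination, plus the shared VPS network space the post mentions, is what narrows it.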


Figure 6: Sample of encrypted C2 patterns



Lateral Spread & Network Exploration

Throughout our engagements with FIN7, ICEBRG observed heavy use of compromised credentials, specifically domain administrator accounts, to move throughout the environment. Notably, FIN7 would frequently utilize the “psexec_psh” command within Cobalt Strike, which uses the RPC Service Controller protocol to create a service on a remote host with the binary path set to execute a malicious PowerShell command.


Figure 7: Service Controller calls for psexec_psh



Figure 8: An abridged value of the binary path for the new service
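As an added illustration (not from the post or from Cobalt Strike), the following Python triages constructed Windows System log records shaped like Event ID 7045 (a service was installed) for the pattern described above: a new service whose binary path runs PowerShell. The hidden-window and encoded-command switches and the random-looking-name heuristic are assumptions, not details the post reports.

```python
import re

# Constructed records shaped like Windows System log Event ID 7045; names and paths are
# made up, and <BASE64_PLACEHOLDER> stands in for an encoded command.
EVENTS = [
    {"EventID": 7045, "Computer": "POS-REG-07", "ServiceName": "Dnscache",
     "ImagePath": r"C:\Windows\system32\svchost.exe -k NetworkService", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "POS-REG-07", "ServiceName": "kxqwpzt",
     "ImagePath": "powershell -nop -w hidden -encodedcommand <BASE64_PLACEHOLDER>",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\BackupAgent\agent.exe -service", "AccountName": "LocalSystem"},
]

SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.I)
STEALTH_SWITCHES = re.compile(r"-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|enc\w*)\b", re.I)
RANDOM_NAME = re.compile(r"^[a-z]{7}$", re.I)   # assumed heuristic: short all-letter name

def service_install_reasons(event):
    """Reasons a 7045 record looks like a service-based PowerShell launch (empty if none)."""
    if event.get("EventID") != 7045:
        return []
    path, name = event.get("ImagePath", ""), event.get("ServiceName", "")
    reasons = []
    if SCRIPT_HOST.search(path):
        reasons.append("script host as service binary")
    if STEALTH_SWITCHES.search(path):
        reasons.append("hidden/no-profile/encoded switches")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking service name")
    return reasons

def suspicious_installs(events, min_reasons=2):
    """(computer, service name, reasons) for every record with at least min_reasons hits."""
    hits = []
    for ev in events:
        reasons = service_install_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["Computer"], ev["ServiceName"], reasons))
    return hits
```

Because the service is created remotely over the Service Controller protocol, pairing these host records with flow data showing which source host opened the SMB session gives the lateral-movement path the post describes.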


FIN7 showed little regard for operational security (OpSec) in their lateral spread, nor caution around key assets in the environment. While it appeared as though the access to payment information was the key focus of the operations, ICEBRG observed the group constantly exploring other enclaves of the target environment. In one instance, ICEBRG observed the threat actors pivot from a remote POS environment to compromise a domain controller, then from the domain controller to assets in other corporate subnets. By monitoring flow data for key assets, ICEBRG detected abnormalities originating from compromised remote locations and identified odd directionality involved with credential use.


Conclusion

Throughout our engagements with FIN7, it became clear that while certain components of their operations were automated, the large majority of their activities appeared to be interactive in nature. When dealing with an interactive adversary such as this, traditional steps of the incident response process can be painstaking and require additional coordination or effort. In contrast to automated malware infections, interactive threat actors may detect and respond to containment actions, modify TTPs to avoid detection, and work to stay ahead of the response team’s decision making processes.

In spite of this challenge, profiling and monitoring an interactive adversary allows defenders to gain insight into the attacker’s thought processes, procedures, and ultimately the patterns of their behaviors and activity. By modeling and recognizing those patterns, understanding why the adversary performs certain actions, and knowing how to line up response to outperform an interactive actor, responders can complete thorough and effective mitigations of this activity.

It is easy to surrender to passive, disengaged monitoring when dealing with encrypted command and control protocols, but so much can be gained from black-box analysis of the patterns in the protocol. In these engagements, ICEBRG was able to profile phases of tactical action and track the adversary by understanding the specifics of their C2 protocols. We hope that this information acts as a good resource for those dealing with FIN7, as well as other unknown threats in their environment.

In the second part of the series, ICEBRG will discuss the end goal of FIN7, and present technical details of their financial compromise capabilities. To find out more about ICEBRG and get a demo of how our capability can help you combat threats to your environment, please reach out to info@icebrg.io.


This two part blog series is a joint research post by ICEBRG and PwC.
Part two can be found here.

Edited on 7/25/17. Added links to part two.