The Zero2Hero malware course continues with Vitali Kremez dissecting the ‘Fin7’ malware chain, which leverages malicious Office Macros and lightweight JS Loader scripts.
“FIN7” is a financially motivated advanced persistent threat group operating out of Eastern Europe. Since 2015, the group has been extremely successful and formidable, targeting businesses for large-scale point-of-sale (PoS) compromises and network intrusions that impact global enterprises. The group is also notorious for its stealthy techniques and its sophisticated, persistent approach.
Global corporations impacted by the group are primarily part of the restaurant, gaming, and hospitality industries. Some of the victims of this group include such restaurant chains as Chipotle Mexican Grill, Chili’s, and Arby’s.
Most interestingly, this group used a front company, “Combi Security” (reportedly based in Russia and Israel), to recruit hackers to join its activities. This front company allowed the group to sustain its hacking activities and truly professionalized its approach.
Despite the arrests of three FIN7 members in January 2018, the group and/or its remnants remain active on the financial crime landscape.
The FIN7 Microsoft document loaders do not rely on any exploit; they simply require the social engineering trick of getting the user to click “Enable Content”, which activates the macros. Notably, to avoid process whitelisting of
%LOCALAPPDATA% and leverages a possible anti-analysis routine that checks the system drive size via GetDrive.TotalSize, requiring more than 2456 bytes, possibly to thwart sandbox analysis.
%TEMP%. The final execution of the backdoor is performed via the following command:
%LOCALAPPDATA%\mses.exe //b /e:jscript %temp%\errors.txt
Once it is done, the document macro runs a message box displaying “Decryption error” via
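The execution command quoted above gives defenders a concrete process-creation pattern to look for. What follows is an added example, not code from the original article: a small check over constructed process-creation events (field names modelled loosely on Sysmon event ID 1, an assumption) that flags a binary outside the usual wscript.exe/cscript.exe names running with the Windows Script Host switches //b and /e:jscript against a non-script file from a user-writable path. That //b (batch mode) and //e:engine are Windows Script Host options is general WSH knowledge, not something the article states; the function names and sample events are mine.

```javascript
// Added example (not from the original article): a detection pass over
// constructed process-creation events for the loader execution pattern
// "<%LOCALAPPDATA%>\<renamed host>.exe //b /e:jscript <%TEMP%>\<file>.txt".
// Field names (Image, ParentImage, CommandLine) are an assumption, loosely
// modelled on Sysmon event ID 1.

const WSH_FLAGS = /(^|\s)\/\/b(\s|$)/i;               // //b: batch mode, suppresses prompts/errors
const JSCRIPT_ENGINE = /(^|\s)\/\/?e:jscript(\s|$)/i;  // /e or //e: forces the JScript engine
const KNOWN_WSH = new Set(["wscript.exe", "cscript.exe"]);
const SCRIPT_EXTS = new Set([".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"]);
const OFFICE_PARENTS = new Set(["winword.exe", "excel.exe", "powerpnt.exe"]);

function baseName(path) {
  return path.split(/[\\/]/).pop().toLowerCase();
}

function extOf(path) {
  const b = baseName(path);
  const dot = b.lastIndexOf(".");
  return dot === -1 ? "" : b.slice(dot);
}

// Returns the list of reasons an event matches the loader pattern
// (an empty array means the event is not flagged by these rules).
function analyzeEvent(ev) {
  const reasons = [];
  const cmd = ev.CommandLine || "";
  const image = ev.Image || "";
  const parent = ev.ParentImage || "";
  if (!JSCRIPT_ENGINE.test(cmd)) return reasons; // no script-engine switch: not WSH-like

  if (!KNOWN_WSH.has(baseName(image))) {
    reasons.push("WSH switches used by a binary not named wscript/cscript: " + baseName(image));
  }
  if (/\\AppData\\Local\\/i.test(image)) {
    reasons.push("script host executing from a user-writable path (%LOCALAPPDATA%)");
  }
  // The last token is the script argument; a non-script extension (.txt) hides the payload.
  const tokens = cmd.trim().split(/\s+/);
  const target = tokens[tokens.length - 1];
  if (target && !target.startsWith("/") && !SCRIPT_EXTS.has(extOf(target))) {
    reasons.push("script argument with non-script extension: " + baseName(target));
  }
  if (WSH_FLAGS.test(cmd)) reasons.push("batch mode (//b) hides script errors from the user");
  if (OFFICE_PARENTS.has(baseName(parent))) {
    reasons.push("spawned by an Office application: " + baseName(parent));
  }
  return reasons;
}

// Constructed sample events: one benign admin script, one loader-style execution.
const SAMPLE_EVENTS = [
  {
    Image: "C:\\Windows\\System32\\wscript.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "wscript.exe //e:jscript C:\\Scripts\\inventory.js",
  },
  {
    Image: "C:\\Users\\alice\\AppData\\Local\\mses.exe",
    ParentImage: "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    CommandLine: "C:\\Users\\alice\\AppData\\Local\\mses.exe //b /e:jscript C:\\Users\\alice\\AppData\\Local\\Temp\\errors.txt",
  },
];

// Scans a batch of events and keeps only the flagged ones with their reasons.
function scan(events = SAMPLE_EVENTS) {
  return events
    .map((ev) => ({ image: ev.Image, reasons: analyzeEvent(ev) }))
    .filter((r) => r.reasons.length > 0);
}

console.log(JSON.stringify(scan(), null, 2));
```

The engine-switch regex accepts both `/e:jscript` and `//e:jscript`, since the article's quoted command may have lost a slash in transcription; the other rules each add a reason rather than short-circuiting, so an analyst sees every indicator that fired for a given event.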
1. Extract the VBA macro via olevba;
2. Debug in Office VBA to retrieve decoded script;
4. Modify the JS code close to eval() and run the script via the Internet Explorer debugger, for example;
5. Debug, extract and beautify the full FIN7 JS backdoor.
The crypt_controller function accepts two parameters, type and request.
a. If the type parameter equals “decrypt”, the request is passed through decodeURIComponent, split on the separator ")*(", and the encryption_key is taken as the second element of the split. If the split yields no encryption_key, a random one is generated via (Math.floor(Math.random() * 9000) + 1000).toString().split("");.
The decoding routine is a simple XOR loop that decodes the content and joins it into output:
var output = ; for (var i = 0; i
b. If the type parameter equals "encrypt", the result_string is joined with ")*(" and passed to encodeURIComponent.
FIN7 Second-Stage Machine & Network Profiling Script
In the aftermath of the initial call, the group deploys a custom "profiling" script meant to fingerprint the machine and the network environment more closely. The script checks for the presence of a virtual machine, queries Active Directory, the operating system, the screen resolution and the user account control (UAC) level, and retrieves a process list.
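As an added example (not FIN7's code and not from the original post), here is an analyst-side re-implementation of the crypt_controller scheme described above, of the kind one writes to decode captured traffic in a lab. Because the XOR listing is truncated in the article, these points are assumptions: each payload character is XORed with the character code of the key digit at the same position, cycling through the key; the wire format is encodeURIComponent(ciphertext + ")*(" + key); and the function and option names are mine.

```javascript
// Added example (not the FIN7 code, not from the original post): an analyst-side
// re-implementation of the crypt_controller scheme as the article describes it.
// ASSUMPTIONS (the article's XOR listing is truncated): the key is an array of
// digit characters cycled over the payload; each payload char code is XORed with
// the key char's code; the wire format is encodeURIComponent(body + ")*(" + key).

const SEPARATOR = ")*(";

// Mirror of the article's fallback: a random 4-digit key split into characters.
// `rand` is injectable so the routine can be exercised deterministically.
function randomKey(rand = Math.random) {
  return (Math.floor(rand() * 9000) + 1000).toString().split("");
}

// The XOR loop: symmetric, so the same routine encrypts and decrypts.
function xorWithKey(text, keyChars) {
  let output = "";
  for (let i = 0; i < text.length; i++) {
    const k = keyChars[i % keyChars.length].charCodeAt(0);
    output += String.fromCharCode(text.charCodeAt(i) ^ k);
  }
  return output;
}

// type: "decrypt" or "encrypt"; request: the URL-encoded wire string (decrypt)
// or the plaintext to send (encrypt). opts.key / opts.rand are my additions.
function cryptController(type, request, opts = {}) {
  if (type === "decrypt") {
    const parts = decodeURIComponent(request).split(SEPARATOR);
    const body = parts[0];
    // Second element is the encryption_key; fall back to a random key if absent.
    const keyChars = parts.length > 1 && parts[1].length > 0
      ? parts[1].split("")
      : randomKey(opts.rand);
    return { plaintext: xorWithKey(body, keyChars), key: keyChars.join("") };
  }
  if (type === "encrypt") {
    const keyChars = opts.key ? opts.key.split("") : randomKey(opts.rand);
    // result_string = [ciphertext, key], joined with the separator, then URL-encoded.
    const resultString = [xorWithKey(request, keyChars), keyChars.join("")];
    return encodeURIComponent(resultString.join(SEPARATOR));
  }
  throw new Error("unknown type: " + type);
}

// Usage: round-trip a constructed beacon body with a fixed key.
const wire = cryptController("encrypt", "action=add_info&host=WS01", { key: "4242" });
console.log("wire:", wire);
console.log("decoded:", cryptController("decrypt", wire));
```

Because the key travels inside the request after the ")*(" separator, anyone holding the captured request can recover the plaintext; the scheme is obfuscation, not encryption, which is what makes this kind of decoder practical during incident response.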
Finally, it formats the data and appends it to an “action=add_info” request, which is sent to the server.
Microsoft Office First-Stage VBA Macro “.doc” Documents:
Recent Microsoft Office First-Stage VBA Macro “.xlsb” Documents: