Russian Cybercriminals Fail in Attempted Attack on US Automotive Giant


A recent report released by cybersecurity firm BlackBerry has uncovered an attempted cyber attack on a prominent American car manufacturer by the notorious Russia-based cybercriminal group, FIN7, also known as Carbon Spider, Elbrus, and Sangria Tempest. This group is infamous for its involvement in various cybercrimes, including phishing and ransomware attacks, and has increasingly targeted high-value entities in the pursuit of substantial financial gains.

BlackBerry’s threat analysis revealed that FIN7 initiated a spear-phishing campaign in late 2023, specifically targeting employees within the car manufacturing company who held significant administrative privileges. However, the cyber defenders at BlackBerry were able to intercept the campaign at an early stage, identifying and isolating an infected system before the hackers could advance further into the network through lateral movement.

The attribution of the attack to FIN7 was possible due to the group’s unique obfuscation techniques and their utilization of well-known malware loading tools, such as PowerTrash, which has been previously associated with the activities of FIN7 by Microsoft. Operating since 2013, FIN7 has adapted its tactics over the years, transitioning towards “big game hunting” – a strategy aimed at targeting a select few high-value victims with the expectation of substantial financial gains.

FIN7 has employed various methods to gain unauthorized access to corporate networks, including the distribution of decorated gift boxes containing infected thumb drives. Additionally, the group has been linked with other cybercriminal entities such as Gold Niagara and Alphv/BlackCat. Recent reports have indicated their involvement in deploying ransomware from groups like REvil and DarkSide, which signals a shift towards more aggressive tactics.

In their most recent campaign, FIN7 utilized tailored spear-phishing emails containing links to a malicious URL. The hyperlink, disguised as a legitimate IP scanning website, directed victims to an attacker-controlled Dropbox account, leading to the inadvertent download of a malicious executable file, WsTaskLoad.exe. This initial payload triggered a multi-stage execution process, ultimately deploying the final payload – a backdoor known as Anunak or Carbanak. An intriguing detail uncovered through BlackBerry’s analysis was the use of an encoded payload embedded within an innocuous .wav file, which was decrypted and extracted during the execution of WsTaskLoad.exe.
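The article notes that the payload was hidden inside an innocuous .wav file but does not say how it was embedded. As an added illustration (not code from BlackBerry or from the tooling described), the following Python triage script walks the RIFF/WAVE chunk structure of a file and flags the generic places a non-audio payload tends to sit: bytes trailing past the declared RIFF size, chunk ids outside the usual set, and raw PCM data whose byte entropy looks like ciphertext rather than audio. The sample files, the `xPLD` chunk id and the pseudo-random "payload" are constructed here for the demonstration.

```python
"""Triage heuristics for .wav files that may carry a non-audio payload.

Added example for this article, not code from BlackBerry or from the FIN7
tooling it describes. The article only says an encoded payload was embedded
in an innocuous .wav file, not how; the checks below (trailing bytes past the
declared RIFF size, unknown chunk ids, high-entropy PCM data) are generic
heuristics a responder might run over mail attachments or dropped files.
"""
import hashlib
import math
import struct
from collections import Counter

# Chunk ids commonly seen in legitimate WAV files (assumption: not exhaustive).
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"bext",
                b"smpl", b"id3 ", b"JUNK"}
WAVE_FORMAT_PCM = 1
ENTROPY_THRESHOLD = 7.5  # bits per byte; raw PCM audio normally sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_wav(blob: bytes) -> dict:
    """Walk the RIFF chunk list and return {'chunks': [...], 'findings': [...]}."""
    findings, chunks = [], []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return {"chunks": chunks, "findings": ["not a RIFF/WAVE container"]}
    declared_total = struct.unpack("<I", blob[4:8])[0] + 8
    if declared_total < len(blob):
        tail = blob[declared_total:]
        findings.append(f"{len(tail)} trailing bytes past declared RIFF size "
                        f"(entropy {shannon_entropy(tail):.2f})")
    fmt_tag = None
    pos, end = 12, min(declared_total, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body = blob[pos + 8:pos + 8 + size]
        chunks.append(cid)
        if len(body) < size:
            findings.append(f"chunk {cid!r} declares {size} bytes, only {len(body)} present")
            break
        if cid == b"fmt " and size >= 2:
            fmt_tag = struct.unpack("<H", body[:2])[0]
        elif cid == b"data" and fmt_tag == WAVE_FORMAT_PCM:
            # Compressed formats legitimately look random; only judge raw PCM.
            ent = shannon_entropy(body)
            if ent > ENTROPY_THRESHOLD:
                findings.append(f"PCM data chunk entropy {ent:.2f} exceeds {ENTROPY_THRESHOLD}")
        elif cid not in KNOWN_CHUNKS:
            findings.append(f"unknown chunk id {cid!r} ({size} bytes, "
                            f"entropy {shannon_entropy(body):.2f})")
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return {"chunks": chunks, "findings": findings}


def is_suspicious(blob: bytes) -> bool:
    """True when any heuristic fired; treat as a cue for deeper analysis, not a verdict."""
    return bool(scan_wav(blob)["findings"])


# --- constructed samples (not real malware) ---------------------------------
def build_wav(chunks) -> bytes:
    """Assemble a RIFF/WAVE container from (id, body) pairs."""
    out = b""
    for cid, body in chunks:
        out += cid + struct.pack("<I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")
    return b"RIFF" + struct.pack("<I", 4 + len(out)) + b"WAVE" + out


FMT_PCM_16BIT_MONO_8K = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
# Low-entropy audio: a two-level square wave, 2000 16-bit samples.
SQUARE_WAVE = b"".join(struct.pack("<h", 1000 if (i // 10) % 2 else -1000) for i in range(2000))
# Stand-in for an encoded payload: 4096 deterministic pseudo-random bytes.
FAKE_PAYLOAD = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))

BENIGN_WAV = build_wav([(b"fmt ", FMT_PCM_16BIT_MONO_8K), (b"data", SQUARE_WAVE)])
TRAILING_PAYLOAD_WAV = BENIGN_WAV + FAKE_PAYLOAD  # bytes appended after the RIFF body
HIDDEN_CHUNK_WAV = build_wav([(b"fmt ", FMT_PCM_16BIT_MONO_8K),
                              (b"data", SQUARE_WAVE), (b"xPLD", FAKE_PAYLOAD)])

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WAV), ("trailing", TRAILING_PAYLOAD_WAV),
                       ("hidden chunk", HIDDEN_CHUNK_WAV)]:
        print(name, scan_wav(blob)["findings"] or "clean")
```

The entropy check is deliberately restricted to raw PCM: ADPCM, MP3-in-WAV and other compressed formats legitimately look random, so the script reads the `fmt ` format tag first. A media player will happily play both doctored samples, which is exactly why a file that "works" as audio still needs structural inspection before it is trusted.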

Further investigation into the attacker’s infrastructure revealed a web of interconnected domains and proxy servers that FIN7 uses to deliver payloads and maintain access to compromised systems. This incident serves as a stark reminder of the ever-changing nature of cyber threats and the critical importance of robust cybersecurity measures to protect against such attacks.

In conclusion, the unsuccessful attempt by FIN7 to compromise a major American auto manufacturer underscores the persistent threat posed by sophisticated cybercriminal groups. This incident emphasizes the crucial need for increased vigilance and proactive cybersecurity measures to mitigate the risks of falling victim to such malicious activities.