FIN7 Targets US Automaker in Spear-Phishing Attack

At the end of last year, a major American automobile manufacturer, whose name has not been disclosed, fell victim to a targeted attack orchestrated by the hacker group FIN7. According to researchers from BlackBerry, the perpetrators used phishing emails targeted at the IT department staff to infiltrate the company’s systems with the Anunak backdoor malware.

The assault commenced with the distribution of links to a counterfeit website, disguised as the legitimate tool Advanced IP Scanner. Employing social engineering techniques, the hackers convinced users to click on the link and download an executable file, which initiated the installation of the backdoor.

During their analysis, BlackBerry specialists discovered that the cybercriminals utilized unique PowerShell scripts with an obfuscated shellcode named “PowerTrash,” which confidently linked this attack to the FIN7 group. This method was first observed in a malicious FIN7 campaign in 2022.

In the course of the attack, a malicious file named “WsTaskLoad.exe” triggered a multi-stage process involving malicious DLLs, WAV files, and shellcode, ultimately leading to the loading and decryption of the “dmxl.bin” file containing the Anunak backdoor. It is notable that while FIN7 frequently employs another backdoor, Carbanak, in their attacks, they specifically utilized Anunak in this campaign.

After deploying the backdoor in the target system, a task for OpenSSH was created to ensure the perpetrators’ continued access. However, researchers did not observe the use of this method for lateral movement within the network in the analyzed campaign.

Interestingly, despite the complexity of the attack, FIN7 failed to spread the infection beyond the initially compromised system. Researchers emphasize the importance of protecting against phishing, which remains a primary method of intrusion for attackers.

Implementing multi-factor authentication and utilizing advanced email filtering solutions can help thwart hacker assaults and safeguard data. Measures such as using unique, complex passwords, regularly updating software, and continuously monitoring network activity will also significantly enhance the security of corporate networks and ensure the company’s safety.