The group, dubbed FIN7, was spotted delivering a macro-enable Word document in phishing emails.
The group, dubbed FIN7, was spotted delivering a macro-enable Word document in phishing emails.

Morphisec researchers spotted the same group that launched spearphishing campaigns targeting Securities and Exchange Commission (SEC) filings using a new fileless attack framework.

The group, dubbed FIN7, was spotted delivering a macro-enable Word document in phishing emails sent to high profile enterprise targets, according to a March 19 blog post.  

Researchers said this is likely the same group that carried out the DNS PowerShell messenger attacks discovered by Talos on earlier this month, the Meterpreter attack discovered by Kaspersky, and the campaign spotted by FireEye which targeted personnel involved in SEC filings, the blog said.

“There is a migration towards fileless malware, simply because running exploits directly in memory has a lower detection rate for security tools than executing a malicious binary on an endpoint,” Tripwire Principal Security Researcher Travis Smith told SC Media “That being said, the point where attacks like this are detected easily is when they attempt to establish a persistence on the victim machine.”

Smith added that any persistence leaves behind evidence in predictable locations on disk and that this is typically in the registry, system services, or scheduled tasks. 

He said that monitoring these areas can provide early indications of even the most advanced attacks. 

Morphisec researchers were briefly able to interact with the researcher via the very same PowerShell protocol used for the attack delivery in which researchers said it was made clear that the hacker was part of a group which limits their exposure by targeting specific companies only.

Afterwards the threat actors blocked one of the IPs the researchers were using for their investigation and soon after completely shut down that C2 command and control server.

Groups such as FIN7 are ran like any other legitimate business and are after a return on investment for their criminal endeavors, Smith said. He added that when threat actors see success in business opportunities like fileless malware, they will continue to fund development in exploit techniques.

While it's easy for an attacker to change the tools at their disposal, it is much harder for someone to change their tactics, techniques, and procedures. 

Smith said that although the migration to using fileless malware is a new development, the data they are after and the attack patterns they use will still be very similar.

Users can defend against these type of attacks by adopting best practices and leveraging critical security controls.