Researchers attributed the attacks to a financially motivated threat group dubbed “FIN7,” which uses the malicious emails to deploy malware.

FireEye researchers spotted a spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.

Researchers attributed the attacks to a financially motivated threat group dubbed “FIN7,” which uses the malicious emails to deploy malware, according to a March 7 blog post.

All of the observed targets appeared to be involved with SEC filings for their respective organizations, and some were even named in their company's SEC filings. The targeted businesses spanned the financial services, transportation, retail, education, IT services, and electronics sectors.

In the phishing emails, FIN7 spoofed the sender address as “EDGAR filings@sec.gov” and attached a file disguised as a Word document entitled “Important_Changes_to_Form10_K.doc”.

The malicious file is used to drop a VBS script that installs a PowerShell backdoor that uses DNS TXT records for its command and control.

Researchers said the backdoor appears to belong to a new malware family dubbed “POWERSOURCE,” a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. They noted that the use of DNS TXT records for command and control has been a rising trend since 2013, likely because it makes detecting and hunting for command and control traffic difficult.
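An added example, not from FireEye's report or this article, of the kind of defender-side check this trend calls for: a small Python scan over constructed resolver log lines that flags a client issuing repeated TXT queries whose subdomain labels look like encoded data. The log format, the `c2-placeholder.example` domain, and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (timestamp client qtype qname); not real traffic.
SAMPLE_LOG = """\
2017-03-07T10:00:01 10.0.0.5 A www.example.com
2017-03-07T10:00:02 10.0.0.5 TXT _dmarc.example.com
2017-03-07T10:00:05 10.0.0.7 TXT a9f3e2c1b7d4e6f8.c2-placeholder.example
2017-03-07T10:00:06 10.0.0.7 TXT 4b7c1d9e0a2f3e5d.c2-placeholder.example
2017-03-07T10:00:07 10.0.0.7 TXT 7e2d9c4b1a0f6e3c.c2-placeholder.example
2017-03-07T10:00:08 10.0.0.7 TXT f1a2b3c4d5e6a7b8.c2-placeholder.example
2017-03-07T10:00:09 10.0.0.7 TXT 0c9d8e7f6a5b4c3d.c2-placeholder.example
2017-03-07T10:00:10 10.0.0.9 MX example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; labels carrying encoded data score high, words score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_txt_beacons(log_text, min_queries=5, min_entropy=3.0):
    """Return (client, domain, count, mean_entropy) for client/domain pairs that issue
    many TXT queries whose leftmost label looks random (assumed thresholds)."""
    stats = defaultdict(lambda: [0, 0.0])  # (client, domain) -> [count, entropy sum]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        client, labels = parts[1], parts[3].rstrip(".").split(".")
        if len(labels) < 3:  # no subdomain label to score
            continue
        domain = ".".join(labels[-2:])  # crude registered-domain guess
        entry = stats[(client, domain)]
        entry[0] += 1
        entry[1] += shannon_entropy(labels[0])
    hits = []
    for (client, domain), (count, ent_sum) in sorted(stats.items()):
        mean_ent = ent_sum / count
        if count >= min_queries and mean_ent >= min_entropy:
            hits.append((client, domain, count, round(mean_ent, 2)))
    return hits


if __name__ == "__main__":
    for hit in find_txt_beacons(SAMPLE_LOG):
        print("suspect DNS TXT beacon: client=%s domain=%s queries=%d entropy=%.2f" % hit)
```

In production the thresholds should be tuned against a baseline, since legitimate TXT lookups (SPF, DMARC, domain verification) are common but rarely frequent and random-looking from a single workstation.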

The POWERSOURCE malware was also spotted downloading a second-stage PowerShell backdoor called TEXTMATE, a memory-resident payload often described as fileless malware, in an effort to further infect the user's device.

So far the threat group has targeted at least 11 organizations and researchers have yet to identify their ultimate goal.

“The FIN7 attackers are among the most sophisticated financially motivated actors and leverage a variety of tools and methods to compromise organizations across diverse industries,” FireEye Cyber Crime Analyst Jordan Nuce told SCMedia. “We've seen them compromising POS environments and showing indications of interest in securities fraud; they are also tentatively linked to ATM compromises and SWIFT transaction fraud. The tactics, techniques and procedures associated with FIN7 operations date back to 2013.”

Nuce went on to say that she has observed the attackers leverage multiple payloads throughout their operations such as CARBANAK and Cobalt Strike Beacon.

“Based on the attacker's decision to specifically target personnel involved in SEC filings, it is plausible that the ultimate goal of the campaign is to leverage their information access for the purpose of engaging in securities fraud or other types of investment abuse,” Nuce said.

The threat actors would then likely pursue a variety of other types of fraud once they have access to the victim's network. While researchers have not discovered the identities of the threat actors, they say the group is made up of highly sophisticated criminal actors. Furthermore, researchers said it is possible that the threat actors are using similar schemes in other countries.