Stopping FIN7: Endgame's Full Stack Protection Against Fileless Attacks

Financially motivated cyber attacks occur on a daily basis, often via ransomware but also through direct and aggressive targeting of organizations both in and out of the financial sector. Attackers delivering ransomware can and do make significant sums of money doing so - after all, that’s why they do it - but targeting specific institutions directly has also proven extremely profitable. For instance, last year’s heist from the Bangladesh Central Bank brought in $81 million. In a similar fashion, criminal groups have been targeting a range of organizations across numerous industries, with estimates of the impact of cyber crime on the global economy ranging from $120 billion to $454 billion in 2017.

One of the most prolific criminal groups is FIN7, which has targeted a range of enterprises, including restaurants, hotels and banks, and is closely associated with the Carbanak gang, responsible for attacks on financial firms since at least 2013. Unlike many other groups, FIN7 employs a range of financial attack vectors, compromising companies through ATMs, point of sale systems, fileless attacks, and spear phishing. FIN7 has proven to be one of the most successful cyber criminal groups to date. We’ll describe the unique characteristics of this group, their attack vectors, and then detail how the Endgame platform stops multi-faceted attack vectors, such as those used by FIN7, through our layered prevention and detection capabilities.


Who is FIN7?

During the past year, information pertaining to FIN7 has slowly surfaced, with a focus on their adoption of fileless attacks and effective spear phishing tactics. The group has emerged as a major cyber criminal group in 2017, making headlines thanks to several successful attacks against prominent organizations, as well as their unique integration of a range of fileless attack vectors and targeted spear phishing campaigns. In March, a FIN7 fileless attack campaign targeted government and financial institutions involved in Securities and Exchange Commission filings. FIN7 then turned their sights to the restaurant industry, targeting many restaurant chains, including Chipotle, Baja Fresh, and Ruby Tuesday.

The FIN7 label is often used interchangeably with Carbanak, a well-known family of malware associated with FIN7. The connection within and between the threat actors remains up for debate. While Carbanak malware has been associated with over a billion dollars in financial compromises, it remains unclear whether this represents the actions of a single group, let alone those of FIN7 as well. Although the group and the malware share the same name, in an era of proliferating availability, it is not certain that all groups who deploy Carbanak are part of the same group. FIN7 has used a modified version of Carbanak malware in recent operations, so there is valid reason for the confusion. Given the technical similarities of the malware and approaches, as well as the same financial motivations, these groups are likely either the same or closely associated. The uncertainty surrounding their association is likely a strategy to help disguise the breadth and extent of their global operations.


FIN7 in Action

FIN7 relies first on social engineering to compromise its victims, manipulating them with a false sense of urgency to either download the malware or self-infect - often through malicious, highly customized Word documents (in some cases macro-enabled). While spear phishing is nothing new, what is noteworthy about these attacks is the thoughtful implementation of evasion techniques to avoid both signature-based and behavioral detections. The user opens a macro-enabled Word document, which uses PowerShell to perform a series of DNS queries that are used to construct a memory-resident payload (e.g. Meterpreter). Unlike other kinds of attacks that might download a malicious file to disk, these actions occur completely in memory. By working entirely in memory and keeping executables off the filesystem, attackers are often able to evade detection because many security products rely on artifacts on disk. The attackers continue to use techniques which often evade defenses by living off the land through the use of PowerShell and other native scripting languages throughout the operation.


Endgame’s Layered Protections

Endgame’s platform features signatureless detections at each phase of the attack cycle. The platform is exceptional in its ability to stop fileless attacks and other advanced evasion techniques.  Fileless attack protection is just one layer of the Endgame platform which allows customers to stop FIN7 in its tracks at several steps, before damage and loss.  If FIN7 changes one technique and surprisingly bypasses Endgame, the next layer will be there waiting.  We will lay out the various ways in which Endgame is able to stop this advanced attack, and those using similar evasion techniques.


State of the Art Prevention

To gain initial access to victims, FIN7 uses targeted spear phishing, tricking users into viewing a customized attachment, such as a Microsoft Word document, and loading malicious macros in the process. Endgame’s dynamic binary instrumentation technology is able to detect the malicious macro content, preventing it before execution. If macro prevention is disabled on a system protected by Endgame, we can see what happens next. As noted, FIN7 lives off the land in its operations, hiding in the noise by using legitimate applications to evade most security products. These activities can be easily seen and responded to using the Endgame platform. During their operation, FIN7 attempts process injection to gain in-memory execution. As we have previously detailed in depth, process injection techniques are often employed to help attackers maintain stealth by lurking within a legitimate process’s memory. Endgame’s in-memory protection technologies prevent this entirely, stopping the attacker before any damage and loss can take place and sending a clear signal to the Endgame customer that an attack has been stopped.


Premier Detection & Response

Sophisticated attackers are constantly modifying their tools and tradecraft to evade defenses. Therefore, defenders should assume they are breached, even with the best preventative technologies in place. Flexible and intuitive detection and response capabilities are of paramount importance as they enable defenders to triage active attacks and pivot through rich, comprehensive data to determine the extent of a breach and terminate all unwanted activity.

Endgame’s preventative layers provide powerful detection and response capabilities that give the operator complete access to endpoint and network data. The power of that data is unlocked through Endgame’s Artemis. Artemis is an AI-powered security chatbot built upon natural language understanding technology. It assists analysts of all skill levels in quickly responding to compromise. Artemis expedites and facilitates search and discovery, a key part of the workflow to help analysts cut through the noise within the immense amount of security-relevant data generated on endpoints. From supporting quick exploration of event logs to searching across systems to determine the extent of a breach, Artemis expedites the analyst workflow by quickly guiding them to those events and data that matter most for decision-making.

Endgame’s Artemis also delivers simple and straightforward information on process lineage for suspicious processes. This gives the analyst a concise temporal overview of what occurred, where and when. In addition to providing the analyst with complete information on actions taken by that process, it enables root-cause understanding. As the video below demonstrates, as we pivot from the FIN7 macro detection, it is possible to view an entire series of suspicious events using Artemis. By asking for a process lineage of the Microsoft Office application, we discern that malicious PowerShell and VBScript were executed and suspicious network traffic was generated.
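
The process-lineage pivot described above, sketched as an added example (not Endgame's code or product logic): it walks constructed process-creation events and reports every script interpreter that has a Microsoft Office application among its ancestors. The event fields, the process name lists and the sample events are assumptions made for illustration.

```python
# Added example: flag script interpreters descended from an Office application.
# Event fields (pid, ppid, image) and the sample events below are constructed.
from ntpath import basename

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# Constructed process-creation events, in the order they were observed.
EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def name(event):
    """Lower-cased executable name from a Windows path."""
    return basename(event["image"]).lower()

def lineage(pid, by_pid):
    """Return the ancestor chain for pid, oldest first, as executable names."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' stops loops in bad data
        seen.add(pid)
        chain.append(name(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def office_script_descendants(events):
    """Map pid -> lineage for each script host with an Office app as an ancestor."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        if name(e) in SCRIPT_HOSTS:
            chain = lineage(e["pid"], by_pid)
            if OFFICE & set(chain[:-1]):  # ancestors only, not the process itself
                hits[e["pid"]] = chain
    return hits

if __name__ == "__main__":
    for pid, chain in office_script_descendants(EVENTS).items():
        print(pid, " -> ".join(chain))
```

On real telemetry, key the lookup on a unique process identifier rather than the bare PID, since Windows reuses PIDs and a reused value would splice unrelated processes into one chain.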


Hunting with Tradecraft Analytics

What if the breach occurred before Endgame was installed?  Endgame’s powerful hunt analytics can immediately pinpoint outliers and suspicious artifacts on endpoint systems. These analytics are designed to immediately surface malicious artifacts with low noise in most environments.  Suspicious running processes, network connections, and persistent software can be easily identified with Endgame.  In addition, Endgame opens up memory to hunters, enabling users to find all in-memory adversaries, including FIN7.  In contrast to any other security product, Endgame’s memory analysis scales, allowing the analyst to examine all processes for entrenched fileless adversaries across tens of thousands of endpoints in minutes. Hunting in memory and hunting for persistence are just two of the ways Endgame’s hunting capabilities easily detect infections across a range of the most advanced groups, such as NetTraveler, Roaming Tiger, Fancy Bear and Cozy Bear.

Specifically for FIN7, Endgame is able to detect the in-memory component of FIN7's attack as well as discover FIN7’s persistence methods of creating scheduled tasks and WMI objects. The Endgame hunt capability combined with our tradecraft analytics is essential to determining the breach status in a fraction of the time.

The above hunt, detection, and triage capabilities provide the responder with all the necessary information to respond to the attack and execute their incident response procedures, with Endgame providing thread-level remediation capabilities on even the most critical systems.


See Endgame in Action

The video below walks through each of these layers in the Endgame product - prevention, detection and response, and hunt - to demonstrate not only the power of, but also the necessity for pursuing a layered approach in light of the increasingly creative and evasive adversarial techniques.



FIN7 is arguably the most sophisticated financially motivated group, but they certainly aren’t the only group that combines a range of advanced attack vectors to compromise organizations. These not only include frequently employed techniques such as spear phishing and malicious macros, but also sophisticated in-memory stealth, persistence, and living-off-the-land strategies. With the odds remaining in favor of targeted attackers compromising a network, a layered approach is absolutely essential to prevent, detect, and respond to the wide range of attack vectors as early as possible. If you’ll be at Black Hat this week, stop by our booth 1360 to see the demo live, and attend any of our talks and workshops at BSidesLV, Black Hat and DEF CON.