IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as customer data, intellectual property, and critical systems.
The connected technologies’ dependence on the automotive industry and the value of their data make them attractive targets for threat actors.
BlackBerry analysts recently discovered that the FIN7 hackers are actively attacking the IT employees of the automotive industry.
FIN7 Attacking IT Employees
According to some BlackBerry evaluations at the end of 2023, there was a spear-phishing campaign against a major United States-based car manufacturer by FIN7 hackers.
FIN7 used a free IP scanning tool as bait to exploit IT staff with admin rights and then deployed their Anunak backdoor.
It has been reported that these attacks were part of a broader campaign by FIN7, a financially motivated APT group from Russia known to be focused on sectors such as transportation and defense.Â
However, before this happened, the Blackberry team interrupted before they could perform a ransomware attack.
This demonstrates the importance of detecting early intrusion to mitigate possible losses.
FIN7 then shifted to hunting big game that could pay bigger ransoms, with great detailed plans for maximizing the impacts of attacks.
They are scouts who select and study targets carefully, zooming in for employees with high access rights and delivering payloads such as “WsTaskLoad.exe” via spear-phishing emails containing malicious URLs.
These attacks take advantage of trust in legitimate sites, highlighting the necessity for strong cyber security measures to mitigate such advanced threats.
.webp)
WsTaskLoad.exe executes the final payload of Anunak/Carbanak in multiple stages. It is called jutil.dll, and it then executes the exported function “SizeSizeImage.”
jutil.dll now reads and decrypts infodb\audio.wav; its decrypted blob is shellcode that gets copied to mspdf.dll, and it runs as code there.
This shellcode also reads and decrypts infodb\audio.wav again; this decrypted blob is a loader that can be loaded and run later by the same shellcode.
The loader identifies files in the current directory with dmxl.bin and dfm\open.db matching a certain mark.
The decrypted dmxml.bin constitutes the Anunak payload, having “rabt4201_x86” as the campaign ID.
Besides this, the WsTaskLoad.exe performs scripting dissemination and persistence establishment. The first thing it does is run an obfuscated PowerShell script called powertrash.
This is established by the persistent installation of OpenSSH, scheduled as a job that opens up firewall ports.
The fake lure website “advanced-ip-sccanner[.]com” was pointed at “myipscanner[.]com”, and several other domains were registered too.
Post compromise, OpenSSH is utilized for external access with an SSH tunnel proxy server using a common fingerprint.
The target was a large multinational automobile manufacturer whose IT department had been deliberately pointed against.
The obfuscation and tool employed resemble FIN7 POWERTRASH tactics, confirming that the actor behind this incident was likely FIN7.
Recommendations
Here below we have mentioned all the recommendations:-
- Conduct Regular Security Training
- Social Engineering Awareness
- Phishing Report System
- Multi-Factor Authentication
- Password hygiene
- Security Updates and Patch Management
- Endpoint Security Solutions
- Monitor Suspicious Behavior
- Data Protection and Encryption
- Email Filtering and Authentication
- Incident Response
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.
