IT employees in the automotive industry are often targeted by hackers because they have access to sensitive information such as customer data, intellectual property, and critical systems.
The connected technologies’ dependence on the automotive industry and the value of their data make them attractive targets for threat actors.
BlackBerry analysts recently discovered that the FIN7 hackers are actively attacking the IT employees of the automotive industry.
According to some BlackBerry evaluations at the end of 2023, there was a spear-phishing campaign against a major United States-based car manufacturer by FIN7 hackers.
FIN7 used a free IP scanning tool as bait to exploit IT staff with admin rights and then deployed their Anunak backdoor.
It has been reported that these attacks were part of a broader campaign by FIN7, a financially motivated APT group from Russia known to be focused on sectors such as transportation and defense.
However, before this happened, the Blackberry team interrupted before they could perform a ransomware attack.
This demonstrates the importance of detecting early intrusion to mitigate possible losses.
FIN7 then shifted to hunting big game that could pay bigger ransoms, with great detailed plans for maximizing the impacts of attacks.
They are scouts who select and study targets carefully, zooming in for employees with high access rights and delivering payloads such as “WsTaskLoad.exe” via spear-phishing emails containing malicious URLs.
These attacks take advantage of trust in legitimate sites, highlighting the necessity for strong cyber security measures to mitigate such advanced threats.
WsTaskLoad.exe executes the final payload of Anunak/Carbanak in multiple stages. It is called jutil.dll, and it then executes the exported function “SizeSizeImage.”
jutil.dll now reads and decrypts infodb\audio.wav; its decrypted blob is shellcode that gets copied to mspdf.dll, and it runs as code there.
This shellcode also reads and decrypts infodb\audio.wav again; this decrypted blob is a loader that can be loaded and run later by the same shellcode.
The loader identifies files in the current directory with dmxl.bin and dfm\open.db matching a certain mark.
The decrypted dmxml.bin constitutes the Anunak payload, having “rabt4201_x86” as the campaign ID.
Besides this, the WsTaskLoad.exe performs scripting dissemination and persistence establishment. The first thing it does is run an obfuscated PowerShell script called powertrash.
This is established by the persistent installation of OpenSSH, scheduled as a job that opens up firewall ports.
The fake lure website “advanced-ip-sccanner[.]com” was pointed at “myipscanner[.]com”, and several other domains were registered too.
Post compromise, OpenSSH is utilized for external access with an SSH tunnel proxy server using a common fingerprint.
The target was a large multinational automobile manufacturer whose IT department had been deliberately pointed against.
The obfuscation and tool employed resemble FIN7 POWERTRASH tactics, confirming that the actor behind this incident was likely FIN7.
Here below we have mentioned all the recommendations:-
Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP
.
Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…
The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…
A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…
Meta has announced the removal of over 2 million accounts connected to malicious activities, including…
Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…
A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…