A sophisticated fileless attack is taking a bite out of restaurants across the US, allowing hackers to seize system control and install a backdoor to steal financial information at will.
Morphisec Lab said that the FIN7 APT group, which is associated with the Carbanak Gang, is likely behind the campaign.
Past highly successful and damaging attacks on banks, SEC personnel, large restaurant chains and hospitality organizations have all been attributed to the financially-motivated FIN7 group, Morphisec noted in an analysis. And like past attacks, the initial infection vector is a malicious Word document attached to a phishing email that is well-tailored to the targeted business and its day-to-day operations; FIN7’s phishing mails here use smartly named email attachments, called menu.rtf or Olive Garden.rtf.
What is new is that the campaign incorporates never-before-seen evasive techniques that allow it to bypass most security solutions, both signature- and behavior-based. Alarmingly, the detection score on VirusTotal for all of the documents continues to be 0/56 from the time the first documents were uploaded on June 6 until press time.
“The Word document executes a fileless, polymorphic attack that uses DNS queries to deliver the next shellcode stage (Meterpreter),” the firm explained. “However, in this new variant, all the DNS activity is initiated and executed solely from memory—unlike previous attacks which used PowerShell commands.”
Having a Meterpreter session on a compromised computer allows for full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization.
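Because the stager described above fetches its next stage over DNS rather than HTTP, DNS query logs are one of the few places a defender can still see it. The script below is an added example for this article, not code from Morphisec or from the campaign itself: it parses constructed DNS resolver log lines (the log format, hostnames, client addresses and the `example-c2.test` zone are all made up) and flags clients that send a burst of TXT queries whose leading label is long and high-entropy, the pattern produced when a payload is chunked across many record lookups. The article does not state which record type FIN7 used; the assumption that TXT records carry the data, and the thresholds, are the example's own and should be tuned against a baseline of normal traffic.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the article). Format assumed here:
# "<timestamp> <client-ip> <query-type> <query-name>", one query per line.
SAMPLE_DNS_LOG = """\
2017-06-06T09:14:01Z 10.0.5.21 TXT 0a1b2c3d4e5f60718293a4b5c6d7e8f9.stage.example-c2.test
2017-06-06T09:14:01Z 10.0.5.21 TXT 1b2c3d4e5f60718293a4b5c6d7e8f90a.stage.example-c2.test
2017-06-06T09:14:02Z 10.0.5.21 TXT 2c3d4e5f60718293a4b5c6d7e8f90a1b.stage.example-c2.test
2017-06-06T09:14:02Z 10.0.5.21 TXT 3d4e5f60718293a4b5c6d7e8f90a1b2c.stage.example-c2.test
2017-06-06T09:14:03Z 10.0.5.21 TXT 4e5f60718293a4b5c6d7e8f90a1b2c3d.stage.example-c2.test
2017-06-06T09:14:03Z 10.0.5.21 TXT 5f60718293a4b5c6d7e8f90a1b2c3d4e.stage.example-c2.test
2017-06-06T09:14:05Z 10.0.5.22 A www.example.com
2017-06-06T09:14:06Z 10.0.5.22 A mail.example.com
2017-06-06T09:14:07Z 10.0.5.23 TXT _dmarc.example.com
"""


def parse_log(text):
    """Parse 'timestamp client qtype qname' lines; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; chunked hex or base32 payload labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname):
    # Simplification (assumption): the last two labels are the zone the attacker controls.
    # A real deployment would use a public-suffix list instead.
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def find_staging_suspects(records, min_queries=5, min_label_len=16, min_entropy=3.0):
    """Group TXT queries with long, high-entropy leading labels by (client, zone).

    Returns {(client, zone): {"queries", "mean_label_len", "mean_entropy"}} for groups
    that reach min_queries. Ordinary TXT lookups such as _dmarc or SPF are too short
    to pass the label-length gate, so they do not contribute.
    """
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] != "TXT":
            continue
        first_label = r["qname"].split(".")[0]
        if len(first_label) < min_label_len:
            continue
        ent = shannon_entropy(first_label)
        if ent < min_entropy:
            continue
        groups[(r["client"], registrable_domain(r["qname"]))].append((len(first_label), ent))

    suspects = {}
    for key, obs in groups.items():
        if len(obs) >= min_queries:
            suspects[key] = {
                "queries": len(obs),
                "mean_label_len": sum(length for length, _ in obs) / len(obs),
                "mean_entropy": sum(ent for _, ent in obs) / len(obs),
            }
    return suspects


if __name__ == "__main__":
    for (client, zone), stats in find_staging_suspects(parse_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {zone}: {stats['queries']} TXT queries, "
              f"mean label length {stats['mean_label_len']:.0f}, "
              f"mean entropy {stats['mean_entropy']:.2f} bits/char")
```

Run against the constructed log, only client 10.0.5.21 querying `example-c2.test` is reported; the A lookups and the `_dmarc` TXT query fall through the gates. In production the same grouping should be keyed over a sliding time window, and the zone list should be checked against the organization's own domains and known DNS-based security products before alerting, since legitimate services also chunk data into TXT records.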
“FIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable,” Morphisec said. “The analysis of this attack shows how easy it is for them to bypass static, dynamic and behavior-based solutions. These attacks pose a severe risk to enterprises.”
This type of fileless attack is set to become ever more common. Carbon Black reports that researchers found a 33% rise in severe non-malware attacks in Q4 2016 compared to Q1.