[Translation] APT Analysis Report: 03.OpBlueRaven exposes Fin7/Carbanak (Part 1) Tirion malware

This is a new column by the author. It mainly translates APT reports from well-known foreign security vendors, to understand their security techniques and learn how they attribute APT groups. I hope it helps you. The previous article covered phishing emails that obfuscate URLs to evade detection. This article introduces the Tirion malware of the APT group Fin7/Carbanak, including the OpBlueRaven operation.


  • Original title: OpBlueRaven: Unveiling Fin7/Carbanak-Part I: Tirion
  • Original link: https://threatintel.blog/OPBlueRaven-Part1/
  • Author and date: YUSUF ARSLAN POLAT, 2020-07-31
  • Article source: threatintel.blog, PRODAFT SARL, INVICTUS


1. Introduction to Fin7

FIN7 targets financial institutions (especially US financial companies), and phishing emails are its main attack channel. Its common attack methods include:

  • Using sophisticated spear-phishing emails to convince the target to download an attachment, then using the attachment to infect the company's network with malware
  • Favouring non-PE files; few PE files are dropped to disk during an attack
  • Delivering the main attack payloads as JS and PowerShell scripts, which to some extent evade detection and removal by security software
  • Among the malware used by FIN7, the most common is a specially crafted version of the Carbanak malware, which has been used in multiple attacks on banks

The typical attack chain is shown in the figure below. The attacker uses a phishing email as the entry point and embeds a VBS script in a malicious document. When the VBS script runs, it decrypts the backdoor and writes it into the registry, and the script that launches the backdoor is hidden on disk in an alternate data stream (ADS). Once the backdoor runs, it uses DNS TXT records as its C&C communication channel.


The email attachment documents carry malicious macro code. The appearance of the different phishing documents is roughly as follows. It is worth mentioning that the lure document with the hamburger image was used against a foreign food company. Companies compromised by FIN7 include well-known brands such as Chipotle, Chili's and Arby's. The group is believed to have hacked thousands of business locations and stolen millions of credit card numbers.


As its tradecraft evolved, the group deployed new tactics (similar to BadUSB). The Securityaffairs website reported that FIN7 mailed packages through the United States Postal Service (USPS) to the target company's human resources, information technology or executive staff; the packages contained USB devices, gift cards and similar items. When an employee plugs the USB device into a computer, it injects commands that download and execute the JavaScript backdoor tracked as Griffon.


Such packages were sent to many companies, including retailers, restaurants and hotels. The weaponized USB device imitates a user's keystrokes and launches PowerShell commands that retrieve malware from remote servers. Experts observed that the domains and IP addresses contacted by the malicious code were located in Russia.

The USB device uses an Arduino microcontroller (ATMEGA32U4) programmed to emulate a USB keyboard. Because a PC trusts a USB keyboard by default, the keyboard emulator automatically types malicious commands as soon as it is plugged in. A PowerShell script then runs the third-stage JavaScript, which collects system information and deletes other malware. According to the FBI's warning, once the target information was collected, FIN7 began moving laterally to obtain administrative privileges. After the collected information is sent to the C&C server, the main JS code enters an infinite loop, sleeping for 2 minutes in each iteration and then fetching a new command from the command-and-control server.


In short, once a USB controller chip is reprogrammed for another purpose (such as emulating a USB keyboard), the device can be used to launch attacks and infect computers without the user's knowledge. Since such devices are very cheap and available to anyone at any time, it is only a matter of time before attackers make deeper use of these techniques and devices.




2. About Fin7 and Carbanak

This article aims to give readers detailed information about the latest operation of the PRODAFT (Switzerland) & INVICTUS (Europe) Threat Intelligence (PTI) team against several threat actors, which was found to be related to the notorious Fin7 APT group. All information in the article stems from an OPSEC failure of the threat actor. We will try to gradually broaden the topic and widen its scope as new discoveries are made.

Between May and July 2020, four members of the PRODAFT threat intelligence team conducted Operation BlueRaven. The case originated from the discovery of a set of minor, seemingly unimportant OpSec failures. As it turned out, these were later found to be related to the notorious Fin7/Carbanak threat actor.

PTI's operation originated from the attacker's OPSEC failure. What makes this operation so unique, compared with previously discovered and published data, is that we managed to find a large amount of unpublished information about the attacker's toolset that reveals the attacker's TTPs.

Carbanak Group / Fin7 was first discovered in 2014. It is one of the most famous APT groups in the world and among the first to be exposed. The group is believed to have caused more than $900 million in damages worldwide. Our operation yielded the following key findings about these threat actors:

  • The real identities of certain Fin7 members were obtained
  • Detailed evidence about Fin7's tools and attack methods was discovered
  • The relationship between Fin7 and the REvil ransomware group was discovered (to be described in detail in a later part)

This report was written to raise awareness and assist cybersecurity experts in their analysis. Some of PRODAFT's findings have naturally been redacted; authorized agencies can therefore contact PRODAFT or INVICTUS for further disclosure.

Each article will discuss specific aspects of operations, not just attack methods, organizations, and the identity of the attacker. Our team also managed to eavesdrop on various conversations between the attackers, and most of these conversations will also be released throughout the series.



3. Carbanak backdoor

The Carbanak backdoor was one of the first discoveries our team made. The current version of the Carbanak backdoor (the group's best-known tool, from which the Carbanak group takes its name) is the first tool that caught our team's attention. Version "3.7.5", compiled in November 2019 according to the PE header, is the latest version detected on the backdoor's command-and-control server. The screenshot below shows the management panel of the "3.7.5" version of the Carbanak backdoor.


We compared the latest version we obtained with the "Command Manager" version uploaded to VirusTotal in 2017 and evaluated the tool. The figure below shows the differences between the decompiled source code of the two versions; it lists only the source files that differ between them. The left column belongs to the file uploaded to VirusTotal in 2017, and the right column to the "3.7.5" version obtained by our team. Blue lines mark changed files and green lines mark new files.

Inspection of the command-and-control server software shows that basic changes were made to the GUI and the plugins to produce more detailed error logs, and that new language code was added.


Six versions of the malware "Command Manager" tool compiled in 2019 have been identified. The following figure shows the timestamp of the detected version.


Bot.dll is the component of the malware that runs on the victim device. 981 functions were identified in the disassembly of the old version and 706 in the new version of the same component. Using the Diaphora binary diffing tool, 607 functions received a best-match score and 43 a partial match. In addition, compared with the old version on VirusTotal, the new bot file is less than 50 KB in size. Inspecting the new bot file shows that functions beyond the basic ones present in the old version are now implemented as plugins. These new plugins can perform operations such as keylogging and process monitoring, and are executed filelessly through reflective loading. As a result, the malware's file size shrinks and fewer artifacts are left behind for forensics and signature-based security products. The plugin files identified are:

  • hd.plug
  • hd64.plug
  • hvnc.plug
  • hvnc64.plug
  • keylog
  • keylog64
  • procmon
  • procmon64.dll
  • rdpwrap.dll
  • switcher.dll
  • switcher64.dll
  • vnc.plug
  • vnc64.plug

In this section we examine some plugins that are "not" present in the previously discovered files. Since these capabilities had not been seen in the toolkit before, we believe the following is essential for further analysis of the group's TTPs.



1. Keylogger plugin

The "keylog.dll" plugin uses the RegisterRawInputDevices API to capture user keystrokes. To determine the context in which a keystroke was typed, the executable file path, window text (title) and timestamp of the foreground process are recorded along with the keystroke.


The keylogger plugin uses the Windows GDI+ API to convert the collected data into a bitmap and writes it to a folder named "SA45E91.tmp" in the user's %TEMP% directory. The figure below shows the functions the malware uses to store the data.


The following figure shows a screenshot of the obtained log example.




2. Process monitor plugin

This plugin tracks the processes running on the target system and is used to obtain the start and end times of processes of interest. The figure below shows a screenshot of the function that collects information about running processes.




4. Tirion Loader (the future of Carbanak backdoor)

The Fin7 group's new loader is a malware family called Tirion, believed to have been developed as a replacement for the Carbanak backdoor. It contains many functions for information gathering, code execution, reconnaissance and lateral movement. As with the latest version of the Carbanak backdoor examined in the previous section, many of this malware's functions are implemented as independent plugins, loaded into the target system by reflective loading and executed filelessly. Public data shows that development of the Carbanak backdoor has stopped and that the same team is developing and testing Tirion Loader. Communication logs between the attackers indicate that this new tool is intended to replace the Carbanak backdoor.


The features of Tirion malware are as follows:

  • Information Gathering
  • Taking Screenshot
  • List Running Processes
  • Command / Code Execution
  • Process Migration
  • Mimikatz Execution
  • Password Grabbing
  • Active Directory and Network Recon

The latest Tirion Loader version detected is "1.6.4", compiled at 23:24:03 on June 28, 2020. The figure below shows the actions an attacker can perform on a bot device. Version "1.0" is the earliest version detected and is considered the first one used; it was compiled at 20:29:53 on March 5, 2020.


The "readme.txt" file written by the attacker clearly stated the basic components of the malware.


The relevant part is translated as follows; the system consists of 3 components:

  • Server
  • Client
  • Loader

These components relate to each other as follows. The loader connects to the server periodically, while the client keeps a permanent connection to the server. The loader executes commands from the server and sends the responses back to the server. Through the client, the user sends a command to the loader via the server; when the server receives the loader's response, it forwards it to the client.


1. File structure

The file organization of the malware is as follows:



2. Readme.txt

The English translation of some important items in the "readme.txt" file follows. The file lists the changes from the first version of the malware up to version "1.6.3" and contains build instructions. (The original Russian is omitted.)



3. Loader component

This component of the malware runs on the victim system, is roughly 9 KB in size, and executes commands from the server. When an attacker wants to run a function on the victim's device, the plugin file containing that function is reflectively loaded on the victim's device and executed filelessly.

The network traffic between the server and the loader is encrypted with a key fixed at build time. The figure below shows the related encryption algorithm.



4. PswInfoGrabber

This is a DLL responsible for stealing sensitive information from the target system, especially browser and mail passwords, and reporting it back. It was determined that the attacker also used this tool independently of Tirion Loader. The image below shows a screenshot of the logs collected by the malware.




5. OpBlueRaven | End of Part One

In this first part of the series, we aimed to introduce our analysis by comparing the latest Carbanak toolkit discovered by PTI with an older, publicly available version.

In the next article, we will also study the attacker's TTP in more depth by providing a reference for actual conversations between attackers. In addition, we will provide screenshots taken directly from the computers of the threat actors.


Finally, I hope this article is helpful to you. Happy Mid-Autumn Festival and National Day. Take care, everyone!

Previously shared:

"Nazhang AI Security Home", newly opened on August 18, 2020, mainly focuses on Python big data analysis, cyberspace security, reverse analysis, APT analysis reports, artificial intelligence, Web penetration, and offensive and defensive techniques. It will also share algorithm implementations from CCF, SCI and Chinese core-journal (Nanda/Beida core) papers. Nazhang's House will be more systematic: it will rework all of the author's articles and explain Python and security from scratch. Having written articles for nearly ten years, I sincerely want to share what I have learned and done. Thank you for your attention!


(By: Eastmount, written at midnight on Sunday, 2020-10-04, in Wuhan. http://blog.csdn.net/eastmount/ )


Appendix: YARA signatures

import "pe"
rule apt_Fin7_Tirion_plugins
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Tirion Loader's plugins. It is used by Fin7 group. Need manual verification"
        version = "1.0"
        date = "2020-07-22"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "fdc0ec0cc895f5b0440d942c0ab60eedeb6e6dca64a93cecb6f1685c0a7b99ae"
        
    strings:
        $a1 = "ReflectiveLoader" ascii
        $a2 = "plg.dll" fullword ascii
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 15000 and (pe.exports("?ReflectiveLoader@@YA_KPEAX@Z") or
            pe.exports("?ReflectiveLoader@@YGKPAX@Z"))
}

rule apt_Fin7_Tirion_PswInfoGrabber
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Tirion Loader's PswInfoGrabber plugin. It is used by Fin7 group."
        version = "1.0"
        date = "2020-07-22"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "e7d89d1f23c2c31e2cd188042436ce6d83dac571a5f30e76cbbcdfaf51e30ad9"
   
    strings:
        $a1 = "IE/Edge Grabber Begin" fullword ascii
        $a2 = "Mail Grabber Begin" fullword ascii
        $a3 = "PswInfoGrabber" ascii
        $a4 = "Chrome Login Profile: '"
        $a5 = "[LOGIN]:[HOST]:"
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 150KB
}

rule apt_Fin7_Tirion_loader
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Tirion Loader's loader component. It is used by Fin7 group."
        version = "1.0"
        date = "2020-07-22"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "e7d89d1f23c2c31e2cd188042436ce6d83dac571a5f30e76cbbcdfaf51e30ad9"
   
    strings:
        $a1 = "HOST_PORTS" fullword ascii
        $a2 = "KEY_PASSWORD" fullword ascii
        $a3 = "HOSTS_CONNECT" ascii
        $a4 = "SystemFunction036"
        $a5 = "ReflectiveLoader"
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 15KB
}

rule apt_Fin7_Carbanak_keylogplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's keylogger plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "db486e0cb94cf2bbe38173b7ce0eb02731ad9a435a04899a03d57b06cecddc4d"
   
    strings:
        $a1 = "SA45E91.tmp" fullword ascii
        $a2 = "%02d.%02d.%04d %02d:%02d" fullword ascii
        $a3 = "Event time:" fullword ascii
        $a4 = "MY_CLASS" fullword ascii
        $a5 = "RegisterRawInputDevices" fullword ascii 

    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 15000
}

rule apt_Fin7_Carbanak_procmonplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's process monitoring plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "3bf8610241a808e85e6ebaac2bb92ba4ae92c3ec1a6e56e21937efec71ea5425"
   
    strings:
        $a1 = "[%02d.%02d.%04d %02d:%02d:%02d]" fullword ascii
        $a2 = "%s open %s" fullword ascii
        $a3 = "added monitoring %s" fullword ascii
        $a4 = "pm.dll" fullword ascii
        $a5 = "CreateToolhelp32Snapshot" fullword ascii  

    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 10000
}

rule apt_Fin7_Carbanak_hdplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's hidden desktop plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "39b545c7cd26258a9e45923053a5a64c9461470c3d7bfce3be1c776b287e8a95"
   
    strings:
        $a1 = "hd%s%s" fullword ascii
        $a2 = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced" fullword ascii
        $a3 = "StartHDServer" fullword ascii
        $a4 = "SetThreadDesktop" fullword ascii
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 15000
}

rule apt_Fin7_Carbanak_hvncplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's hvnc plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "40ce820df679b59476f5d277350dca43e3b3f8cac7ec47ad638371aaa646c315"
   
    strings:
        $a1 = "VncStartServer" fullword ascii
        $a2 = "VncStopServer" fullword ascii
        $a3 = "RFB 003.008" fullword ascii
        $a4 = "-nomerge -noframemerging" fullword ascii
        $a5 = "--no-sandbox --allow-no-sandbox-job --disable-3d-apis --disable-gpu --disable-d3d11" fullword wide
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 300000
}

rule apt_Fin7_Carbanak_vncplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's vnc plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "ecf3679f659c5a1393b4a8b7d7cca615c33c21ab525952f8417c2a828697116a"
   
    strings:
        $a1 = "VncStartServer" fullword ascii
        $a2 = "VncStopServer" fullword ascii
        $a3 = "ReflectiveLoader" fullword ascii
        $a4 = "IDR_VNC_DLL" fullword ascii
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 400000
}

rule apt_Fin7_Carbanak_rdpplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's rdp plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "0d3f1696aae8472145400d6858b1c44ba7532362be5850dae2edbd4a40f36aa5"
   
    strings:
        $a1 = "sdbinst.exe" fullword ascii
        $a2 = "-q -n \"UAC\"" fullword ascii
        $a3 = "-q -u \"%s\"" fullword ascii
        $a4 = "test.txt" fullword ascii
        $a5 = "install" fullword ascii
        $a6 = "uninstall" fullword ascii
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 400000
}

rule apt_Fin7_Carbanak_switcherplugin  
{
    
    
    meta:
        author = "Yusuf A. POLAT"
        description = "Carbanak backdoor's switcher plugin. It is used by Fin7 group"
        version = "1.0"
        date = "2020-07-21"    
        reference = "https://threatintelligence.blog/"
        copyright = "PRODAFT"
        SHA256 = "d470da028679ca8038b062f9f629d89a994c79d1afc4862104611bb36326d0c8"
        
    strings:
        $a1 = "iiGI1E05.tmp" fullword ascii
        $a2 = "oCh4246.tmp" fullword ascii
        $a3 = "inf_start" fullword ascii
        $a4 = "Shell_TrayWnd" fullword ascii
        $a5 = "ReadDirectoryChangesW" fullword ascii
        $a6 = "CreateToolhelp32Snapshot" fullword ascii
    condition:
        uint16(0) == 0x5A4D  and (all of ($a*)) and filesize < 15000
}
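To show what the appendix rules actually test for, here is an added Python triage helper (written for this translation; it is not PRODAFT's code) that re-implements the core checks of three of the rules above: the MZ header test (uint16(0) == 0x5A4D), the "all of ($a*)" string condition with YARA's fullword semantics, and the filesize cap. It runs against constructed sample blobs, not real samples.

```python
"""Triage helper re-implementing the checks the appendix YARA rules rely on:
MZ header, 'all of' string matches (fullword semantics) and a filesize bound.
Added example, not PRODAFT code; the sample blobs below are constructed."""
import re

MZ = 0x5A4D  # "MZ" read as a little-endian uint16, i.e. uint16(0) == 0x5A4D

def fullword_present(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be flanked by alphanumerics."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None

def ascii_present(data: bytes, needle: bytes) -> bool:
    """Plain (non-fullword) ascii string: any occurrence counts."""
    return needle in data

# String sets and size caps copied from three appendix rules; (needle, fullword?)
RULES = {
    "apt_Fin7_Carbanak_keylogplugin": {
        "strings": [(b"SA45E91.tmp", True),
                    (b"%02d.%02d.%04d %02d:%02d", True),
                    (b"Event time:", True),
                    (b"MY_CLASS", True),
                    (b"RegisterRawInputDevices", True)],
        "max_size": 15000,
    },
    "apt_Fin7_Carbanak_procmonplugin": {
        "strings": [(b"[%02d.%02d.%04d %02d:%02d:%02d]", True),
                    (b"%s open %s", True),
                    (b"added monitoring %s", True),
                    (b"pm.dll", True),
                    (b"CreateToolhelp32Snapshot", True)],
        "max_size": 10000,
    },
    "apt_Fin7_Tirion_loader": {
        "strings": [(b"HOST_PORTS", True),
                    (b"KEY_PASSWORD", True),
                    (b"HOSTS_CONNECT", False),
                    (b"SystemFunction036", False),
                    (b"ReflectiveLoader", False)],
        "max_size": 15 * 1024,  # YARA's "15KB"
    },
}

def is_mz(data: bytes) -> bool:
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == MZ

def match_rule(data: bytes, rule: dict) -> bool:
    """filesize < cap, MZ header, and every string present ('all of ($a*)')."""
    if not is_mz(data) or len(data) >= rule["max_size"]:
        return False
    return all((fullword_present if fw else ascii_present)(data, s)
               for s, fw in rule["strings"])

def scan(data: bytes) -> list:
    """Names of the appendix rules that the blob satisfies."""
    return [name for name, r in RULES.items() if match_rule(data, r)]

# Constructed sample: PE-like header bytes followed by the keylogger strings.
SAMPLE_KEYLOG = (b"MZ" + b"\x00" * 62 +
                 b"\x00SA45E91.tmp\x00%02d.%02d.%04d %02d:%02d\x00"
                 b"Event time:\x00MY_CLASS\x00RegisterRawInputDevices\x00")
# Same strings but 'SA45E91.tmp' glued to a letter, so fullword must fail.
SAMPLE_NOT_FULLWORD = SAMPLE_KEYLOG.replace(b"\x00SA45E91", b"xSA45E91")
# Same strings without the MZ header, so the header check must fail.
SAMPLE_NO_MZ = b"\x00\x00" + SAMPLE_KEYLOG[2:]
```

For real triage, run the appendix rules with the yara tool itself; this helper only makes the rule logic explicit, and the hashes in the rules' meta blocks remain the reference for confirming a sample.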


Origin blog.csdn.net/Eastmount/article/details/108619593