According to digital forensics specialists, the hacker group tracked as FIN7 has developed a new malicious tool that delivers payloads directly into the memory of the targeted system and includes a module that hooks into a remote-administration product from NCR Corporation, a vendor of ATMs and point-of-sale systems (Mandiant's report identifies the product as NCR's Aloha Command Center).
The experts, members of the Mandiant research team, part of security firm FireEye, named this malware Boostwrite and report that some of the samples they collected carry more than one embedded payload, including the dangerous Carbanak backdoor long associated with this group's activity.
In addition, the researchers report that Boostwrite delivers a Remote Access Trojan (RAT) they call RDFSNIFFER. Boostwrite itself is a loader: the embedded payloads are stored encrypted, and the key needed to decrypt them is not in the sample but is fetched from the operators' server when the loader starts. "The malware uses a DLL search hijacking technique to load its own malicious DLL into the memory of the targeted system, allowing it to download the initialization vector and key to decrypt the built-in payloads," the experts mention.
Once the encryption key and initialization vector have been downloaded, Boostwrite decrypts the payloads and verifies that decryption succeeded before handing control to them. Because the key never sits on disk, a captured sample alone does not reveal the payloads, which complicates static analysis. If the loader succeeds, the operators gain a foothold on systems that administer payment terminals, putting a large population of ATM and point-of-sale users at risk.
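The loader described above gets into the process through DLL search-order hijacking: a DLL with the name of a legitimate system library is placed where the victim application looks first, so it loads instead of the real one. A responder hunting for this on a host can triage a per-process module listing for exactly that pattern. The script below is an added example and not code from the article or from Mandiant/FireEye; the DLL name list, the sample process and module paths, and the PIDs are constructed for illustration.

```python
"""Flag DLL search-order hijacking candidates in a loaded-module listing."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# DLL names that, on a clean host, are loaded only from the Windows system
# directories. Assumption for this example: a real deployment would build the
# set from a known-good reference image rather than a hand-written list.
SYSTEM_DLLS = {"dwrite.dll", "version.dll", "wininet.dll", "dbghelp.dll", "cryptsp.dll"}

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


@dataclass(frozen=True)
class Finding:
    pid: int
    process: str
    module: str
    reason: str


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return ntpath.normpath(path).lower()


def is_system_path(path: str) -> bool:
    """True if the file sits directly under System32 or SysWOW64."""
    return ntpath.dirname(_norm(path)) in SYSTEM_DIRS


def find_hijack_candidates(modules: Iterable[tuple[int, str, str]]) -> list[Finding]:
    """modules: (pid, host executable path, loaded module path) triples.

    A module is suspicious when its file name is one Windows would normally
    resolve to the system directory, yet it was loaded from somewhere else:
    the signature of a planted DLL winning the search order.
    """
    findings = []
    for pid, exe, module in modules:
        mod = _norm(module)
        name = ntpath.basename(mod)
        if name not in SYSTEM_DLLS or is_system_path(mod):
            continue
        if ntpath.dirname(mod) == ntpath.dirname(_norm(exe)):
            reason = "system DLL name loaded from the application's own directory"
        else:
            reason = "system DLL name loaded from a non-system directory"
        findings.append(Finding(pid, exe, module, reason))
    return findings


# Constructed sample data shaped like a per-process module dump. The vendor
# application, paths and PIDs are invented for illustration; the second entry
# is the hijack pattern described in the article (a malicious DLL placed next
# to a legitimate executable so it loads before the real system DLL).
SAMPLE_MODULES = [
    (4120, r"C:\Program Files\Vendor\App\app.exe", r"C:\Windows\System32\ntdll.dll"),
    (4120, r"C:\Program Files\Vendor\App\app.exe", r"C:\Program Files\Vendor\App\Dwrite.dll"),
    (4120, r"C:\Program Files\Vendor\App\app.exe", r"C:\Windows\System32\version.dll"),
    (5208, r"C:\Windows\explorer.exe", r"C:\Windows\System32\dwrite.dll"),
    (6112, r"C:\Users\ops\AppData\Local\Temp\tool.exe", r"C:\Users\ops\Downloads\version.dll"),
]

if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_MODULES):
        print(f"PID {f.pid}: {f.module} ({f.reason})")
```

Two caveats a practitioner would apply before acting on a hit: some legitimate installers ship their own copies of DLLs with system names, so each candidate should be confirmed by checking its Authenticode signature and comparing its hash against the copy in System32; and a hijacking DLL usually forwards or proxies exports to the real library so the host application keeps working, so an unexpected import of the same-named system DLL from a file in the application directory is a second strong indicator.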
The FIN7 hacking group (also referred to as Cobalt or Carbanak) was first detected in mid-2015, when it attacked banking institutions and point-of-sale terminals for profit using the dangerous Carbanak backdoor.
Although an international operation led to the arrest of several of the group's leaders, digital forensics experts from the International Institute of Cyber Security (IICS) note that FIN7 has managed to consolidate new leadership and even develop new attack variants, including new malware strains such as Boostwrite. Besides FireEye, other security firms such as Kaspersky Lab report having detected multiple hacking campaigns linked to FIN7, which has been employing malware variants such as Carbanak and BabyMetal, so this group of cybercriminals is very likely to keep evolving.