FireEye calls Shim-anigans: Bank-raiding hackers switch tactics

Game's the same, just got more fierce, apparently

A group of money-grabbing cybercrooks have switched up their tactics in a pretty interesting way, we're told. Buckle up and let us explain.

FIN7, whose stock in trade is targeting financial institutions through phishing emails, previously relied on a malicious Windows service to plant the Carbanak backdoor on targeted systems.

Recently, the group has switched towards using shim databases to achieve the same aim, according to FireEye Mandiant.

The shim injects a malicious in-memory patch into the Service Control Manager ("services.exe") process on Windows, which in turn installs the Carbanak backdoor. As before, the end game is to gain a foothold on compromised systems before harvesting payment card details.

The shift in the group's approach, from dropping a malicious Windows service to abusing a legitimate Windows compatibility mechanism for persistence, is an example of how so-called advanced persistent threat (APT) attacks evolve over time.

An application compatibility shim is a small library that transparently intercepts an API call (via hooking) and then changes the parameters passed, handles the operation itself, or redirects it elsewhere, for example to additional code stored on the system.

Shims are currently used predominantly to achieve compatibility with legacy applications. While they serve a legitimate purpose, they can also be used nefariously: a custom shim database (SDB) is registered with the built-in sdbinst.exe tool, and the shim it contains is applied to any matching executable the next time it starts. FIN7's modified tactics are uncommon but not unprecedented.
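The registry footprint that installing a custom shim database leaves behind is the obvious place to hunt for the technique described above. The following PowerShell is an added example for defenders, not code from the article or from FireEye Mandiant: it enumerates installed SDBs and the executables they are applied to, then flags entries that fit the pattern in this story (a shim registered against services.exe, an SDB stored outside the default AppPatch directory, or an SDB file that has been deleted after installation). The registry paths and value names are the standard ones written by sdbinst.exe; the list of sensitive target processes and the triage heuristics are the example's own assumptions, and the trailing sample data is constructed so the logic can be exercised without reading the live registry.

```powershell
# Added example (not from the article or FireEye/Mandiant): hunt for custom
# application-compatibility shim databases. Registry locations are the ones
# sdbinst.exe writes; the triage heuristics below are assumptions.

$InstalledSdbKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$CustomKey       = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$DefaultSdbRoot  = Join-Path $env:SystemRoot 'AppPatch'

function Get-InstalledShimDatabase {
    # One GUID-named subkey per installed SDB, holding its path, description and install time.
    if (-not (Test-Path $InstalledSdbKey)) { return @() }
    Get-ChildItem $InstalledSdbKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Path        = [string]$p.DatabasePath
            Description = [string]$p.DatabaseDescription
            InstalledAt = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp) } else { $null }
        }
    }
}

function Get-ShimmedExecutable {
    # The Custom key has one subkey per shimmed executable name; each value named
    # "{GUID}.sdb" points at an SDB applied to that executable.
    if (-not (Test-Path $CustomKey)) { return @() }
    Get-ChildItem $CustomKey | ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty -Path $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '{*}.sdb' } |
            ForEach-Object {
                [pscustomobject]@{ Executable = $exe; SdbGuid = ($_.Name -replace '\.sdb$', '') }
            }
    }
}

function Find-SuspiciousShim {
    param(
        [object[]] $Databases   = @(Get-InstalledShimDatabase),
        [object[]] $Executables = @(Get-ShimmedExecutable),
        # System processes a compatibility shim has no legitimate business patching (assumption).
        [string[]] $SensitiveTargets = @('services.exe', 'lsass.exe', 'winlogon.exe', 'svchost.exe')
    )
    $byGuid = @{}
    foreach ($db in $Databases) { $byGuid[$db.Guid] = $db }

    foreach ($db in $Databases) {
        $reasons = @()
        $targets = @($Executables | Where-Object { $_.SdbGuid -eq $db.Guid } | ForEach-Object { $_.Executable })
        if ($targets | Where-Object { $SensitiveTargets -contains $_.ToLower() }) {
            $reasons += 'shims a sensitive system process'
        }
        if ($db.Path -and -not $db.Path.StartsWith($DefaultSdbRoot, 'OrdinalIgnoreCase')) {
            $reasons += 'SDB stored outside AppPatch'
        }
        if ($db.Path -and -not (Test-Path -LiteralPath $db.Path)) {
            $reasons += 'SDB file missing (installed then deleted?)'
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                Guid = $db.Guid; Path = $db.Path; Targets = ($targets -join ',')
                InstalledAt = $db.InstalledAt; Reasons = ($reasons -join '; ')
            }
        }
    }
    # A Custom entry that points at a GUID with no InstalledSDB record is also worth a look.
    foreach ($e in ($Executables | Where-Object { -not $byGuid.ContainsKey($_.SdbGuid) })) {
        [pscustomobject]@{
            Guid = $e.SdbGuid; Path = $null; Targets = $e.Executable
            InstalledAt = $null; Reasons = 'Custom entry with no matching InstalledSDB record'
        }
    }
}

# Live run against this host:
# Find-SuspiciousShim | Format-Table -AutoSize

# Constructed sample data (not real findings) to exercise the triage logic offline.
$sampleDbs = @(
    [pscustomobject]@{ Guid = '{11111111-1111-1111-1111-111111111111}'; Path = "$DefaultSdbRoot\Custom\{11111111-1111-1111-1111-111111111111}.sdb"; Description = 'Vendor fix'; InstalledAt = $null },
    [pscustomobject]@{ Guid = '{22222222-2222-2222-2222-222222222222}'; Path = 'C:\Windows\Temp\svc.sdb'; Description = ''; InstalledAt = $null }
)
$sampleExes = @(
    [pscustomobject]@{ Executable = 'legacyapp.exe'; SdbGuid = '{11111111-1111-1111-1111-111111111111}' },
    [pscustomobject]@{ Executable = 'services.exe';  SdbGuid = '{22222222-2222-2222-2222-222222222222}' }
)
Find-SuspiciousShim -Databases $sampleDbs -Executables $sampleExes | Format-Table -AutoSize
```

On the constructed sample, the second entry is reported for both shimming services.exe and living in C:\Windows\Temp; the first is reported only because its (fictional) file does not exist on disk, which is the same signal you would get from an attacker who runs sdbinst.exe and then deletes the .sdb. Run the live version with administrative rights, and treat any hit on a sensitive process as something to pull the SDB for and parse, since the registry alone does not tell you what the patch does.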

More details on FIN7's change-up in tactics can be found in a blog post by FireEye Mandiant.


Biting the hand that feeds IT © 1998–2017
