Threat Actor activity: a quick recap

In our recent Threat Landscape Report we profiled several active threat actors that have made an impact over the past year. All of the threat actors in this article remain under close observation.

Sharing this intelligence is part of our ongoing mission to collaborate with industry peers, enrich the quality of investigations and accelerate performance. Threat Compass provides targeted, actionable intelligence relevant to your business, as outlined below.

FIN7

FIN7 (also known as Carbanak) is a financially-motivated threat group. It has primarily targeted the retail and hospitality sectors, but also has an eye on financial information. In the past, the group has used phishing techniques to distribute point-of-sale (POS) malware, often combined with remarkably bold social engineering techniques, such as calling up victims to ensure they open malicious files.

Since appearing in 2015, the group has compromised hundreds of companies, thousands of POS terminals, and millions of payment cards. FIN7 has been linked to high-profile breaches at Arby’s, Chili’s, Chipotle, Red Robin, Jason’s Deli, and Sonic. After a successful breach, FIN7 typically offers the compromised cards for sale on the underground card shop Joker’s Stash.

Researchers uncovered that in addition to compromising payment cards, FIN7 occasionally elects to pivot towards finance departments as well. Moreover, US law enforcement has reported FIN7-linked phishing emails posing as the US Securities and Exchange Commission (SEC), targeting individuals with access to documents that may prove useful in the stock market.

In August 2018, the US Department of Justice (DOJ) announced that three members of FIN7 had been arrested. In the announcement, the DOJ revealed that FIN7 used a front company called “Combi Security” to carry out at least a portion of their activities. Combi Security masquerades as a legitimate company headquartered in Russia and Israel and has posted on job recruitment boards in Eastern Europe and Central Asia. Membership of the group is primarily Eastern European.

FIN7 should be considered a dangerous APT because of its rigorous and sophisticated procedures, having proven on several occasions its ability to quickly evolve new strategies and adapt tools. The group has shown itself to be a particularly professional and disciplined organization, working to a regular office schedule, with nights and weekends off.

As recently as March 2019, the group was reported as returning with new SQLRat malware. Watch this space.

Orangeworm

A relatively new hacker group named Orangeworm has been discovered deploying a custom backdoor into large international corporations, most of them related to the healthcare sector in the United States, Europe and Asia. There is no evidence of this group working for any nation or fighting for any political cause. Rather, Orangeworm could be a lone criminal or a small group of individuals working in their own interest. This group seems to choose its objectives carefully, planning strikes in advance after studying the potential victims for some time.

The malware they use consists of a custom Trojan backdoor called Trojan.Kwampirs. This Trojan prowls in medical devices – think X-ray devices and MRI machines – but it has also been detected in machines used to assist patients in completing consent forms for medical procedures. In order to gain access to healthcare corporations, Orangeworm mounts a large supply-chain attack, striking industries related to the healthcare business.

The malware they deploy, Kwampirs, uses some obfuscation techniques and ensures its persistence on the infected system, avoiding antivirus detection by inserting randomly generated strings into the middle of the payload. In spite of that, this malware shows notably noisy behavior due to the way it propagates and communicates with its command and control servers. It tries to infect all the devices inside the victim’s network by copying itself over network shares, and communicates with the C&C servers by cycling connections through a large list of servers.

Those methods are easily detectable and indicate that Orangeworm is not concerned about being discovered. Kwampirs collects basic information about the compromised device, such as the language settings, system version and network adapter information, and may use that data to determine whether the infected system is a worthwhile target. Following this, Kwampirs opens a backdoor and allows the attackers to access the victim’s device remotely, enabling them to steal confidential data.
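As an added example (not from the original post or from Blueliv), the following Python flags the two noisy behaviours described above on constructed flow records: one host fanning out SMB sessions to many internal machines, and one host rotating through many external C&C addresses. The log format, the 10.0.0.0/8 site range, the addresses and the thresholds are all assumptions.

```python
# Detection heuristics for the two noisy Kwampirs behaviours described above:
# fan-out SMB connections to many internal hosts (copying itself over shares)
# and one host cycling through a list of external C&C servers.
# Log format, addresses and thresholds are constructed for this example.
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed site address space

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2019-03-12T10:00:01Z 10.0.5.12 10.0.5.20 445
2019-03-12T10:00:02Z 10.0.5.12 10.0.5.21 445
2019-03-12T10:00:02Z 10.0.5.12 10.0.5.22 445
2019-03-12T10:00:03Z 10.0.5.12 10.0.5.23 445
2019-03-12T10:00:03Z 10.0.5.12 10.0.5.24 445
2019-03-12T10:00:10Z 10.0.5.12 203.0.113.10 443
2019-03-12T10:00:11Z 10.0.5.12 203.0.113.11 443
2019-03-12T10:00:12Z 10.0.5.12 203.0.113.12 443
2019-03-12T10:00:13Z 10.0.5.12 203.0.113.13 443
2019-03-12T10:00:20Z 10.0.5.40 10.0.5.50 445
2019-03-12T10:00:21Z 10.0.5.40 198.51.100.5 443
"""

def parse_flows(text):
    """Yield (src, dst, port) tuples from the constructed log format."""
    for line in text.splitlines():
        if line.strip():
            _, src, dst, port = line.split()
            yield src, dst, int(port)

def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET

def smb_fanout(flows, min_targets=5):
    """Hosts with SMB (445) sessions to >= min_targets distinct internal hosts."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 445 and is_internal(dst) and src != dst:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def c2_cycling(flows, min_servers=4):
    """Hosts contacting >= min_servers distinct external addresses on one port."""
    servers = defaultdict(set)
    for src, dst, port in flows:
        if not is_internal(dst):
            servers[(src, port)].add(dst)
    return {k: len(s) for k, s in servers.items() if len(s) >= min_servers}
```

In a real deployment the counts should be taken per time window and the thresholds tuned against the baseline of file servers and update proxies, which legitimately fan out.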

TA505

TA505 has been one of the most prolific threat actors in recent years. The group has targeted several countries since it was discovered, and seems to be driven purely by financial motives. They appear to be Eastern European, since they have never targeted countries in the Commonwealth of Independent States (CIS) and they cease their activities during Russian Orthodox holidays. The group mainly provides a malware distribution service to other cybercriminal groups and individuals.

TA505 was first discovered in 2014 during a campaign against the US, in which they distributed the Dridex banking Trojan using the Necurs botnet to send millions of spam messages with the malware attached. They repeated these attacks against several countries such as the UK, Germany and Australia without much variation until October 2015, when they started using the Shifu banking Trojan against Japanese and British targets (while still launching Dridex campaigns).

In 2016 they stopped using banking Trojans, and centered almost all their activities on the Locky ransomware. During this switch of tactics, techniques and procedures (TTPs) and at the beginning of 2017, the group experimented with several other ransomware variants in smaller campaigns such as Bart, Philadelphia and GlobeImposter.

In October 2017, TA505 introduced their first geotargeted campaign, dropping either the Trickbot banking Trojan for victims that appeared to reside in the UK, Australia, Luxembourg, Ireland, and Belgium, or Locky if the target was located elsewhere.

At the beginning of 2018 their activities almost halted due to problems with the Necurs botnet, but they rapidly changed their TTPs. When the botnet started to recover, they launched a handful of campaigns delivering the Remote Access Tool (RAT) FlawedAmmyy, last seen in June of this year. Their recent foray into large-scale distribution of RATs and intermediate loaders reinforces the observation that, unlike with Locky or GlobeImposter infections, victims may not realize they are infected until the group triggers additional malware installations or steals valuable data.

The group’s willingness to explore new vectors, payloads, sending infrastructure, and other malicious services – even when they do not have access to the Necurs spam cannon – exemplifies their adaptability, making them a threat actor to keep an eye on. Its latest phishing campaign uses LOLBins to distribute backdoor malware.

Threat Context

Each of these threat actors is profiled in our Threat Context module, with much more in-depth analysis. Using this sort of strategic threat intelligence, a CISO reporting on an APT can enrich an investigation, derive greater value and build deeper defenses.

For example, FIN7’s targeting of the retail sector should have the CISO at an e-commerce company worried. Querying this actor allows the CISO to find the detail they require, including indicators, historical campaigns, attack patterns, signatures and tools. They can pivot from page to page to obtain as much contextual information as possible, and even score the threat level of particular indicators based on history, related IOCs and freshness.

For additional threat actor profiles, download our full Threat Landscape Report here:

English version | German version / Deutsche Sprachversion

The post Threat Actor activity: a quick recap appeared first on Blueliv.