Cyber security news for all


    FIN7 Cybercrime Group Targets U.S. Auto Industry with Carbanak Backdoor

    The notorious cybercrime syndicate known as FIN7 has been identified in a spear-phishing campaign aimed at the U.S. automotive sector, deploying the Carbanak backdoor, also known as Anunak.

    According to the BlackBerry research and intelligence team, FIN7 singled out IT department employees holding elevated administrative privileges within the targeted company. The lure was a free IP scanning tool; once a victim took the bait, the attackers used it to get their well-known Anunak backdoor executed on the host and then relied on living-off-the-land binaries, scripts, and libraries (LOLBAS) to establish their foothold.

    FIN7, recognized by aliases such as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, has a lengthy history of financially motivated cybercrime. Since 2012, the group has been active across various industries, deploying malware capable of pilfering data from point-of-sale (PoS) systems.

    In recent years, FIN7 has shifted its focus to ransomware operations, distributing strains like Black Basta, Cl0p, DarkSide, and REvil. Notably, two members of the group, Fedir Hladyr and Andrii Kolpakov, have been sentenced to prison in the U.S.

    The latest campaign, uncovered by BlackBerry in late 2023, begins with a spear-phishing email containing a malicious link to a typosquatted site (“advanced-ip-sccanner[.]com”, note the doubled “c”) masquerading as the download page for Advanced IP Scanner.

    “This fake site redirected to ‘myipscanner[.]com,’ which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto the victim’s machine,” explained the Canadian cybersecurity company.

    WsTaskLoad.exe kicks off a multi-stage loading chain that ends with Carbanak running on the host. It is also built to drop supplementary payloads such as POWERTRASH and to gain persistence by installing OpenSSH, giving the operators remote access that blends in with legitimate administration tooling.

    As of now, it remains unclear whether the threat actors intended to deploy ransomware, as the infected system was detected and removed from the network before reaching the lateral movement phase.

    Although the primary target of the attack was a “large multinational automotive manufacturer” based in the U.S., BlackBerry discovered several similar malicious domains hosted on the same provider, suggesting a broader campaign orchestrated by FIN7.

    To mitigate the risks posed by campaigns like this one, organizations are advised to train staff, and in particular the privileged IT administrators FIN7 targeted here, to treat unsolicited offers of free tools as phishing and to download software only from vendor sites; to enforce multi-factor authentication (MFA); to keep software and systems patched; and to monitor for unusual login activity, including new remote-access services such as OpenSSH appearing on workstations.
