
Description

This story groups searches that detect and investigate unusual activity associated with the FIN7 JS implant and JSSLoader: a Windows script host (wscript.exe or cscript.exe) loading LDAP and WMI modules, which the implant uses for host and directory data collection, together with the script execution, credential access and spearphishing techniques that surround its payload.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-09-14
  • Author: Teoderick Contreras, Splunk
  • ID: df2b00d3-06ba-49f1-b253-b19cef19b569

Narrative

FIN7 is a Russian criminal advanced persistent threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A portion of FIN7 is run out of the front company Combi Security. It has been called one of the most successful criminal hacking groups in the world. In the past few days, updated versions of FIN7's tools and implants have been observed in the wild. FIN7 is known to use spear phishing as its entry into a targeted network or host, dropping staging payloads such as the JS implant and JSSLoader. These artifacts and implants have since been seen downloading additional malware, including Cobalt Strike and even ransomware that encrypts the host.

Detections

Name                                             Technique                       Type
-----------------------------------------------  ------------------------------  -------
Check Elevated CMD using whoami                  System Owner/User Discovery     TTP
Cmdline Tool Not Executed In CMD Shell           JavaScript                      TTP
Jscript Execution Using Cscript App              JavaScript                      TTP
MS Scripting Process Loading Ldap Module         JavaScript                      Anomaly
MS Scripting Process Loading WMI Module          JavaScript                      Anomaly
Non Chrome Process Accessing Chrome Default Dir  Credentials from Web Browsers   Anomaly
Non Firefox Process Access Firefox Profile Dir   Credentials from Web Browsers   Anomaly
Office Application Drop Executable               Spearphishing Attachment        TTP
Office Product Spawning Wmic                     Spearphishing Attachment        TTP
XSL Script Execution With WMIC                   XSL Script Processing           TTP
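The two Anomaly rows above ("MS Scripting Process Loading Ldap Module" and "MS Scripting Process Loading WMI Module") share one idea: a Windows script host mapping DLLs that a plain logon script has no reason to touch. The following is an added example written for this page, not the Splunk detection searches themselves or FIN7 tooling. It reproduces that logic in Python over constructed Sysmon Event ID 7 (Image loaded) records and rolls the hits up per host, process and PID the way a `stats count values(ImageLoaded) min(_time) max(_time) by ...` clause would. The LDAP and WMI module lists are assumptions chosen for illustration (wldap32.dll and the ADSI/WBEM client DLLs), not the exact lists the Splunk content uses; the sample events are invented, not real telemetry.

```python
"""Image-load detection for Windows script hosts loading LDAP / WMI modules.

Added example for this page. The DLL lists below are assumptions chosen to
illustrate the technique, not the lists used by the Splunk detections.
"""
from collections import defaultdict
import ntpath  # handles Windows paths correctly even on a POSIX host

# Script hosts the FIN7 JS implant and JSSLoader execute under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumption: representative LDAP (ADSI) and WMI client DLLs. A script host
# loading these is doing directory or WMI work, which is unusual enough to
# surface as an Anomaly but not specific enough to be a TTP on its own.
LDAP_MODULES = {"wldap32.dll", "adsldp.dll", "adsldpc.dll"}
WMI_MODULES = {"wbemprox.dll", "wbemsvc.dll", "wbemdisp.dll",
               "wmiutils.dll", "fastprox.dll", "wbemcomn.dll"}

# Constructed sample telemetry (not real data). Field names follow Sysmon
# Event ID 7: Image is the loading process, ImageLoaded is the mapped DLL.
SAMPLE_EVENTS = [
    {"_time": "2021-09-14T10:01:02Z", "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\jscript.dll"},        # normal for a JS host
    {"_time": "2021-09-14T10:01:03Z", "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\wldap32.dll"},        # LDAP hit
    {"_time": "2021-09-14T10:01:05Z", "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},  # WMI hit
    {"_time": "2021-09-14T10:01:06Z", "Computer": "WS01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wmiutils.dll"},  # WMI hit, same PID
    {"_time": "2021-09-14T10:07:40Z", "Computer": "WS02", "ProcessId": 880,
     "Image": r"C:\Windows\System32\cscript.exe",
     "ImageLoaded": r"C:\Windows\System32\wbem\wbemprox.dll"},  # WMI hit
    {"_time": "2021-09-14T10:08:00Z", "Computer": "WS02", "ProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\System32\wldap32.dll"},        # not a script host
    {"_time": "2021-09-14T10:09:10Z", "Computer": "WS03", "ProcessId": 12,
     "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\wldap32.dll"},        # not a script host
    {"_time": "2021-09-14T10:11:00Z", "Computer": "WS03", "ProcessId": 3300,
     "Image": r"C:\Windows\SysWOW64\WSCRIPT.EXE",
     "ImageLoaded": r"C:\Windows\SysWOW64\WLDAP32.DLL"},        # mixed case, 32-bit host
]


def classify(event):
    """Return 'ldap', 'wmi' or None for a single image-load event."""
    proc = ntpath.basename(event["Image"]).lower()
    dll = ntpath.basename(event["ImageLoaded"]).lower()
    if proc not in SCRIPT_HOSTS:
        return None
    if dll in LDAP_MODULES:
        return "ldap"
    if dll in WMI_MODULES:
        return "wmi"
    return None


def detect(events):
    """Group matching loads per (Computer, process, PID, category).

    Mirrors a Splunk rollup: count, values(ImageLoaded), min/max(_time).
    Returns a list of finding dicts sorted by host, process, PID, category.
    """
    groups = defaultdict(list)
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        key = (ev["Computer"], ntpath.basename(ev["Image"]).lower(),
               ev["ProcessId"], category)
        groups[key].append(ev)

    findings = []
    for (computer, proc, pid, category), evs in sorted(groups.items()):
        times = sorted(e["_time"] for e in evs)
        findings.append({
            "Computer": computer, "process_name": proc, "process_id": pid,
            "category": category, "count": len(evs),
            "loaded": sorted({ntpath.basename(e["ImageLoaded"]).lower() for e in evs}),
            "firstTime": times[0], "lastTime": times[-1],
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['Computer']} {f['process_name']}[{f['process_id']}] "
              f"{f['category'].upper()}: {', '.join(f['loaded'])} "
              f"({f['count']} loads, {f['firstTime']}..{f['lastTime']})")
```

Run stand-alone it prints four findings: one LDAP and one WMI rollup for wscript.exe PID 4120 on WS01, a WMI rollup for cscript.exe on WS02, and an LDAP rollup for the mixed-case SysWOW64 wscript.exe on WS03; the powershell.exe and mmc.exe loads are ignored because the rule keys on the script host, not on the DLL alone. Grouping by PID matters in practice: a single implant process loading both module families in one run is a stronger signal than the same DLLs spread across many unrelated logon scripts, and it is that joint view you pivot on when investigating.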

Reference

source | version: 1