The financially motivated cyber-crime gang behind the Carbanak backdoor malware, FIN7, has hit upon an ingenious idea for maximising profit from ransomware: Hire real pen-testers to do some of their ‘dirty work’ instead of striking partnerships with other criminals.
The infamous Carbanak operator is looking to increase its ransomware profit by recruiting IT staff to its fake Bastion Secure “pen-testing” company.
Fake Security Company
According to a report from Gemini Advisory, the group has set up a fake security company (called “Bastion Secure”) & is looking to hire security staff under the pretence of needing red-teaming expertise for its clients. In reality, the duped “employees” are conducting malicious activity, unbeknown to them.
It is not the 1st time FIN7 has masqueraded as a legitimate security firm, but this latest tactic highlights its continued expansion into the ransomware arena, researchers noted.
Expansion into Ransomware
FIN7 (aka Carbanak Gang or Navigator Group) has been in operation since at least 2015 & is well-known for both maintaining persistent access at target companies with its custom backdoor malware, & for targeting point-of-sale (PoS) systems with ‘skimmer’ software. The group often targets casual-dining restaurants, casinos & hotels, & it’s been very successful.
In the US alone, FIN7 has stolen more than 20m customer card records from more than 6,500 individual PoS terminals at more than 3,600 separate business locations, in all 50 US states, according to the Department of Justice. The total amount of victim losses has exceeded $1b.
Selection of Targets
Since 2020 though, FIN7 has got into the ransomware/data exfiltration business, with its activities involving REvil or Ryuk as the payload, Gemini researchers added.
The attacks have included the careful selection of targets according to revenue using the ZoomInfo service, performing recon., establishing initial access & carrying out all of the advanced activities these types of hits require – however, FIN7’s exact involvement in the process is unknown.
Ransomware Groups
“Whether they sold the access to ransomware groups or have formed a partnership with these groups remains unclear,” according to the report, issued Thurs. which was based on information from a source who was almost deceived into becoming 1 of FIN7’s recruits.
“However, the tasks that were assigned to the Gemini source by FIN7 (operating under the guise of Bastion Secure) matched the steps taken to prepare a ransomware attack.”
Typically, the ransomware economy is a complex tangle of relationships, with ransomware-as-a-service (RaaS) gangs offering their malware for rent to affiliates who perform the actual cyber-attack in exchange for a portion of the ransom.
Persistent Backdoors
These affiliates may in turn partner with other cyber-criminals who offer services like initial access via persistent backdoors, rental of various tools & post-attack activities like money laundering. The total cost of an attack can be high, but a multi-million-dollar ransom makes it worthwhile.
Gemini researchers theorised that Bastion Secure is an idea for retaining a maximum amount of profit from this new arm of FIN7 operations, by operating outside of this paradigm. Simply put, paying “legit” salaries is cheaper than what services go for on the ‘cyber-underground.’
Starting Salary
“Bastion Secure’s job offers for IT specialist positions ranged between $800 & $1,200 a month, which is a viable starting salary for this type of position in post-Soviet states,” according to Gemini.
It added that with willing accomplices, FIN7 would be forced to share a percentage of ransom payments – but “FIN7’s fake company scheme enables the operators of FIN7 to obtain the talent that the group needs to carry out its criminal activities, while simultaneously retaining a larger share of the profits.”
System Administrators
Given FIN7’s increased interest in ransomware, Bastion Secure is likely specifically looking for system administrators, Gemini speculated. Those skills would include the ability to map compromised companies’ systems, identify users & devices within the systems, & locate backup servers & files.
“FIN7 operators could obtain the initial access through their well-documented phishing & social-engineering methods, or by purchasing access on Dark Web forums from a large pool of vendors,” according to Gemini.
“Once the system administrator mapped out the system & identified backups, FIN7 could then escalate to the next step in the malware & ransomware infection process.”
Bastion Secure
FIN7 has gone to great lengths for credibility for its fake company, starting with the name, Bastion Secure, which Gemini pointed out is remarkably close to the name of a real company specialising in physical security called Bastion Security.
The company’s office addresses, meanwhile, are lifted from a real but now-closed office for the legitimate Bastion Security, & 3 real office buildings that contain multiple businesses in Hong Kong, Moscow & Tel Aviv.
Then, there is the website. Gemini found that the malicious company’s web presence is just a copy of Convergent Network Solutions’ site (though it is hosted on a Russian domain registrar favoured by cyber-criminals called Beget – a potential red flag).
Google Search
A quick Google search may be enough to convince someone that the fake Bastion Secure is legitimate.
“The criminal group used true, publicly available information from various legitimate cyber-security companies to create a thin veil of legitimacy around Bastion Secure,” according to the report.
“In effect, FIN7 is adopting disinformation tactics so that if a potential hire or interested party were to fact-check Bastion Secure, then a basic search on Google would return ‘true’ information for companies with a similar name or industry to FIN7’s Bastion Secure.”
Legitimate-Appearing
Bastion Secure also posts legitimate-appearing job offers on both its own website & prominent job-search sites in post-Soviet states, according to the report. It is also happy to provide reputable-seeming references for additional credibility.
“In the past several months, Bastion Secure has posted job offerings for system administrators on job search sites & added new vacancies for PHP, Python, & C++ programmers & reverse engineers on their website,” according to Gemini researchers.
“On these job sites, Bastion Secure provides sufficiently professional information to appear legitimate & includes purported office information & a phone number.”
Steps to Recruitment
The report detailed FIN7’s careful recruitment & grooming of security staff, based on the source who went through the process. The effort involves 3 stages.
1st Stage: Interview Process
Based on the experience of Gemini’s source, the 1st stage of the hiring process offers no indication that something is wrong, researchers stated.
1st, an “HR representative” tells the target that they have reviewed the target’s CV & are interested in hiring them as an IT specialist. After that, the rep sets up a normal-seeming 1st-stage interview – albeit via messages on Telegram (potentially a red flag).
After completing the interviews, the source is told what to expect for next steps:
- Complete several test assignments before beginning on a ‘probationary’ basis
- Sign a contract & non-disclosure agreement
- Configure a computer by installing several virtual machines & opening ports
2nd Stage: Practice Tests
The 2nd stage of the hiring process did not really flag Bastion Secure as a cyber-criminal operation either, according to the source: The target is simply instructed to install certain platforms & conduct a series of practice assignments that Gemini noted would be typical for the position.
The software was supposedly licensed to “Checkpoint Software,” which of course attempts to ‘pass-off’ the name of legitimate company Check Point. However, the firm’s analysis uncovered that the tools provided are actually components of the infamous remote access trojan (RAT) Carbanak, & a recently developed RAT called Lizar/Tirion.
There were a few “things that make you go hmmm” moments: For 1, the company warned of big fines if the source installed antivirus software on the virtual machine; & for 2, the source was told that employees are required to use specific tools to avoid detection.
3rd Stage: ‘Real’ Assignment (aka Real Hacking)
In the 3rd stage, Bastion Secure offers the target a “real” assignment with a “client company” to work on. This is where the veneer fell apart for the source, according to Gemini.
“It became immediately clear that the company engaged in criminal activity,” researchers explained.
“The task would have been to use a script to collect information on domain administrators, domain trust relationships, file shares, backups & hypervisors…. Bastion Secure provided access to the company’s network without any legal documentation or explanation.”
Gemini’s source noted that this, combined with the red flags from earlier in the hiring process, indicated that something criminal was going on.
Masquerading as Legitimate
It is unclear how successful Bastion Secure has been so far, but it is continuing its endeavours: Its website & job listings are still up & running, according to Gemini.
Masquerading as being involved in legitimate security activities is a bit of a tried-&-tested (& hugely ironic) tactic for FIN7.
In May, for instance, the Lizar RAT was discovered spreading under the guise of being a Windows pen-testing tool for ethical hackers. In that case, FIN7 was pretending to be a legitimate organisation that hawks a security-analysis tool.
BI.ZONE
Before that, security company BI.ZONE observed it pushing Carbanak under the guise of the package being a tool from cyber-security stalwarts Check Point or Forcepoint, just as Bastion Secure does.
As far back as 2018, the US Department of Justice found FIN7 posing as “Combi Security,” another fake cybersecurity company, to involve unaware IT specialists in its carding campaigns.
The tactic is also not specific to FIN7, though it has been used to achieve different outcomes. Earlier this year, a N. Korean advanced persistent threat (APT) group called Zinc, which has links to the more notorious APT Lazarus, mounted 2 separate attacks looking to infect security researchers with malware.
Media Platforms
In Jan., the group used elaborate social-engineering efforts through Twitter & LinkedIn, as well as other media platforms like Discord & Telegram, to set up trusted relationships with researchers by appearing to themselves be legitimate researchers interested in offensive security.
Specifically, the attackers initiated contact by asking researchers if they wanted to collaborate on vulnerability research. They demonstrated their own credibility by posting videos of exploits they had worked on, including faking the success of a working exploit for an existing, patched Windows Defender vulnerability that had been exploited as part of the massive SolarWinds attack.
Visual Studio Project
Eventually, after much correspondence, the attackers provided the targeted researchers with a Visual Studio project infected with malicious code that could install a backdoor onto their system. Victims could also be infected by following a malicious Twitter link.
Zinc was back at it in April, using some of the same social-media tactics but adding Twitter & LinkedIn profiles for a fake company called “SecuriElite,” which purported to be an offensive security firm located in Turkey. The company claimed to offer pen tests, software-security assessments, & exploits, & purported to actively recruit cyber-security personnel via LinkedIn.
Not a New Tactic
While it is not a new tactic, this latest case pushes the envelope on truthiness, Gemini noted.
“Not only is FIN7 looking for unwitting victims on legitimate job sites, but also attempting to obfuscate its true identity as a prolific cyber-criminal & ransomware group by creating a fabricated web presence through a largely legitimate-appearing website, professional job postings, & company info pages on Russian-language business development sites,” the report concluded.