CyberSecurity SEE

DiceLoader Malware Targets Corporate Businesses


FIN7, a threat group of Russian-speaking members, has been engaging in illegal activities and masquerading as a company recruiting IT experts since 2015. They have targeted retail, hospitality, and food service industries across the United States, the United Kingdom, Australia, and France. The group has also formed affiliations with other infamous threat actors such as BlackBasta, Lockbit, Darkside, and REvil.

The FIN7 group uses a range of malware in their operations, with their primary toolset being “Carbanak”. This toolset includes various types of malware, such as loaders, ransomware, and backdoors, along with a significant portion of custom malware.

DiceLoader, a small but dangerous malware known to be used by FIN7, is still being employed by the threat group. It is injected into processes by a PowerShell script that applies its own obfuscation. Despite its small size, DiceLoader is capable of carrying out several malicious functions.

One of DiceLoader's first tasks is to set up the primary data structures and mechanisms used by its later execution. It creates empty linked lists that connect the parts of the program and organize its data in memory. Once these structures and mechanisms are in place, the loader starts multiple threads and begins processing incoming TCP packets from its C2 servers.

DiceLoader's obfuscation methods are intricate and aim to hide its C2 configuration, its network communication, and the information it gathers about the victim system. These methods rely on XOR operations with both fixed and dynamic keys, which makes the malware's activities harder to detect and analyze.

DiceLoader also collects system information from victims and generates a unique identifier by concatenating various data points and hashing the result. This fingerprint is then sent to the C2 server, allowing the threat actors to identify and target specific victims.

In response to these findings, researchers have delved deeper into how DiceLoader operates, including building a fake C2 server to better understand the communication and data exchange between the malware and its C2 infrastructure.

The activities and methods of FIN7 pose a significant threat to multiple industries across several countries. As such, researchers and cybersecurity experts are continuously monitoring and analyzing the operations of this group to develop countermeasures and protect potential targets from their malicious activities. It is imperative for organizations to remain vigilant and prioritize cybersecurity measures to mitigate the risks posed by FIN7 and similar threat actors.
