Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques | Mandiant
Common Information
Type Value
UUID 99a1e804-5e84-4a17-ae78-e4cd6c3d7356
Fingerprint ee1482be013d9fe5
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 10, 2019, midnight
Added to db Nov. 6, 2023, 7:06 p.m.
Last updated Nov. 17, 2024, 5:57 p.m.
Headline Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques
Title Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques | Mandiant
Detected Hints/Tags/Attributes 79/3/13
RSS Feed
Id: 330
Feed title: Threat Intelligence
Url: https://www.mandiant.com/resources/blog/rss.xml
Added to db: 2024-08-30 22:08
Attributes
Type                            #Events  Value
File                            9        dwrite.dll
File                            1        pe32.dll
File                            1        dwriteimpl.dll
File                            1        module_ls.dll
File                            17       malware.bin
File                            1        ary.dll
md5                             1        a67d6e87283c34459b4660f19747a306
md5                             1        af2f4142463f42548b8650a3adf5ceb2
IPv4                            2        109.230.199.227
Pdb                             1        f:\projects\dwriteimpl\release\dwriteimpl.pdb
Threat Actor Identifier - FIN   377      FIN7
Yara rule (1 event):
rule ConventionEngine_BOOSTWRITE {
	meta:
		author = "Nick Carr (@itsreallynick)"
		reference = "https://www.fireeye.com/blog/threat-research/2019/08/definitive-dossier-of-devilish-debug-details-part-one-pdb-paths-malware.html"
	strings:
		// CodeView RSDS record: 4-byte "RSDS" signature, 16-byte GUID and 4-byte age
		// (the 20 wildcard bytes), then a NUL-terminated PDB path with a "DWriteImpl"
		// directory somewhere in it. Matched case-insensitively.
		$weetPDB = /RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00/ nocase
	condition:
		// "MZ" at offset 0, "PE\0\0" at e_lfanew (the uint32 stored at 0x3C), the PDB path, and a size cap
		(uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and $weetPDB and filesize < 6MB
}
Yara rule (1 event):
import "pe"

rule Exports_BOOSTWRITE {
	meta:
		author = "Steve Miller (@stvemillertime) & Nick Carr (@itsreallynick)"
	strings:
		$exyPants = "DWriteImpl.dll" nocase
	condition:
		// Resolve the export directory RVA to a file offset, read the Name RVA that sits
		// 12 bytes into IMAGE_EXPORT_DIRECTORY, resolve that too, and require the exported
		// DLL name to start exactly at that offset (so the match is the export name, not a
		// stray string elsewhere in the file).
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and $exyPants at pe.rva_to_offset(uint32(pe.rva_to_offset(pe.data_directories[pe.IMAGE_DIRECTORY_ENTRY_EXPORT].virtual_address) + 12)) and filesize < 6MB
}
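The two YARA conditions above are easier to trust once you have walked the PE structures they rely on by hand. The following is an added example, not code from the Mandiant post or its authors: it re-implements both rules in plain Python (the RSDS/PDB regex and the export-directory name check, including the RVA-to-file-offset translation that pe.rva_to_offset performs) and runs them against a constructed PE32+ image. That image, its section layout (one section at RVA 0x1000, file offset 0x200) and the "benign.dll" negative case are assumptions made for the demo; the only page-derived inputs are the export name DWriteImpl.dll and the PDB path f:\projects\dwriteimpl\release\dwriteimpl.pdb.

```python
import re
import struct

# Added example, not from the Mandiant post: plain-Python versions of the two YARA
# conditions, plus a constructed (fake) PE image to run them on. All layout constants
# of the sample are assumptions for the demo only.

SIX_MB = 6 * 1024 * 1024  # YARA's "filesize < 6MB" (MB is 2**20 in YARA)

# Same pattern as $weetPDB in ConventionEngine_BOOSTWRITE, as a case-insensitive byte regex.
WEET_PDB = re.compile(
    rb"RSDS[\x00-\xFF]{20}[a-zA-Z]?:?\\[\\\s|*\s]?.{0,250}\\DWriteImpl[\\\s|*\s]?.{0,250}\.pdb\x00",
    re.IGNORECASE,
)


def u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def is_pe(data):
    """uint16(0) == 0x5A4D ("MZ") and uint32(uint32(0x3C)) == 0x00004550 ("PE\\0\\0")."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = u32(data, 0x3C)
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def section_headers(data):
    """Yield (VirtualAddress, SizeOfRawData, PointerToRawData) for each section."""
    e_lfanew = u32(data, 0x3C)
    coff = e_lfanew + 4                    # IMAGE_FILE_HEADER follows the 4-byte PE signature
    nsec = u16(data, coff + 2)
    opt_size = u16(data, coff + 16)
    first = coff + 20 + opt_size           # section table follows the optional header
    for i in range(nsec):
        off = first + 40 * i
        yield u32(data, off + 12), u32(data, off + 16), u32(data, off + 20)


def rva_to_offset(data, rva):
    """What pe.rva_to_offset does: map an RVA through the section table to a file offset."""
    for va, raw_size, raw_ptr in section_headers(data):
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    return None


def export_dll_name(data):
    """Read IMAGE_EXPORT_DIRECTORY.Name (the "+ 12" in Exports_BOOSTWRITE) and return the DLL name."""
    e_lfanew = u32(data, 0x3C)
    opt = e_lfanew + 24
    magic = u16(data, opt)                                  # 0x10B = PE32, 0x20B = PE32+
    data_dirs = opt + (112 if magic == 0x20B else 96)       # IMAGE_DATA_DIRECTORY array
    export_rva = u32(data, data_dirs)                       # entry 0 = IMAGE_DIRECTORY_ENTRY_EXPORT
    if export_rva == 0:
        return None
    export_off = rva_to_offset(data, export_rva)
    if export_off is None:
        return None
    name_off = rva_to_offset(data, u32(data, export_off + 12))
    if name_off is None:
        return None
    return data[name_off:data.index(b"\0", name_off)].decode("ascii", "replace")


def matches_convention_engine(data):
    return is_pe(data) and len(data) < SIX_MB and WEET_PDB.search(data) is not None


def matches_exports(data):
    name = export_dll_name(data) if is_pe(data) else None
    return len(data) < SIX_MB and name is not None and name.lower() == "dwriteimpl.dll"


def build_sample(dll_name=b"DWriteImpl.dll", pdb_path=rb"f:\projects\dwriteimpl\release\dwriteimpl.pdb"):
    """Constructed PE32+ image with one section (RVA 0x1000 -> file offset 0x200).
    It carries only an export directory name and an RSDS record; it is not executable code."""
    sec_rva, sec_off = 0x1000, 0x200
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, sec_rva + 40, 1, 0, 0, 0, 0, 0))
    body += dll_name + b"\0"                                   # Name RVA (sec_rva + 40) points here
    body += bytes(-len(body) % 16)
    body += b"RSDS" + bytes(16) + struct.pack("<I", 1) + pdb_path + b"\0"  # sig, GUID, age, path
    body += bytes(-len(body) % 0x200)
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)        # e_lfanew = 0x40 at offset 0x3C
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                       # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, 40)             # export directory RVA / size
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_off, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return headers + bytes(sec_off - len(headers)) + bytes(body)


if __name__ == "__main__":
    hit = build_sample()
    miss = build_sample(b"benign.dll", rb"c:\build\benign.pdb")   # constructed negative case
    print("export name:", export_dll_name(hit), "/", export_dll_name(miss))
    print("ConventionEngine_BOOSTWRITE:", matches_convention_engine(hit), matches_convention_engine(miss))
    print("Exports_BOOSTWRITE:", matches_exports(hit), matches_exports(miss))
```

Two caveats carry over to the real rules: rva_to_offset here bounds each section by SizeOfRawData, so an RVA that only exists in virtual (uninitialised) space resolves to nothing, which is also why a packed or memory-only sample can fail the Exports rule while still matching the PDB regex; and the PDB regex deliberately uses `.{0,250}` twice, so it tolerates build trees that move DWriteImpl up or down a few directories at the cost of some backtracking on large files.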