Recent attacks associated with the financially-motivated threat group FIN7 were using an application shim database to achieve persistence on systems, FireEye security researchers discovered.
The actor, also referred to as the “Carbanak Group,” has been active since 2015, and was associated with multiple incidents in 2017, in some of which the Carbanak backdoor was used. The group is believed to have hit hundreds of financial organizations worldwide, and to have stolen upwards of $1 billion.
Earlier this year, FIN7 was observed using a new PowerShell backdoor dubbed POWERSOURCE in a series of fileless attacks that were eventually associated with an attack framework used by other cybercriminals. Last month, the group was said to have adopted new phishing techniques.
FireEye now says that the group is using a “shim” to inject a malicious in-memory patch into the Services Control Manager (“services.exe”) process, and then spawn a Carbanak backdoor process. The same technique is used to install a payment card harvesting utility for persistent access, the security firm said.
Shims are small patches that application developers can create through the Windows Application Compatibility Infrastructure, and are mainly used for compatibility purposes for legacy applications. Designed for legitimate use, shims can intercept APIs (via hooking), change the parameters passed, handle the operation itself, or redirect the operation elsewhere, and can be abused for malicious purposes.
As part of their attack, the FIN7 hackers used a custom Base64 encoded PowerShell script to run the sdbinst.exe utility and register a custom shim database file (SDB) containing a patch. Next, they wrote an “.sdb” file to the 64-bit shim database default directory, and create specific registry keys for the shim database, which had the description “Microsoft KB2832077.”
The SDB file could patch both the 32-bit and the 64-bit versions of “services.exe” with the Carbanak payload when the process was executed at startup and contained shellcode for the first stage loader. This linked to a second stage shellcode that launched the Carbanak DLL, which spawned an instance of Service Host (svchost.exe) and injected itself into it.
To stay protected, organizations are advised to monitor their environments for new shim database files created in the default shim database directories (C:\Windows\AppPatch\Custom and C:\Windows\AppPatch\Custom\Custom64) and for registry key creation and/or modification events for HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB. They should also monitor process execution events and command line arguments for malicious use of the sdbinst.exe utility, FireEye said.