APT FIN7 Targeted Businesses with SEC Spear-Phishing Emails

According to research conducted by Cisco’s Talos team, Advanced Persistent Threat (APT) group “FIN7” is targeting specific US businesses in a highly sophisticated spear-phishing campaign. FIN7 used a compromised US state government server – which has since been taken offline – to send spear-phishing emails appearing to be from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The emails contained malicious Microsoft Word attachments that used Dynamic Data Exchange (DDE) to perform code execution and initiate a DNSMessenger malware infection on the targeted system. The documents contained logos and language consistent with documents originating from the SEC. After it was opened, a pop-up indicated that the document contained links that may refer to other files and asked the user to update the document. If the user allowed the external content, the document retrieved code from a remote command-and-control (C2) server to execute the malware infection. The actors heavily obfuscated their activities by using a multi-stage infection chain and through the use of DDE and Domain Name System (DNS) commands for C2 communications. The NJCCIC recommends all security professionals review the Cisco Talos report and scan for the indicators of compromise (IoCs) provided to determine whether malicious activity associated with FIN7 has been observed within their networks. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.