Clever spear-phishing emails hit employees involved in SEC filings

FireEye has flagged a sophisticated spear-phishing campaign hitting US-based businesses with emails purportedly coming from the US Securities and Exchange Commission (SEC).

phishing SEC filings

The emails look like they’ve been sent by a SEC employee, address the recipients by name, and urge them to download a Word document containing important changes regarding Form 10-K, an annual financial performance report required by the organization.

The malware

The malicious attachment drops two PowerShell backdoors.

One is fileless and resides in the target machine’s memory, and the other is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. Both use DNS TXT queries to keep in touch with the C&C server and the attackers, just like the DNSMessenger backdoor/RAT recently analyzed by the Cisco Talos team.

“In some cases, we identified a Cobalt Strike Beacon payload being delivered via [the backdoors],” the researchers noted. “This particular Cobalt Strike stager payload was previously used in operations linked to FIN7.”

FIN7 is the identifier the company uses for a specific cybercriminal group that has operated for years, and is usually after sensitive financial data.

“We observed that the same domain hosting the Cobalt Strike Beacon payload was also hosting a CARBANAK backdoor sample compiled in February 2017. CARBANAK malware has been used heavily by FIN7 in previous operations,” they added.

The attack

This was not a mass-email operation. The attackers targeted very specific persons: employees that are involved with SEC filings for their respective organizations. This information was, in most cases, pulled from past SEC filings.

The researchers say that 11 companies in the financial services, transportation, retail, education, IT services, and electronics sectors were targeted, but it’s more than likely that other companies have also been hit.

“We have not yet identified FIN7’s ultimate goal in this campaign, as we have either blocked the delivery of the malicious emails or our FaaS team detected and contained the attack early enough in the lifecycle before we observed any data targeting or theft,” they noted.

“However, we surmise FIN7 can profit from compromised organizations in several ways. If the attackers are attempting to compromise persons involved in SEC filings due to their information access, they may ultimately be pursuing securities fraud or other investment abuse. Alternatively, if they are tailoring their social engineering to these individuals, but have other goals once they have established a foothold, they may intend to pursue one of many other fraud types.”