Discover and read the best of Twitter Threads about #FIN7

Most recent (8)

As reported by @KorbenD_Intel, the initial PowerShell script uses the DeflateStream method to decompress the zip in memory and extract it. This executes the second layer, which is heavily obfuscated. More than 70 functions are used to reorder the data for the sensitive strings and the implant.
Once removed, this extracts, from another deflated stream, the content of the x64 PE, which is still in memory in a MemoryStream. This is finally loaded by a reflective method.
The x64 implant extracts the configuration from the ".text" section of the PE to get the C2. It then initiates the sockets after getting the system info (computer name, username, network card info ...).
Read 6 tweets
I started playing Pokémon Go with my kids at the start of the COVID-19 pandemic.

I can’t believe how many #infosec Pokémon we’ve caught so far.

Here’s a quick thread – please add since I’m missing many.

First up: I definitely appreciate that they included #FIN7 in this game
That last one was much harder to capture than these Iranian TTP Pokémon.
This #infosec Pokémon is an absolute thug. It’s fun every year & a new one is appearing soon #flareon7
Read 8 tweets
OK so this is my last week at @Mandiant / @FireEye 😢

Here's the truth:
♥️ Joining Mandiant was the best decision of my career – the people & company have been SO good to me
🧠 Many of the brilliant minds in security are here & we have FUN every day

💻🔍 There is no better professional #infosec experience than responding to the intrusions that matter & defending at-scale alongside awesome people. If you have the chance to work here – .
🗓️ One year here is worth many more in experience. So here are some highlights:
☕️ Doing LRs & writing decoders during my first Mandiant breach response - with #APT17's HIKIT & also BLACKCOFFEE malware using technet for C2:…
💰 I was fortunate to lead the first IR for the group that would come to be known as #FIN7
Read 9 tweets
Just in time for the holidays: #StateoftheHack swag 🖱️👕

You'll never look better enabling those macros. #DailyWoolDrop 😉…
Most recent order: 3 shirts 👕
with the anonymous message: “Just in time to gift one to Hass, Jimbo, and Oleg, your comrade Andy.” 😂
#FIN7 / Combi Security shirt order extended until tomorrow, #CyberMonday2019:… Final cutoff.
All of our new Combi Security “employees” should be receiving their on-boarding packages soon!
There is simply no better shirt to wear to your local payment card-processing establishment! #FIN7 🍟🏨🎰🏪🏦
Read 5 tweets
🎟️🍿Movie Night: "Between Two Steves"

@cglyer & I chat with the top two Steves from #AdvancedPractices 🦅: @stonepwn3000 & @stvemillertime to talk about the front-line technical stories and research presented at the 2019 #FireEyeSummit.
@cglyer @stonepwn3000 @stvemillertime 🗣️
• tracking the groups and techniques that matter
• recent #FIN7 events:…
• recent #AdvancedPractices team research, including PDB dossier & summit talks on proactive identification of C2, deep code signing research, and rich header hunting at scale...
We highlight a favorite talk
🍎 𝗟𝗶𝘃𝗶𝗻𝗴 𝗼𝗳𝗳 𝘁𝗵𝗲 𝗢𝗿𝗰𝗵𝗮𝗿𝗱 🍎
by @williballenthin, @nicastronaut, @HighViscosity
revealing TTPs & artifacts left behind from the million mac engagement…
We kinda want to do a full #StateOfTheHack on that one...
Read 5 tweets
🤙💰 Mahalo FIN7:…
• On several ongoing investigations we saw #FIN7 trying to retool 🏄🏼
• Used DLL search order hijacking of a legit POS management utility with a signed backdoor (0 detections on VirusTotal)
• Hunting for #BOOSTWRITE and #RDFSNIFFER 💳
.@josh__yoder & I stayed up much of the night to get this blog out.
The signed #BOOSTWRITE sample is still undetected by static VT scanners:…
We were fair on why that is and how that doesn't fully represent detection posture.
Then we provided hunting rules.
#FIN7's code signing certificate is purportedly from Mango Enterprise Limited in the UK.
Prob not theirs - based on the street address, I suspect there's more car theft than certificate theft 😜:…

We analyze & discuss how to find the certificate anomalies!
Read 7 tweets
Hey I recognize that #AdvancedPractices 🦅 hoodie!

I had a tiny cameo in this 1st part of
a new series highlighting #DFIR/researchers
"hacker:HUNTER - Cashing In"

I expect the series will have #CARBANAK twists & turns + plenty of #FIN7 payment card theft
@FireEye @TmrwUnlocked "It's very hard to arrest a piece of code." -@stefant
📺 hacker:HUNTER - Cashing In Finale
Showcases the challenges of pursuing & meaningfully impacting fragmented cybercrime group operations.
Also answers the question: "will Nick have a shorter cameo?" 🤣
Read 4 tweets
In light of the #FIN7 "Combi Security" DOJ indictment, we've released our massive technical post and indicator release:…

We reveal new information from @Mandiant IRs about the extent of FIN7's crimes, their innovative techniques, & how to find them today.
#FIN7 targeted other financial data when they encountered encryption in POS networks. New information today - and certainly helped stack up the charges against Combi Security.

Also @BarryV @stvemillertime first shared SEC filing targeting in March 2017:…
Crime doesn't pay. Unless you worked for Combi Security, in which case it paid a pretty decent wage for Russian/Ukrainian "pen testers" 😄

Sidenote: @FireEye's red team is hiring but their operations *are* authorized and the only payment card hijinks is over who expenses dinner.
Read 8 tweets