FIN7 Targets New Windows 10 Functionality - Security Boulevard


Over the past few weeks, Morphisec Labs researchers identified a couple of dozen documents that execute the GRIFFON JavaScript delivery backdoor. Following our investigation, we identified a strong similarity to FIN7's attack methodology.

FIN7 is one of the most active adversaries around and has carried out a significant number of fileless attacks over the past few years. We have been tracking this financially motivated threat actor for some time; in 2017 and 2018, for example, we tracked its campaigns against the restaurant industry, which is consistent with its financial motivation.

This time we identified the use of the latest version of the Remote Desktop ActiveX control class, introduced with Windows 10. FIN7 uses the ActiveX control to trigger execution of the malicious macro automatically once the victim enables the document's content.

As new features are introduced to a constantly updating OS, detection vendors have to update their techniques to cover them. This is often exhaustive and time-consuming work, which can have the opposite effect of pushing defenders even farther behind the attacker. FIN7 has yet again taken advantage of the opportunity such a change presents.

While tracing FIN7's abuse of the Remote Desktop ActiveX control, we also identified other groups misusing the same and earlier versions of the control, although with a slightly different technique.

Technical details


Most of the targeted documents followed the naming convention "i<7-9 random digits>.doc". Each document usually contained an image meant to convince the target to enable content, which leads to execution of the malicious macro; this time, however, the image also hid an ActiveX control positioned slightly below it. The GRIFFON JavaScript backdoor itself is hidden in white-colored text between the document's visible content, so it is invisible to a human reader but readable by code.

Fin7 02-28 image 1


Examining the ActiveX control revealed the MsRdpClient10NotSafeForScripting class (the Remote Desktop client control). Its Server field is left empty, which later causes a connection error that the attackers deliberately abuse to get their own code executed.

Fin7 02-28 image 2


Inspection of the macro revealed an interesting trigger method, "<name>_OnDisconnected", which is the first function to execute. It does not run immediately, because the control first spends time trying to resolve the empty server name via DNS before returning an error. GRIFFON will execute only if the error number matches disconnectReasonDNSLookupFailed (260) exactly: the wscript command that launches it is concatenated with a combination of characters derived from a calculation on the error number, so any environment in which the control reports a different reason code (or none at all) never assembles the correct command.

Fin7 02-28 image 3


Fin7 02-28 image 4


Fin7 02-28 image 5

Going over the documentation for MsRdpClient10 reveals that the class is not available on workstations that have not been updated to Windows 10, so on older systems the control never loads and the trigger never fires.

Fin7 02-28 image 6

As soon as GRIFFON has been written out as a BAT file, the file is executed and the Word document is closed.

Fin7 02-28 image 7


Fin7 02-28 image 8

The BAT file then re-invokes wscript on its own content. This is an old polyglot trick that relies on comment syntax: the lines that open and close a comment from the script engine's point of view are treated by the BAT interpreter as unrecognized commands and disregarded (their errors ignored), while wscript, or any other interpreter that honors the same comment syntax, skips the batch commands together with the comment that wraps them.
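As an added example, not code from the original post or from the samples it describes, here are two triage heuristics in PowerShell covering the macro trigger described in the earlier section and the BAT/JScript polyglot described here. The sample inputs are constructed stand-ins in the shape the post describes, with no payload; the indicator names and the function names Test-RdpActiveXMacro and Test-BatJsHybrid are my own. Feed Test-RdpActiveXMacro the VBA text you get from olevba or the VBA editor, and Test-BatJsHybrid the dropped .bat as text.

```powershell
# Added example (not from the original post, not FIN7 code): triage heuristics
# for the two artefacts described above. Sample inputs below are constructed.

function Test-RdpActiveXMacro {
    <# Scores VBA source (e.g. olevba output) for the trigger pattern: an
       <control>_OnDisconnected handler that gates on DisconnectReason 260 and
       then launches a script host. Emits the names of the indicators matched. #>
    param([Parameter(Mandatory)][string]$VbaSource)

    $rules = [ordered]@{
        'ondisconnected-handler' = '(?im)^\s*(Private\s+|Public\s+)?Sub\s+\w+_OnDisconnected\s*\('
        'reason-260-gate'        = '(?i)\b(discReason|DisconnectReason|disconnectReasonDNSLookupFailed)\b[^\r\n]*\b260\b'
        'script-host-launch'     = '(?i)\b(wscript|cscript)(\.exe)?\b'
        'process-launch'         = '(?i)\bShell\s*[\("]|CreateObject\s*\(\s*"WScript\.Shell"'
        'closes-document'        = '(?i)ActiveDocument\.Close|Application\.Quit'
        # The control's class name normally lives in the document's ActiveX
        # storage rather than in the VBA; kept for reports that inline it.
        'rdp-activex-class'      = 'MsRdpClient\d*NotSafeForScripting|MsTscAx'
    }
    foreach ($name in $rules.Keys) {
        if ($VbaSource -match $rules[$name]) { $name }
    }
}

function Test-BatJsHybrid {
    <# Flags a .bat whose leading lines are a JScript comment or conditional-
       compilation block and which re-executes itself through the script host
       with a forced engine, i.e. the polyglot described above. #>
    param([Parameter(Mandatory)][string]$BatchText)

    $head = ($BatchText -split "`r?`n" | Select-Object -First 5) -join "`n"
    if ($head -match '(?m)^\s*/\*|@if\s*\(@\w+\s*==\s*@\w+\)\s*@then') { 'js-comment-header' }
    if ($BatchText -match '(?i)\b(wscript|cscript)(\.exe)?\b[^\r\n]*//e:jscript[^\r\n]*%(~f)?0') { 'self-reexec-as-jscript' }
    if ($BatchText -match '(?i)2>\s*nul') { 'stderr-suppressed' }
}

# Constructed sample VBA in the shape the post describes (payload omitted).
$sampleVba = @'
Private Sub RdpControl_OnDisconnected(ByVal discReason As Long)
    If discReason = 260 Then
        Shell "wscript.exe """ & Environ("TEMP") & "\stage.bat""", vbHide
        ActiveDocument.Close SaveChanges:=False
    End If
End Sub
'@

# Constructed sample of a batch/JScript polyglot: cmd.exe treats "/*" as an
# unrecognised command (error hidden by 2>nul), runs the chained commands and
# exits before reaching the JScript; wscript sees lines 1-2 as one block
# comment and runs what follows.
$sampleBat = @'
/* 2>nul & @echo off & wscript //nologo //e:jscript "%~f0" & exit /b
*/
WScript.Echo("jscript body runs here");
'@

Test-RdpActiveXMacro -VbaSource $sampleVba
Test-BatJsHybrid     -BatchText $sampleBat
```

The regexes are deliberately loose; treat any hit on the handler plus the 260 gate as worth a manual look rather than as a verdict, since a legitimate RDP-control form can have an OnDisconnected handler too.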

Fin7 02-28 image 9-1

Once the JavaScript is beautified, we are back to the same old GRIFFON obfuscation pattern.

Fin7 02-28 image 10


Keeping the operating system up to date is necessary for security, but it is not sufficient: this GRIFFON example shows that a fully updated OS can itself introduce the functionality an attacker needs. Even with an updated OS, there remains a need for preventive measures such as attack surface reduction, moving target defense, and hardening.
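One concrete attack surface reduction for the technique above, as an added example that is not part of the original post: enumerate every Remote Desktop ActiveX class registered on the host (all classes served by mstscax.dll, which covers the earlier versions other groups were seen abusing as well as MsRdpClient10) and set the ActiveX kill bit for them. The function names are mine. The script assumes an elevated PowerShell session, that the Office COM Compatibility and Internet Explorer ActiveX Compatibility keys are the kill-bit lists Microsoft documents (Compatibility Flags = 0x400), and that Office on the host honours them for controls embedded in documents. It also breaks legitimate use of the RDP ActiveX control (for example the legacy RD Web Access client), so validate on a test machine first.

```powershell
# Added example (not from the original post): list the RDP ActiveX classes
# registered on this host and, on request, kill-bit them for Office and IE.
# Assumes an elevated session; uses only the documented kill-bit locations.

function Get-RdpActiveXClass {
    <# Lists every COM class whose in-process server is mstscax.dll, i.e. all
       registered Remote Desktop ActiveX control versions (MsTscAx, MsRdpClient,
       ... MsRdpClient10 and their NotSafeForScripting variants), in both the
       64-bit and 32-bit registry views. #>
    $views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
    $found = foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::ClassesRoot, $view)
        $root = $base.OpenSubKey('CLSID')
        if ($null -eq $root) { $base.Close(); continue }
        foreach ($clsid in $root.GetSubKeyNames()) {
            $inproc = $root.OpenSubKey("$clsid\InprocServer32")
            if ($null -eq $inproc) { continue }
            $dll = [string]$inproc.GetValue('')
            $inproc.Close()
            if ($dll -notmatch 'mstscax\.dll') { continue }
            $key = $root.OpenSubKey($clsid)
            [pscustomobject]@{
                Clsid = $clsid
                Name  = [string]$key.GetValue('')
                Dll   = $dll
                View  = "$view"
            }
            $key.Close()
        }
        $root.Close(); $base.Close()
    }
    $found | Sort-Object Clsid, View
}

function Set-ActiveXKillBit {
    <# Sets Compatibility Flags = 0x400 (the kill bit) for a CLSID in the Office
       COM Compatibility list and the Internet Explorer ActiveX Compatibility
       list, in both the native and WOW6432Node hives. Supports -WhatIf. #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Clsid)
    process {
        $roots = @(
            'HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office\Common\COM Compatibility',
            'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
        )
        foreach ($root in $roots) {
            # Skip the 32-bit redirected hive on hosts that do not have one.
            if ($root -like '*WOW6432Node*' -and -not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node')) { continue }
            $key = Join-Path $root $Clsid
            if ($PSCmdlet.ShouldProcess($key, 'set Compatibility Flags = 0x400')) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
            }
        }
    }
}

$classes = Get-RdpActiveXClass
$classes | Format-Table Clsid, Name, View -AutoSize
# Dry run first; apply only once you have confirmed nothing on the host needs
# the RDP ActiveX control.
$classes | Set-ActiveXKillBit -WhatIf
# $classes | Set-ActiveXKillBit
```

If kill-bitting individual classes is too fine-grained for your estate, the blunter control is the Office Trust Center ActiveX setting "Disable all controls without notification", which can be pushed by Group Policy; the kill bit has the advantage of leaving other controls working.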

Hundreds of other objects have been introduced in the latest Windows 10 update, and the object described here exposes dozens more methods that sophisticated attackers could abuse. Every new feature may bring additional opportunities for exploitation, but that is outside the scope of this post.
*** This is a Security Bloggers Network syndicated blog from Morphisec Moving Target Defense Blog authored by Michael Gorelik. Read the original post at:
