FireEye calls Shim-anigans: Bank-raiding hackers switch tactics
Game's the same, just got more fierce, apparently
A group of money-grabbing cybercrooks have switched up their tactics in a pretty interesting way, we're told. Buckle up and let us explain.
FIN7, whose stock in trade is targeting financial institutions through phishing emails, previously relied on a malicious Windows service to plant the Carbanak backdoor on targeted systems.
Recently, the group has switched to using shim databases to achieve the same aim, according to FireEye Mandiant.
The shim injects a malicious in-memory patch into the Service Control Manager (“services.exe”) process on Windows, to essentially install a Carbanak backdoor. As before, the end game is to gain a foothold on compromised systems before harvesting payment card details.
The group's move from its previous reliance on spear-phishing to a more DevOps-slanted approach is an example of how so-called advanced persistent threat (APT) attacks evolve over time.
An application compatibility shim is a small library that transparently intercepts an API (via hooking), changes the parameters passed, handles programmed operations, or redirects the operation elsewhere, such as towards additional code stored on a system.
Shims are currently used predominantly to achieve compatibility with legacy applications. While shims serve a legitimate purpose, they can also be used nefariously. FIN7's modified tactics are uncommon but not unprecedented.
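Because a custom shim database is registered through documented locations (the AppCompatFlags registry keys that sdbinst.exe writes, and the .sdb files under %WINDIR%\AppPatch\Custom), a defender can audit a host for the technique described above. The following PowerShell script is an added example, not code from the article or from FireEye Mandiant: it lists every registered database, shows which executables have a shim applied to them, looks for .sdb files on disk that no registry entry references, and flags anything attached to services.exe, the process the article names as the target. It assumes the standard registration locations are used; the value names it reads (DatabaseDescription, DatabasePath, DatabaseInstallTimeStamp) are those that sdbinst.exe creates, and a database registered some other way may carry fewer of them, which the script tolerates.

```powershell
# Added example (not from the article or FireEye Mandiant): audit a Windows host
# for custom application-compatibility shim databases. Run from an elevated
# PowerShell session.

$base      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$installed = Join-Path $base 'InstalledSDB'   # one GUID-named subkey per registered .sdb
$custom    = Join-Path $base 'Custom'         # one subkey per shimmed executable

$findings = @()

# 1. Every registered database, with its description, on-disk path and install time.
if (Test-Path $installed) {
    Get-ChildItem $installed | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        $findings += [pscustomobject]@{
            Source      = 'InstalledSDB'
            Id          = $_.PSChildName
            Name        = $p.DatabaseDescription
            Path        = $p.DatabasePath
            InstalledAt = if ($p.DatabaseInstallTimeStamp) {
                              [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp)
                          } else { $null }
            Exists      = if ($p.DatabasePath) { Test-Path $p.DatabasePath } else { $false }
        }
    }
}

# 2. Which executables are shimmed: under Custom, each subkey is an executable name
#    and each value name is the GUID (plus ".sdb") of a database applied to it.
if (Test-Path $custom) {
    Get-ChildItem $custom | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($valueName in $_.GetValueNames()) {
            $findings += [pscustomobject]@{
                Source = 'Custom'; Id = $valueName; Name = $exe
                Path = $null; InstalledAt = $null; Exists = $null
            }
        }
    }
}

# 3. Database files on disk that no InstalledSDB entry references: either dropped
#    and registered in a non-standard way, or left behind after a removal.
$dirs = @("$env:windir\AppPatch\Custom", "$env:windir\AppPatch\Custom\Custom64")
$registered = @($findings | Where-Object Path | ForEach-Object { $_.Path.ToLower() })
foreach ($d in $dirs) {
    if (Test-Path $d) {
        Get-ChildItem $d -Filter *.sdb -File | ForEach-Object {
            if ($registered -notcontains $_.FullName.ToLower()) {
                $findings += [pscustomobject]@{
                    Source = 'Orphan file'; Id = ''; Name = $_.Name
                    Path = $_.FullName; InstalledAt = $_.CreationTime; Exists = $true
                }
            }
        }
    }
}

# Report everything, then call out a shim attached to services.exe specifically.
$findings | Sort-Object Source, Name | Format-Table -AutoSize

$hits = @($findings | Where-Object { $_.Source -eq 'Custom' -and $_.Name -ieq 'services.exe' })
if ($hits.Count -gt 0) {
    Write-Warning ("Shim database(s) registered against services.exe: " + ($hits.Id -join ', '))
} else {
    Write-Output 'No shim database is registered against services.exe.'
}
```

On a typical workstation the InstalledSDB key is empty or holds only vendor-supplied entries with a matching file under AppPatch\Custom, so any entry targeting a core system process, any entry whose .sdb file is missing, or any orphan file is worth a closer look; the install timestamp helps tie a finding to the rest of a timeline.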
More details on FIN7's change-up in tactics can be found in a blog post by FireEye Mandiant here. ®