Author: Maël Le Touz
2. Customer impact
This campaign is focused on U.S. companies and English-speaking individuals. FIN7 are known for their aggressiveness, creative use of social media, blackmailing, and threatening to disclose victims’ personal data.[1]
3. Campaign analysis
Some emails in this campaign claim to contain bills from Tinder or T-Mobile. Other emails claim to be from the U.S. government and to contain new regulations and vaccination requirements related to Covid-19. The emails are sent a) to large groups rather than specific targets, and b) from a variety of free or inexpensive email providers rather than from a single, attacker-controlled domain.
The relatively low volume of emails we observed since 21 August was interrupted by a large spike from 12 to 15 September. On 14 September, the volume had increased by over 1400 percent.
4. Attack chain
When executed, the malware uses a WMI query to collect the IP address, active network interface, hostname, DNS configuration, and other information about the machine. It waits for two minutes and then sends this data to its C&C over a randomly chosen URL. If the C&C responds, the malware sleeps for a random period, then polls the C&C again in a loop, waiting for commands. The main loop also prepares a WScript object for receiving and executing future payloads. Public reports suggest that the C&C queries whoami on the local machine and tries to determine whether the user has administrative privileges.
Rather than exchanging traffic with its C&C as plain text, the malware uses a custom XOR encryption routine with a random encryption key. The malware chooses URLs for its C&C at random, from a list of defined variables. These URLs end with img, new, or pictures, so they might appear innocuous to unsuspecting targets. The malware also delays its actions frequently, probably to avoid detection and to keep from triggering antimalware on the victim’s machine.
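The behaviours above translate into two hunting checks a defender can run over endpoint and proxy telemetry: a script host (the WScript object) spawning whoami, and a host repeatedly contacting URL paths that end in img, new, or pictures. The PowerShell below is an added example written for this page, not code from the original report or from any vendor; the record layouts (Sysmon-style process-creation fields, a proxy record with source host and request path) and every sample value are constructed for illustration.

```powershell
# Added hunting example, not code from the original report. It applies the
# behaviours described in section 4 to hand-constructed sample records:
#   - process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage)
#   - web-proxy records with a source host, destination host and request path
# Field names and sample values are assumptions for illustration.

$ScriptHosts   = @('wscript.exe', 'cscript.exe')
$ReconBinaries = @('whoami.exe')
# The report states that the C&C URLs end with img, new or pictures.
$BeaconPath    = '/(img|new|pictures)/?$'

function Find-ScriptHostRecon {
    param([Parameter(Mandatory)][object[]]$ProcessEvents)
    foreach ($e in $ProcessEvents) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($e.Image).ToLower()
        # A script host launching whoami matches the privilege check the C&C performs.
        if ($ScriptHosts -contains $parent -and $ReconBinaries -contains $child) {
            [pscustomobject]@{
                Time   = $e.Time
                Host   = $e.Computer
                Rule   = 'ScriptHostSpawnsRecon'
                Detail = "$parent -> $child $($e.CommandLine)"
            }
        }
    }
}

function Find-BeaconingHosts {
    param(
        [Parameter(Mandatory)][object[]]$ProxyRecords,
        [int]$MinHits = 3   # one hit is noise; the malware polls its C&C in a loop
    )
    $suspect = $ProxyRecords | Where-Object { $_.Path -match $BeaconPath }
    foreach ($group in ($suspect | Group-Object SourceHost, DestinationHost)) {
        if ($group.Count -lt $MinHits) { continue }
        $times = $group.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object
        # Griffon randomises its sleep, so report the spread of gaps rather than
        # looking for a fixed period.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        [pscustomobject]@{
            SourceHost      = $group.Group[0].SourceHost
            DestinationHost = $group.Group[0].DestinationHost
            Hits            = $group.Count
            Paths           = ($group.Group.Path | Sort-Object -Unique) -join ','
            MinGapSec       = [int]($gaps | Measure-Object -Minimum).Minimum
            MaxGapSec       = [int]($gaps | Measure-Object -Maximum).Maximum
        }
    }
}

# Constructed sample data (not real telemetry).
$ProcessEvents = @(
    [pscustomobject]@{ Time = '2021-09-14T10:02:07'; Computer = 'WS01'; ParentImage = 'C:\Windows\System32\wscript.exe'; Image = 'C:\Windows\System32\whoami.exe';  CommandLine = 'whoami /groups' }
    [pscustomobject]@{ Time = '2021-09-14T10:05:11'; Computer = 'WS02'; ParentImage = 'C:\Windows\explorer.exe';        Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
)
$ProxyRecords = @(
    [pscustomobject]@{ Time = '2021-09-14T10:00:05'; SourceHost = 'WS01'; DestinationHost = '203.0.113.10'; Path = '/a7f3/img' }
    [pscustomobject]@{ Time = '2021-09-14T10:02:40'; SourceHost = 'WS01'; DestinationHost = '203.0.113.10'; Path = '/91c0/new' }
    [pscustomobject]@{ Time = '2021-09-14T10:06:12'; SourceHost = 'WS01'; DestinationHost = '203.0.113.10'; Path = '/b22e/pictures' }
    [pscustomobject]@{ Time = '2021-09-14T10:01:00'; SourceHost = 'WS02'; DestinationHost = '198.51.100.7'; Path = '/static/pictures/logo.png' }
)

Find-ScriptHostRecon -ProcessEvents $ProcessEvents | Format-Table -AutoSize
Find-BeaconingHosts  -ProxyRecords  $ProxyRecords  | Format-Table -AutoSize
```

On the sample data, WS01 is flagged by both checks while WS02 is not: its only "pictures" request is a static asset whose path does not end in the suffix. The path pattern alone would be noisy in production, which is why the second check requires repeated contact between the same source and destination; pairing it with the process-creation check gives a much stronger signal.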
5. Vulnerabilities and mitigation
Because the malware does not exploit any vulnerabilities but relies on user interaction and default Windows file associations, organizations can follow these recommendations to prevent falling victim to Griffon:
- Disable AutoRun and AutoPlay in Windows.
- Remove the default file associations for .js, .vbs, .hta, .ws, .bat, .ps1, .scr, and other extensions commonly abused by threat actors, and configure them so that a double-click opens the file in a text editor rather than executing it.
- Do not open attachments that are unexpected or come from unfamiliar senders.
- Before opening an attachment, confirm with the purported sender that the file is safe to open.
- Make sure that user accounts in the organization do not have administrative privileges.
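The first two recommendations map onto well-known Windows registry settings. The PowerShell below is an added hardening example for this page, not code from the original report: it sets the NoDriveTypeAutoRun policy value that the "Turn off AutoPlay" policy uses, remaps the extensions listed above to the built-in txtfile handler so a double-click opens Notepad, and includes a check function that reports which extensions still resolve to an executing handler. The value name used to save the previous ProgId is an invented label.

```powershell
# Added hardening example, not code from the original report. It applies two
# of the recommendations above through standard Windows registry settings:
#   1. disable AutoRun/AutoPlay for all drive types (NoDriveTypeAutoRun = 0xFF)
#   2. point the listed script extensions at the txtfile handler, so a
#      double-click opens Notepad instead of the script host
# Run elevated: HKCR writes land in HKLM\Software\Classes and apply to all users.
#Requires -RunAsAdministrator

# Extensions named in the report; extend the list as your environment needs.
$ScriptExtensions = '.js', '.vbs', '.hta', '.ws', '.bat', '.ps1', '.scr'
$AutoRunKey       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$BackupValueName  = 'Hardening_PreviousProgId'   # invented name, used only to make the change reversible

function Disable-AutoRun {
    if (-not (Test-Path $AutoRunKey)) { New-Item -Path $AutoRunKey -Force | Out-Null }
    # 0xFF covers every drive type; this is what the "Turn off AutoPlay: All drives" policy sets.
    Set-ItemProperty -Path $AutoRunKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Set-ScriptExtensionsToNotepad {
    foreach ($ext in $ScriptExtensions) {
        $key = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        # Record the original ProgId (e.g. JSFile, VBSFile) before replacing it.
        if ($current -and $current -ne 'txtfile') {
            Set-ItemProperty -Path $key -Name $BackupValueName -Value $current
        }
        Set-ItemProperty -Path $key -Name '(default)' -Value 'txtfile'
    }
}

function Test-ScriptExtensionHardening {
    # Reports the effective machine-wide ProgId for each extension.
    foreach ($ext in $ScriptExtensions) {
        $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Extension      = $ext
            ProgId         = $progId
            OpensInNotepad = ($progId -eq 'txtfile')
        }
    }
}

Disable-AutoRun
Set-ScriptExtensionsToNotepad
Test-ScriptExtensionHardening | Format-Table -AutoSize
```

Two caveats worth checking after deployment. A per-user "Open with" choice stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice overrides the HKCR mapping for that user, so the check above should be complemented by an inspection of that key on workstations where users have changed defaults. The remapping only affects double-click and ShellExecute behaviour; a script launched explicitly through wscript.exe or cscript.exe still runs, which is why the report's last recommendation, keeping users out of the administrators group, still matters.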