Using a lure that relates to a lawsuit against the owners of Jack Daniels whiskey, a cybercriminal group launched a campaign that may be an indication of future ransomware attacks.
After law enforcement imprisoned some of FIN7's core members, the cybercrime gang rebranded and has now launched a new campaign. It uses a legal complaint involving Jack Daniels' parent company as a lure.
The hackers compromised at least one law firm by posing as a client and then pushing a remote-access trojan known as JSSLoader, researchers said.
“One of the victims of the malicious legal complaint campaign was a law firm,” researchers said in a posting this week. “The lure successfully bypassed the law firm’s email filters, and it was not detected as suspicious by any of the firm’s employees.”
The ultimate goal of the campaign is not clear. The access it provides could be used to infiltrate point-of-sale systems and steal sensitive information. FIN7 uses a variety of techniques to infiltrate systems and steal sensitive data, and it has also added ransomware attacks to its mix.
“It is plausible that proficient financial cybercrime groups, such as FIN7, are providing initial access to seasoned ransomware groups, such as REvil (aka Sodinokibi), Ryuk, etc. as a way to monetize their access,” according to TRU.
Despite the imprisonment of several of the group's members, researchers said that FIN7's infrastructure is still going strong. The main download server uses the domain browm-forman[.]com. TRU recently observed the registration of a new lookalike domain within this web of infrastructure, brown-formam[.]com, on June 9, which may indicate an impending new campaign that uses the Jack Daniels case as a lure.
“While in-the-wild use has not been observed, the registration and TLS certificate patterns match the previous landing page,” researchers said. “We assess this domain will replace the prior one given that it has been exposed publicly.”
Researchers noted that in the Brown-Forman case, FIN7 threat actors also registered the infrastructure months before TRU saw it in action.
“Either the attackers were using it for months before eSentire saw the activity, or they weaponized it after a period of time to evade email filtering by newly registered domains. If that is the case, this shows a degree of planning and sophistication on the part of FIN7.”
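The two infrastructure observations above, a one-character lookalike of the brand domain and a domain that may have been aged before use, suggest a simple defender-side triage: compare the registrable label of each observed domain against a brand watchlist by edit distance, and combine that with a domain-age check so that an aged domain does not slip past a newly-registered-domain (NRD) filter alone. The following is an added example, not code from the article or from eSentire; it assumes brown-forman.com is the legitimate brand domain, and the watchlist, registration dates and observation dates are constructed for illustration.

```python
"""Flag lookalike (typosquat) domains against a brand watchlist and combine
the result with a domain-age check (added example; constructed data)."""
from datetime import date

# Constructed watchlist: brand domains a defender wants to protect.
# brown-forman.com is assumed to be the legitimate corporate domain.
WATCHLIST = ["brown-forman.com", "jackdaniels.com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'browm-forman[.]com' back into a hostname."""
    return domain.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def registrable_label(domain: str) -> str:
    """Return the second-level label, e.g. 'browm-forman' for 'browm-forman.com'.
    Deliberately naive: assumes a single-label public suffix such as .com."""
    parts = refang(domain).rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_matches(domain: str, watchlist=WATCHLIST, max_distance: int = 2):
    """Return (brand, distance) pairs for every watched brand whose label is
    within max_distance edits of the observed label, excluding exact matches."""
    label = registrable_label(domain)
    hits = []
    for brand in watchlist:
        d = levenshtein(label, registrable_label(brand))
        if 0 < d <= max_distance:
            hits.append((brand, d))
    return hits


def domain_age_days(registered: date, observed: date) -> int:
    """Days between registration (e.g. from WHOIS/RDAP) and first observation."""
    return (observed - registered).days


def triage(domain: str, registered: date, observed: date, nrd_threshold_days: int = 30):
    """Combine both signals. An NRD check alone misses a domain that was
    registered months earlier and aged; the lookalike check still catches it."""
    hits = lookalike_matches(domain)
    age = domain_age_days(registered, observed)
    return {
        "domain": refang(domain),
        "lookalike_of": [brand for brand, _ in hits],
        "age_days": age,
        "newly_registered": age < nrd_threshold_days,
        "suspicious": bool(hits) or age < nrd_threshold_days,
    }


if __name__ == "__main__":
    # Constructed dates: the first domain is aged before use, the second is fresh.
    samples = [
        ("browm-forman[.]com", date(2021, 1, 1), date(2021, 6, 9)),
        ("brown-formam[.]com", date(2021, 6, 9), date(2021, 6, 10)),
        ("example.com", date(2010, 1, 1), date(2021, 6, 10)),
    ]
    for dom, reg, seen in samples:
        print(triage(dom, reg, seen))
```

In practice the watchlist would be the organisation's own brands and suppliers, the registration date would come from WHOIS or RDAP, and the edit-distance threshold would be tuned per label length so that short brand names do not produce a flood of near matches.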