Hackers Target U.S. Restaurants Using Clever Phishing Emails
In a June 9 blog post, Morphisec Lab said it "identified a new, highly sophisticated fileless attack targeting restaurants across the United States. The ongoing campaign allows hackers to seize system control and install a backdoor to steal financial information at will."
Morphisec Lab attributes the malware to FIN7, a group associated with other damaging attacks on banks, SEC personnel, large restaurant chains and hospitality organizations.
Like previous FIN7 attacks, a malicious Word document is attached to a phishing email that is well-tailored to the target's daily operations. In this case, restaurants seem to be receiving documents with file names such as menu.rtf, Olive Garden.rtf or Chick Fil A Order.rtf. However, while previous attacks used PowerShell commands and DNS queries to deliver the next shellcode stage (Meterpreter), in the most recent attack all DNS activity is initiated and executed solely from memory.
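The two behaviours described above, a phishing document spawning PowerShell and DNS queries used to carry the next stage, both leave telemetry a defender can key on. The following is an added example (not code from Morphisec or the original post) of endpoint detection logic run over constructed sample events: it flags an Office process that spawns a script host, and a single process issuing a burst of DNS queries with long, high-entropy leftmost labels under one parent domain. The event schema, process names, thresholds and the `update-cdn.example` domain are assumptions made for this example; catching the in-memory variant depends on a telemetry source that ties each DNS query to the requesting process (Sysmon Event ID 22 is one such source).

```python
"""Added example: detections for Office-spawned script hosts and DNS-based staging.

The event format and sample data below are constructed for this example and do
not follow any real product's schema.
"""
import hashlib
import math
from collections import defaultdict

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character: random hex is ~3.5-4.0, 'www' is near 0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def office_spawns_script_host(events):
    """Return process-creation events where an Office app is the parent of a script host."""
    return [
        e for e in events
        if e["type"] == "process"
        and e["parent"].lower() in OFFICE_PROCESSES
        and e["image"].lower() in SCRIPT_HOSTS
    ]


def dns_staging_suspects(events, min_queries=20, min_label_len=24, min_entropy=2.5):
    """Return {pid: (parent_domain, query_count)} for processes whose DNS traffic
    looks like data carried in subdomains: many queries to one parent domain,
    most of them with a long, high-entropy leftmost label."""
    per_pid = defaultdict(lambda: defaultdict(list))  # pid -> parent domain -> leftmost labels
    for e in events:
        if e["type"] != "dns":
            continue
        labels = e["query"].rstrip(".").split(".")
        if len(labels) < 3:
            continue  # need at least one label below the registered domain
        parent = ".".join(labels[-2:])
        per_pid[e["pid"]][parent].append(labels[0])

    suspects = {}
    for pid, domains in per_pid.items():
        for parent, labels in domains.items():
            if len(labels) < min_queries:
                continue
            long_random = [
                lab for lab in labels
                if len(lab) >= min_label_len and shannon_entropy(lab) >= min_entropy
            ]
            # Require the bulk of the burst to carry random-looking labels, not just a few
            if len(long_random) >= 0.8 * len(labels):
                suspects[pid] = (parent, len(labels))
    return suspects


def _hex_label(i: int) -> str:
    """Deterministic 32-char hex label standing in for an encoded payload chunk (constructed)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:32]


# Constructed sample telemetry: Word opened from Explorer, Word spawning PowerShell,
# a browser, 25 staging-style DNS queries from the PowerShell pid, 30 benign lookups.
SAMPLE_EVENTS = (
    [
        {"type": "process", "pid": 1001, "parent": "explorer.exe", "image": "WINWORD.EXE"},
        {"type": "process", "pid": 1002, "parent": "WINWORD.EXE", "image": "powershell.exe"},
        {"type": "process", "pid": 500, "parent": "explorer.exe", "image": "chrome.exe"},
    ]
    + [{"type": "dns", "pid": 1002, "query": f"{_hex_label(i)}.update-cdn.example"} for i in range(25)]
    + [{"type": "dns", "pid": 500, "query": "www.example.com"} for _ in range(30)]
)

if __name__ == "__main__":
    for e in office_spawns_script_host(SAMPLE_EVENTS):
        print(f"ALERT office->script host: pid {e['pid']} {e['parent']} -> {e['image']}")
    for pid, (parent, count) in dns_staging_suspects(SAMPLE_EVENTS).items():
        print(f"ALERT DNS staging pattern: pid {pid}, {count} queries under {parent}")
```

The entropy and label-length thresholds are deliberately conservative so that CDN and telemetry hostnames with short or dictionary-like labels are not flagged; tune `min_queries` to the baseline of the environment before deploying the rule.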
According to Morphisec Lab, "the detection score on VirusTotal for all of the documents continues to be 0/56 from the time the first documents were uploaded (1.6.2017) up until the date of this [blog post]. This means the attackers successfully bypass static analysis by most of the security solutions."
To read the blog post in full: http://blog.morphisec.com/fin7-attacks-restaurant-industry