FireEye - Hacking the Street

FireEye names the group FIN4.
Its operations began in mid-2013.

Main corporate targets

On multiple occasions, FIN4 has targeted several parties involved in a single business deal, to include law firms, consultants, and the public companies involved in negotiations.

  • Public healthcare and pharmaceutical companies listed on the NYSE and NASDAQ
  • Consulting firms (consultants)
  • Law firms
  • Investment banks (mainly their M&A business)

Main individual targets

FIN4 focuses on acquiring information about ongoing M&A discussions and identifying the individuals who are most likely involved.

  • C-level executives and senior leadership
  • Legal counsel
  • Regulatory, risk, and compliance personnel
  • Researchers
  • Scientists
  • People in other advisory roles

FIN4’s campaign codes illustrate their interest in the organizations and job roles most likely to have access to market-moving information before it goes public.

Attack methods

The group frequently employs M&A-themed and SEC-themed lures with Visual Basic for Applications (VBA) macros implemented to steal the usernames and passwords of these key individuals. Additionally, FIN4 has included links to fake Outlook Web App (OWA) login pages designed to capture the user’s credentials.

  • VBA macros
  • Outlook phishing (fake Outlook Web App login pages)

The aim is to gain access to the targets' email accounts.

Recycling and reuse

Many of FIN4's lures appeared to be stolen documents from actual deal discussions that the group then weaponized and sent to individuals.

VBA macros (see the Appendix of the report for the detailed VBA analysis)

After identifying a target, FIN4 frequently embeds VBA macros into a previously stolen Office document. The embedded macro displays a dialog box that mimics the Windows Authentication prompt for the user to enter their domain credentials.

Why healthcare and pharmaceutical companies

We believe FIN4 heavily targets healthcare and pharmaceutical companies as stocks in these industries can move dramatically in response to news of clinical trial results, regulatory decisions, or safety and legal issues. In fact, many high-profile insider trading cases involve the pharmaceutical sector. We’ve observed FIN4 access information on a wide variety of issues—including drug development, insurance reimbursement rates, and pending legal cases—all of which can significantly influence the price of healthcare industry stocks.

Some of the C2 domains

  • lifehealthsanfrancisco2015[.]com
  • outlookscansafe[.]net
  • outlookexchange[.]net

Defence

  1. Block the domains listed above.
  2. Treat access from Tor exit nodes as an indicator of illicit logins.

The access from Tor exit nodes can serve as an indicator of the group's illicit logins.
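Both defensive steps above can be turned into a simple log check. The following is an added example (not code from the FireEye report): it matches the three C2 domains quoted on this page and flags successful OWA logins from Tor exit nodes, using a hypothetical flat log format, a constructed exit-node list, and constructed sample log lines.

```python
import re

# The three C2 domains quoted on this page, in the report's defanged form.
FIN4_C2_DOMAINS = ["lifehealthsanfrancisco2015[.]com",
                   "outlookscansafe[.]net", "outlookexchange[.]net"]

# Constructed Tor exit-node addresses (RFC 5737 test ranges); a real
# deployment would load the current Tor exit list instead.
TOR_EXIT_NODES = {"198.51.100.7", "203.0.113.42"}

# Hypothetical flat log format assumed here:
#   <timestamp> <src_ip> <user> <event> <target> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

def refang(domain):
    """Turn the report's defanged 'example[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").lower().rstrip(".")

BLOCKED = {refang(d) for d in FIN4_C2_DOMAINS}

def matches_c2(host):
    """True if host is a listed C2 domain or a subdomain of one."""
    host = refang(host)
    return any(host == d or host.endswith("." + d) for d in BLOCKED)

def check_line(line):
    """Return an alert string for a suspicious log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, user, event, target, status = m.groups()
    if event in ("dns", "http") and matches_c2(target):
        return f"{ts} {user}@{src} contacted FIN4 C2 domain {refang(target)}"
    if event == "owa_login" and status == "success" and src in TOR_EXIT_NODES:
        return f"{ts} OWA login for {user} from Tor exit node {src}"
    return None

def scan(lines):
    """Run every line through check_line and keep only the alerts."""
    return [alert for alert in map(check_line, lines) if alert]

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2014-11-01T09:12:44Z 10.0.0.5 jdoe owa_login - success
2014-11-01T09:13:02Z 10.0.0.5 jdoe dns outlookscansafe.net ok
2014-11-01T11:40:10Z 198.51.100.7 asmith owa_login - success
2014-11-01T11:41:03Z 203.0.113.42 asmith owa_login - failure
2014-11-01T12:00:00Z 10.0.0.9 bwong http mail.outlookexchange.net 200
""".splitlines()
```

Calling scan(SAMPLE_LOG) yields three alerts: the DNS lookup of outlookscansafe.net, the successful OWA login from the Tor exit node, and the HTTP request to a subdomain of outlookexchange.net; the failed login from the second exit node is not reported.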

References

[1] Hacking the Street? FIN4 Likely Playing the Market

[2] A similar case in China: "从一条微博揭秘'专黑大V名人'的定向攻击" (Uncovering a targeted attack on "big-V" celebrities from a single Weibo post)