This is a good example of knowing your intended target and providing the right context to increase perceived legitimacy, e.g. capitalizing on Microsoft’s recent announcement of Windows 11. Specifically, I thought the following items were interesting and relevant to our upcoming discussion on reconnaissance.
The FIN7 script checked for, and terminated itself, if the following were found on the victim’s machine:
- Eastern European languages in use
- Running within a virtual environment such as VMware or VirtualBox
The items above would be atypical for their ideal victim. Stopping the script when the above criteria are met helps avoid detection by security researchers and extends the lifespan of the attack.
https://thehackernews.com/2021/09/fin7-hackers-using-windows-11-themed.html
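As an added example (editorial addition, not code from the article or from anyone in this thread), here is a small defender-side triage heuristic: given strings pulled out of a dropped script, it flags the combination the post describes, an environment check (Eastern European locale IDs or VMware/VirtualBox artifacts) paired with early self-termination. The indicator patterns and the sample string list are assumptions constructed for illustration.

```python
"""Triage extracted script strings for sandbox/locale evasion indicators.

Added example: the patterns below are assumed heuristics that mirror the
behaviour described in the thread, not signatures taken from the FIN7 sample.
"""
import re

INDICATORS = {
    # Windows locale / keyboard-layout queries and common Eastern European locale IDs
    "locale_check": [
        r"GetUserDefaultUILanguage", r"GetKeyboardLayout", r"Get-WinSystemLocale",
        r"\b(ru-RU|uk-UA|be-BY|kk-KZ)\b",
    ],
    # Strings commonly used to fingerprint a virtual machine
    "vm_check": [r"(?i)\bvmware\b", r"(?i)virtualbox", r"(?i)\bvbox\b", r"(?i)\bqemu\b"],
    # Early self-termination after a check
    "self_terminate": [r"(?i)\bexit\b", r"(?i)\bquit\b", r"(?i)\bterminateprocess\b"],
}


def scan_script(text: str) -> dict:
    """Return each indicator category that appears, with the matching strings."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = sorted({m.group(0) for p in patterns for m in re.finditer(p, text)})
        if found:
            hits[category] = found
    return hits


def is_evasive(hits: dict) -> bool:
    """Flag only when an environment check is paired with an early exit."""
    return "self_terminate" in hits and ("locale_check" in hits or "vm_check" in hits)


# Constructed sample: strings as a tool like `strings` might pull from a dropped script.
SAMPLE_STRINGS = [
    "Get-WinSystemLocale", "ru-RU", "uk-UA", "Win32_ComputerSystem",
    "VMware", "VirtualBox", "WScript.Quit", "http://placeholder.invalid/stage2",
]


def triage(strings: list) -> tuple:
    """Run the scan over a list of extracted strings; returns (hits, verdict)."""
    hits = scan_script("\n".join(strings))
    return hits, ("evasive" if is_evasive(hits) else "no-evasion-indicators")


if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS))
```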
It’s not unusual that the threat actor groups are so bold in their victimization of industries. A great number of these are coming from Eastern Europe. While arrests continue to happen (most recently Fedir Hladyr, a FIN7 hacker, was sentenced to 10 years in prison for orchestrating attacks against POS systems in Europe), the risks of working for such organizations don’t seem to matter. The article I posted this week was essentially Ransomware as a Service being advertised to the masses via blogs, forums, interviews, etc. They literally have “representatives” to “sell” their “product”.
The attacks get smarter and the attackers get bolder and the consumer/victim is at more risk than ever.
Good point Vanessa. You’ll also find that a lot of times the reason these groups exclude a region from their scripts is that they reside there. Excluding the country in which the bad actors currently live makes it more difficult for the individuals to be brought to justice, because they are targeting only other countries and so would have to be extradited. Also, keeping it vague by excluding multiple Eastern European countries means they are not advertising only one specific country, which would indicate that this might be the country in which they live.