Financial cybercrime group abuses Windows app compatibility feature

The FIN7/Carbanak gang deploys fake application compatibility patches to inject malicious code into other processes

When Microsoft made it possible for enterprises to quickly resolve incompatibilities between their applications and new Windows versions, it didn't intend to help malware authors as well. Yet, this feature is now abused by cybercriminals for stealthy and persistent malware infections.

The Windows Application Compatibility Infrastructure allows companies and application developers to create patches, known as shims. These consist of libraries that sit between applications and the OS and rewrite API calls and other attributes so that those programs can run well on newer versions of Windows.

Shims are temporary fixes that can make older programs work even if Microsoft changes how Windows does certain things under the hood. They can be deployed to computers through Group Policy and are loaded when the target applications start.

Shims are described in special database files called SDBs that get registered on the OS and tell Windows when they should be executed. Security researchers have warned at security conferences in the past that this functionality can be abused to inject malicious code into other processes and achieve persistence, and it seems the attackers were listening.

Security researchers from FireEye have recently seen the shim technique used by a group of financially motivated cybercriminals known in the security industry as FIN7 or Carbanak. Since 2015, this group has stolen between US$500 million and $1 billion from hundreds of financial organizations worldwide.

FIN7 has recently diversified its targets and in March launched a spear-phishing campaign that targeted personnel involved with U.S. Securities and Exchange Commission (SEC) filings at organizations from multiple sectors, including financial services, transportation, retail, education, IT services, and electronics.

In an even more recent FIN7 attack detected by FireEye, the group used a PowerShell script to register a rogue shim database for services.exe, a legitimate Windows process. This ensured that its malicious shim code started on every system reboot and injected the Carbanak backdoor into the Windows Service Host (svchost.exe) process.

The group used the same technique to install a tool for harvesting payment card details from compromised systems, the FireEye researchers said in a blog post. "This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access."

In the attack seen by FireEye, the rogue shim database masqueraded as a Windows update using the description: Microsoft KB2832077. This Microsoft Knowledge Base (KB) identifier does not correspond to any legitimate patch, so finding a reference to it in the system registry or in the list of installed programs can be a sign that the computer was compromised by FIN7.

To detect shim attacks, the FireEye researchers recommend monitoring for new files in the default shim database directories, monitoring for changes in registry keys related to shim database registrations and monitoring for processes that call the "sdbinst.exe” utility.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?