Exploring Cyber Threats and Threat Actors in the Financial Sector: A Comprehensive Study

Abstract: This paper discusses the recent activities of financially motivated threat actors and gathers IOCs and threat intelligence on them. Common TTPs are mapped for 18 FIN threat actor groups, along with known mitigations, using the MITRE ATT&CK framework. In particular, FIN7 is discussed in detail, including the lifecycle of the Qakbot malware; malware samples are analyzed with static analysis to gather IOCs, and Snort and YARA detection rules are drafted for Qakbot. The Diamond Model, the Cyber Kill Chain and the Pyramid of Pain are applied to Qakbot, and the mitigations are mapped to the MITRE ATT&CK framework. Threat intelligence is gathered on the 1000 latest Qakbot samples to examine the most commonly used delivery methods and malware file types, and a timeline analysis is conducted. OpenCTI and Cuckoo Sandbox are used to give an overall analysis of financially motivated threat actors.


Introduction
The financial sector faces an ever-evolving and complex cyber threat landscape. In recent years, attacks on the financial and banking industry have grown in both frequency and sophistication, and the financial sector was the second most impacted sector by number of breaches last year. According to the IBM Cost of a Data Breach Report 2023 [1]:
• The global average cost of a data breach in 2023 was USD 4.45 million, 15% more than in 2020.
• 51% of organizations plan to increase security investments as a result of a breach.
• Organizations with extensive use of security AI and automation saw an average breach cost USD 1.76 million lower than those without.
The report has covered the same selection of 17 industries for multiple years. Of those 17 industries, the financial industry accounted for 14% of the breaches studied. Refer to the diagram below, taken from the report.

Figure 2: Distribution of the sample by Industry
More information on the data breaches of 2023 can be found in the IBM report [1].

Risks faced by the financial sector:
Based on the Cybersecurity and Financial System Resilience Report, cybersecurity ranked at the top of the list of potential risks and emerging threats affecting the U.S. economy. The report called out Ransomware-as-a-Service (RaaS) and sophisticated Distributed Denial-of-Service (DDoS) attacks as the biggest risks to financial institutions' ability to operate and to safeguard customer data. The report highlights: "The rising number of advanced persistent threats increases the potential for malicious cyber activity within the financial sector. These threats may result in incidents that affect one or more participants in the financial services sector simultaneously and have potentially systemic consequences. Such incidents could affect the ability of targeted firms to provide services and conduct business as usual, presenting a unique challenge to operational resilience. These incidents can also threaten the confidentiality, integrity, and availability of the targeted firm's data." [1]
Active Campaigns: In line with the above reports, our research identified many active campaigns against financial institutions. The snapshots below show active campaigns.

Our Focus:
The financial sector has witnessed a surge in cyber-attacks, which calls for a comprehensive analysis of the factors behind this trend. By examining the motivations of cybercriminals, the vulnerabilities introduced by the sector's digital transformation, and the sophisticated attack techniques employed, we can better comprehend the magnitude of the threats faced.
To highlight the significance of this research, we explore recent high-profile attacks that have impacted the financial sector. These case studies underscore the importance of proactive security measures and the potential consequences of failing to adequately protect financial institutions and their customers. Through this report, we aim to provide insights into the evolving nature of cyber threats in the financial sector, emphasizing proactive cybersecurity measures such as threat monitoring and detection, and fostering a collective effort to safeguard the integrity and stability of the financial ecosystem.

2. Our Research
2.1 APT groups
We have looked extensively at Advanced Persistent Threat (APT) groups that are motivated by financial gain, and we mapped the tactics and techniques of these groups to the MITRE ATT&CK framework. The information on these threat groups can be found in [2].

Heatmap
Since many APT groups are financially motivated, we researched the Tactics, Techniques and Procedures (TTPs) of the groups listed in Table 1 and created heatmaps of the TTPs they use.

What are TTPs?
NIST defines Tactics, Techniques and Procedures (TTPs) as "The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique." [3]

MITRE ATT&CK Heatmap:
A MITRE ATT&CK heatmap is a visual representation of the tactics, techniques, and procedures (TTPs) used by threat actors. By mapping observed behaviors onto the framework, it provides a structured way to understand and analyze threats and defenses, and it helps organizations assess their security posture and develop defensive strategies. We used Python to generate the heatmap in an Excel sheet; the Python script used to generate the MITRE ATT&CK heatmap is shown below.

Figure 3: Heatmap with Python code
The figure below is the output generated by the Python script above: a MITRE ATT&CK heatmap covering 18 distinct threat groups. Red signifies a high frequency of a tactic or technique across the groups, while blue indicates a lower frequency. This visualization helps in quickly identifying the prevalence and distribution of TTPs among the threat groups.
The next figure is a column heatmap that offers an organized view of the tactics used. Tactics are arranged in descending order of frequency, with the most used tactics in the upper sections and the less frequently used tactics lower down, giving a clear and intuitive view of how tactics are distributed across threat actors. Based on these findings, we decided to prioritize the investigation and detailed analysis of the threat actor known as FIN7. This selection rests on several factors, including FIN7's extensive use of the top tactics and techniques, which makes it a significant player in the threat landscape. Further research into FIN7's tactics, strategies, and characteristics provides valuable insights and contributes to a better understanding of its activities, ultimately enhancing our ability to defend against its threats.
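As an added example (not the paper's script, which produced the Excel heatmap in Figure 3), the following Python computes the per-technique frequency across groups that such a heatmap visualizes, buckets it into the paper's red/blue scale, and additionally emits an ATT&CK Navigator layer so the same data can be viewed in the Navigator. The group-to-technique mapping is constructed sample data with placeholder group names, not the paper's Table 1 groups; the Navigator version strings are an assumption to update for your Navigator release.

```python
"""Technique-frequency heatmap across threat groups, plus an ATT&CK Navigator layer.

Added example, not the paper's script. SAMPLE_GROUPS is CONSTRUCTED sample data
(placeholder group names), not the paper's Table 1 data; replace it with the
per-group technique lists exported from the ATT&CK group pages.
"""
import json
from collections import Counter

# Constructed sample: hypothetical groups -> ATT&CK technique IDs they use.
SAMPLE_GROUPS = {
    "group_a": ["T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486"],
    "group_b": ["T1566.001", "T1059.001", "T1003.001", "T1021.002"],
    "group_c": ["T1566.002", "T1059.001", "T1105", "T1486"],
    "group_d": ["T1566.001", "T1204.002", "T1059.001", "T1003.001"],
}


def technique_frequency(groups):
    """Count how many groups use each technique ID (a group counts once)."""
    counts = Counter()
    for techniques in groups.values():
        counts.update(set(techniques))
    return dict(counts)


def ranked_techniques(groups):
    """Techniques sorted by descending group count, ties broken by ID."""
    freq = technique_frequency(groups)
    return sorted(freq.items(), key=lambda kv: (-kv[1], kv[0]))


def heat_bucket(count, n_groups):
    """Map a raw count to the paper's colour scale: red = high, blue = low."""
    share = count / n_groups
    if share >= 0.75:
        return "high"
    if share >= 0.40:
        return "medium"
    return "low"


def heatmap_rows(groups):
    """One row per technique: (id, count, bucket, per-group 'X'/'.' cells)."""
    names = sorted(groups)
    rows = []
    for tid, count in ranked_techniques(groups):
        cells = "".join("X" if tid in groups[g] else "." for g in names)
        rows.append((tid, count, heat_bucket(count, len(groups)), cells))
    return rows


def navigator_layer(groups, name="Financially motivated groups"):
    """Build an ATT&CK Navigator layer (JSON-serialisable dict).

    Field names follow the Navigator layer format; the version strings are an
    assumption (current when this example was written) and may need updating.
    """
    freq = technique_frequency(groups)
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": f"Technique frequency across {len(groups)} groups",
        "techniques": [
            {"techniqueID": tid, "score": count, "comment": f"{count} group(s)"}
            for tid, count in sorted(freq.items())
        ],
        "gradient": {
            "colors": ["#8ec3ff", "#ffffff", "#ff6666"],  # blue -> white -> red
            "minValue": 0,
            "maxValue": len(groups),
        },
    }


if __name__ == "__main__":
    print("groups:", " ".join(sorted(SAMPLE_GROUPS)))
    for tid, count, bucket, cells in heatmap_rows(SAMPLE_GROUPS):
        print(f"{tid:<10} {count:>2}  {bucket:<6}  {cells}")
    print(json.dumps(navigator_layer(SAMPLE_GROUPS), indent=2))
```

The Navigator layer is worth producing alongside the spreadsheet: loading it into the ATT&CK Navigator gives the same red/blue gradient over the official matrix layout, and the `score` field preserves the raw group count for later filtering.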

FIN7
FIN7 is a financially motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020 FIN7 has shifted operations to a big game hunting (BGH) approach, including use of REvil ransomware and its own Ransomware-as-a-Service (RaaS), DarkSide. FIN7 may be linked to the Carbanak Group, but several groups appear to use Carbanak malware, so they are tracked separately. According to a thehackernews.com article published in 2022 [5], an exhaustive analysis of FIN7 unmasked the cybercrime syndicate's organizational hierarchy and its role as an affiliate mounting ransomware attacks. It also exposed deeper associations between the group and the larger threat ecosystem comprising the now-defunct DarkSide, REvil, and LockBit ransomware families.
The highly active group, also known as Carbanak, is known for employing an extensive arsenal of tools and tactics to expand its "cybercrime horizons", including adding ransomware to its playbook and setting up fake security companies to lure researchers into conducting ransomware attacks under the guise of penetration testing.
More than 8,147 victims have been compromised by the group across the world, with most of the entities located in the U.S.; other prominent countries include China, Germany, Canada, Italy, and the U.K. Over the years, FIN7's intrusion techniques have diversified beyond traditional social engineering to include infected USB drives, software supply chain compromise, and the use of stolen credentials purchased from underground markets.

Tools, Malware and Vulnerabilities used by FIN7:
FIN7 uses a variety of tools; PowerSploit, Mimikatz and CrackMapExec are among the tools mainly used by this group. In June 2021, FIN7 attacked a law firm with a fake complaint that appeared to come from Brown-Forman Inc., a prominent American wine and spirits company known for Jack Daniel's whiskey. The deceptive complaint served as bait to trick the law firm into downloading a version of the JSSLoader Remote Access Trojan (RAT) hidden inside an Excel file attachment.
Clever phishing lure in the form of a gift card: In a 2020 attack, FIN7 sent out physical letters purportedly from Best Buy, each containing a $50 gift card and a USB drive claimed to hold a list of items to spend it on. The USB device was identified as a "BadUSB Leonardo USB ATMEGA32U4" device, programmed to emulate a USB keyboard so that it could inject malicious commands automatically once plugged in.
Exploiting a Veeam vulnerability: A recent report highlighted FIN7's targeting of Veeam servers. The group was seen exploiting a vulnerability (CVE-2023-27532) in Veeam Backup & Replication software. Using a PowerShell script, POWERTRASH, the group deployed a backdoor called DICELOADER to perform various post-exploitation operations. The attacks involved the theft and exfiltration of credentials, network reconnaissance, and lateral movement within the compromised systems.

Table 3: FIN7 Attacks
Beyond the attacks above, FIN7 (a.k.a. Carbanak) has been linked to Black Basta. Black Basta is a ransomware operator and Ransomware-as-a-Service (RaaS) criminal enterprise that emerged in early 2022 and immediately became one of the most active RaaS threat actors in the world. This intrigued us, so we chose Black Basta as the incident for our research and started working on it.

4. Black Basta
4.1 Introduction to Black Basta
The Black Basta operator(s) use the double extortion technique: in addition to encrypting files on the systems of targeted organizations and demanding a ransom to make decryption possible, they also maintain a dark web leak site where they threaten to post sensitive information if an organization chooses not to pay.
Based on the Unit 42 report, the ransomware is written in C++ and impacts both Windows and Linux operating systems. It encrypts users' data using a combination of ChaCha20 and RSA-4096, and to speed up the encryption process it encrypts in chunks of 64 bytes, leaving 128 bytes of data unencrypted between the encrypted regions.
QBot, also known as Qakbot or Pinkslipbot, is a modular information stealer that has been active since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and as a loader that uses C2 servers for payload targeting and download.
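As an added illustration (not Black Basta code and not the paper's analysis), the following Python models the 64-byte-encrypted / 128-byte-clear layout described above and shows what it leaves recoverable: a stream cipher applied this way never touches two thirds of the file, so an analyst can carve the clear gaps without the key. The keystream is a SHA-256 counter-mode stand-in so the example needs no third-party package, and the sample document and key are constructed; Black Basta itself uses ChaCha20 with the key wrapped by RSA-4096.

```python
"""Intermittent-encryption layout as described for Black Basta: 64-byte
encrypted chunks separated by 128 unencrypted bytes.

Added example, not Black Basta code. The keystream is a SHA-256 counter-mode
STAND-IN (hashlib only) for ChaCha20; the point is the layout and what it
leaves recoverable for an analyst, not the cipher.
"""
import hashlib

ENC_LEN = 64   # bytes encrypted per chunk
GAP_LEN = 128  # bytes left in clear between chunks


def encrypted_ranges(size, enc_len=ENC_LEN, gap_len=GAP_LEN):
    """Half-open [(start, end)] byte ranges that the cipher touches."""
    ranges = []
    pos = 0
    while pos < size:
        ranges.append((pos, min(pos + enc_len, size)))
        pos += enc_len + gap_len
    return ranges


def _keystream(key, nbytes):
    """Stand-in keystream: SHA-256(key || counter) blocks (NOT ChaCha20)."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return bytes(out[:nbytes])


def apply_intermittent(data, key, enc_len=ENC_LEN, gap_len=GAP_LEN):
    """XOR keystream into the encrypted ranges only; gaps stay plaintext.
    A stream cipher is symmetric, so the same call decrypts."""
    buf = bytearray(data)
    ks = _keystream(key, len(data))
    for start, end in encrypted_ranges(len(data), enc_len, gap_len):
        for i in range(start, end):
            buf[i] ^= ks[i]
    return bytes(buf)


def plaintext_fraction(size, enc_len=ENC_LEN, gap_len=GAP_LEN):
    """Share of the file that the cipher never touches."""
    if size == 0:
        return 1.0
    encrypted = sum(e - s for s, e in encrypted_ranges(size, enc_len, gap_len))
    return 1 - encrypted / size


def recover_plaintext_fragments(encrypted_file, enc_len=ENC_LEN, gap_len=GAP_LEN):
    """Without the key, carve the untouched gap bytes as [(offset, bytes)]."""
    size = len(encrypted_file)
    frags = []
    for _, end in encrypted_ranges(size, enc_len, gap_len):
        gap_start, gap_end = end, min(end + gap_len, size)
        if gap_start < gap_end:
            frags.append((gap_start, encrypted_file[gap_start:gap_end]))
    return frags


if __name__ == "__main__":
    # Constructed sample document: repeating readable text, 1 KiB.
    original = (b"ACCOUNT 1234-5678 BALANCE 9,000.00 USD\n" * 40)[:1024]
    key = b"\x00" * 32  # placeholder key for the demo only
    locked = apply_intermittent(original, key)
    print(f"plaintext still in the clear: {plaintext_fraction(len(original)):.1%}")
    for off, frag in recover_plaintext_fragments(locked)[:2]:
        print(off, frag[:40])
    assert apply_intermittent(locked, key) == original
```

For incident response the useful consequence is the last function: even when the ChaCha20 key is gone, every 128-byte gap is intact, so structured files with redundancy (logs, CSV exports, databases) often yield usable content, and file-type signatures are destroyed only when they fall inside the first 64 bytes.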

Reference
The Qakbot/QBot references found in our research span the years 2009 to October 2023. Throughout that period Qakbot has been used in various attacks to deliver payloads and connect to C2 servers, and in some cases it facilitated lateral movement as well. The consolidated reference can be found at https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot [9].

Qakbot Malware sample
The Qakbot/QBot malware sample can be downloaded from https://bazaar.abuse.ch/sample/3c35f7163318f296b2f63bae7dfdb1037ac0a383b16d2149a455970a8e139daa/ [10]. The sample is a .zip archive containing an "Adobe Acrobat Document". The figure below shows a snapshot of the .pdf file.

Qakbot/QBot Initial Access
The initial infection chain starts with specially crafted emails sent to the target organizations. The method is less sophisticated than spear-phishing but has additional attributes that add to its credibility. One of these is "hijacked email threads": capturing archived email conversations and replying to the sender with the malicious content. Those conversations can be captured using QBot's Email Collector module. Some examples of crafted phishing emails are shown below.

Qakbot/QBot Analysis
We used the REMnux distribution to start the analysis of the downloaded Qakbot malware sample (*.pdf). Below is the step-by-step analysis we conducted on the .pdf file.
1. To understand the sample's PDF-related information, we used the "pdfid.py" tool. The snapshot below shows the command executed and the information gathered from the PDF file.
2. We found "/URI" entries in the PDF, so we used the "strings" command to see the URI embedded in the PDF file. The snapshot below shows the command executed and the URI found: https://ourloverlyday.us/xuenxavleu/xuenxavleu.gif
3. We analyzed the identified URL through https://urlhaus.abuse.ch/url/2669875/ [11]. The snapshot below shows the information gathered from that link. From the figure we can see that this PDF is Qakbot/QBot related and that the host was "Online" until 07 July 2023. The URL was also identified as being used for malware download, and the payloads associated with this URL are available at the same location; the figure below shows the information on those payloads.
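As an added example (not the paper's tooling, which used pdfid.py and strings on REMnux), the following Python reproduces the two triage steps in one place: pdfid-style counting of risky name objects and extraction of /URI targets, including the hex-string and #xx name-escape obfuscations that a plain strings run misses. SAMPLE_PDF is a constructed minimal PDF; the URI placed inside it is the one the paper recovered from its sample.

```python
"""Minimal pdfid-style triage for a PDF: count risky name objects and pull
out /URI targets, including hex-string and #xx name obfuscation.

Added example, not the paper's tooling. SAMPLE_PDF is CONSTRUCTED for the
demo; the URI inside it is the one the paper recovered with strings.
"""
import re

RISKY_NAMES = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch",
               b"/URI", b"/EmbeddedFile", b"/ObjStm")

# Constructed, minimal PDF with a Link annotation carrying a /URI action.
# The key is written as /U#52I (#52 = 'R') to show name-escape obfuscation.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100] /A 5 0 R >> endobj
5 0 obj << /S /URI /U#52I (https://ourloverlyday.us/xuenxavleu/xuenxavleu.gif) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize_names(data):
    """Undo #xx hex escapes in PDF names (e.g. /U#52I -> /URI), as pdfid does.
    Applied to the whole buffer, so this is a triage heuristic, not a parser."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data):
    """pdfid-style counts of risky names. A name ends at a delimiter, so
    /JS does not match inside /JavaScript and /A does not count as /AA."""
    data = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        pattern = re.escape(name) + rb"(?![A-Za-z0-9_.-])"
        counts[name.decode()] = len(re.findall(pattern, data))
    return counts


def _unescape_literal(s):
    """Remove the backslash escapes PDF allows in (...) literal strings."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s)


def extract_uris(data):
    """Return /URI targets written as literal (...) or hex <...> strings."""
    data = normalize_names(data)
    uris = []
    for m in re.finditer(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", data):
        uris.append(_unescape_literal(m.group(1)).decode("latin-1"))
    for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]*)>", data):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        uris.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
    return uris


def triage(data):
    """Summarise the sample. /ObjStm means objects may be hidden inside
    compressed object streams that this byte-level scan cannot see; inflate
    them (e.g. with pdf-parser.py) before trusting a clean result."""
    counts = count_keywords(data)
    active = ("/URI", "/JS", "/JavaScript", "/Launch", "/EmbeddedFile")
    return {
        "counts": counts,
        "uris": extract_uris(data),
        "has_object_streams": counts["/ObjStm"] > 0,
        "suspicious": any(counts[k] > 0 for k in active),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PDF)
    for name, n in report["counts"].items():
        print(f"{name:<14} {n}")
    print("URIs:", report["uris"])
    print("suspicious:", report["suspicious"])
```

The escape handling is the practical difference from `strings`: a lure that writes the key as `/U#52I` or the target as a hex string `<68747470...>` shows no readable URL in a strings dump but is still a live link for the viewer.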

Qakbot Execution:
After the initial analysis, we explored the PDF file and how QBot executes in our test environment. Below are the stages we identified during our analysis.
1. An HTML page drops a .zip via HTML smuggling.
2. The zip contains an ISO file.
Stage 1: Analysis of HTML
1. The malware sample downloaded earlier contains an HTML page. We analyzed the HTML page and found the variable shown in the figure below.
2. Based on a ChatGPT query [12], we understood that the variable starts with the text "UEsDB", a common starting sequence in the Base64 representation of a ZIP file (a ZIP local file header begins with the bytes "PK\x03\x04", 0x50 0x4B 0x03 0x04, whose Base64 encoding is "UEsDBA"). The information gathered from ChatGPT is summarized below.
• A ZIP file typically starts with a specific byte sequence known as a "magic number" that helps identify it. The magic number for a ZIP file is "PK" (0x50 0x4B in hexadecimal), and the Base64 representation of these bytes is "UEsD" in ASCII.
• To encode the starting sequence "PK" in Base64, convert "PK" to its hexadecimal representation, 0x50 0x4B, and encode these bytes in Base64, giving "UEs=". "UEs=" is the Base64 encoding of the ZIP starting sequence "PK". Note that this Base64 string only represents the initial bytes of the ZIP file, not the entire file.
3. We recovered the ZIP file from the text by decoding the Base64 to a file. Refer to the snapshot below on how to recover the ZIP file from the HTML page variable.
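As an added example (not the paper's procedure, which decoded the variable by hand and then unpacked the ZIP and ISO with 7z), the following Python automates Stage 1 and the listing part of Stage 2: locate Base64 runs in the HTML, keep those beginning with "UEsDB", confirm the "PK\x03\x04" local-file-header magic after decoding, and list the entries of the recovered ZIP, flagging mountable containers such as the ISO seen in this chain. The HTML page and the ZIP are constructed in build_sample_html(); the "ISO" inside is a stand-in byte string, not a real ISO 9660 image.

```python
"""Stage 1 / Stage 2 of the Qakbot chain: recover the Base64 ZIP smuggled in
an HTML page, verify it really is a ZIP, and list what it carries.

Added example, not the paper's procedure. The lure HTML and the ZIP/ISO are
CONSTRUCTED in build_sample_html(); the ISO is a stand-in byte string.
"""
import base64
import binascii
import io
import re
import zipfile

CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}  # mountable containers
ZIP_MAGIC = b"PK\x03\x04"                          # local file header; Base64 "UEsDBA"


def build_sample_html():
    """Constructed lure: a JS variable holding a Base64 ZIP that wraps an ISO."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invoice_0412.iso", b"CD001" + b"\x00" * 64)  # stand-in ISO bytes
    blob = base64.b64encode(zbuf.getvalue()).decode()
    return ("<html><body><script>\n"
            f'var file = "{blob}";\n'
            "var b = new Blob([Uint8Array.from(atob(file), c => c.charCodeAt(0))]);\n"
            "</script></body></html>")


def find_base64_blobs(html, min_len=64):
    """Base64 runs long enough to be a file. Split/concatenated strings are
    not reassembled here; normalise those first if the lure uses them."""
    return re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, html)


def decode_zip_blob(blob):
    """Base64-decode and confirm the ZIP magic; None if not a ZIP."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw if raw.startswith(ZIP_MAGIC) else None


def list_archive(zip_bytes):
    """Entries in the smuggled ZIP, flagging mountable container images."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            entries.append({"name": name, "size": info.file_size,
                            "container": ext in CONTAINER_EXTS})
    return entries


def extract_smuggled(html):
    """Full chain: HTML -> Base64 blob(s) -> ZIP bytes -> entry listing."""
    results = []
    for blob in find_base64_blobs(html):
        if not blob.startswith("UEsDB"):
            continue
        zip_bytes = decode_zip_blob(blob)
        if zip_bytes:
            results.append({"zip_size": len(zip_bytes),
                            "entries": list_archive(zip_bytes)})
    return results


if __name__ == "__main__":
    for hit in extract_smuggled(build_sample_html()):
        print(hit)
```

The container flag is the point of interest for detection: the ZIP itself is benign-looking, and the ISO is what carries the LNK and payload that run once the image is mounted, so a mail gateway or EDR rule should treat a ZIP that only wraps an ISO or IMG as a high-confidence indicator of this chain.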

5. With the information gathered in Excel, we plotted the delivery methods for Qakbot. The figure below shows the code used to plot the chart. The most common file types used to deliver Qakbot are represented in the chart that follows.
6. Timeline of samples first seen on MalwareBazaar for Qakbot (entry effect). It is important to note that we picked the latest 1000 samples.
7. Timeline of samples last seen on MalwareBazaar for Qakbot (trailing effect). For the same 1000 samples, no new samples are uploaded after 2023-06/07, indicating that the samples are no longer functional and the C2 servers are down (Qakbot's infrastructure was dismantled by law enforcement in August 2023).
Email: editor@ijfmr.com | IJFMR230610843 | Volume 5, Issue 6, November-December 2023
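As an added example (not the paper's notebook), the following Python performs the MalwareBazaar retrieval described under "Understanding the Science behind the Qakbot" and the aggregations behind the charts in steps 5 to 7: fetch_taginfo() issues the get_taginfo query to https://mb-api.abuse.ch/api/v1/, and the remaining functions count delivery methods and file types and build month-by-month first-seen/last-seen timelines. SAMPLE_RESPONSE is a constructed stand-in for the API response (made-up hashes and dates) so the example runs offline; the field names follow the columns the paper kept in its spreadsheet, and whether an Auth-Key header is required depends on abuse.ch's current API policy, so it is an optional parameter.

```python
"""Pull the latest Qakbot samples from the MalwareBazaar API and aggregate
delivery method, file type and first/last-seen timelines.

Added example, not the paper's notebook. fetch_taginfo() is the live call;
everything the tests touch runs offline on SAMPLE_RESPONSE, which is a
CONSTRUCTED stand-in (made-up hashes and dates) for the response shape.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

MB_API = "https://mb-api.abuse.ch/api/v1/"


def fetch_taginfo(tag="Qakbot", limit=1000, auth_key=None, timeout=30):
    """Live query: the latest `limit` samples carrying `tag` (max 1000).
    auth_key is sent as the Auth-Key header if abuse.ch requires one."""
    body = urllib.parse.urlencode(
        {"query": "get_taginfo", "tag": tag, "limit": limit}).encode()
    req = urllib.request.Request(MB_API, data=body, method="POST")
    if auth_key:
        req.add_header("Auth-Key", auth_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed stand-in for the API response (hashes and dates are made up).
SAMPLE_RESPONSE = {
    "query_status": "ok",
    "data": [
        {"sha256_hash": "a" * 64, "first_seen": "2023-05-02 09:14:11",
         "last_seen": "2023-05-30 11:00:00", "file_type": "zip",
         "delivery_method": "web_download", "tags": ["Qakbot", "zip"]},
        {"sha256_hash": "b" * 64, "first_seen": "2023-06-14 08:01:09",
         "last_seen": None, "file_type": "html",
         "delivery_method": "email_attachment", "tags": ["Qakbot", "html"]},
        {"sha256_hash": "c" * 64, "first_seen": "2023-06-21 17:45:00",
         "last_seen": "2023-07-02 00:00:00", "file_type": "pdf",
         "delivery_method": "web_download", "tags": ["Qakbot", "pdf"]},
        {"sha256_hash": "d" * 64, "first_seen": "2023-07-03 12:00:00",
         "last_seen": "2023-07-05 12:00:00", "file_type": "zip",
         "delivery_method": None, "tags": ["Qakbot"]},
    ],
}


def rows_from_response(resp):
    """Flatten the fields the paper kept in its spreadsheet."""
    if resp.get("query_status") != "ok":
        raise ValueError(f"MalwareBazaar query failed: {resp.get('query_status')}")
    return [{
        "sha256": s["sha256_hash"],
        "first_seen": s.get("first_seen"),
        "last_seen": s.get("last_seen"),
        "file_type": s.get("file_type") or "unknown",
        "delivery_method": s.get("delivery_method") or "unknown",
    } for s in resp["data"]]


def top_counts(rows, field):
    """Descending (value, count) list for a column such as delivery_method."""
    return Counter(r[field] for r in rows).most_common()


def monthly_timeline(rows, field):
    """{'YYYY-MM': count} for first_seen or last_seen; None values skipped."""
    months = Counter(r[field][:7] for r in rows if r[field])
    return dict(sorted(months.items()))


def last_active_month(rows):
    """Latest month with any first_seen; silence after it is the trailing
    effect the paper observed once the Qakbot infrastructure went quiet."""
    tl = monthly_timeline(rows, "first_seen")
    return max(tl) if tl else None


if __name__ == "__main__":
    rows = rows_from_response(SAMPLE_RESPONSE)  # swap for fetch_taginfo() when online
    print("delivery methods:", top_counts(rows, "delivery_method"))
    print("file types:", top_counts(rows, "file_type"))
    print("first seen by month:", monthly_timeline(rows, "first_seen"))
    print("last seen by month:", monthly_timeline(rows, "last_seen"))
    print("last active month:", last_active_month(rows))
```

Because get_taginfo returns the latest samples only, a query for 1000 samples describes the tail of a family's activity, not its history; the timelines therefore show the end of the Qakbot uploads clearly but say nothing about volume before the window, which is the caveat to attach to the "entry effect" chart.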

Mitigations for the identified Techniques
The mitigations for the various techniques were derived from MITRE ATT&CK [2].

Conclusion:
The QBot malware family was highly active and still part of the threat landscape in mid-2023 owing to its features and its powerful modular system. While initially characterized as an information stealer in 2007, this family has been leveraged as a delivery mechanism for additional malware and post-compromise activity.
However, the most recent samples in MalwareBazaar show that no new samples have been received since mid-2023, which is consistent with the malware's C2 infrastructure being taken down and its current samples no longer being functional.

Appendix
We utilized OpenCTI as a threat intelligence platform to better understand the Qakbot/QBot malware.

OpenCTI
OpenCTI is an open-source platform that allows organizations to manage their cyber threat intelligence knowledge and observables. Cuckoo Sandbox is free software that automates the analysis of malicious files under Windows, macOS, Linux, and Android. Below are some snapshots of the Cuckoo platform. (We will demonstrate Cuckoo during our presentation.) [13]

Figure 5: Top techniques used by FIN groups.

Figure 6: Top tactics used by FIN groups.
Our research into the threat actors utilizing these prominent techniques and tactics led us to identify the threat group FIN7. This group extensively employs 11 of the top 14 tactics and techniques in its malicious activities. The following figure visually represents the mapping of these eleven techniques, showcasing their significance in FIN7's operational playbook.

Figure 7: Top techniques used by FIN7

3.1 Overview of FIN7
The FIN7 group has been operating since 2013. The figure below shows FIN7's activities in the years 2020-2021. [4]

Figure 9: Distribution of Relations

Figure 10: Tools used by FIN7
Similarly, the multiple malware families used by this group are listed in the figure below.

Figure 13: Black Basta Ransomware Info
Black Basta ransomware uses QBot as an initial point of entry and to move laterally in compromised networks. QBot, also known as Qakbot, is a Windows malware strain that started as a banking trojan and evolved into a malware dropper. Along with other researchers, we noted that Black Basta infections began with Qakbot delivered by email and macro-based MS Office documents, ISO+LNK droppers, and .docx documents exploiting the MSDT (Microsoft Support Diagnostic Tool) remote code execution vulnerability CVE-2022-30190 ("Follina"). The Black Basta group was observed using Qakbot both for initial access and to spread laterally throughout the network. A sample of the Black Basta file can be downloaded from MalwareBazaar; the download link is provided in reference [8]. The Black Basta file information is shown in the figure below:

Figure 14: Black Basta file information

Figure 15: Black Basta Attack Lifecycle

Figure 19: pdfid.py information (step 1) and the "/URI" found with the strings command (step 2): https://ourloverlyday.us/xuenxavleu/xuenxavleu.gif

Figure 23: Stage 1 - HTML File Analysis

Figure 26: Stage 2 - Extracting the files from the ZIP archive
After extracting the ZIP archive, we extracted the files from the ISO using 7z with the commands shown below. The figure below shows the extraction of files from the ISO file.

Figure 27: Stage 2 - Extracting the files from the ISO.

Understanding the Science behind the Qakbot
After the analysis we started researching the science behind Qakbot. We retrieved knowledge on Qakbot from the MalwareBazaar database through its API.
1. We send a request to the API asking for the 1000 "latest" malware samples with the tag "Qakbot". This gives us access to the most recent instances of this malware strain; each sample is identified by its unique SHA-256 hash. Refer to the figure below for the Python code used to import the data.
2. Running the above code returns the 1000 hash values (latest samples); for each sample we retrieve First seen, Last seen, Delivery Method, File Type and the corresponding SHA-256 value, and save them in Excel.
3. The intelligence downloaded on the 1000 latest Qakbot samples is in the format shown below. With the information gathered in Excel, we plotted the common delivery methods for Qakbot; the figure below shows the code used to plot the chart. The most used delivery method of Qakbot is "Web_download". The top delivery methods are shown below.
OpenCTI has been created to structure, store, organize and visualize technical and non-technical information about cyber threats. Below are some snapshots of the OpenCTI platform. (We will demonstrate OpenCTI during our presentation.)

Figure 38: Snapshots of OpenCTI

Table 1: Threat groups studied
Threat Group | Introduction
FIN5 | FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. [2]
FIN6 | FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. [2]
FIN7 | FIN7 is a financially motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. [2]
FIN8 | FIN8 is a financially motivated threat group known to launch tailored spear phishing campaigns targeting the retail, restaurant, and hospitality industries. [2]
FIN10 | FIN10 is a financially motivated threat group that targeted organizations in North America from 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [2]
Carbanak | Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware. [2]
Silence | Silence is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016.
BlackTech | BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia, particularly Taiwan, Japan, and Hong Kong, and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering and electronics organizations.
Wizard Spider | Wizard Spider is originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals. [2]

Table 2: CVEs used by the FIN7 group
CVE | Description
CVE-2020-14882 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14882 [6]
CVE-2020-14750 | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14750 [6]
CVE-2020-1472 | An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability' (Zerologon). https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472 [6]
Based on the tactics, techniques and procedures used by FIN7, we identified some of the notable attacks carried out by the group. These sophisticated and far-reaching cyberattacks are listed below.