Deobfuscating FIN7 JavaScript Implants


Community Feature - @Arkbird_SOLG

Curated Intelligence's very own Malware Slayer™ - Arkbird_SOLG - has recently put together an informative blog post on GitHub about how to deobfuscate and analyse the JavaScript implants used by the infamous FIN7 cybercriminal APT group (also known as Carbanak or CarbonSpider).

https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/FIN7/2021-09-07/FIN7.md

FIN7's JavaScript malware (known as GRIFFON by FireEye or Harpy by CrowdStrike) is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to a remote C&C server. The first module downloaded by the JavaScript malware to the victim’s computer is an information-gathering script, which allows the cybercriminals to understand the context of the infected workstation. (source)


Curated Intel Community Features are sourced using our Member Content channel on Discord. If you have recently produced a noteworthy piece of writing, a project, a podcast, an infographic or other CTI content, let us know!