Criminals From Fin7 Download Rdfsniffer Malware Into Atm Manufacturer Software

Posted by Megiddo (President, Staff member), May 15, 2016

Malware provides operators with the ability to carry out MitM attacks.

The FIN7 cybercrime group has added two new tools to its arsenal, BOOSTWRITE and RDFSNIFFER. Researchers at FireEye's Mandiant team have discovered several samples of a new malicious dropper called BOOSTWRITE, capable of loading the Carbanak backdoor and the RDFSNIFFER Remote Access Trojan (RAT).

The RDFSNIFFER payload was designed to tamper with the Aloha Command Center client from NCR Corporation, an ATM and payment terminal manufacturer. Aloha Command Center is a set of remote administration tools for managing and troubleshooting payment card processing systems that run Command Center. The malicious program is loaded into the same process as Command Center by hijacking the DLL search order of the legitimate Aloha utility.

The newly discovered RAT reaches compromised systems after the BOOSTWRITE loader decrypts its embedded payload at startup, using encryption keys obtained from the operators. BOOSTWRITE uses the DLL Search Order Hijacking technique to get its own malicious DLL loaded into memory on the infected system; it then retrieves the initialization vector and the key needed to decrypt the embedded payloads. One of the BOOSTWRITE samples was signed with a digital certificate issued to MANGO ENTERPRISE LIMITED. "Using the trust provided by digital certificates, FIN7 increases its chances of circumventing various security measures and successfully compromising victim systems," the researchers note.

RDFSNIFFER allows the criminals to "intercept Aloha Command Center installations and interact with target systems through existing legitimate two-factor authentication processes." RDFSNIFFER is loaded into the RDFClient process every time the legitimate software runs on a compromised computer. The malware can monitor or modify connections created by RDFClient, giving its operators the ability to carry out Man-in-the-Middle (MitM) attacks, and it also contains a backdoor that lets an attacker upload, download, execute and delete arbitrary files.
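The loading technique described above (a malicious DLL pulled into the legitimate RDFClient process through search-order hijacking, signed by an unexpected publisher) is what a defender can hunt for in image-load telemetry. The following is an added example, not code from the original post or from FireEye; it assumes the host process image is RDFClient.exe, that legitimate modules are signed by NCR Corporation, and a module name RDFCore.dll, all constructed here for illustration.

```python
"""Flag DLL search-order hijacking / side-loading candidates in image-load telemetry."""
from pathlib import PureWindowsPath

# Assumptions (not from the original post): the watched host process is RDFClient.exe
# and its legitimate modules are expected to be signed by NCR Corporation.
WATCHED_PROCESSES = {"rdfclient.exe"}
EXPECTED_SIGNERS = {"ncr corporation"}
# DLL names normally resolved from the system directory; a copy of one of these
# sitting next to the application binary is a classic search-order hijack.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptsp.dll", "wtsapi32.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify_load(event):
    """Return the reasons an ImageLoad event looks suspicious, or [] if it is clean."""
    proc = PureWindowsPath(event["Image"]).name.lower()
    loaded = event["ImageLoaded"].lower()
    # Only modules loaded by a watched process from outside the system directories matter.
    if proc not in WATCHED_PROCESSES or loaded.startswith(SYSTEM_DIRS):
        return []
    reasons = []
    name = PureWindowsPath(loaded).name
    if name in SYSTEM_DLL_NAMES:
        reasons.append(f"system DLL name {name} loaded from non-system path")
    if not event.get("Signed", False):
        reasons.append("unsigned module")
    elif event.get("Signature", "").lower() not in EXPECTED_SIGNERS:
        # A valid signature is not trust: check the publisher against an allowlist.
        reasons.append(f"signed by unexpected publisher: {event['Signature']}")
    return reasons


def scan(events):
    """Return (module path, reasons) for every suspicious load in a batch of events."""
    return [(e["ImageLoaded"], r) for e in events if (r := classify_load(e))]


# Constructed sample telemetry in the style of Sysmon Event ID 7 fields; not real logs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Aloha\RDFClient.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": True, "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Aloha\RDFClient.exe",
     "ImageLoaded": r"C:\Program Files\Aloha\version.dll",
     "Signed": True, "Signature": "MANGO ENTERPRISE LIMITED"},
    {"Image": r"C:\Program Files\Aloha\RDFClient.exe",
     "ImageLoaded": r"C:\Program Files\Aloha\RDFCore.dll",
     "Signed": True, "Signature": "NCR Corporation"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Temp\version.dll", "Signed": False},
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS):
        print(path, "->", "; ".join(reasons))
```

Only the second event is reported: a system DLL name loaded from the application folder, carrying a signature from a publisher outside the allowlist.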


Even though one of FIN7's leaders has pleaded guilty to fraud, the cybercriminal group remains active and continues to add new tools to its arsenal.