FIN7: A Case Study on Shim Database Persistence
If an attacker clearly has backdoor access to a system, yet no malware can be found on disk and there is no sign of how it was loaded into memory, how would you even begin a forensic investigation? This was the obstacle Mandiant consultants faced while responding to an intrusion attributed to FIN7 in 2017. FIN7, a financially motivated threat group, stealthily persisted the CARBANAK backdoor and point-of-sale malware, stole thousands of credit card numbers, and remained undetected for months by using malicious application compatibility shim databases (SDBs), a technique that had rarely been seen in use prior to this intrusion.
This presentation will recount that investigation from the perspective of the incident responders and will detail how they were able to crack the case open. We believe that the number of threat actors using application shim persistence will continue to rise in the years to come as network defenders become more effective at detecting traditional persistence mechanisms and more attackers are pushed to follow FIN7's lead. Raising industry awareness of this attacker methodology is critical before its use becomes prevalent.
Attendees of this presentation will come away with a low-level technical understanding of how Windows uses shims to give legacy applications backward compatibility with newer versions of the operating system, how attackers have abused shim functionality to persist malware, and the ways attackers are likely to expand on this abuse in the near future. Techniques to detect and hunt for malicious shims on attendees' own networks will also be shared.
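One practical starting point for the kind of hunt the abstract promises, added here as an example and not material from the talk or from Mandiant: a PowerShell triage script that enumerates the registry keys and directories that sdbinst.exe populates when it installs a shim database, then flags disagreements between them. It assumes an elevated session on the host under examination and the default AppPatch locations; the cross-check heuristics and the report layout are this example's own, not a published detection rule.

```powershell
# Added hunting example (not from the talk). Run in an elevated PowerShell
# session on the host being examined. Assumes the standard locations that
# sdbinst.exe uses; a hand-crafted registry entry can point anywhere.

$appCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

# --- 1. Databases registered under InstalledSDB (one subkey per SDB GUID) ---
$installed = @(Get-ChildItem "$appCompat\InstalledSDB" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p  = Get-ItemProperty -Path $_.PSPath
        $ts = $null
        # DatabaseInstallTimeStamp is a QWORD holding a Windows FILETIME
        if ($p.DatabaseInstallTimeStamp) {
            $ts = [datetime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid         = $_.PSChildName          # e.g. {GUID}
            Description  = $p.DatabaseDescription
            Path         = $p.DatabasePath
            Type         = $p.DatabaseType
            InstalledUtc = $ts
        }
    })

# --- 2. Per-executable mappings under Custom: subkey = target EXE name,
#        one value named {GUID}.sdb per database applied to that EXE ---
$mappings = @(Get-ChildItem "$appCompat\Custom" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_.PSChildName
        (Get-ItemProperty -Path $_.PSPath).PSObject.Properties |
            Where-Object { $_.Name -like '{*}.sdb' } |
            ForEach-Object { [pscustomobject]@{ Target = $exe; Sdb = $_.Name } }
    })

# --- 3. SDB files on disk in the directories sdbinst writes to ---
$files = @(Get-ChildItem "$env:SystemRoot\AppPatch\Custom", "$env:SystemRoot\AppPatch\Custom64" `
    -Filter *.sdb -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc)

# --- 4. Cross-check the three views; disagreement is the interesting part ---
$findings = foreach ($db in $installed) {
    $reasons = @()
    if (-not $db.Path -or -not (Test-Path -LiteralPath $db.Path)) {
        $reasons += 'DatabasePath missing or file not found'
    } elseif ($db.Path -notlike "$env:SystemRoot\AppPatch\*") {
        $reasons += 'SDB stored outside %SystemRoot%\AppPatch'
    }
    if (-not ($mappings | Where-Object { $_.Sdb -ieq "$($db.Guid).sdb" })) {
        $reasons += 'registered but applied to no executable'
    }
    [pscustomobject]@{
        Guid = $db.Guid; Path = $db.Path; Installed = $db.InstalledUtc
        Notes = ($reasons -join '; ')
    }
}

# A mapping whose GUID has no InstalledSDB entry, or an .sdb file with no
# registry entry at all, usually means someone bypassed sdbinst and wrote the
# registry key or the directory directly. (Heuristic: path comparison is by
# string, so a path written with a different form may show up as an orphan.)
$orphanMappings = $mappings | Where-Object { $installed.Guid -notcontains ($_.Sdb -replace '\.sdb$', '') }
$orphanFiles    = $files    | Where-Object { $installed.Path -notcontains $_.FullName }

'== Registered SDBs =='                      ; $findings       | Format-Table -AutoSize
'== Executables with shims applied =='       ; $mappings       | Format-Table -AutoSize
'== Mappings with no InstalledSDB entry ==' ; $orphanMappings | Format-Table -AutoSize
'== SDB files with no registry entry =='     ; $orphanFiles    | Format-Table -AutoSize
```

The script looks only at installation metadata; it does not parse the SDB contents, so a database that passes every cross-check can still be malicious. Treat every custom SDB on a host that has no documented compatibility need as a lead, and examine what the flagged databases actually do to their target executables with a dedicated SDB parser before deciding.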
Speaker Bio: Benjamin Wiley is an Associate Consultant in Mandiant's Denver office, where he assists clients with digital forensics and incident response. Benjamin has been a part of the information security community for over 4 years, spending much of that time in the energy industry helping protect US critical infrastructure from cyber attack.