E2. FIN7: A Case Study on Shim Database Persistence
Thursday, June 6, 2019
10:10 AM - 11:10 AM
In 2017, the financially motivated threat group FIN7 used application compatibility shims to persist the CARBANAK backdoor and point-of-sale malware, stealing thousands of payment card numbers while remaining undetected for months. This presentation recounts the investigation from the perspective of the incident responders and details how they were able to crack the case. As defenders become more effective at detecting traditional persistence mechanisms, more attackers can be expected to turn to shim persistence in the years to come, so raising awareness of this technique is critical before its use becomes prevalent. Techniques to hunt for malicious shims will also be shared.
After completing this session, attendees will come away with:
- A technical understanding of what application shimming is and how Microsoft uses shims to give applications backward compatibility as the Windows codebase changes
- A first-hand account of how attackers have abused shim functionality to provide persistence for malicious backdoors and payment-card-stealing malware
- A look at how abuse of shim functionality is likely to evolve to become both stealthier and easier for attackers to deploy
- A game plan for detecting and hunting for malicious shim databases on their own network
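A starting point for the hunt described above, as an added example that is not code from the talk, from Mandiant, or from the FIN7 investigation. It assumes an elevated PowerShell 5.1+ session on the host being examined, and that legitimate custom shims are kept under %SystemRoot%\AppPatch; the registry keys it reads are the ones sdbinst.exe populates when it installs a database, and the list of "sensitive" target executables is the author's own choice of boot- and logon-time binaries.

```powershell
# Hunt for application-compatibility shim (SDB) persistence on a live Windows host.
# Added example, not code from the talk. Assumptions: run elevated in PowerShell 5.1+,
# and legitimate custom shims live under %SystemRoot%\AppPatch. The registry layout
# relied on is the one sdbinst.exe writes:
#   ...\AppCompatFlags\InstalledSDB\{GUID}  -> DatabasePath, DatabaseDescription,
#                                              DatabaseInstallTimeStamp (FILETIME as QWORD)
#   ...\AppCompatFlags\Custom\<target.exe>  -> one value per applied shim, named {GUID}.sdb

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
) | Where-Object { Test-Path $_ }

# Boot- or logon-time binaries an attacker would shim to get code running early and often
# (author's list, extend it for your environment).
$sensitiveTargets = @('services.exe', 'lsass.exe', 'svchost.exe', 'winlogon.exe', 'wininit.exe',
                      'csrss.exe', 'explorer.exe', 'userinit.exe', 'spoolsv.exe')
$trustedDir = Join-Path $env:SystemRoot 'AppPatch'
$findings   = New-Object System.Collections.Generic.List[object]

foreach ($root in $roots) {
    # Pass 1: every database sdbinst recorded, with install time and on-disk path.
    $installed    = @{}
    $installedKey = Join-Path $root 'InstalledSDB'
    if (Test-Path $installedKey) {
        foreach ($key in Get-ChildItem $installedKey) {
            $p = Get-ItemProperty -Path $key.PSPath
            $installed[$key.PSChildName] = $p
            $reasons = @()
            if ($p.DatabasePath -and -not $p.DatabasePath.StartsWith($trustedDir, [StringComparison]::OrdinalIgnoreCase)) {
                $reasons += 'SDB stored outside AppPatch'
            }
            if ($p.DatabasePath -and -not (Test-Path -LiteralPath $p.DatabasePath)) {
                $reasons += 'SDB file missing on disk (deleted after install?)'
            }
            $ts = $null
            if ($null -ne $p.DatabaseInstallTimeStamp) {
                $ts = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
            }
            $findings.Add([pscustomobject]@{
                Source = 'InstalledSDB'; Guid = $key.PSChildName; Target = ''
                Path = $p.DatabasePath; Description = $p.DatabaseDescription
                InstalledUtc = $ts; Reasons = ($reasons -join '; ')
            })
        }
    }

    # Pass 2: which executables actually have a shim applied, and whether each one has a
    # matching InstalledSDB record. A Custom entry with no InstalledSDB record suggests
    # the keys were written by hand rather than through sdbinst.exe.
    $customKey = Join-Path $root 'Custom'
    if (Test-Path $customKey) {
        foreach ($key in Get-ChildItem $customKey) {
            $target = $key.PSChildName
            $props  = Get-ItemProperty -Path $key.PSPath
            foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -like '*.sdb' })) {
                $guid    = $v.Name -replace '\.sdb$', ''
                $reasons = @()
                if ($sensitiveTargets -contains $target) { $reasons += 'shim applied to core system binary' }
                if (-not $installed.ContainsKey($guid)) { $reasons += 'no InstalledSDB record (registered without sdbinst?)' }
                $findings.Add([pscustomobject]@{
                    Source = 'Custom'; Guid = $guid; Target = $target
                    Path = $installed[$guid].DatabasePath; Description = $installed[$guid].DatabaseDescription
                    InstalledUtc = $null; Reasons = ($reasons -join '; ')
                })
            }
        }
    }
}

# Pass 3: .sdb files outside the trusted directory (dropped but not yet registered, or
# left behind after the registry entries were cleaned up). Slow on large disks.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter '*.sdb' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.FullName.StartsWith($trustedDir, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        $findings.Add([pscustomobject]@{
            Source = 'Filesystem'; Guid = ''; Target = ''; Path = $_.FullName
            Description = ''; InstalledUtc = $_.LastWriteTimeUtc; Reasons = 'stray SDB outside AppPatch'
        })
    }

"All shim artefacts:"
$findings | Sort-Object Source, InstalledUtc | Format-Table -AutoSize
"Entries needing review:"
$findings | Where-Object { $_.Reasons } | Format-Table Source, Target, Path, Reasons -AutoSize
```

The registry tells you which executable is shimmed and when; it does not tell you what the shim does. To see the fixes inside a suspicious .sdb (for example an InjectDll or RedirectEXE fix pointing at an attacker's DLL), parse the file with a dedicated tool such as sdb-explorer or Microsoft's Compatibility Administrator rather than trusting the DatabaseDescription string, which the attacker controls. Because an attacker can skip sdbinst.exe and write the AppCompatFlags keys directly, auditing registry writes under AppCompatFlags\Custom and InstalledSDB is a more durable detection than watching for sdbinst.exe process creation alone.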
Ben Wiley is an Associate Consultant in Mandiant's Denver office. As part of the Incident Response team, Ben provides emergency services to clients when a security breach occurs. Ben has been part of the information security community for about three years, spending much of that time as a SOC analyst in the energy industry.