Skip Navigation
BlackBerry Blog

Threat Group FIN7 Targets the U.S. Automotive Industry

Summary

In late 2023, BlackBerry analysts identified a spear-phishing campaign by threat group FIN7 that targeted a large automotive manufacturer based in the United States. FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (lolbas). We also found evidence that this attack was part of a wider campaign by FIN7.

In this blog, we’ll examine the mechanisms behind this attack, and discuss active steps you can take to prevent your organization falling victim to phishing attacks.

Brief MITRE ATT&CK® Information

Tactic

Technique

TA0001 – Initial Access

T1566.002

TA0002 – Execution

T1204.002, T1059.001, T1569.002

TA0003 – Persistence

T1053.005, T1543.003

TA0005 – Defense Evasion

T1027, T1564.001, T1222.001, T1562.004

TA0007 – Discovery

T1124, T1057, T1087.002, T1069.002, T1082, T1033

TA0008 – Lateral Movement

T1021.004

TA0011 – Command-and-Control

T1571, T1090

TA0042 – Resource Development

T1608.005, T1583.001


Weaponization and Technical Overview

Weapons

Anunak, POWERTRASH, OpenSSH

Attack Vector

Spear-phishing

Network Infrastructure

SSH Tunnels

Targets

Automotive Industry


Technical Analysis

Who is FIN7?

FIN7 is a Russian advanced persistent threat (APT) group that has been active since 2013. The group is financially motivated; in the past has targeted primarily the U.S. retail, restaurant, and hospitality sectors, although recently it has branched out into attacking the transportation, insurance, and defense sectors.

Also tracked as Carbon Spider, ELBRUS and Sangria Tempest, FIN7 is closely associated with other cybercriminal groups including GOLD NIAGARA, ALPHV and BlackCat. In 2020, the FBI issued a warning that FIN7 had begun using the infamous REvil ransomware in their attacks, as well as their own ransomware-as-a-service (RaaS) known as DarkSide, which is believed to be a rebrand of the BlackMatter ransomware.

In recent years, FIN7 has shifted their efforts from targeting the masses to the more precise targeting of large entities, a practice known as big game hunting. The group usually deploys ransomware as the end payload. Detection of a FIN7 intrusion early in the infection process can mitigate full network compromise and the typically large financial losses that ransomware can inflict.

In the case documented in this report, the BlackBerry Threat Research and Intelligence team detected the compromise and successfully stopped the intrusion before the threat group had a chance to launch a ransomware attack.

Attack Vector

So why did FIN7 shift to big game hunting? The reason for an attacker to put more resources into targeting a large entity is due to its presumed ability to pay a much larger ransom. Such an attack is usually very carefully orchestrated to ensure maximum effectiveness. The threat actors will first select and study their target company, searching for weaknesses and identifying employees who may have higher access privileges in the corporate network, before launching their attack.

In this case, employees with a high level of access privileges were targeted with spear-phishing emails that linked to “advanced-ip-sccanner[.]com”, a malicious URL masquerading (a.k.a typosquatting) as the legitimate website “advanced-ip-scanner[.]com”, a free online scanner.

This fake site redirected to “myipscanner[.]com”, which in turn redirected to an attacker-owned Dropbox that downloaded the malicious executable WsTaskLoad.exe onto the victim’s machine.

Figure 1: Attack chain used to compromise the target company

Hashes (md5, sha-256)

87aa5f3f514af2b9ef28db9f092f3249

ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef

ITW File Name

Advanced_Ip_Scanner_setup.exe

Compilation Stamp

2022-04-14 16:10:23 UTC

File Type/
Signature

Win32 EXE

File Size

18155592

Compiler Name/Version

Embarcadero Delphi (10.3 Rio) [Professional]

Installer Name

Inno Setup Module (6.1.0) [Unicode]

 

Hashes (md5, sha-256)

bb23dde1e3ecef7d93a39e77e32ef96c

d63060e61c98074c58926a6239185e8128fd0fbc2a45ccf60f3c831bb18ffc93

ITW File Name

 WsTaskLoad.exe

Compilation Stamp

2018-10-10 03:56:59 UTC

File Type/Signature

Win32 EXE

File Size

2234880

Compiler Name/Version

Embarcadero Delphi (2009)


Execution Flow

WsTaskLoad.exe has a multi-stage execution in order to run the final Anunak/Carbanak payload:

First, it loads jutil.dll (SHA256: 5ce7b63ef05d9f5cb8e309e6b195e3acb69cc72b899f4ae07c48b85bedfb286e) which executes the exported function SizeSizeImage.

Then, jutil.dll reads and decrypts infodb\audio.wav (SHA256: c8d8d666b509afaa0ef349cc3de9a6eec6dde98cc8a0e50228f8793275fae401) at offset 0x30f21 with size 0x256e; the decrypted blob is a shellcode which is copied on previously loaded mspdf.dll (SHA256: cdc0186ff3fcb67986f4f1f54e3a2991dd73f8bde20acf3a739e0fff7c6d94a7) and executed via EnumWindows().

The shellcode reads and decrypts infodb\audio.wav at offset 0xc2bc1 with size 0x150600; the decrypted blob is a loader with SHA256 7e927e1db12c404683c9c8b232e8cecb7334eed618992e965388b0b63508509f, which is later loaded and executed by the shellcode.

Finally, the loader looks for files on the current directory checking for a specific mark: the mark matches on dmxl.bin (SHA256: d4960f3c7cc891ff2bafd0a080451e42e0a23ba4db54ae2d7d355497a3b3d81a) and dfm\open.db (SHA256: a186ea72c942232998429e0d8b1bc0e0876bdb535738eba0ed9f4be9aeaa81db); during our execution, we observed dmxl.bin being used as likely open.db for redundancy.

The decrypted dmxl.bin is the Anunak payload, with the campaign ID "rabt4201_x86".

Later, WsTaskLoad.exe (executing the Anunak payload) manages dissemination of scripts and establishes persistence. The first thing WsTaskLoad.exe runs upon installation is a POWERTRASH obfuscated PowerShell script. POWERTRASH is a custom obfuscation of the shellcode invoker in PowerSploit.

Figure 2: Execution of POWERTRASH

It then checks system and network information on the host machine, gathering user information.

Figure 3: Reconnoitering by WsTaskLoad.exe

Persistence is established by installing OpenSSH, a connectivity tool for remote login with the SSH protocol. OpenSSH is scheduled as a task, and ports in the firewall are opened. Historical intelligence shows FIN7 typically utilizes OpenSSH for lateral movement as well, but this was not observed during this investigation.

More information on the network indicators of compromise (IoCs) is given in the Network Infrastructure section below.

Figure 4: Persistence being established

WsTaskLoad then procures basic system information:

Figure 5:  Checking user information after establishing persistence

Network Infrastructure

During the delivery phase of this campaign, the fake lure website “advanced-ip-sccanner[.]com” redirected to “myipscanner[.]com”. We found multiple domains registered within minutes of the original on the same provider, showing this campaign was not limited to the one BlackBerry detected, but may in fact be part of a wider campaign by FIN7.

Post compromise, OpenSSH is used for external access. The SSH tunnel proxy server is utilizing the SSH sha256 fingerprint bc4ef49e904d63415ee1c810c90019e12a590ff3b6293f4b69af65713a8da9fa, which is shared by 17 other hosts on the exact same ports of 53, 80, and 443. This is particularly interesting because SSH fingerprints are generally unique to servers or services as they are based on the public key presented by the server. The identical deployment and SSH fingerprint allow us to state with high confidence that these hosts are related.

Moderate confidence is given to another 21 hosts that are set up identically: ports 53, 80, 443, and 3721 hosting SSH; identical SSH fingerprints on ports 53, 80, and 443 with a different (probably management) SSH key on port 3721. These hosts also utilize the same hosting providers as our other “high confidence” hosts.

Domain/IP

String

Type

Domain

advanced-ip-sccanner[.]com

Delivery

Domain

myipscanner[.]com

Delivery

Domain

theipscanner[.]com

Delivery

Domain

ipscanneronline[.]com

Delivery

Domain

ipscannershop[.]com

Delivery

Domain

myscannappo[.]com

Delivery

Domain

myscannappo[.]info

Delivery

Domain

myscannappo[.]online

Delivery

IP

181[.]215.69[.]24

C2

IP

166[.]1.160[.]118

C2

IP

185[.]39.204[.]179

C2

IP

109[.]107.171[.]62

C2

IP

38[.]180.1[.]17

C2

IP

109[.]107.170[.]47

SSH Proxy

IP

162[.]248.224[.]79

SSH Proxy

IP

166[.]1.190[.]171

SSH Proxy

IP

166[.]1.190[.]186

SSH Proxy

IP

172[.]82.87[.]69

SSH Proxy

IP

185[.]161.210[.]18

SSH Proxy

IP

185[.]72[.]8.6

SSH Proxy

IP

185[.]72.8[.]70

SSH Proxy

IP

193[.]233.206[.]146

SSH Proxy

IP

207[.]174.31[.]205

SSH Proxy

IP

207[.]174.31[.]206

SSH Proxy

IP

209[.]209.113[.]91

SSH Proxy

IP

217[.]196.101[.]116

SSH Proxy

IP

38[.]180.14[.]240

SSH Proxy

IP

38[.]180.40[.]23

SSH Proxy

IP

46[.]246.98[.]196

SSH Proxy

IP

5[.]181.159[.]11

SSH Proxy

IP

62[.]233.57[.]98

SSH Proxy

IP

104[.]166.127[.]197

SSH Proxy - Moderate Confidence Relation

IP

104[.]166.127[.]200

SSH Proxy - Moderate Confidence Relation

IP

155[.]254.192[.]66

SSH Proxy - Moderate Confidence Relation

IP

166[.]1.190[.]48

SSH Proxy - Moderate Confidence Relation

IP

185[.]72.8[.]147

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]136

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]28

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]36

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]43

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.23[.]177

SSH Proxy - Moderate Confidence Relation

IP

207[.]174.31[.]253

SSH Proxy - Moderate Confidence Relation

IP

23[.]133.88[.]52

SSH Proxy - Moderate Confidence Relation

IP

38[.]180.1[.]103

SSH Proxy - Moderate Confidence Relation

IP

38[.]180.20[.]94

SSH Proxy - Moderate Confidence Relation

IP

5[.]61.39[.]157

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]105

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]108

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]139

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]245

SSH Proxy - Moderate Confidence Relation

IP

62[.]233.57[.]195

SSH Proxy - Moderate Confidence Relation

IP

91[.]149.254[.]85

SSH Proxy - Moderate Confidence Relation


Targets

The target of this attack was a large multinational automotive manufacturer based in the U.S. This is in line with the big game hunting that FIN7 has participated in for the last few years. The individuals targeted with spear-phishing attacks worked in the IT department, making them the most likely workers to have administrative rights and domain credentials.

Attribution

The obfuscation on PowerShell script 3CF9.ps1 is identical to that used in other FIN7 POWERTRASH scripts. The script utilizes the shellcode invoker from PowerSploit, as do previously verified POWERTRASH samples. This leads us to state with a high level of confidence that the attacker was indeed FIN7.

Conclusions

While the tactics, techniques, and procedures (TTPs) involved in this campaign have been well documented over the past year, the OpenSSH proxy servers utilized by the attackers have not been disseminated. BlackBerry thinks it prudent to enable individuals and entities to also identify these hosts and protect themselves.

Remediation

The good news is that BlackBerry® cybersecurity solutions detect all malicious samples involved in this campaign. Early identification of the initial infection and subsequent actions by the threat actor allowed analysts to quickly locate the infected system. It was then removed from the network prior to lateral movement, preventing ransomware installation and subsequent damage to the victimized company.

Preventing Phishing Attacks

Just because your organization may be modest doesn’t mean your attack surface is smaller or less appealing to a threat group than a big company might be. Nearly 1.2 percent of all emails sent worldwide are phishing attempts, amounting to 3.4 billion emails daily, according to 2024 statistics. The average cost of a successful phishing attempt to an SMB resulted in losses amounting to $4.45 million USD.

Putting active security measures into place is the best way to preserve your organization’s finances and reputation, regardless of size. Phishing is becoming increasingly sophisticated and can take many forms, ranging from simple attempts to scam users, such as a malicious attachment or link in a phishing email, to more complex deceptions, such as those utilizing phone or even fake video via the use of AI-based deepfake technology.

As a recent example of this, just two months ago in February, a finance worker in a large multinational organization was tricked into paying out millions of dollars to fraudsters who used deepfake technology to pose as the company’s chief financial officer in a video conference call. The worker was initially suspicious after he received an email that was purportedly from the CFO, as it spoke of the need for a secret transaction to be carried out.

However, the employee put aside his doubts after a follow-up video call, because the CFO and other people on the call looked and sounded just like colleagues he recognized. The elaborate deepfake scam netted the fraudsters $25 million USD. With the use of generative AI on the rise, this is just the latest case in which fraudsters used deepfake technology to modify publicly available video and audio to cheat people out of money.

Recommendations for Mitigation

To thwart successful phishing attacks on your organization, there are a number of proactive steps organizations can take to protect themselves:

  • Conduct Regular Security Training. This remains one of the very best ways to protect businesses from phishing attacks. Teach employees basic red flags that are the hallmark of phishing attempts. Workers need to know how to verify the authenticity of emails and avoid clicking on links or downloading attachments from unknown or suspicious sources.
  • Social Engineering Awareness. This is the next step, but an important one. Expand your employee’s training to include sessions on how to recognize social engineering tactics, which may include the attacker attempting to engage with them via social platforms, phone, text, or even video call.
  • Phishing Report System. Put a system in place to allow employees to immediately report attempted phishing attacks to your SOC or IT security team. Adding a “Report phishing” button to your email system is a good first step. Enforce a culture of trust so that users feel comfortable reporting phishing incidents. 
  • Multi-Factor Authentication. Implement multi-factor authentication (MFA) on all user accounts. This makes it harder for an attacker to access an employee’s account and gain entry to your network, even if they steal password and login details.
  • Password hygiene: Use strong and unique passwords online, and don’t reuse the same password across multiple sites. Better yet, we strongly encourage the use of passwordless (e.g. FIDO2) authentication whenever possible.
  • Security Updates and Patch Management. Keep all employee apps, operating systems and devices updated to apply the latest security fixes.
  • Endpoint Security Solutions. Deploy endpoint security solutions such as antivirus software, endpoint detection and response (EDR) solutions, and email security gateways to detect and block phishing attempts, malware, and other threats at the endpoint.
  • Monitor Suspicious Behavior. Implement monitoring tools and processes to detect suspicious login attempts, unusual user behavior, and unauthorized access. Lock user accounts after a certain number of failed login attempts to deter attackers from guessing passwords.
  • Data Protection and Encryption. Encrypt sensitive data in transit and at rest. This can help protect data from unauthorized access following a successful phishing attack.
  • Email Filtering and Authentication. Implement advanced email filtering solutions to detect and block phishing emails before they reach users' INBOXES. Use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to authenticate email senders and detect spoofed emails.
  • Incident Response. Develop and test incident response plans to mitigate security incidents quickly.
     

APPENDIX 1 – IoCs (Indicators of Compromise)

Hashes (md5, sha-256)

87aa5f3f514af2b9ef28db9f092f3249

ff4c287c60ede1990442115bddd68201d25a735458f76786a938a0aa881d14ef

ITW File Name

Advanced_Ip_Scanner_setup.exe

Compilation Stamp

2022-04-14 16:10:23 UTC

File Type/
Signature

Win32 EXE

File Size

18155592

Compiler Name/Version

Embarcadero Delphi (10.3 Rio) [Professional]

Installer Name

Inno Setup Module (6.1.0) [unicode]

 

Hashes (md5, sha-256)

bb23dde1e3ecef7d93a39e77e32ef96c

d63060e61c98074c58926a6239185e8128fd0fbc2a45ccf60f3c831bb18ffc93

ITW File Name

 WsTaskLoad.exe

Compilation Stamp

2018-10-10 03:56:59 UTC

File Type/Signature

Win32 EXE

File Size

2234880

Compiler Name/Version

Embarcadero Delphi (2009)

 

Domain/IP

String

Type

Domain

advanced-ip-sccanner[.]com

Delivery

Domain

myipscanner[.]com

Delivery

Domain

theipscanner[.]com

Delivery

Domain

ipscanneronline[.]com

Delivery

Domain

ipscannershop[.]com

Delivery

Domain

myscannappo[.]com

Delivery

Domain

myscannappo[.]info

Delivery

Domain

myscannappo[.]online

Delivery

IP

181[.]215.69[.]24

C2

IP

166[.]1.160[.]118

C2

IP

185[.]39.204[.]179

C2

IP

109[.]107.171[.]62

C2

IP

38[.]180.1[.]17

C2

IP

109[.]107.170[.]47

SSH Proxy

IP

162[.]248.224[.]79

SSH Proxy

IP

166[.]1.190[.]171

SSH Proxy

IP

166[.]1.190[.]186

SSH Proxy

IP

172[.]82.87[.]69

SSH Proxy

IP

185[.]161.210[.]18

SSH Proxy

IP

185[.]72[.]8.6

SSH Proxy

IP

185[.]72.8[.]70

SSH Proxy

IP

193[.]233.206[.]146

SSH Proxy

IP

207[.]174.31[.]205

SSH Proxy

IP

207[.]174.31[.]206

SSH Proxy

IP

209[.]209.113[.]91

SSH Proxy

IP

217[.]196.101[.]116

SSH Proxy

IP

38[.]180.14[.]240

SSH Proxy

IP

38[.]180.40[.]23

SSH Proxy

IP

46[.]246.98[.]196

SSH Proxy

IP

5[.]181.159[.]11

SSH Proxy

IP

62[.]233.57[.]98

SSH Proxy

IP

104[.]166.127[.]197

SSH Proxy - Moderate Confidence Relation

IP

104[.]166.127[.]200

SSH Proxy - Moderate Confidence Relation

IP

155[.]254.192[.]66

SSH Proxy - Moderate Confidence Relation

IP

166[.]1.190[.]48

SSH Proxy - Moderate Confidence Relation

IP

185[.]72.8[.]147

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]136

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]28

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]36

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.22[.]43

SSH Proxy - Moderate Confidence Relation

IP

193[.]233.23[.]177

SSH Proxy - Moderate Confidence Relation

IP

207[.]174.31[.]253

SSH Proxy - Moderate Confidence Relation

IP

23[.]133.88[.]52

SSH Proxy - Moderate Confidence Relation

IP

38[.]180.1[.]103

SSH Proxy - Moderate Confidence Relation

IP

38[.]180.20[.]94

SSH Proxy - Moderate Confidence Relation

IP

5[.]61.39[.]157

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]105

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]108

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]139

SSH Proxy - Moderate Confidence Relation

IP

5[.]8.63[.]245

SSH Proxy - Moderate Confidence Relation

IP

62[.]233.57[.]195

SSH Proxy - Moderate Confidence Relation

IP

91[.]149.254[.]85

SSH Proxy - Moderate Confidence Relation


APPENDIX 2 – Applied Countermeasures

YARA Rules

rule crimeware_fin7_powertrash {
  meta:
    description = "Identifies POWERTRASH powershell scripts"
    author = " The BlackBerry Research & Intelligence team"
    version = "1.0"
    last_modified = "2024-03-04"

  strings:
    // shellcode decompression
    $d1 = "[IO.MemoryStream][Byte[]]"
    $d2 = "New-Object IO.Compression.DeflateStream"
    $d3 = "New-Object Byte"
    $d4 = "[System.Convert]::FromBase64String("

    // shellcode invoker
    $s1 = "[sysTem.reFLECTiOn.CallingConventions]::Any, @((New-Object System.Runtime.InteropServices.HandleRef).GetType(), [string]), $null)" nocase
    $s2 = "[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer(" nocase
    $s3 = "[System.Runtime.InteropServices.Marshal]::Copy(" nocase
    $s4 = "[SYStem.rEFLeCtIOn.CallingConventions]::Any, @([string]), $null)" nocase

  condition:
    all of them
}


APPENDIX 3 – DETAILED MITRE ATT&CK® MAPPING

Tactic

Technique

Sub-Technique Name / Context

Initial Access

T1566.002 – Phishing: Spear-phishing Link

 

User with a high level of access privileges was targeted with a spear-phishing email that linked to “advanced-ip-sccanner[.]com”.

Resource Development

T1608.005 – Stage Capabilities: Link Target

A malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.

Execution

T1204.002 – User Execution: Malicious File

A malicious URL masquerading as a legitimate URL redirected to an attacker-owned Dropbox that downloaded the malicious executable.

Defense Evasion

T1027 – Obfuscated Files or Information

WsTaskLoad.exe executes a Powershell obfuscated script.

Execution

 

T1059.001 – Command and Scripting Interpreter: PowerShell

WsTaskLoad.exe executes a Powershell obfuscated script.

Discovery

T1124 – System Time Discovery

3CF9.ps1 script executes System Time Discovery using net time.

Discovery

 

T1057 – Process Discovery

3CF9.ps1 script performs Process Discovery executing tasklist /v command.

Discovery

 

T1087.002 – Account Discovery: Domain Account

3CF9.ps1 script  enumerates domain accounts executing net group "Domain Admins" /domain.

Discovery

 

T1069.002 – Permission Groups Discovery: Domain Groups

Discovery

3CF9.ps1 script enumerates domain groups executing net group "Domain Admins" /domain.

Discovery

 

T1082 – System Information Discovery

csvde.exe exports system information (objectClass=Computer).

Discovery

 

T1087.002 – Account Discovery: Domain Account

csvde.exe exports Active Directory data (objectClass=person).

Execution

T1059.001 – Command and Scripting Interpreter: PowerShell

PowerShell installs OpenSSH.

 

 

OpenSSH is installed for remote login with the SSH Protocol.

Defense Evasion

T1564.001 – Hide Artifacts: Hidden Files and Directories

Adversary uses attrib +h to make SSH hidden.

Persistence

T1053.005 – Scheduled Task/Job: Scheduled Task

Adversary has used scheduled task to persists OpenSSH on victim's machine.

Persistence

T1543.003 – Create or Modify System Process: Windows Service

sshd services is modified -> sc config sshd start= auto.

Execution

T569.002 – System Services: Service Execution

Sshd service is started (Sc start sshd).

Defense Evasion

T1562.004 – Impair Defenses: Disable or Modify System Firewall

Adversary adds a new firewall rule for a Non-Standard Port: 59999.

Command-and-Control

T1041 – Non-Standard Port

Adversary adds a new firewall rule for a Non-Standard Port: 59999.

Discovery

T1082 – System Information Discovery

WsTaskLoad gathers system information: Hostname.

Discovery

 

T1033 - System Owner/User Discovery

WSTaksLoad collect victim username through whoami.

Discovery

 

T1087.002 – Account Discovery: Domain Account

WSTaskLoad executes Domain Account Discovery using net user /domain.

Discovery

 

T1057 – Process Discovery

WSTaskLoad performs Process Discovery through Tasklist.

Resource Development

T1583.001 – Acquire Infrastructure: Domains

Multiple domains were found registered within minutes of the original on the same provider.

Command-and-Control

T1090 – Proxy

Post compromise, OpenSSH is used for external access.

 

The BlackBerry Research and Intelligence Team

About The BlackBerry Research and Intelligence Team

The BlackBerry Research and Intelligence team is a highly experienced threat research group specializing in a wide range of cybersecurity disciplines, conducting continuous threat hunting to provide comprehensive insights into emerging threats. We analyze and address various attack vectors, leveraging our deep expertise in the cyberthreat landscape to develop proactive strategies that safeguard against adversaries.

Whether it's identifying new vulnerabilities or staying ahead of sophisticated attack tactics, we are dedicated to securing your digital assets with cutting-edge research and innovative solutions.