UnFIN4ished Business

24 June 2015


 View Michael Yip's profile on LinkedIn

 View Chris Doman's profile on LinkedIn


With access to business critical information, senior executives and consultants are often said to be valuable targets for threat actors tasked with obtaining sensitive business secrets. FIN4 is a financially motivated threat actor which has consistently targeted this population.

On 23 June 2015, the press reported that the Securities and Exchange Commission are investigating FIN4’s activities[1].

Since mid-2013, this group is reported[2] to have targeted more than 100 organisations which are primarily NASDAQ and NYSE listed companies or firms working with those listed clients to provide advisory or financial services, such as investment banking. In particular, the FIN4 group has shown a particular interest in the healthcare and pharmaceutical industry and appears to have team members who are intimately familiar with that industry.

The group is not a new threat and has been previously reported on by other security companies:

  • Towards the end of 2013 security company Esentire released a brief alert (ESOC-2013-11-08[3]) regarding a "targeted attack against hedge funds";
  • In May 2014, Symantec released a brief alert (O97M.Ratil[4]) providing further details and mitigations for the threat; and,
  • In November 2014 FireEye released a detailed report on the threat actor, their tactics, techniques and their targets.

These reports document two methods of attack used by the FIN4 group: malicious Microsoft Office documents to obtain credentials, and phishing pages designed to mimic Outlook Web App authentication pages.

Our research into FIN4 has uncovered evidence which indicates that FIN4 also used bespoke malware to harvest credentials and steal documents from compromised victims.

The UpDocX Malware

During our research into FIN4’s malicious macros, we identified a sample, d102693540b53f9a564e3a550f938709, which contains similar code to the malicious macros cited in previously documented samples, such as the form display and the subroutine uploadPOST, an example of which is given below:

Cyber 1

However, in our sample the macro code differs, in that it uses URLDownloadToFile to download an executable named WINWORD32.exe - this can be seen below.


Cyber 2

Using this inbuilt Windows functionality, the macro downloads and executes a file located at the following URL:


 Due to the command and control filename as shown in the htmlUpload function below, we refer to this malware as UpDocX:



Cyber 3

UpDocX was written in VB.NET and compiled without any attempts at obfuscating the source code. There is also no attempt in obfuscating C2 network traffic. It has limited functionality and appears to be a simple backdoor used solely for keylogging and uploading documents to designated C2 servers.

The attackers have, however, put some effort into avoiding detection and hindering investigations. UpDocX has a list of extensive clean-up functions responsible for eliminating evidence of compromise, which indicates a degree of caution often not observed in targeted attacks.

We believe that one of the authors of UpDocX may be a French speaker, based on naming conventions used in the malware.

PwC threat intelligence customers can access a more detailed technical analysis of UpDocX, additional indicators associated with FIN4 and our most recent profile of the group, in report reference CTO-TAP-20150518-01A.