RDFSNIFFER
The Carbanak Group continues to be very active in its attacks against retail businesses and companies in the restaurant and hospitality sectors. The group's attacks are almost exclusively financially motivated, and they often go after financial data; the group is responsible for the Carbanak backdoor Trojan, which caused hundreds of millions of dollars in damages worldwide. One of the recent tools employed in its attacks is RDFSNIFFER, a Remote Access Trojan (RAT) that appears to be deployed by the BOOSTWRITE loader, another new tool that the Carbanak Group (also known as FIN7) has been using recently.
FIN7 (a.k.a. the Carbanak Group) Uses the RDFSNIFFER RAT on Systems Linked to Payment Processing
RDFSNIFFER is an unusual RAT in that the infected host must meet specific requirements for it to run at all. The Trojan only works on machines with NCR's Aloha Command Center installed, a remote administration tool commonly used by support technicians to manage point-of-sale systems. RDFSNIFFER does not run as a process of its own: it hijacks legitimate DLLs of the Aloha toolset so that its code is loaded into memory inside the Aloha Command Center Client as soon as the client is launched. Once resident, RDFSNIFFER hooks sessions and elements of the Command Center Client, which lets the operator perform unauthorized actions on the compromised host under the cover of a legitimate support tool.
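The loading technique described above, a malicious DLL placed where the Aloha Command Center Client will pick it up ahead of the legitimate copy, is something a responder can audit directly on the host. The following PowerShell check is an added example written for this page; it is not code from the page's author, from NCR or from any vendor report. The install path, the expected signer substring and the client process name are assumptions and must be set for the real deployment. The script flags DLLs in the application directory that are unsigned or signed by an unexpected publisher, DLLs whose file name shadows a DLL in System32 or SysWOW64 (the classic search-order hijack), and, if the client is running, any module it has loaded from outside the application and Windows directories.

```powershell
# Added example (not the page's or NCR's code): audit an application directory
# for DLL search-order hijacking of the kind RDFSNIFFER relies on.
# $AppDir, $ExpectedSigner and $ProcessName are ASSUMPTIONS for illustration.
param(
    [string]$AppDir         = 'C:\Program Files (x86)\Aloha Command Center',  # assumed install path
    [string]$ExpectedSigner = 'NCR',   # assumed substring of the legitimate signer's subject
    [string]$ProcessName    = $null    # assumed: name of the running client process, if known
)

$findings = @()
$system32 = Join-Path $env:SystemRoot 'System32'
$sysWow64 = Join-Path $env:SystemRoot 'SysWOW64'

Get-ChildItem -Path $AppDir -Recurse -Filter '*.dll' -ErrorAction Stop | ForEach-Object {
    $dll  = $_
    $sig  = Get-AuthenticodeSignature -FilePath $dll.FullName
    $hash = (Get-FileHash -Path $dll.FullName -Algorithm SHA256).Hash

    # 1. A DLL that also exists under System32/SysWOW64 is a hijack candidate:
    #    the loader searches the application directory before the system directories.
    $shadowsSystem = (Test-Path (Join-Path $system32 $dll.Name)) -or
                     (Test-Path (Join-Path $sysWow64 $dll.Name))

    # 2. Unsigned, invalid, or signed by someone other than the expected vendor.
    #    In production compare the full certificate subject, not a substring.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    $badSig = ($sig.Status -ne 'Valid') -or ($signer -notlike "*$ExpectedSigner*")

    if ($shadowsSystem -or $badSig) {
        $findings += [pscustomobject]@{
            File          = $dll.FullName
            SHA256        = $hash
            ShadowsSystem = $shadowsSystem
            SigStatus     = $sig.Status
            Signer        = $signer
        }
    }
}

# 3. Live check: modules the client process has loaded from outside the
#    application directory and the Windows directory.
if ($ProcessName) {
    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            foreach ($m in $_.Modules) {
                $p = $m.FileName
                if ($p -and ($p -notlike "$AppDir*") -and ($p -notlike "$env:SystemRoot*")) {
                    $findings += [pscustomobject]@{
                        File          = $p
                        SHA256        = (Get-FileHash -Path $p -Algorithm SHA256).Hash
                        ShadowsSystem = $false
                        SigStatus     = 'loaded-module'
                        Signer        = 'outside app/Windows dirs'
                    }
                }
            }
        } catch {
            # Enumerating modules of a 32-bit process from a 64-bit shell (or vice
            # versa) can fail; run the audit from a shell matching the client's bitness.
            Write-Warning "Could not enumerate modules of PID $($_.Id): $_"
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated shell on the suspected host and treat any hit as a lead, not a verdict: a DLL shadowing a system library in a vendor directory is sometimes legitimate redistribution, so compare the hash against a known-good install. The on-disk checks find the hijacking DLL; the RAT code it decrypts and runs in memory may never touch disk, so a clean file audit does not rule out an in-memory payload, and memory capture of the client process is the next step.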
The threat actors behind RDFSNIFFER can command it to download files to the infected host or upload files from the host to the control server. RDFSNIFFER can also execute the files it obtains, and its operators can run commands on the compromised host. Finally, RDFSNIFFER can act on the infected machine's file system to delete files, which also serves to clean up traces of the intrusion.
While the exact companies targeted by FIN7's RDFSNIFFER and BOOSTWRITE malware cannot be named, it is almost certain that they handle financial data, given the tool's dependence on the Aloha Command Center Client. The threat actors are continuing their financially motivated attacks and are willing to experiment with new malware families that may increase the efficiency of their operations.