of financial information . “ Like past attacks , the initial infection vector is a malicious Word document attached to a phishing email that is well-tailoredAttack.Phishingto the targeted business and its day-to-day operations , ” the researchers noted . “ The Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage ( Meterpreter ) . However , in this new variant , all the DNS activity is initiated and executed solely from memory – unlike previous attacks which used PowerShell commands. ” The researchers attribute this one important change to the group ’ s efforts to stay one step ahead of the defenders , and they are succeeding : “ After decryption of the second stage shellcode , the shellcode deletes the ‘ MZ ’ prefix from within a very important part of the shellcode . This prefix indicates it may be a DLL , and its deletion helps the attack to evade memory scanning solutions , ” the researchers found . “ If this DLL was saved on disk , many security solutions would immediately identify it as a CobaltStrike Meterpreter , which is used by many attackers and pen testers. ” But it ’ s not , and it passes undetected . In-memory resident attacks and the use of fileless malware are on the rise , and FIN7 is one group that has been employing this approach regularly . There can be no doubt other attackers will try to implement the same tactic . FIN7 has previously been tied to a sophisticated spear-phishing campaign hittingAttack.PhishingUS-based businesses with emails purportedly coming fromAttack.Phishingthe US Securities and Exchange Commission ( SEC ) , and Morphisec researchers believe that the series of attacks leveraged against 140+ banks and other businesses earlier this year is also their work . FIN7 is also associated with the infamous Carbanak gang , but whether they are one and the same it ’ s still impossible to say for sure .