
FIN7

FIN7 is a financially motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020, FIN7 has shifted operations to a big game hunting (BGH) approach, including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appear to be several groups using Carbanak malware, which are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)
ID: G0046
Associated Groups: Carbon Spider, GOLD NIAGARA, ITG14
Version: 2.1
Created: 31 May 2017
Last Modified: 20 Jul 2022

Associated Group Descriptions

Name Description
Carbon Spider (Citation: CrowdStrike Carbon Spider August 2021)
GOLD NIAGARA (Citation: Secureworks GOLD NIAGARA Threat Profile)
ITG14 ITG14 shares campaign overlap with FIN7.(Citation: IBM Ransomware Trends September 2020)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.(Citation: eSentire FIN7 July 2021)

Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.(Citation: FireEye FIN7 April 2017)(Citation: FireEye FIN7 Aug 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FBI Flash FIN7 USB)

.003 Command and Scripting Interpreter: Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)

.005 Command and Scripting Interpreter: Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021)

.007 Command and Scripting Interpreter: JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.(Citation: FireEye FIN7 Aug 2018)

Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.(Citation: FBI Flash FIN7 USB)(Citation: FireEye FIN7 Oct 2019)

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.(Citation: FireEye FIN7 Shim Databases)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop FIN7 Oct 2017)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017)

.005 Masquerading: Match Legitimate Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.(Citation: CrowdStrike Carbon Spider August 2021)

.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2021)

.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting for credential access and to enable lateral movement.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.(Citation: FireEye FIN7 April 2017)

Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021)

.002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.(Citation: FireEye FIN7 April 2017)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.(Citation: FireEye FIN7 April 2017)

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.(Citation: FireEye FIN7 Aug 2018)
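As an added example (not part of this ATT&CK profile or SECURITM's own code), the following Python detection pass maps constructed Sysmon-style host telemetry to several of the FIN7 technique uses listed above: the "AdobeFlashSync" scheduled task, Run/RunOnce key persistence, mshta.exe executing VBScript, and a payload run as sleep.exe. The event field names (`type`, `image`, `cmdline`, `key`) and all sample values are assumptions constructed for the example.

```python
import re

# Detection rules derived from the FIN7 technique uses listed on this page.
# Each rule: (ATT&CK ID, technique name, predicate over one event dict).
RULES = [
    # T1036.004: scheduled task named "AdobeFlashSync" (also a T1053.005 use)
    ("T1036.004", "Masquerade Task or Service",
     lambda e: e.get("type") == "process"
     and e.get("image", "").lower().endswith("\\schtasks.exe")
     and re.search(r'/tn\s+"?AdobeFlashSync"?', e.get("cmdline", ""), re.I)),
    # T1547.001: value written under a Run or RunOnce key
    ("T1547.001", "Registry Run Keys / Startup Folder",
     lambda e: e.get("type") == "registry"
     and re.search(r"\\CurrentVersion\\Run(Once)?\\", e.get("key", ""), re.I)),
    # T1218.005: mshta.exe handed an inline VBScript URI
    ("T1218.005", "System Binary Proxy Execution: Mshta",
     lambda e: e.get("type") == "process"
     and e.get("image", "").lower().endswith("\\mshta.exe")
     and "vbscript:" in e.get("cmdline", "").lower()),
    # T1036.005: payload run under the filename sleep.exe (Darkside, per this page)
    ("T1036.005", "Match Legitimate Name or Location",
     lambda e: e.get("type") == "process"
     and e.get("image", "").lower().endswith("\\sleep.exe")),
]

# Constructed sample telemetry; the Sysmon-like field names are an assumption.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /SC ONLOGON /TN AdobeFlashSync /TR C:\Users\Public\sync.exe"},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe vbscript:Close(Execute("[constructed placeholder]"))'},
    {"type": "process", "host": "srv01",
     "image": r"C:\Users\Public\sleep.exe", "cmdline": "sleep.exe"},
    # Benign noise that must not match.
    {"type": "process", "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"type": "registry", "host": "ws02",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

def match_events(events):
    """Return one hit per (event, rule) pair whose predicate fires."""
    hits = []
    for e in events:
        for tid, name, pred in RULES:
            if pred(e):
                hits.append({"host": e.get("host"), "technique": tid, "name": name})
    return hits

if __name__ == "__main__":
    for h in match_events(SAMPLE_EVENTS):
        print(f'{h["host"]}: {h["technique"]} {h["name"]}')
```

The predicates are deliberately narrow, keyed to the indicators this page records; in production the same structure would carry broader rules and route hits to the SIEM with the ATT&CK ID attached.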

Software

ID Name References Techniques
S0417 GRIFFON (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB) (Citation: SecureList Griffon May 2019) Screen Capture, Domain Groups, System Time Discovery, JavaScript, System Information Discovery, Registry Run Keys / Startup Folder, Scheduled Task, PowerShell
S0416 RDFSNIFFER (Citation: FireEye FIN7 Oct 2019) Credential API Hooking, File Deletion, Native API
S0151 HALFBAKED (Citation: FireEye FIN7 April 2017) (Citation: FireEye FIN7 Aug 2018) Process Discovery, Windows Management Instrumentation, Screen Capture, PowerShell, File Deletion, System Information Discovery
S0194 PowerSploit (Citation: CrowdStrike Carbon Spider August 2021) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0145 POWERSOURCE (Citation: Cisco DNSMessenger March 2017) (Citation: DNSMessenger) (Citation: FireEye FIN7 March 2017) PowerShell, Query Registry, Registry Run Keys / Startup Folder, NTFS File Attributes, DNS, Ingress Tool Transfer
S0146 TEXTMATE (Citation: Cisco DNSMessenger March 2017) (Citation: DNSMessenger) (Citation: FireEye FIN7 March 2017) DNS, Windows Command Shell
S0415 BOOSTWRITE (Citation: FireEye FIN7 Oct 2019) Deobfuscate/Decode Files or Information, Obfuscated Files or Information, Code Signing, Shared Modules, DLL Search Order Hijacking
S0030 Carbanak (Citation: Anunak) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: DOJ FIN7 Aug 2018) (Citation: FBI Flash FIN7 USB) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018) (Citation: FireEye FIN7 March 2017) (Citation: Fox-It Anunak Feb 2015) (Citation: IBM Ransomware Trends September 2020) (Citation: Kaspersky Carbanak) OS Credential Dumping, Screen Capture, Web Protocols, Query Registry, Custom Command and Control Protocol, Remote Desktop Protocol, Windows Command Shell, Portable Executable Injection, Local Email Collection, Process Discovery, Obfuscated Files or Information, Remote Access Software, Keylogging, Registry Run Keys / Startup Folder, Local Account, Symmetric Cryptography, File Deletion, Standard Encoding, Commonly Used Port, Data Transfer Size Limits
S0390 SQLRat (Citation: Flashpoint FIN 7 March 2019) File Deletion, Windows Command Shell, Ingress Tool Transfer, Malicious File, Obfuscated Files or Information, Deobfuscate/Decode Files or Information, Scheduled Task, PowerShell
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0496 REvil (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Cylance Sodinokibi July 2019) (Citation: FBI Flash FIN7 USB) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: IBM Ransomware Trends September 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) Safe Mode Boot, Data Encrypted for Impact, Windows Command Shell, Disable or Modify Tools, PowerShell, Asymmetric Cryptography, Process Injection, Match Legitimate Name or Location, Modify Registry, Data Destruction, Query Registry, Visual Basic, Exfiltration Over C2 Channel, Service Stop, System Information Discovery, Native API, Malicious File, Create Process with Token, File and Directory Discovery, Obfuscated Files or Information, Drive-by Compromise, System Service Discovery, Windows Management Instrumentation, Deobfuscate/Decode Files or Information, Spearphishing Attachment, Ingress Tool Transfer, System Language Discovery, Token Impersonation/Theft, Web Protocols, Domain Groups, File Deletion, Inhibit System Recovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Deply Mimikatz) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0517 Pillowmint (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Trustwave Pillowmint June 2020) Application Shimming, Asynchronous Procedure Call, Modify Registry, Query Registry, Obfuscated Files or Information, Clear Persistence, Process Discovery, Indicator Removal, Native API, PowerShell, Deobfuscate/Decode Files or Information, Data from Local System, File Deletion, Archive Collected Data
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: CrowdStrike Carbon Spider August 2021) Security Account Manager, NTDS, Password Spraying, Password Policy Discovery, Domain Account, System Network Connections Discovery, Password Guessing, At, Network Share Discovery, Remote System Discovery, LSA Secrets, Windows Management Instrumentation, Modify Registry, File and Directory Discovery, Pass the Hash, System Information Discovery, Domain Groups, PowerShell, System Network Configuration Discovery, Brute Force
S0648 JSS Loader (Citation: CrowdStrike Carbon Spider August 2021) (Citation: eSentire FIN7 July 2021) Scheduled Task, Visual Basic, JavaScript, Spearphishing Attachment, Ingress Tool Transfer, Malicious File, PowerShell
S0552 AdFind (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0681 Lizar (Citation: BiZone Lizar May 2021) (Citation: Gemini FIN7 Oct 2021) (Citation: Threatpost Lizar May 2021) (Citation: Tirion) Process Injection, Windows Command Shell, Browser Bookmark Discovery, Dynamic-link Library Injection, Native API, LSASS Memory, Windows Credential Manager, Screen Capture, System Owner/User Discovery, Deobfuscate/Decode Files or Information, PowerShell, Portable Executable Injection, Ingress Tool Transfer, Email Account, System Information Discovery, Security Software Discovery, Credentials from Web Browsers, Encrypted Channel, System Network Configuration Discovery, Process Discovery, Archive Collected Data, System Network Connections Discovery

References

  1. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  2. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  3. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels' Owner, Brown-Forman Inc. Retrieved September 20, 2021.
  4. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques. Retrieved October 11, 2019.
  5. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  6. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  7. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  8. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  9. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  10. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7's Monkey Thief. Retrieved July 27, 2020.
  11. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  12. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
  13. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
  14. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
  15. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  16. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  17. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  18. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
  19. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  20. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
