FIN7
Associated Group Descriptions |
|
Name | Description |
---|---|
Carbon Spider | (Citation: CrowdStrike Carbon Spider August 2021) |
ELBRUS | (Citation: Microsoft Ransomware as a Service) |
Sangria Tempest | (Citation: Microsoft Threat Actor Naming July 2023) |
GOLD NIAGARA | (Citation: Secureworks GOLD NIAGARA Threat Profile) |
ITG14 | ITG14 shares campaign overlap with FIN7.(Citation: IBM Ransomware Trends September 2020) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
FIN7 has registered look-alike domains for use in phishing campaigns.(Citation: eSentire FIN7 July 2021) |
.006 | Acquire Infrastructure: Web Services |
FIN7 has set up Amazon S3 buckets to host trojanized digital products.(Citation: Mandiant FIN7 Apr 2022) |
||
Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
FIN7 has performed C2 using DNS via A, OPT, and TXT records.(Citation: FireEye FIN7 Aug 2018) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.(Citation: FireEye FIN7 April 2017)(Citation: FireEye FIN7 Aug 2018) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FBI Flash FIN7 USB)(Citation: Mandiant FIN7 Apr 2022) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
FIN7 used the command prompt to launch commands on the victim’s machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: Mandiant FIN7 Apr 2022) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
FIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021) |
||
.007 | Command and Scripting Interpreter: JavaScript |
FIN7 used JavaScript scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: FireEye FIN7 Aug 2018) |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
FIN7 created new Windows services and added them to the startup directories for persistence.(Citation: FireEye FIN7 Aug 2018) |
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
FIN7 has developed malware for use in operations, including the creation of infected removable media.(Citation: FBI Flash FIN7 USB)(Citation: FireEye FIN7 Oct 2019) |
Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
FIN7 has used application shim databases for persistence.(Citation: FireEye FIN7 Shim Databases) |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
FIN7 has exfiltrated stolen data to the MEGA file sharing site.(Citation: CrowdStrike Carbon Spider August 2021) |
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.(Citation: CyberScoop FIN7 Oct 2017) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017) |
.005 | Masquerading: Match Legitimate Name or Location |
FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.(Citation: CrowdStrike Carbon Spider August 2021) |
||
Enterprise | T1027 | .001 | Obfuscated Files or Information: Binary Padding |
FIN7 has used random junk code to obfuscate malware code.(Citation: Mandiant FIN7 Apr 2022) |
.010 | Obfuscated Files or Information: Command Obfuscation |
FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool, Atera for targeting efforts.(Citation: Mandiant FIN7 Apr 2022) |
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
FIN7 has used the command `net group "domain admins" /domain` to enumerate domain groups.(Citation: Mandiant FIN7 Apr 2022) |
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021) |
.002 | Phishing: Spearphishing Link |
FIN7 has conducted broad phishing campaigns using malicious links.(Citation: CrowdStrike Carbon Spider August 2021) |
||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
FIN7 has used RDP to move laterally in victim environments.(Citation: CrowdStrike Carbon Spider August 2021) |
.004 | Remote Services: SSH |
FIN7 has used SSH to move laterally through victim environments.(Citation: CrowdStrike Carbon Spider August 2021) |
||
.005 | Remote Services: VNC |
FIN7 has used TightVNC to control compromised hosts.(Citation: CrowdStrike Carbon Spider August 2021) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
FIN7 malware has created scheduled tasks to establish persistence.(Citation: FireEye FIN7 April 2017)(Citation: Morphisec FIN7 June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019) |
Enterprise | T1608 | .001 | Stage Capabilities: Upload Malware |
FIN7 has staged legitimate software, that was trojanized to contain an Atera agent installer, on Amazon S3.(Citation: Mandiant FIN7 Apr 2022) |
.004 | Stage Capabilities: Drive-by Target |
FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products.(Citation: Mandiant FIN7 Apr 2022) |
||
Enterprise | T1558 | .003 | Steal or Forge Kerberos Tickets: Kerberoasting |
FIN7 has used Kerberoasting PowerShell commands such as, `Invoke-Kerberoast` for credential access and to enable lateral movement.(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022) |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018) |
Enterprise | T1195 | .002 | Supply Chain Compromise: Compromise Software Supply Chain |
FIN7 has gained initial access by compromising a victim's software supply chain.(Citation: Mandiant FIN7 Apr 2022) |
Enterprise | T1218 | .005 | System Binary Proxy Execution: Mshta |
FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.(Citation: FireEye FIN7 April 2017) |
.011 | System Binary Proxy Execution: Rundll32 |
FIN7 has used `rundll32.exe` to execute malware on a compromised network.(Citation: Mandiant FIN7 Apr 2022) |
||
Enterprise | T1204 | .001 | User Execution: Malicious Link |
FIN7 has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021) |
.002 | User Execution: Malicious File |
FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.(Citation: FireEye FIN7 April 2017)(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021) |
||
Enterprise | T1078 | .003 | Valid Accounts: Local Accounts |
FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.(Citation: Microsoft Ransomware as a Service) |
Enterprise | T1497 | .002 | Virtualization/Sandbox Evasion: User Activity Based Checks |
FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.(Citation: FireEye FIN7 April 2017) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.(Citation: FireEye FIN7 Aug 2018) |
References
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
- Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
- eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
- Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
- Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
- Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
- Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
- Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022.
- Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.
- CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.