FIN7

FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 has shifted operations to a big game hunting (BGH) approach, including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appear to be several groups using Carbanak malware, so they are tracked separately.[1][2][3][4][5][6]

ID: G0046
Associated Groups: GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
Contributors: Edward Millington
Version: 4.0
Created: 31 May 2017
Last Modified: 17 April 2024

Associated Group Descriptions

Name             Description
GOLD NIAGARA     [7]
ITG14            ITG14 shares campaign overlap with FIN7.[8]
Carbon Spider    [5]
ELBRUS           [9]
Sangria Tempest  [10]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FIN7 has used WMI to install malware on targeted systems.[11]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[12]

Enterprise T1005 Data from Local System

FIN7 has collected files and other sensitive information from a compromised network.[5]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[13]

.005 Masquerading: Match Legitimate Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[5]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

FIN7 has gained initial access by compromising a victim's software supply chain.[6]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]

Enterprise T1190 Exploit Public-Facing Application

FIN7 has compromised targeted organizations through exploitation of CVE-2021-31207 in Exchange.[9]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]

Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][14]

.001 PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][13][15][6]

.003 Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.[4][14][6]

.005 Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][14][5]

.007 JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][14]

Enterprise T1008 Fallback Channels

FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.[16]

Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[17]

Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]

Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.[15][18]

Enterprise T1486 Data Encrypted for Impact

FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[5][6]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

FIN7 has staged legitimate software that was trojanized to contain an Atera agent installer on Amazon S3.[6]

.004 Stage Capabilities: Drive-by Target

FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products.[6]

Enterprise T1078 Valid Accounts

FIN7 has harvested valid administrative credentials for lateral movement.[5]

.003 Local Accounts

FIN7 has used compromised credentials for access as SYSTEM on Exchange servers.[9]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN7 has used the command net group "domain admins" /domain to enumerate domain groups.[6]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

FIN7 has used random junk code to obfuscate malware code.[6]

.010 Obfuscated Files or Information: Command Obfuscation

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[19][4][5]

Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.[5]

.002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[2][11][5]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting PowerShell commands such as Invoke-Kerberoast for credential access and to enable lateral movement.[5][6]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to execute VBScript that runs malicious code on victim systems.[2]

.011 System Binary Proxy Execution: Rundll32

FIN7 has used rundll32.exe to execute malware on a compromised network.[6]

Enterprise T1033 System Owner/User Discovery

FIN7 has used the command cmd.exe /C quser to collect user session information.[6]

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]

Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.[11]

.006 Acquire Infrastructure: Web Services

FIN7 has set up Amazon S3 buckets to host trojanized digital products.[6]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN7 has utilized a variety of tools, such as Cobalt Strike, PowerSploit, and the remote management tool Atera, for targeting efforts.[6]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded in document lures that only activate the payload when a user double-clicks them, in order to avoid sandboxes.[2]

Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][17]

Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][17][6]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[20]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.[5]

.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.[5]

.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.[5]

Enterprise T1210 Exploitation of Remote Services

FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.[5]

Enterprise T1219 Remote Access Software

FIN7 has utilized the remote management tool Atera to download malware to a compromised system.[6]

Enterprise T1091 Replication Through Removable Media

FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.[15]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][17][14][11][5]

.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.[5]

Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][13][4][14]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4]

Software

ID Name References Techniques
S0552 AdFind [5] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S0415 BOOSTWRITE [18] Shared Modules, Hijack Execution Flow: DLL Search Order Hijacking, Deobfuscate/Decode Files or Information, Obfuscated Files or Information: Encrypted/Encoded File, Subvert Trust Controls: Code Signing
S0030 Carbanak [1][4][17][8][5][15][6] Create Account: Local Account, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, OS Credential Dumping, Data Transfer Size Limits, Data Encoding: Standard Encoding, Query Registry, Obfuscated Files or Information, Email Collection: Local Email Collection, Indicator Removal: File Deletion, Input Capture: Keylogging, Process Discovery, Process Injection: Portable Executable Injection, Remote Services: Remote Desktop Protocol, Remote Access Software
S0154 Cobalt Strike [5][15][6] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0488 CrackMapExec [5] Windows Management Instrumentation, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Command and Scripting Interpreter: PowerShell, Password Policy Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, File and Directory Discovery, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Permission Groups Discovery: Domain Groups, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Account Discovery: Domain Account, Remote System Discovery, Scheduled Task/Job: At
S0417 GRIFFON [21][5][15][9] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Screen Capture, Permission Groups Discovery: Domain Groups, System Information Discovery, System Time Discovery, Scheduled Task/Job: Scheduled Task
S0151 HALFBAKED [2][4] Windows Management Instrumentation, Command and Scripting Interpreter: PowerShell, Screen Capture, Indicator Removal: File Deletion, System Information Discovery, Process Discovery
S0648 JSS Loader [5][9] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, User Execution: Malicious File, Ingress Tool Transfer, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task
S0681 Lizar [22][23] Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Encrypted Channel, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, Archive Collected Data, OS Credential Dumping: LSASS Memory, Native API, Browser Information Discovery, System Information Discovery, System Owner/User Discovery, System Network Connections Discovery, System Network Configuration Discovery, Account Discovery: Email Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Process Injection: Portable Executable Injection
S0449 Maze [9] Windows Management Instrumentation, Masquerading: Masquerade Task or Service, Dynamic Resolution, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encrypted for Impact, Service Stop, Native API, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Indicator Removal, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, System Information Discovery, System Shutdown/Reboot, Inhibit System Recovery, System Network Connections Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Hide Artifacts: Run Virtual Instance, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [5] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0517 Pillowmint [24][5] Event Triggered Execution: Application Shimming, Data from Local System, Modify Registry, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: PowerShell, Archive Collected Data, Native API, Query Registry, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Process Discovery, Process Injection: Asynchronous Procedure Call
S0145 POWERSOURCE [1] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: DNS, Query Registry, Ingress Tool Transfer, Hide Artifacts: NTFS File Attributes
S0194 PowerSploit [5][6] Windows Management Instrumentation, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Create or Modify System Process: Windows Service, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Reflective Code Loading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Domain Trust Discovery, Screen Capture, OS Credential Dumping: LSASS Memory, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Query Registry, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, Steal or Forge Kerberos Tickets: Kerberoasting, Access Token Manipulation, Account Discovery: Local Account, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Audio Capture, Scheduled Task/Job: Scheduled Task
S0416 RDFSNIFFER [18] Native API, Indicator Removal: File Deletion, Input Capture: Credential API Hooking
S0496 REvil [8][5][15][9] Loss of Productivity and Revenue, Masquerading, Remote Services, Scripting, Service Stop, Standard Application Layer Protocol, Theft of Operational Information, User Execution, Windows Management Instrumentation, Masquerading: Match Legitimate Name or Location, Modify Registry, Encrypted Channel: Asymmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Impair Defenses: Safe Mode Boot, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Execution Guardrails: Mutual Exclusion, Data Encrypted for Impact, Data Destruction, File and Directory Discovery, Service Stop, Native API, Permission Groups Discovery: Domain Groups, Query Registry, Browser Attack, Obfuscated Files or Information: Encrypted/Encoded File, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, Indicator Removal: File Deletion, System Location Discovery: System Language Discovery, System Information Discovery, Inhibit System Recovery, System Service Discovery, Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Ingress Tool Transfer, Process Injection, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment
S0390 SQLRat [14] Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Obfuscated Files or Information: Command Obfuscation, User Execution: Malicious File, Indicator Removal: File Deletion, Ingress Tool Transfer, Scheduled Task/Job: Scheduled Task
S0146 TEXTMATE [1] Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: DNS

References

  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  3. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  4. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  5. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  6. Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
  7. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
  8. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  9. Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
  10. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
  11. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels' Owner, Brown-Forman Inc. Retrieved September 20, 2021.
  12. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.