FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.[1][2][3][4][5][6]

ID: G0046
Associated Groups: GOLD NIAGARA, ITG14, Carbon Spider
Contributors: Edward Millington
Version: 3.0
Created: 31 May 2017
Last Modified: 04 October 2023

Associated Group Descriptions

Name Description
GOLD NIAGARA

[7]

ITG14

ITG14 shares campaign overlap with FIN7.[8]

Carbon Spider

[5]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.[9]

.006 Acquire Infrastructure: Web Services

FIN7 has set up Amazon S3 buckets to host trojanized digital products.[6]

Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]

Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][10][4]

.001 PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][11][12][6]

.003 Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.[4][10][6]

.005 Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][10][5]

.007 JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][10][4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]

Enterprise T1486 Data Encrypted for Impact

FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[5][6]

Enterprise T1005 Data from Local System

FIN7 has collected files and other sensitive information from a compromised network.[5]

Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.[12][13]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[14]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[5]

Enterprise T1210 Exploitation of Remote Services

FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.[5]

Enterprise T1008 Fallback Channels

FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.[15]

Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][16][6]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[17]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[11]

.005 Masquerading: Match Legitimate Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[5]

Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]

Enterprise T1027 .001 Obfuscated Files or Information: Binary Padding

FIN7 has used random junk code to obfuscate malware code.[6]

.010 Obfuscated Files or Information: Command Obfuscation

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[18][4][5]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN7 has utilized a variety of tools such as Cobalt Strike, PowerSploit, and the remote management tool, Atera for targeting efforts.[6]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN7 has used the command net group "domain admins" /domain to enumerate domain groups.[6]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][16][10][9][5]

.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.[5]

Enterprise T1219 Remote Access Software

FIN7 has utilized the remote management tool Atera to download malware to a compromised system.[6]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.[5]

.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.[5]

.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.[5]

Enterprise T1091 Replication Through Removable Media

FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.[12]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][11][4][10]

Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[16]

Enterprise T1608 .001 Stage Capabilities: Upload Malware

FIN7 has staged legitimate software, that was trojanized to contain an Atera agent installer, on Amazon S3.[6]

.004 Stage Capabilities: Drive-by Target

FIN7 has compromised a digital product website and modified multiple download links to point to trojanized versions of offered digital products.[6]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting PowerShell commands such as, Invoke-Kerberoast for credential access and to enable lateral movement.[5][6]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

FIN7 has gained initial access by compromising a victim's software supply chain.[6]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[2]

.011 System Binary Proxy Execution: Rundll32

FIN7 has used rundll32.exe to execute malware on a compromised network.[6]

Enterprise T1033 System Owner/User Discovery

FIN7 has used the command cmd.exe /C quser to collect user session information.[6]

Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.[5]

.002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[2][9][5]

Enterprise T1078 Valid Accounts

FIN7 has harvested valid administrative credentials for lateral movement.[5]

Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][16]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]

Enterprise T1047 Windows Management Instrumentation

FIN7 has used WMI to install malware on targeted systems.[9]

Software

ID Name References Techniques
S0552 AdFind [5] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0415 BOOSTWRITE [13] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, Obfuscated Files or Information, Shared Modules, Subvert Trust Controls: Code Signing
S0030 Carbanak [1][4][16][8][5][12][6] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture
S0154 Cobalt Strike [5][12][6] Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Hide Artifacts: Process Argument Spoofing, Impair Defenses: Disable or Modify Tools, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Native API, Network Service Discovery, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Protocol Tunneling, Proxy: Domain Fronting, Proxy: Internal Proxy, Query Registry, Reflective Code Loading, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Software Discovery, Subvert Trust Controls: Code Signing, System Binary Proxy Execution: Rundll32, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Windows Management Instrumentation
S0488 CrackMapExec [5] Account Discovery: Domain Account, Brute Force: Password Spraying, Brute Force: Password Guessing, Brute Force, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: Security Account Manager, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0417 GRIFFON [19][5][12] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Permission Groups Discovery: Domain Groups, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery
S0151 HALFBAKED [2][4] Command and Scripting Interpreter: PowerShell, Indicator Removal: File Deletion, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0648 JSS Loader [5] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: PowerShell, Ingress Tool Transfer, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0681 Lizar [20][21] Account Discovery: Email Account, Archive Collected Data, Browser Information Discovery, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Credentials from Web Browsers, Deobfuscate/Decode Files or Information, Encrypted Channel, Ingress Tool Transfer, Native API, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Process Injection: Portable Executable Injection, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery
S0002 Mimikatz [5] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Authentication Certificates, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0517 Pillowmint [22][5] Archive Collected Data, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Process Discovery, Process Injection: Asynchronous Procedure Call, Query Registry
S0145 POWERSOURCE [1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Query Registry
S0194 PowerSploit [5][6] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0416 RDFSNIFFER [13] Indicator Removal: File Deletion, Input Capture: Credential API Hooking, Native API
S0496 REvil [8][5][12] Access Token Manipulation: Create Process with Token, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Safe Mode Boot, Impair Defenses: Disable or Modify Tools, Indicator Removal: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Modify Registry, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Remote Services, Scripting, Service Stop, Service Stop, Standard Application Layer Protocol, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, Theft of Operational Information, User Execution: Malicious File, User Execution, Windows Management Instrumentation
S0390 SQLRat [10] Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Deobfuscate/Decode Files or Information, Indicator Removal: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information: Command Obfuscation, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0146 TEXTMATE [1] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell

References