FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1138 | Application Shimming | FIN7 has used application shim databases for persistence. |
| Enterprise | T1116 | Code Signing | FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls. |
| Enterprise | T1059 | Command-Line Interface | FIN7 used cmd.exe to launch commands on the victim's machine. |
| Enterprise | T1043 | Commonly Used Port | FIN7 has used ports 53, 80, 443, and 8080 for C2. |
| Enterprise | T1173 | Dynamic Data Exchange | FIN7 spear phishing campaigns have included malicious Word documents with DDE execution. |
| Enterprise | T1036 | Masquerading | FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence. |
| Enterprise | T1170 | Mshta | FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems. |
| Enterprise | T1050 | New Service | FIN7 created new Windows services and added them to the startup directories for persistence. |
| Enterprise | T1027 | Obfuscated Files or Information | FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands. |
| Enterprise | T1086 | PowerShell | FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload. |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. |
| Enterprise | T1105 | Remote File Copy | FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. |
| Enterprise | T1053 | Scheduled Task | FIN7 malware has created scheduled tasks to establish persistence. |
| Enterprise | T1113 | Screen Capture | FIN7 captured screenshots and desktop video recordings. |
| Enterprise | T1023 | Shortcut Modification | FIN7 created several .LNK files on the victim's machine. |
| Enterprise | T1193 | Spearphishing Attachment | FIN7 sent spearphishing emails with either malicious Microsoft documents or RTF files attached. |
| Enterprise | T1071 | Standard Application Layer Protocol | FIN7 has performed C2 using DNS via A, OPT, and TXT records. |
| Enterprise | T1204 | User Execution | FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file. |
| Enterprise | T1125 | Video Capture | FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment. |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | FIN7 used images embedded into document lures that only activate the payload when a user double-clicks, to avoid sandboxes. |
| Enterprise | T1102 | Web Service | FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2. |
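The T1071 row above notes that FIN7 has carried C2 over DNS using A, OPT, and TXT records. The following is an added detection example, not code from MITRE ATT&CK or from any of the cited reports: it runs over a constructed DNS query log (the log format, the hostnames, and the thresholds are assumptions) and flags a client that repeatedly issues TXT queries whose leftmost label looks like encoded data, which is the traffic shape a defender would hunt for when looking for TXT-record C2 or tunnelling.

```python
import re
from collections import defaultdict
from math import log2

# Constructed sample DNS query log (not from any real incident).
# Assumed line format: "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2019-06-18T10:00:01Z 10.0.0.5 www.example.com A
2019-06-18T10:00:03Z 10.0.0.5 a9f3c1d0e7b2.update-check.example.net TXT
2019-06-18T10:00:08Z 10.0.0.5 4b81e2f9c0aa.update-check.example.net TXT
2019-06-18T10:00:13Z 10.0.0.5 d3e7f00a19c4.update-check.example.net TXT
2019-06-18T10:00:18Z 10.0.0.5 77bc2e41f5d6.update-check.example.net TXT
2019-06-18T10:00:23Z 10.0.0.5 e10f9a3c7b58.update-check.example.net TXT
2019-06-18T10:00:30Z 10.0.0.7 mail.example.com MX
2019-06-18T10:00:31Z 10.0.0.7 _dmarc.example.com TXT
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def parent_domain(qname, levels=2):
    """Crude registered-domain approximation: the last `levels` labels.
    Assumption: no public-suffix list is available offline, so
    multi-label suffixes such as co.uk are not handled."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-levels:])


def detect_txt_tunneling(text, min_queries=4, min_entropy=3.0):
    """Flag (client, parent_domain) pairs with at least `min_queries` TXT
    queries whose leftmost label has mean entropy >= `min_entropy` bits/char.
    Legitimate TXT lookups (_dmarc, SPF, verification records) are few and
    use low-entropy labels, so they fall below both thresholds.
    Returns a list of findings sorted by query count, then client."""
    buckets = defaultdict(list)
    for _ts, client, qname, qtype in parse_log(text):
        if qtype.upper() != "TXT":
            continue
        leftmost = qname.split(".")[0]
        buckets[(client, parent_domain(qname))].append(shannon_entropy(leftmost))

    findings = []
    for (client, domain), ents in buckets.items():
        mean_ent = sum(ents) / len(ents)
        if len(ents) >= min_queries and mean_ent >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "count": len(ents),
                "mean_entropy": round(mean_ent, 2),
            })
    return sorted(findings, key=lambda f: (-f["count"], f["client"]))


if __name__ == "__main__":
    for finding in detect_txt_tunneling(SAMPLE_LOG):
        print(finding)
```

On the constructed log, only the 10.0.0.5 client's run of TXT queries against example.net is flagged; the single `_dmarc` lookup from 10.0.0.7 stays below the count threshold. In production the thresholds should be tuned per resolver and the crude `parent_domain` replaced with a public-suffix-list lookup, and the same bucketing can be extended to A-record queries with long encoded labels, which the page also lists as a FIN7 C2 channel.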