FIN7

FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.[1][2][3][4]

ID: G0046
Version: 1.4
Created: 31 May 2017
Last Modified: 24 June 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]

Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][9]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][6]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FIN7 used the command prompt to launch commands on the victim's machine.[4][9]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][9]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript/JScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][9]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[7]

Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][5]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[8]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[6]

Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]

Enterprise T1027 Obfuscated Files or Information

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[10][4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][5][9]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][6][4][9]

Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[5]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to run VBScript that executes malicious code on victim systems.[2]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors, and other staging tools to bypass security controls.[3][4]

Enterprise T1204 .002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent, which would then execute a hidden LNK file.[2]

Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][5]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded in document lures that only activate the payload when a user double-clicks them, in order to evade sandboxes.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]

Software

ID Name References Techniques

S0415 BOOSTWRITE [11]
Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, Obfuscated Files or Information, Shared Modules, Subvert Trust Controls: Code Signing

S0030 Carbanak [1][4][5]
Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture

S0417 GRIFFON [12]
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript/JScript, Permission Groups Discovery: Domain Groups, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery

S0151 HALFBAKED [2][4]
Command and Scripting Interpreter: PowerShell, Indicator Removal on Host: File Deletion, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation

S0145 POWERSOURCE [1]
Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Query Registry

S0416 RDFSNIFFER [11]
Indicator Removal on Host: File Deletion, Input Capture: Credential API Hooking, Native API

S0390 SQLRat [9]
Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File

S0146 TEXTMATE [1]
Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell

References