FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as the Carbanak Group, but these appear to be two distinct groups that share the Carbanak malware, so they are tracked separately. [1] [2] [3] [4]

ID: G0046
Version: 1.1

Techniques Used

Domain | ID | Name | Use
Enterprise | T1138 | Application Shimming | FIN7 has used application shim databases for persistence.[5]
Enterprise | T1116 | Code Signing | FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors, and other staging tools to bypass security controls.[3][4]
Enterprise | T1059 | Command-Line Interface | FIN7 used cmd.exe to launch commands on the victim's machine.[4]
Enterprise | T1043 | Commonly Used Port | FIN7 has used ports 53, 80, 443, and 8080 for C2.[4]
Enterprise | T1173 | Dynamic Data Exchange | FIN7 spearphishing campaigns have included malicious Word documents with DDE execution.[6]
Enterprise | T1036 | Masquerading | FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[7]
Enterprise | T1170 | Mshta | FIN7 has used mshta.exe to run VBScript that executes malicious code on victim systems.[2]
Enterprise | T1050 | New Service | FIN7 created new Windows services and added them to the startup directories for persistence.[4]
Enterprise | T1027 | Obfuscated Files or Information | FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionality to obfuscate commands.[8][4]
Enterprise | T1086 | PowerShell | FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2][7]
Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]
Enterprise | T1105 | Remote File Copy | FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][9]
Enterprise | T1053 | Scheduled Task | FIN7 malware has created scheduled tasks to establish persistence.[2][7][4]
Enterprise | T1113 | Screen Capture | FIN7 captured screenshots and desktop video recordings.[9]
Enterprise | T1064 | Scripting | FIN7 used VBS and JavaScript scripts to help perform tasks on the victim's machine.[4]
Enterprise | T1023 | Shortcut Modification | FIN7 created several .LNK files on the victim's machine.[4]
Enterprise | T1193 | Spearphishing Attachment | FIN7 sent spearphishing emails with either malicious Microsoft Office documents or RTF files attached.[2][9]
Enterprise | T1071 | Standard Application Layer Protocol | FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]
Enterprise | T1204 | User Execution | FIN7 lured victims to double-click images in the attachments they sent, which would then execute the hidden LNK file.[2]
Enterprise | T1125 | Video Capture | FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][9]
Enterprise | T1497 | Virtualization/Sandbox Evasion | FIN7 embedded images in document lures that activate the payload only when a user double-clicks them, which evades sandboxes that do not simulate user interaction.[2]
Enterprise | T1102 | Web Service | FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]
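
The command-line obfuscation (T1027), mshta (T1170), masqueraded scheduled task (T1036) and Office-launched execution rows above are the ones a detection engineer would most want to turn into rules. The following is an added example written for this page, not FIN7 tooling, a reference's code, or MITRE's own: it runs a handful of regex rules over constructed process-creation events (the field names assume a Sysmon Event ID 1 style layout; every path and command line is made up for illustration) and reports which rule fired on which event.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events in a Sysmon Event ID 1 / Windows 4688 style.
# Field names, paths and command lines are assumptions for this example, not FIN7 samples.
SAMPLE_EVENTS = [
    {   # Word spawning cmd.exe; target hidden behind %var:~start,len% substring expansion
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "set c=C:\Windows\System32\calc.exe&& call %c:~0,32%"'},
    {   # %var:old=new% character replacement rebuilds "powerShell" from "NowerShell"
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c "set "p=NowerShell" && call %p:N=p% -nop -w hidden -c Get-Date"'},
    {   # command delivered over stdin (echo | cmd), so the inner command never shows in argv
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "echo powershell -nop -w hidden -c Get-Date | cmd"'},
    {   # Word spawning mshta.exe with an inline vbscript: URI
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"",0:close")'},
    {   # vendor-sounding task name, but the action lives in a user-writable directory
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc minute /mo 5 /tn AdobeFlashSync /tr "C:\Users\alice\AppData\Roaming\Adobe\sync.vbs" /f'},
    {   # benign: installer-created task whose action is under Program Files
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks /create /sc daily /tn "Adobe Acrobat Update Task" /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
    {   # benign: ordinary variable expansion, no substring or replacement syntax
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c echo %USERPROFILE%"},
    {   # caret-fragmented string: cmd strips the ^ escapes and runs "powershell"
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c p^o^w^e^r^s^h^e^l^l -nop -c Get-Date"},
]

ENV_SUBSTRING  = re.compile(r"%[A-Za-z_]\w*:~\s*-?\d+")            # %v:~0,3%
ENV_REPLACE    = re.compile(r"%[A-Za-z_]\w*:[^=%~]+=[^%]*%")        # %v:x=y%
STDIN_DELIVERY = re.compile(r"\becho\b.*\|\s*cmd(?:\.exe)?\b|\bset\s+/p\b", re.I)
CARET_FRAGMENT = re.compile(r"(?:\^[A-Za-z]){3,}")                  # p^o^w^e
MSHTA_VBSCRIPT = re.compile(r"\bmshta(?:\.exe)?\b.*\bvbscript:", re.I)
TASK_ACTION    = re.compile(r"/tr\s+(?:\"([^\"]+)\"|(\S+))", re.I)  # schtasks /tr <action>
USER_WRITABLE  = re.compile(r"\\(?:AppData|Temp|Users\\Public)\\", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def basename(path):
    return PureWindowsPath(path).name.lower()


def is_cmd(event):
    return basename(event["Image"]) == "cmd.exe"


def schtasks_action_user_writable(event):
    """Task creation whose /tr action runs from a directory any user can write to."""
    cmd = event["CommandLine"]
    if basename(event["Image"]) != "schtasks.exe" or "/create" not in cmd.lower():
        return False
    m = TASK_ACTION.search(cmd)
    return bool(m and USER_WRITABLE.search(m.group(1) or m.group(2)))


RULES = [
    ("office_spawns_shell", lambda e: basename(e["ParentImage"]) in OFFICE_APPS
                                   and basename(e["Image"]) in SHELL_HOSTS),
    ("cmd_env_substring",   lambda e: is_cmd(e) and bool(ENV_SUBSTRING.search(e["CommandLine"]))),
    ("cmd_env_replace",     lambda e: is_cmd(e) and bool(ENV_REPLACE.search(e["CommandLine"]))),
    ("cmd_stdin",           lambda e: is_cmd(e) and bool(STDIN_DELIVERY.search(e["CommandLine"]))),
    ("cmd_caret_fragment",  lambda e: is_cmd(e) and bool(CARET_FRAGMENT.search(e["CommandLine"]))),
    ("mshta_vbscript",      lambda e: basename(e["Image"]) == "mshta.exe"
                                   and bool(MSHTA_VBSCRIPT.search(e["CommandLine"]))),
    ("schtasks_user_writable", schtasks_action_user_writable),
]


def scan(events):
    """Return (event index, rule name) for every rule that fires on every event."""
    return [(i, name) for i, e in enumerate(events) for name, check in RULES if check(e)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two benign events are there on purpose: plain `%USERPROFILE%` expansion and an installer task under Program Files must not fire, otherwise the substring and scheduled-task rules drown in noise. The stdin rule exists because the payload of `echo ... | cmd` only appears in the child's stdin, so a rule keyed on the child's command line alone would miss it; the parent's command line is where it is visible.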


Software

ID | Name | References | Techniques
S0030 | Carbanak | [1][4][9] | Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Transfer Size Limits, Email Collection, File Deletion, Input Capture, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Remote Access Tools, Remote Desktop Protocol, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0151 | HALFBAKED | [2][4] | File Deletion, PowerShell, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0145 | POWERSOURCE | [1] | NTFS File Attributes, PowerShell, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0146 | TEXTMATE | [1] | Command-Line Interface, Standard Application Layer Protocol
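
The Standard Application Layer Protocol row above (DNS C2 over A, OPT and TXT records) and the software entries that list the same technique are the reason DNS query logs matter for this group. The following is an added example written for this page, not code from the references or from any FIN7 sample: it profiles a constructed resolver log (the line layout and the domain stage-updates.net are assumptions) per registered domain and flags domains whose subdomain labels look like encoded data and whose query mix is TXT-heavy.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log, one query per line: "<epoch> <client> <qname> <qtype>".
# The line layout and the domain stage-updates.net are assumptions for this example;
# none of these lines are FIN7 traffic.
SAMPLE_DNS_LOG = """\
1550000001 10.0.0.15 www.example.com A
1550000002 10.0.0.15 mail.example.com A
1550000003 10.0.0.15 _dmarc.example.com TXT
1550000004 10.0.0.15 www.example.com A
1550000005 10.0.0.42 ns1.stage-updates.net A
1550000006 10.0.0.42 a1f3e9c2d4b7k8m6.stage-updates.net TXT
1550000007 10.0.0.42 q5z0x8w2v6u4t9s1.stage-updates.net TXT
1550000008 10.0.0.42 h7j3n1p5r9l2g4d8.stage-updates.net TXT
1550000009 10.0.0.42 b2c4e6f8a0d1k3m5.stage-updates.net TXT
1550000010 10.0.0.42 y3w5u7s9q1o2m4k6.stage-updates.net TXT
1550000011 10.0.0.42 t0r2p4n6l8j1h3f5.stage-updates.net TXT
"""


def shannon_entropy(text):
    """Bits per character; random-looking encoded labels score high, real words score low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname):
    """Naive split into (registered domain = last two labels, subdomain). Production code
    must use the public suffix list, otherwise example.co.uk collapses to co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_domains(log_text):
    """Per registered domain: query count, TXT count, unique subdomains, and the summed
    entropy of the leftmost label (the label a DNS C2 channel usually encodes data into)."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "labelled": 0,
                                 "subdomains": set(), "entropy": 0.0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # malformed line: skip rather than crash
        _, _, qname, qtype = parts
        domain, sub = split_qname(qname)
        s = stats[domain]
        s["queries"] += 1
        s["txt"] += int(qtype.upper() == "TXT")
        if sub:
            s["labelled"] += 1
            s["subdomains"].add(sub)
            s["entropy"] += shannon_entropy(sub.split(".")[0])
    return stats


def suspicious_domains(log_text, min_unique=5, min_txt_ratio=0.5, min_entropy=3.0):
    """Domains with many distinct, high-entropy subdomains and a TXT-heavy query mix.
    Returns (domain, unique subdomains, TXT ratio, mean label entropy) per hit."""
    hits = []
    for domain, s in sorted(profile_domains(log_text).items()):
        unique = len(s["subdomains"])
        if unique == 0:
            continue
        txt_ratio = s["txt"] / s["queries"]
        mean_entropy = s["entropy"] / s["labelled"]
        if unique >= min_unique and txt_ratio >= min_txt_ratio and mean_entropy >= min_entropy:
            hits.append((domain, unique, round(txt_ratio, 2), round(mean_entropy, 2)))
    return hits


if __name__ == "__main__":
    for domain, unique, txt_ratio, entropy in suspicious_domains(SAMPLE_DNS_LOG):
        print(f"{domain}: {unique} unique subdomains, TXT ratio {txt_ratio}, entropy {entropy}")
```

OPT is an EDNS0 pseudo-record carried in the additional section of a message, not a type you query for, so it never shows up in a query log like this one; if your resolver logs EDNS option data or response sizes, profile those the same way. The three thresholds are starting points, not tuned values: baseline them against your own traffic (CDNs and some telemetry vendors legitimately produce many high-entropy labels) before alerting.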