FIN7

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2] [3] [4]

ID: G0046
Version: 1.2

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1138 | Application Shimming | FIN7 has used application shim databases for persistence. [7] |
| Enterprise | T1116 | Code Signing | FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls. [3] [4] |
| Enterprise | T1059 | Command-Line Interface | FIN7 used cmd.exe to launch commands on the victim's machine. [4] |
| Enterprise | T1043 | Commonly Used Port | FIN7 has used ports 53, 80, 443, and 8080 for C2. [4] |
| Enterprise | T1173 | Dynamic Data Exchange | FIN7 spearphishing campaigns have included malicious Word documents with DDE execution. [8] |
| Enterprise | T1036 | Masquerading | FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence. [6] |
| Enterprise | T1170 | Mshta | FIN7 has used mshta.exe to execute VBScript that runs malicious code on victim systems. [2] |
| Enterprise | T1050 | New Service | FIN7 created new Windows services and added them to the startup directories for persistence. [4] |
| Enterprise | T1027 | Obfuscated Files or Information | FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionality to obfuscate commands. [10] [4] |
| Enterprise | T1086 | PowerShell | FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload. [2] [6] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder. [2] [4] |
| Enterprise | T1105 | Remote File Copy | FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. [2] [5] |
| Enterprise | T1053 | Scheduled Task | FIN7 malware has created scheduled tasks to establish persistence. [2] [6] [4] [9] |
| Enterprise | T1113 | Screen Capture | FIN7 captured screenshots and desktop video recordings. [5] |
| Enterprise | T1064 | Scripting | FIN7 used SQL, VBS and JavaScript scripts to help perform tasks on the victim's machine. [4] [9] |
| Enterprise | T1023 | Shortcut Modification | FIN7 created several .LNK files on the victim's machine. [4] |
| Enterprise | T1193 | Spearphishing Attachment | FIN7 sent spearphishing emails with either malicious Microsoft Office documents or RTF files attached. [2] [5] [9] |
| Enterprise | T1071 | Standard Application Layer Protocol | FIN7 has performed C2 using DNS via A, OPT, and TXT records. [4] |
| Enterprise | T1204 | User Execution | FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file. [2] |
| Enterprise | T1125 | Video Capture | FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment. [4] [5] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | FIN7 used images embedded into document lures that only activate the payload when a user double-clicks, in order to evade sandboxes. [2] |
| Enterprise | T1102 | Web Service | FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2. [4] |
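As an added illustration, not part of this ATT&CK page, the following Python detection pass runs over constructed Sysmon-style events and flags three of the behaviours in the table above: the "AdobeFlashSync" scheduled task (T1053/T1036), mshta.exe executing inline VBScript (T1170), and TXT-record DNS lookups from unexpected processes (T1071). The event schema, the sample domain names and the allowlist of binaries expected to issue TXT lookups are assumptions.

```python
import re

# Assumed allowlist of binaries for which TXT lookups are routine (hypothetical; tune per estate).
EXPECTED_TXT_CLIENTS = ("nslookup.exe", "dig.exe")

# Each rule: technique IDs cited on the page, a short description, and a predicate over one event.
RULES = [
    (("T1053", "T1036"), "scheduled task named 'AdobeFlashSync'",
     lambda e: e["type"] == "task_created"
     and e["task_name"].lower() == "adobeflashsync"),
    (("T1170",), "mshta.exe executing inline VBScript",
     lambda e: e["type"] == "process"
     and e["image"].lower().endswith("mshta.exe")
     and re.search(r"\bvbscript:", e["cmdline"], re.I) is not None),
    (("T1071",), "DNS TXT query from a process that does not normally issue them",
     lambda e: e["type"] == "dns_query" and e["qtype"] == "TXT"
     and not e["image"].lower().endswith(EXPECTED_TXT_CLIENTS)),
]


def detect(events):
    """Return one hit per (event, rule) match, tagged with the page's technique IDs."""
    hits = []
    for ev in events:
        for ids, desc, pred in RULES:
            if pred(ev):
                hits.append({"event_id": ev["id"], "techniques": ids, "desc": desc})
    return hits


# Constructed sample telemetry (Sysmon-style fields); these are not real captures.
SAMPLE_EVENTS = [
    {"id": 1, "type": "task_created", "task_name": "AdobeFlashSync", "user": "alice"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe vbscript:<redacted inline script>"},
    {"id": 3, "type": "dns_query", "qtype": "TXT", "qname": "c2.example",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
    {"id": 5, "type": "dns_query", "qtype": "A", "qname": "www.example",
     "image": r"C:\Program Files\Browser\browser.exe"},
    {"id": 6, "type": "task_created", "task_name": "GoogleUpdateTaskMachineCore", "user": "SYSTEM"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):  # events 1, 2 and 3 match; 4, 5 and 6 do not
        print(hit)
```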

Software

| ID | Name | References | Techniques |
| --- | --- | --- | --- |
| S0030 | Carbanak | [1] [4] [5] | Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Transfer Size Limits, Email Collection, File Deletion, Input Capture, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Remote Access Tools, Remote Desktop Protocol, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol |
| S0151 | HALFBAKED | [2] [4] | File Deletion, PowerShell, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation |
| S0145 | POWERSOURCE | [1] | NTFS File Attributes, PowerShell, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol |
| S0390 | SQLRat | [9] | Deobfuscate/Decode Files or Information, File Deletion, Obfuscated Files or Information, PowerShell, Remote File Copy, Scheduled Task, Scripting, User Execution |
| S0146 | TEXTMATE | [1] | Command-Line Interface, Standard Application Layer Protocol |

References