FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2] [3] [4]

ID: G0046
Version: 1.3
Created: 31 May 2017
Last Modified: 15 October 2019

Techniques Used

Domain ID Name Use
Enterprise T1138 Application Shimming

FIN7 has used application shim databases for persistence.[7]

Enterprise T1116 Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4]

Enterprise T1059 Command-Line Interface

FIN7 used cmd.exe to launch commands on the victim’s machine.[4]

Enterprise T1043 Commonly Used Port

FIN7 has used ports 53, 80, 443, and 8080 for C2.[4]

Enterprise T1173 Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[8]

Enterprise T1036 Masquerading

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[6]

Enterprise T1170 Mshta

FIN7 has used mshta.exe to run VBScript that executes malicious code on victim systems.[2]

Enterprise T1050 New Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]

Enterprise T1027 Obfuscated Files or Information

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[10][4]

Enterprise T1086 PowerShell

FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2][6]

Enterprise T1060 Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]

Enterprise T1105 Remote File Copy

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][5]

Enterprise T1053 Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][6][4][9]

Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[5]

Enterprise T1064 Scripting

FIN7 used SQL, VBS and JavaScript scripts to help perform tasks on the victim's machine.[4][9]

Enterprise T1023 Shortcut Modification

FIN7 created several .LNK files on the victim's machine.[4]

Enterprise T1193 Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][5][9]

Enterprise T1071 Standard Application Layer Protocol

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]

Enterprise T1204 User Execution

FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file.[2]

Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][5]

Enterprise T1497 Virtualization/Sandbox Evasion

FIN7 used images embedded into document lures that only activate the payload when a user double-clicks them, in order to avoid sandboxes.[2]

Enterprise T1102 Web Service

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]


Software

ID Name References Techniques
S0415 BOOSTWRITE [11] Code Signing, Deobfuscate/Decode Files or Information, DLL Search Order Hijacking, Execution through Module Load, Obfuscated Files or Information
S0030 Carbanak [1] [4] [5] Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Transfer Size Limits, Email Collection, File Deletion, Input Capture, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Remote Access Tools, Remote Desktop Protocol, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0417 GRIFFON [12] Permission Groups Discovery, PowerShell, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery
S0151 HALFBAKED [2] [4] File Deletion, PowerShell, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0145 POWERSOURCE [1] NTFS File Attributes, PowerShell, Query Registry, Registry Run Keys / Startup Folder, Remote File Copy, Standard Application Layer Protocol
S0416 RDFSNIFFER [11] Execution through API, File Deletion, Hooking
S0390 SQLRat [9] Deobfuscate/Decode Files or Information, File Deletion, Obfuscated Files or Information, PowerShell, Remote File Copy, Scheduled Task, Scripting, User Execution
S0146 TEXTMATE [1] Command-Line Interface, Standard Application Layer Protocol