1. Home
  2. Software
  3. GRIFFON

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. [1]

ID: S0417
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 11 October 2019
Last Modified: 23 June 2020
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[1]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[1]
.007 Command and Scripting Interpreter: JavaScript

GRIFFON is written in and executed as JavaScript.[1]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.[1]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

GRIFFON has used sctasks for persistence. [1]
Enterprise T1113 Screen Capture

GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.[1]
Enterprise T1082 System Information Discovery

GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .[1]
Enterprise T1124 System Time Discovery

GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[1]

Groups That Use This Software

ID Name References
G0046 FIN7

[1][2][3]

References

  1. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  2. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  1. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.