Group: FIN7

ID: G0046
Aliases: FIN7

FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.[1][2]

Alias Descriptions

Techniques Used

  • PowerShell - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2][3]
  • Remote File Copy - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2]
  • Masquerading - FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.[3]
  • Mshta - FIN7 has used mshta.exe to run VBScript that executes malicious code on victim systems.[2]
  • Obfuscated Files or Information - FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[6]

Software