FIN7 is a financially motivated threat group that has primarily targeted the retail and hospitality sectors, often using point-of-sale malware. It is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.[1][2]
- PowerShell - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2][3]
- Remote File Copy - FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[2]
- Registry Run Keys / Start Folder - FIN7 malware has created a Registry Run key pointing to its malicious LNK file to establish persistence.[2]
- Dynamic Data Exchange - FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[5]
1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
3. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.