13 May 2019

FIN7 APT has broadened activities despite the arrest of its leaders

It seems that the arrests last August of three key members of the notorious FIN7 cyber threat group have done little to stop its malicious activities. According to an extensive report from Kaspersky Lab, the gang ran spear-phishing campaigns throughout 2018 that used the GRIFFON malware to target approximately 130 companies.

FIN7 is a well-known, financially motivated group that has been operating since at least 2015. It is believed to be responsible for attacks on at least 100 US-based firms, most of them in the hospitality, restaurant and gaming industries. According to Kaspersky Lab, the group works in close collaboration with the infamous Carbanak gang; while the latter focuses mainly on banks, FIN7 mostly targets businesses.

In the 2018 campaigns FIN7 distributed the malware via email. Over the course of weeks, operators exchanged messages with their unsuspecting victims, and only after establishing this trusted connection did they deliver malicious documents as attachments.

In the attacks FIN7 has been using two types of malicious documents. “The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as ‘12345’, ‘1234’, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent,” wrote the researchers.
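As an added illustration (not code from the article or from the Kaspersky report), the following script shows one way a defender can triage the first kind of lure: it opens a .docx, walks the field codes in word/document.xml and reports any INCLUDEPICTURE field whose target is a remote location, since that is what makes the field fetch something from the attacker's server when the document is opened. The minimal in-memory .docx files, the host name tracker.example and the helper names are constructed for this example; real lures may hide the field in other document parts or use a different field switch.

```python
"""Flag INCLUDEPICTURE fields that pull content from an external location.

Assumption (not from the article): the lure is an OOXML .docx, so the field
code lives in word/document.xml either as a complex field
(w:fldChar begin ... w:instrText ... w:fldChar end) or as a w:fldSimple.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# INCLUDEPICTURE <target> [switches]; the target may be quoted.
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)
# Only remote targets matter here: http(s) URLs or UNC paths.
REMOTE_RE = re.compile(r"(?i)^(https?://|\\\\)")


def _field_codes(root):
    """Yield every field code in document order.

    Complex fields spread their code over several w:instrText runs between
    a 'begin' and a 'separate'/'end' w:fldChar; simple fields keep it in
    the w:instr attribute.
    """
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    buf = None
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                buf = []
            elif kind in ("separate", "end") and buf is not None:
                yield "".join(buf)
                buf = None
        elif el.tag == W + "instrText" and buf is not None:
            buf.append(el.text or "")


def find_includepicture_urls(docx_bytes):
    """Return remote targets of INCLUDEPICTURE fields in a .docx (given as bytes)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    hits = []
    for code in _field_codes(root):
        m = FIELD_RE.search(code)
        if m and REMOTE_RE.match(m.group(1)):
            hits.append(m.group(1))
    return hits


def build_docx(body_xml):
    """Constructed minimal .docx containing only the parts this check reads."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W_NS, body_xml)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: a complex field that fetches a remote image (the
# request itself tells the server that the document was opened and by
# which Word) and a harmless PAGE field.
LURE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE </w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">"http://tracker.example/pixel.png" \\d</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
CLEAN_BODY = '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'

if __name__ == "__main__":
    for name, body in (("lure.docx", LURE_BODY), ("clean.docx", CLEAN_BODY)):
        print(name, find_includepicture_urls(build_docx(body)))
```

The field code is reassembled from all instrText runs before matching because Word routinely splits one field over several runs, so a check that looks at a single run (or at the raw XML for the literal string) can be defeated by splitting the keyword. Legacy .doc lures need a different parser; the check above only covers OOXML.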

The GRIFFON malware is a lightweight JScript implant with no persistence mechanism of its own. It receives separate modules designed for various purposes, executes them in memory and sends the results to FIN7’s command and control servers. During the investigation the researchers found four modules: the first conducts reconnaissance on the compromised system; the second executes a PowerShell script containing the Meterpreter downloader “Tinymet”; the third captures screenshots; and the fourth establishes persistence on the system.
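As an added detection example (not code from the article or the Kaspersky report), the script below runs two rules over process-creation telemetry that correspond to the chain described above: an Office application launching a script host (the macro starting the JScript implant) and schtasks.exe creating a task whose action runs a script host or script file (the macro adding persistence). The Sysmon-style JSON field names, the assumption that the implant is started through the Windows Script Host and persisted with schtasks.exe, the process names and the log lines are all constructed for this example.

```python
"""Flag process events matching an Office-macro-to-scheduled-task chain.

Assumptions (not from the article): events are Sysmon event-ID-1 style
records in JSON lines with Image, ParentImage and CommandLine fields, the
JScript implant is launched through the Windows Script Host, and the
macro's scheduled task is created with schtasks.exe.
"""
import json

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".ps1", ".hta")


def _basename(path):
    """Last path component, lower-cased, so comparisons ignore install paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return alert tags for one process-creation event (a dict)."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    tags = []
    # Initial execution: an Office process launching a script host.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        tags.append("office_spawns_script_host")
    # Persistence: schtasks /create whose action runs a script host or a script.
    if image == "schtasks.exe" and "/create" in cmd:
        if any(h in cmd for h in SCRIPT_HOSTS) or any(e in cmd for e in SCRIPT_EXTS):
            tags.append("schtasks_persists_script")
        if parent in OFFICE_APPS:
            tags.append("office_creates_scheduled_task")
    return tags


def scan(log_lines):
    """Parse JSON lines; return [(ProcessId, tags)] for the events that matched."""
    alerts = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed record rather than abort the whole scan
        tags = classify(event)
        if tags:
            alerts.append((event.get("ProcessId"), tags))
    return alerts


# Constructed sample log (not real telemetry): a benign baseline, a Word
# process spawning wscript.exe on a .txt payload, a task created from Word,
# and a legitimate task that must not fire.
SAMPLE_LOG = r"""
{"ProcessId": 4120, "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 5208, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"WINWORD.EXE\" /n invoice.doc"}
{"ProcessId": 5316, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "wscript.exe //e:jscript C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.txt"}
{"ProcessId": 5400, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "schtasks /create /sc minute /mo 15 /tn Updater /tr \"wscript.exe //e:jscript C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.txt\""}
{"ProcessId": 5512, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "schtasks /create /sc daily /tn Backup /tr C:\\Tools\\backup.exe"}
"""

if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_LOG.splitlines()):
        print(pid, ", ".join(tags))
```

The persistence rule matches on the script host named in the task action as well as on file extensions: in the sample the payload is saved as a .txt and forced through the JScript engine with //e:jscript, so an extension-only rule would miss it. Both rules need parent-process information, which is why command-line logging alone is not enough here.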

The FIN7 group has also established a front company posing as a legitimate cybersecurity firm with offices across Russia in order to hire unsuspecting freelance vulnerability researchers, software developers and pentesters. The researchers believe that some of the individuals hired by the company did not even suspect that they were working for cybercriminals.

The investigation also showed that other criminal gangs have been operating under the FIN7 umbrella. The evidence suggests that FIN7 works closely with the AveMaria botnet operators and with the groups known as CobaltGoblin and EmpireMonkey. The detailed report describing FIN7’s activities, including a list of indicators of compromise, is available here.
