It seems that the arrests last August of three key members of the notorious FIN7 cyber threat group have done little to stop its malicious activities so far. In fact, the cyber gang launched spear-phishing campaigns throughout 2018 utilising GRIFFON malware to target approximately 130 companies, according to an extensive report from Kaspersky Lab.
FIN7 is a well-known, financially motivated group that has been operating since at least 2015. It is believed to be responsible for attacks on at least 100 US-based firms, most of them in the hospitality, restaurant, and gaming industries. According to Kaspersky Lab, the group works in close collaboration with the infamous Carbanak gang. And while the latter focuses mainly on banks, FIN7 targets mostly businesses.
In its 2018 campaigns, FIN7 successfully distributed the malware via email. Over the course of weeks, operators exchanged messages with their unsuspecting victims. After establishing this trusted connection, the cybercriminals delivered malicious documents as attachments.
In the attacks FIN7 has been using two types of malicious documents. “The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as ‘12345’, ‘1234’, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent,” wrote the researchers.
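As an added defender-side example (not code from the Kaspersky report or this article), the following Python scanner flags the two document traits described above in an OOXML (.docx/.docm) file: an INCLUDEPICTURE field whose instruction points at a remote URL or UNC path, and an embedded VBA project. It also recognises the OLE compound-file header that Word uses for legacy .doc files and for password-protected documents, which must be decrypted before their contents can be inspected. The sample documents are constructed inline; the field names and URL are assumptions, not indicators from the report.

```python
import io
import re
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file: legacy .doc or encrypted OOXML
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_BEGIN = re.compile(r'<w:fldChar[^>]*w:fldCharType="begin"')
REMOTE = re.compile(r'https?://[^\s"]+|\\\\[^\s"]+', re.I)  # http(s) URL or UNC path

def field_codes(xml):
    # Simple fields carry the instruction in an attribute; complex fields split it
    # across several <w:instrText> runs between a "begin" and an "end" fldChar.
    codes = FLD_SIMPLE.findall(xml)
    for chunk in FLD_BEGIN.split(xml)[1:]:
        runs = INSTR_TEXT.findall(chunk)
        if runs:
            codes.append("".join(runs))
    return codes

def scan_document(data):
    """Return a list of findings for one Word document supplied as bytes."""
    if data.startswith(OLE_MAGIC):
        return ["OLE container: legacy .doc or password-protected file, decrypt before inspecting"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return ["not a Word document"]
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        xml = z.read("word/document.xml").decode("utf-8", "replace") if "word/document.xml" in names else ""
    findings = []
    for code in field_codes(xml):
        hit = REMOTE.search(code)
        if "INCLUDEPICTURE" in code.upper() and hit:
            findings.append("remote INCLUDEPICTURE field -> " + hit.group(0))
    if "word/vbaProject.bin" in names:  # the part an Office macro project lives in
        findings.append("VBA macro project present")
    return findings

def build_sample(document_xml, with_macro=False):
    """Constructed fixture: a minimal OOXML zip, not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

# Constructed sample: one complex field whose instruction is split over two runs
LURE_XML = ('<w:document><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r>'
            '<w:instrText> INCLUDEPICTURE </w:instrText></w:r><w:r><w:instrText>'
            '"http://img.example.invalid/x.png" \\d</w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
BENIGN_XML = "<w:document><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>"
```

Run `scan_document(build_sample(LURE_XML, with_macro=True))` to see both findings; a local picture path or a document without `vbaProject.bin` produces none.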
The GRIFFON malware is a lightweight JScript implant without any persistence mechanism of its own. It is able to receive separate modules designed for various purposes, execute them in memory and send the collected information to FIN7’s command and control servers. During the investigation the researchers found four different modules. The first is designed for conducting reconnaissance on the compromised system. The second executes a PowerShell script containing the Meterpreter downloader “Tinymet”, the third captures screenshots, and the last allows the attackers to achieve persistence on the system.
The FIN7 group has also established a fraudulent company that claims to be a legitimate cybersecurity firm with offices across Russia in order to hire unsuspecting freelance vulnerability researchers, program developers and pentesters. The researchers believe that some of the individuals hired by the company did not even suspect that they were working for cybercriminals.
The investigation showed that other criminal gangs have also been operating under the FIN7 umbrella. The evidence suggests that FIN7 is working closely with AveMaria botnet operators and with other groups known as CobaltGoblin and EmpireMonkey. The detailed report describing FIN7 activities and a list of indicators of compromise is available here.