13 May 2019

FIN7 APT has broadened activities despite the arrest of its leaders

It seems that the arrests last August of three key members of the notorious FIN7 cyber threat group have done little to stop its malicious activities. In fact, the gang ran spear-phishing campaigns throughout 2018 that used the GRIFFON malware to target approximately 130 companies, according to an extensive report from Kaspersky Lab.

FIN7 is a well-known, financially motivated group that has been operating since at least 2015. It is believed to be responsible for attacks on at least 100 US-based firms, most of them in the hospitality, restaurant and gaming industries. According to Kaspersky Lab, the group works in close collaboration with the infamous Carbanak gang; while the latter focuses mainly on banks, FIN7 mostly targets other businesses.

In its 2018 campaigns FIN7 distributed the malware via email. Over the course of weeks, operators exchanged messages with their unsuspecting victims; only after this trust had been established did they deliver the malicious documents as attachments.

In these attacks FIN7 used two types of malicious document. “The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as ‘12345’, ‘1234’, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent,” wrote the researchers.
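As an added example that is not part of this article or of Kaspersky's report, the following Python script shows how a mail-gateway or sandbox triage step can flag the two lure types described above in a .docx. It extracts INCLUDEPICTURE field instructions (both the w:fldSimple form and the fldChar/instrText run form, whose instruction text can be split across runs), reports any that point to a remote location, notes whether a vbaProject.bin macro container is present, and recognises an OLE compound file, which is what a password-to-open protected Office document looks like on disk and which must be decrypted before the zip-based checks can run. The sample documents are constructed inside the script; the URL and UNC path in them are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used inside word/document.xml (standard OOXML).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Magic bytes of an OLE Compound File: a legacy .doc, or an OOXML file saved with
# a password to open (the zip is wrapped in an EncryptedPackage stream).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)"?', re.IGNORECASE)


def w(tag):
    """Clark-notation name for a WordprocessingML element or attribute."""
    return f"{{{W_NS}}}{tag}"


def extract_field_instructions(document_xml: bytes):
    """Return every field instruction string found in document.xml.

    Word stores fields either as <w:fldSimple w:instr="..."/> or as a run
    sequence fldChar(begin) ... instrText ... fldChar(end); in the second form
    the instruction text may be split across several instrText runs, so the
    fragments are joined per field.
    """
    root = ET.fromstring(document_xml)
    instrs = [el.get(w("instr"), "") for el in root.iter(w("fldSimple"))]
    current = None
    for el in root.iter():
        if el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                instrs.append("".join(current))
                current = None
        elif el.tag == w("instrText") and current is not None:
            current.append(el.text or "")
    return instrs


def triage_office_file(data: bytes) -> dict:
    """Static checks for the two lure types: remote INCLUDEPICTURE and macros."""
    findings = {"ole_container": False, "has_vba": False,
                "includepicture_targets": [], "remote_includepicture": False}
    if data.startswith(OLE_MAGIC):
        # Encrypted or legacy document: decrypt/convert it first, then re-run.
        findings["ole_container"] = True
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            for instr in extract_field_instructions(z.read("word/document.xml")):
                m = FIELD_RE.search(instr)
                if m:
                    findings["includepicture_targets"].append(m.group(1))
    findings["remote_includepicture"] = any(
        t.lower().startswith(("http://", "https://", "file://", "\\\\"))
        for t in findings["includepicture_targets"])
    return findings


def build_sample_docx(document_xml: str, with_vba: bool = False) -> bytes:
    """Constructed minimal .docx for the demo; not a real FIN7 sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")  # placeholder macro container
    return buf.getvalue()


# Constructed document bodies. The URL and UNC path are placeholders.
LURE_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText> INCLUDEPICTURE </w:instrText></w:r>'
            '<w:r><w:instrText>"http://example.invalid/img.png" \\d</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
            '</w:p></w:body></w:document>')
UNC_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
           r'<w:fldSimple w:instr="INCLUDEPICTURE \\10.0.0.5\share\a.png"/>'
           '</w:p></w:body></w:document>')
BENIGN_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
              '<w:r><w:t>Quarterly menu update</w:t></w:r></w:p></w:body></w:document>')

if __name__ == "__main__":
    for label, doc in (("remote picture lure", build_sample_docx(LURE_XML)),
                       ("UNC picture lure", build_sample_docx(UNC_XML)),
                       ("macro document", build_sample_docx(BENIGN_XML, with_vba=True)),
                       ("encrypted/legacy", OLE_MAGIC + b"\x00" * 504)):
        print(label, triage_office_file(doc))
```

A remote INCLUDEPICTURE target is the beacon: Word fetches it when the document is opened and the request carries enough to identify the victim and the Word version, which is exactly the reconnaissance the report attributes to the first lure. The OLE branch is the important caveat: a password-protected lure is opaque to every zip-based check, so a pipeline has to either decrypt it with the password from the phishing email or treat "encrypted document plus password in the message body" as a signal in its own right.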

GRIFFON itself is a lightweight JScript implant with no built-in persistence mechanism. It receives separate modules designed for various purposes, executes them in memory and sends the results to FIN7’s command and control servers. During the investigation the researchers found four modules: the first performs reconnaissance on the compromised system, the second executes a PowerShell script containing the Meterpreter downloader “Tinymet”, the third captures screenshots and the last establishes persistence on the system.
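Both the lure macros and GRIFFON's persistence module rely on scheduled tasks, so one hunting step is to review task definitions for script hosts launched from user-writable paths. The following Python script is added here and is not taken from the report or from the malware; it classifies Task Scheduler XML of the kind exported by schtasks /query /xml or carried in the TaskContent field of Security event 4698. The two task definitions it checks are constructed, and the task names, paths and triggers in them are hypothetical.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (schtasks /query /xml, event 4698 TaskContent).
TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
NS = {"t": TASK_NS}

# Binaries that can host a script or a second stage from a scheduled task.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
# Directories an unprivileged, phished user can write to.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.IGNORECASE)
# Script-engine switches or script-like file extensions in the arguments.
SCRIPT_HINT = re.compile(r"(//e:(jscript|vbscript)|\.(js|jse|vbs|vbe|hta|ps1)\b)", re.IGNORECASE)


def classify_task(task_xml: str) -> dict:
    """Return the task URI, the reasons it looks suspicious and an overall verdict."""
    root = ET.fromstring(task_xml)
    reasons = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = ntpath.basename(cmd).lower()  # ntpath: split Windows paths on any OS
        if exe in SCRIPT_HOSTS:
            reasons.append(f"script host {exe}")
        if SCRIPT_HINT.search(args):
            reasons.append("arguments select a script engine or script file")
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append("user-writable path")
    if root.find("t:Triggers/t:LogonTrigger", NS) is not None:
        reasons.append("logon trigger")
    if root.find("t:Triggers/t:BootTrigger", NS) is not None:
        reasons.append("boot trigger")
    if root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true":
        reasons.append("hidden task")
    # Two independent indicators is the (arbitrary, tunable) threshold used here.
    return {"uri": uri, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed task definitions; names, paths and triggers are hypothetical.
SUSPICIOUS_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <RegistrationInfo><URI>\\Updater</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\wscript.exe</Command>
      <Arguments>//B //Nologo "C:\\Users\\victim\\AppData\\Roaming\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <RegistrationInfo><URI>\\Vendor\\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2019-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\\Program Files\\Vendor\\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for xml in (SUSPICIOUS_TASK, BENIGN_TASK):
        print(classify_task(xml))
```

The verdict deliberately combines several weak signals rather than keying on wscript.exe alone: legitimate software does register script-hosted tasks, but a hidden, logon-triggered task that runs a .js from a user profile directory is the combination a phished workstation produces and a vendor installer normally does not.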

FIN7 has also set up a front company posing as a legitimate cybersecurity firm with offices across Russia in order to hire unsuspecting freelance vulnerability researchers, software developers and pentesters. The researchers believe that some of the people hired through it did not even suspect they were working for cybercriminals.

The investigation also showed that other criminal gangs operate under the FIN7 umbrella: the evidence suggests FIN7 works closely with the AveMaria botnet operators and with the groups known as CobaltGoblin and EmpireMonkey. The detailed report describing FIN7’s activities, including a list of indicators of compromise, is available here.
