13 May 2019

FIN7 APT has broadened activities despite the arrest of its leaders

It seems that the arrests last August of three key members of the notorious FIN7 cyber threat group have done little to stop its malicious activities so far. In fact, the cyber gang launched spear-phishing campaigns throughout 2018 utilising GRIFFON malware to target approximately 130 companies, according to an extensive report from Kaspersky Lab.

FIN7 is a well-known, financially motivated group that has been operating since at least 2015. It is believed to be responsible for attacks on at least 100 US-based firms, most of them in the hospitality, restaurant, and gaming industries. According to Kaspersky Lab, the group works in close collaboration with the infamous Carbanak gang. And while the latter focuses mainly on banks, FIN7 targets mostly businesses.

In its 2018 campaigns FIN7 successfully distributed the malware via email. Over the course of weeks, operators exchanged messages with their unsuspecting victims. Once this trusted connection was established, the cybercriminals delivered malicious documents as attachments.

In the attacks FIN7 has been using two types of malicious documents. “The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as ‘12345’, ‘1234’, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent,” wrote the researchers.
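The INCLUDEPICTURE technique quoted above can be checked for on the defensive side: a Word field whose picture target is a remote URL or UNC path makes the document reach out when it is opened. The following scanner is an added example written for this article, not code from Kaspersky Lab or from the FIN7 toolset; the sample document, the `beacon.example` host and the function names are constructed for illustration.

```python
"""Detection heuristic: flag Word documents whose INCLUDEPICTURE field codes
point at a remote target (URL or UNC path), the trick described above."""
import html
import io
import re
import zipfile

# Field codes live in <w:instrText> runs (often split across several runs)
# or in the w:instr attribute of <w:fldSimple>.
INSTR_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>|w:instr="([^"]*)"', re.S)
FIELD_RE = re.compile(r'INCLUDEPICTURE\s+"?([^"\s]+)', re.I)
# http(s)/ftp/file URLs and UNC paths are fetched when the document is opened.
REMOTE_RE = re.compile(r'^(?:https?|ftp|file):|^\\\\', re.I)

def find_remote_includepicture(docx_bytes):
    """Return (part_name, target) for each INCLUDEPICTURE field in word/*.xml
    whose target is remote. Local file paths are ignored."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Concatenate all field-code fragments so a URL split over runs is reassembled.
            code = "".join(html.unescape(m.group(1) or m.group(2) or "")
                           for m in INSTR_RE.finditer(xml))
            hits += [(name, t) for t in FIELD_RE.findall(code) if REMOTE_RE.search(t)]
    return hits

def build_docx(document_xml):
    """Constructed sample: a minimal .docx containing just the given document part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()

# Constructed document: one remote field (URL split across two runs, with the \d
# switch so the picture is never stored locally) and one benign local field.
SAMPLE_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "http://beacon.example/</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">ping.png" \\d </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '<w:fldSimple w:instr="INCLUDEPICTURE &quot;C:\\pics\\logo.png&quot; \\d"/>'
    '</w:p></w:body></w:document>'
)

if __name__ == "__main__":
    for part, target in find_remote_includepicture(build_docx(SAMPLE_XML)):
        print(f"{part}: remote INCLUDEPICTURE -> {target}")
```

Run it over a mail-gateway quarantine folder by calling `find_remote_includepicture` on each attachment's bytes; a non-empty result is worth a closer look even when the document carries no macro.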

The GRIFFON malware is a lightweight JScript implant without any persistence mechanism of its own. It can receive separate modules designed for various purposes, execute them in memory and send the results to FIN7’s command and control servers. During the investigation the researchers found four different modules. The first conducts reconnaissance on the compromised system; the second executes a PowerShell script containing the Meterpreter downloader “Tinymet”; the third captures screenshots; and the last establishes persistence on the system.

The FIN7 group has also established a fraudulent company that claims to be a legitimate cybersecurity company with offices across Russia in order to hire unsuspecting freelance vulnerability researchers, program developers and pentesters. The researchers believe that some of the individuals hired by the company did not even suspect that they were working for cybercriminals.

The investigation showed that other criminal gangs have also been operating under the FIN7 umbrella. The evidence suggests that FIN7 works closely with the AveMaria botnet operators and with other groups known as CobaltGoblin and EmpireMonkey. The detailed report describing FIN7 activities, together with a list of indicators of compromise, is available here.
