FIN7 Cybercrime Operation Continues to Evolve Despite Arrests

Despite recent arrests and convictions, the FIN7 cybercrime operation has continued to evolve, with hackers updating their tools and techniques and changing monetization strategies, according to cybersecurity firm Mandiant.

Also referred to as Anunak and Carbanak, FIN7 has been around since at least 2015, mainly focused on the theft of credit card information from businesses worldwide. Multiple groups of hackers operate under the FIN7 umbrella, and even more can be associated with the gang.

The group has targeted organizations in numerous sectors, including cloud services providers, consulting, financial services, food and beverages, media, medical equipment, software, transportation, and utilities.

Two FIN7 hackers – both Ukrainian nationals – were sentenced to prison in the United States last year.

According to Mandiant, over the past couple of years, some of the groups that show overlaps with FIN7 have transitioned toward targeted ransomware, including REvil, DarkSide, BlackMatter, and Alphv.

During this time, however, FIN7 continued to use PowerShell in attacks, and also employed updated versions of the Birdwatch downloader (tracked as Crowview and Fowlgaze). The group was also seen using a new backdoor called Powerplant, which has received constant updates over the last two years.

During this period of time, FIN7 also adopted new initial access techniques – which now include software supply chain compromise and stolen credentials, in addition to phishing – and replaced Loadout and Griffon first stage malware with Powerplant.


Mandiant also notes that FIN7 activity was often followed by ransomware deployment or data theft extortion, suggesting association with various ransomware operations. Furthermore, one group believed to be working under the FIN7 umbrella was seen conducting a BadUSB campaign that led to the delivery of Diceloader malware.

Continuous tracking of the activity associated with the gang has also allowed Mandiant to merge eight groups into the core FIN7 cluster. Additionally, the company’s researchers suspect that 17 more groups are affiliated with FIN7, although these haven’t yet been merged into the crime ring.

In 2020, FIN7 was seen deploying malware such as Loadout and Griffon. The former is an obfuscated VBScript-based downloader designed to gather large amounts of information from the compromised systems and send it to a command and control (C&C) server.

In response, the server sends Griffon, a JavaScript-based downloader that can retrieve additional modules and run them in memory. In the second half of 2020, the group started using Powerplant (also known as KillACK), a PowerShell-based backdoor, initially as the next stage in Griffon infections.


In 2021, the group moved away from Loadout, Griffon, and Carbanak and started deploying Powerplant directly. FIN7 was also seen relying on Cobalt Strike Beacon as a secondary mode of access.

During their analysis of FIN7, Mandiant researchers also observed the group using other PowerShell malware, including Powertrash, an in-memory dropper designed to execute an embedded payload. Payloads delivered this way include Carbanak, Diceloader, Supersoft, Cobalt Strike Beacon, and Pillowmint.

In one attack, the hackers used compromised remote desktop protocol (RDP) credentials for initial access, then executed reconnaissance scripts, followed by a Termite loader used to execute Cobalt Strike. Next, FIN7 executed a victim-customized version of Powerplant and then attempted to steal credentials and further compromise the target environment.

“Between the two days of FIN7 operations on the victim system, FIN12 was also active on the same victim for multiple hours using the same RDP account, but much different infrastructure and tradecraft, attempting to install Beacon using the Weirdloop in-memory dropper before the intrusion was remediated,” Mandiant notes.


In a recent incident, the hackers compromised a website that sells digital products and changed download links to point to an Amazon S3 bucket where trojanized installers were hosted. The installers contained the Atera agent, a remote management tool that was then used to deploy Powerplant.
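A defender-side check for the link-swapping technique described above, added here as an example and not code from Mandiant or the reported incident: it parses a product page, compares each download link against a baseline crawl and an allowlist of expected hosts, and flags links that now point elsewhere (such as a third-party S3 bucket). The vendor hostnames, link text and bucket name are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the vendor legitimately serves installers from.
EXPECTED_HOSTS = {"downloads.example-vendor.com", "cdn.example-vendor.com"}
# Constructed baseline: link text -> URL recorded by an earlier crawl of the page.
BASELINE = {
    "Download for Windows": "https://downloads.example-vendor.com/setup-1.4.2.exe",
    "Download for macOS": "https://downloads.example-vendor.com/setup-1.4.2.dmg",
}
INSTALLER_EXTS = (".exe", ".msi", ".dmg", ".pkg", ".zip")

class _LinkCollector(HTMLParser):
    """Collects (anchor text, href) pairs from the page."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def find_drifted_links(html, expected_hosts=EXPECTED_HOSTS, baseline=BASELINE):
    """Return (link text, href, reason) for every download link that changed
    since the baseline crawl or now points at a host outside the allowlist."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if text in baseline and href != baseline[text]:
            findings.append((text, href, "changed-from-baseline"))
        if host and host not in expected_hosts and href.lower().endswith(INSTALLER_EXTS):
            findings.append((text, href, "off-allowlist-host"))
    return findings

# Constructed page: the Windows installer link has been swapped to an S3 bucket.
SAMPLE_HTML = """
<a href="https://downloads.example-vendor.com/setup-1.4.2.dmg">Download for macOS</a>
<a href="https://s3.amazonaws.com/placeholder-bucket/setup-1.4.2.exe">Download for Windows</a>
<a href="/docs">Documentation</a>
"""
```

Running `find_drifted_links(SAMPLE_HTML)` flags the swapped Windows link twice (changed from baseline, and pointing off the allowlist) while leaving the unchanged macOS link and the non-installer link alone.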

FIN7, Mandiant says, is actively developing the Powerplant backdoor, and was even observed deploying an updated version of the malware within a 10-minute window during the same attack.

Since at least 2019, FIN7 has also been seen employing the Easylook reconnaissance tool in attacks to capture a broad range of data from compromised systems. In some intrusions, the group used the Boatlaunch utility, which patches PowerShell processes to bypass the Windows Antimalware Scan Interface (AMSI).

FIN7 also paid a lot of attention to the development of Birdwatch, a .NET-based downloader that was also ported to C++, as was its variant Crowview. Both are designed to harvest various types of information from the victim system and send it to the C&C server, but Crowview can also house an embedded payload, supports arguments, and can self-delete.

In October 2021, the researchers identified an attack where BadUSB removable drives were sent to victim organizations, mainly in the United States. The malicious USB drives were designed to download Stoneboat, which would deploy the Diceloader framework.


Stoneboat is a new, .NET-based in-memory dropper designed to decrypt an embedded shellcode payload that is mapped into memory and executed. As part of the observed attack, Stoneboat executed the Daveshell intermediate loader (an open-source launcher) that in turn deployed Diceloader.

Mandiant notes that, while it hasn’t attributed the deployment of ransomware to FIN7, there is evidence suggesting that the group’s activities at least in some part overlap with known ransomware operations. In at least two incidents in 2020, FIN7 activity was identified on systems that were then encrypted with ransomware such as Maze and Ryuk.

In 2021, a FIN7 intrusion preceded the deployment of Alphv ransomware, and there is also evidence suggesting that the group played at least some role in Darkside ransomware operations. A code signing certificate the group used to sign Beacon and Beakdrop samples was also used to sign multiple Darkside samples seen in the wild.

“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time. Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” Mandiant concludes.


Ionut Arghire is an international correspondent for SecurityWeek.
