FIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020 FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.[1][2][3][4][5]
Name | Description |
---|---|
GOLD NIAGARA | |
ITG14 |
ITG14 shares campaign overlap with FIN7.[7] |
Carbon Spider |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1583 | .001 | Acquire Infrastructure: Domains |
FIN7 has registered look-alike domains for use in phishing campaigns.[8] |
Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4] |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4] |
Enterprise | T1059 | Command and Scripting Interpreter |
FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][9][4] |
|
.001 | PowerShell |
FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][10] |
||
.003 | Windows Command Shell |
FIN7 used the command prompt to launch commands on the victim’s machine.[4][9] |
||
.005 | Visual Basic |
FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][9][5] |
||
.007 | JavaScript |
FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][9][4] |
||
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
FIN7 created new Windows services and added them to the startup directories for persistence.[4] |
Enterprise | T1486 | Data Encrypted for Impact |
FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[5] |
|
Enterprise | T1005 | Data from Local System |
FIN7 has collected files and other sensitive information from a compromised network.[5] |
|
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
FIN7 has developed malware for use in operations, including the creation of infected removable media.[11][12] |
Enterprise | T1546 | .011 | Event Triggered Execution: Application Shimming |
FIN7 has used application shim databases for persistence.[13] |
Enterprise | T1567 | .002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
FIN7 has exfiltrated stolen data to the MEGA file sharing site.[5] |
Enterprise | T1210 | Exploitation of Remote Services |
FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.[5] |
|
Enterprise | T1008 | Fallback Channels |
FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.[14] |
|
Enterprise | T1105 | Ingress Tool Transfer |
FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][15] |
|
Enterprise | T1559 | .002 | Inter-Process Communication: Dynamic Data Exchange |
FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[16] |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[10] |
.005 | Masquerading: Match Legitimate Name or Location |
FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[5] |
||
Enterprise | T1571 | Non-Standard Port |
FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4] |
|
Enterprise | T1027 | Obfuscated Files or Information |
FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[17][4][5] |
|
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][15][9][8][5] |
.002 | Phishing: Spearphishing Link |
FIN7 has conducted broad phishing campaigns using malicious links.[5] |
||
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
FIN7 has used RDP to move laterally in victim environments.[5] |
.004 | Remote Services: SSH |
FIN7 has used SSH to move laterally through victim environments.[5] |
||
.005 | Remote Services: VNC | |||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
FIN7 malware has created scheduled tasks to establish persistence.[2][10][4][9] |
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1218 | .005 | Signed Binary Proxy Execution: Mshta |
FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[2] |
Enterprise | T1558 | .003 | Steal or Forge Kerberos Tickets: Kerberoasting |
FIN7 has used Kerberoasting for credential access and to enable lateral movement.[5] |
Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4] |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
FIN7 has used malicious links to lure victims into downloading malware.[5] |
.002 | User Execution: Malicious File |
FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[2][8][5] |
||
Enterprise | T1078 | Valid Accounts |
FIN7 has harvested valid administrative credentials for lateral movement.[5] |
|
Enterprise | T1125 | Video Capture |
FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][15] |
|
Enterprise | T1497 | .002 | Virtualization/Sandbox Evasion: User Activity Based Checks |
FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[2] |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4] |
Enterprise | T1047 | Windows Management Instrumentation |
FIN7 has used WMI to install malware on targeted systems.[8] |