FIN7

FIN7 is a financially motivated threat group that has been active since 2013, primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020, FIN7 has shifted operations to a big game hunting (BGH) approach, including use of REvil ransomware and its own ransomware-as-a-service (RaaS) offering, Darkside. FIN7 may be linked to the Carbanak Group, but several groups appear to use Carbanak malware, so they are tracked separately.[1][2][3][4][5]

ID: G0046
Associated Groups: GOLD NIAGARA, ITG14, Carbon Spider
Version: 2.0
Created: 31 May 2017
Last Modified: 19 October 2021

Associated Group Descriptions

Name Description
GOLD NIAGARA

[6]

ITG14

ITG14 shares campaign overlap with FIN7.[7]

Carbon Spider

[5]

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.[8]

Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]
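A detection sketch for DNS-carried C2 of this kind, added here as an example and not taken from the ATT&CK page or from any FIN7 tooling: it reads a Zeek-style dns.log (tab separated ts, source, query, query type; the excerpt below is constructed, not real traffic), groups queries by source host and registered domain, and flags pairs with many unique subdomain labels that are either TXT-heavy or high-entropy. The "registered domain is the last two labels" rule and the thresholds are assumptions for the demo; production code should use the Public Suffix List and baseline CDN and telemetry domains, which also fan out across many subdomains.

```python
import math
from collections import defaultdict

# Constructed Zeek-style dns.log excerpt (tab separated: ts, src, query, qtype_name).
# Not real traffic; the domains use reserved names.
SAMPLE_DNS_LOG = """\
1633000001.1\t10.0.0.5\tk4m9x2q7z1b6.cdn-upd.example\tTXT
1633000002.3\t10.0.0.5\tp3r8w5n1c6v0.cdn-upd.example\tTXT
1633000003.4\t10.0.0.5\tj7t2y9h4s1d8.cdn-upd.example\tTXT
1633000004.6\t10.0.0.5\tf6g1l9m3a7e2.cdn-upd.example\tTXT
1633000005.8\t10.0.0.5\tq2z5x8c1b4n7.cdn-upd.example\tTXT
1633000006.0\t10.0.0.5\tu9i3o6p1w4r8.cdn-upd.example\tTXT
1633000007.2\t10.0.0.7\twww.example.com\tA
1633000008.5\t10.0.0.7\tmail.example.com\tA
1633000009.9\t10.0.0.7\twww.example.com\tA
1633000010.1\t10.0.0.9\tb1c2d3e4f5g6.stat-sync.example\tA
1633000011.2\t10.0.0.9\th7j8k9l0m1n2.stat-sync.example\tA
1633000012.3\t10.0.0.9\tp3q4r5s6t7u8.stat-sync.example\tA
1633000013.4\t10.0.0.9\tv9w0x1y2z3a4.stat-sync.example\tA
1633000014.5\t10.0.0.9\tc5d6e7f8g9h0.stat-sync.example\tA
"""


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-character string)."""
    if not s:
        return 0.0
    freq = defaultdict(int)
    for ch in s:
        freq[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def split_query(qname):
    """Split a query name into (subdomain labels joined, registered domain).

    Assumption for the demo: the registered domain is the last two labels. Real code
    should consult the Public Suffix List so names like example.co.uk are not mis-split.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return "".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text, min_queries=5, min_distinct_ratio=0.8,
            min_txt_ratio=0.5, min_entropy=3.0):
    """Return suspected DNS C2 (src, domain) pairs with the statistics that triggered them."""
    stats = defaultdict(lambda: {"count": 0, "txt": 0, "subs": set(), "entropy": []})
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, query, qtype = line.split("\t")
        sub, domain = split_query(query)
        s = stats[(src, domain)]
        s["count"] += 1
        if qtype == "TXT":
            s["txt"] += 1
        s["subs"].add(sub)
        s["entropy"].append(shannon_entropy(sub))

    findings = []
    for (src, domain), s in stats.items():
        if s["count"] < min_queries:
            continue
        txt_ratio = s["txt"] / s["count"]
        distinct_ratio = len(s["subs"]) / s["count"]
        mean_entropy = sum(s["entropy"]) / len(s["entropy"])
        # Many unique labels under one domain is the tunnelling shape; a TXT-heavy mix
        # or random-looking labels separates it from ordinary subdomain fan-out.
        if distinct_ratio >= min_distinct_ratio and (txt_ratio >= min_txt_ratio
                                                      or mean_entropy >= min_entropy):
            findings.append({"src": src, "domain": domain, "queries": s["count"],
                             "txt_ratio": round(txt_ratio, 2),
                             "distinct_ratio": round(distinct_ratio, 2),
                             "mean_label_entropy": round(mean_entropy, 2)})
    return sorted(findings, key=lambda f: (f["src"], f["domain"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_DNS_LOG):
        print(finding)
```

On the constructed excerpt, 10.0.0.5 is flagged on the TXT path and 10.0.0.9 on the entropy path (its A-record labels have twelve distinct characters each, so roughly 3.58 bits per character); 10.0.0.7 never reaches the query threshold. Counting A records the same way matters because the technique does not depend on TXT.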

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]

Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][9]

.001 PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][10]

.003 Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.[4][9]

.005 Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][9][5]

.007 JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][9]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]

Enterprise T1486 Data Encrypted for Impact

FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[5]

Enterprise T1005 Data from Local System

FIN7 has collected files and other sensitive information from a compromised network.[5]

Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.[11][12]

Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[13]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[5]

Enterprise T1210 Exploitation of Remote Services

FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.[5]

Enterprise T1008 Fallback Channels

FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.[14]

Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][15]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[16]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[10]

.005 Masquerading: Match Legitimate Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[5]
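The three persistence and masquerading behaviours above (Run/RunOnce keys, a vendor-sounding scheduled task such as "AdobeFlashSync", and a payload carrying an innocuous filename like sleep.exe) can be checked from Sysmon and Security event data. The block below is an added example, not code from the ATT&CK page or from any vendor: it takes already-parsed Sysmon EventID 13 (registry value set) and EventID 1 (process create) records and Security 4698 (scheduled task created) records as dictionaries, parses the task XML carried in 4698's TaskContent, and applies one check per event type. Every path, SID and value in SAMPLE_EVENTS is made up for the demo except the AdobeFlashSync name reported on the page; the path lists and vendor words are assumptions to tune per environment.

```python
import ntpath
import xml.etree.ElementTree as ET

# Constructed Sysmon (EventID 1, 13) and Security (EventID 4698) records reduced to the
# fields the checks need. Paths and values are made up for the demo.
SAMPLE_EVENTS = [
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe //B C:\Users\Public\Libraries\upd.vbs"},
    {"EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"EventID": 4698, "TaskName": r"\AdobeFlashSync",
     "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    '<Actions><Exec><Command>C:\\Users\\Public\\sync.exe</Command></Exec></Actions></Task>'},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
                    '<Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command></Exec></Actions></Task>'},
    {"EventID": 1, "Image": r"C:\ProgramData\sleep.exe", "OriginalFileName": "-"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
]

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\downloads\\")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")
VENDOR_WORDS = ("adobe", "flash", "google", "microsoft", "windows")
VENDOR_PATHS = ("c:\\program files", "c:\\windows\\")
ENV_PREFIXES = {"%windir%": "C:\\Windows", "%systemroot%": "C:\\Windows",
                "%programfiles%": "C:\\Program Files"}


def normalize(path):
    """Strip quotes and resolve the environment prefixes task definitions commonly use."""
    p = path.strip().strip('"')
    for var, real in ENV_PREFIXES.items():
        if p.lower().startswith(var):
            return real + p[len(var):]
    return p


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def check_run_key(ev):
    """Sysmon 13: a Run/RunOnce value pointing at a script host or a user-writable path."""
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if "\\currentversion\\run" not in target.lower():   # covers both Run and RunOnce
        return None
    if in_user_writable(details) or any(h in details.lower() for h in SCRIPT_HOSTS):
        return f"Run key persistence: {target} -> {details}"
    return None


def check_scheduled_task(ev):
    """Security 4698: vendor-sounding task name whose action is not under a vendor path."""
    name = ev.get("TaskName", "")
    try:
        root = ET.fromstring(ev.get("TaskContent", ""))
    except ET.ParseError:
        return f"Scheduled task {name}: task definition could not be parsed"
    vendor_like = any(w in name.lower() for w in VENDOR_WORDS)
    for node in root.findall(".//t:Exec/t:Command", TASK_NS):
        cmd = normalize(node.text or "")
        if vendor_like and not cmd.lower().startswith(VENDOR_PATHS):
            return f"Vendor-named task {name} runs {cmd} outside a vendor path"
        if in_user_writable(cmd):
            return f"Scheduled task {name} runs from a user-writable path: {cmd}"
    return None


def check_process(ev):
    """Sysmon 1: image name disagrees with the PE's OriginalFileName, or a binary with
    no version resource (Sysmon logs '-') runs from a user-writable path."""
    image = ev.get("Image", "")
    original = ev.get("OriginalFileName", "-")
    if original not in ("-", "?", "") and ntpath.basename(image).lower() != original.lower():
        return f"Filename masquerade: {image} carries OriginalFileName {original}"
    if original in ("-", "?", "") and in_user_writable(image):
        return f"Unversioned binary run from a user-writable path: {image}"
    return None


CHECKS = {13: check_run_key, 4698: check_scheduled_task, 1: check_process}


def triage(events):
    """Run the check matching each event's ID and return the hits."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The OriginalFileName comparison is the generic masquerade test (the name comes from the PE version resource, which a renamed copy keeps); renamed administrative tools trip it too, so baseline before alerting. The ScheduledDefrag sample shows why task commands have to be normalized: Windows' own tasks use %windir% rather than a literal path and would otherwise look like they run outside a vendor directory.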

Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]
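Port-protocol mismatches show up cleanly in Zeek's conn.log, whose service column records the protocol the analyzers actually saw rather than what the port implies. The block below is an added example, not from the ATT&CK page or from Zeek itself: it parses a conn.log excerpt (constructed for the demo, with the #fields header Zeek writes), compares each connection's detected service against what the four ports named above normally carry, and also reports unidentified traffic on a well-known port once it moves a meaningful amount of data. The EXPECTED map and byte threshold are assumptions to adjust per network.

```python
# Constructed Zeek-style conn.log excerpt with a #fields header, as Zeek writes it.
# Addresses are from documentation ranges; this is not real traffic.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes
1633000100.0\t10.0.0.5\t203.0.113.10\t53\ttcp\thttp\t1820\t940
1633000101.0\t10.0.0.5\t203.0.113.10\t443\ttcp\t-\t52100\t3900
1633000102.0\t10.0.0.7\t203.0.113.20\t443\ttcp\tssl\t4100\t90000
1633000103.0\t10.0.0.7\t198.51.100.5\t53\tudp\tdns\t64\t180
1633000104.0\t10.0.0.5\t203.0.113.10\t8080\ttcp\tssl\t2100\t640
1633000105.0\t10.0.0.9\t198.51.100.9\t80\ttcp\thttp\t700\t15000
1633000106.0\t10.0.0.9\t203.0.113.30\t443\ttcp\t-\t300\t200
"""

# Services Zeek's analyzers would normally identify on these ports (assumption for the demo).
EXPECTED = {53: {"dns"}, 80: {"http"}, 443: {"ssl"}, 8080: {"http"}}
# An unidentified protocol on a well-known port only matters once real payload moved;
# short probes and failed handshakes also show up with service "-".
MIN_BYTES_UNKNOWN = 10_000


def parse_zeek(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def _bytes(value):
    """Zeek writes '-' when a byte count is unknown."""
    return int(value) if value != "-" else 0


def find_mismatches(text):
    """Return (src, dst, port, reason) for connections whose protocol does not fit the port."""
    findings = []
    for rec in parse_zeek(text):
        port = int(rec["id.resp_p"])
        if port not in EXPECTED:
            continue
        service, want = rec["service"], EXPECTED[port]
        total = _bytes(rec["orig_bytes"]) + _bytes(rec["resp_bytes"])
        if service != "-" and service not in want:
            reason = f"{service} on port {port} (expected {'/'.join(sorted(want))})"
        elif service == "-" and total >= MIN_BYTES_UNKNOWN:
            reason = f"unidentified protocol on port {port}, {total} bytes transferred"
        else:
            continue
        findings.append((rec["id.orig_h"], rec["id.resp_h"], port, reason))
    return findings


if __name__ == "__main__":
    for src, dst, port, reason in find_mismatches(SAMPLE_CONN_LOG):
        print(f"{src} -> {dst}:{port}  {reason}")
```

On the sample, only 10.0.0.5 is reported: HTTP to port 53, TLS to port 8080, and a 56 KB exchange on 443 that Zeek could not classify as TLS. The 500-byte unclassified flow from 10.0.0.9 stays below the threshold, which is the intended behaviour for scanners and broken handshakes.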

Enterprise T1027 Obfuscated Files or Information

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[17][4][5]
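The environment-variable tricks named above are cmd.exe features: %VAR:~start,len% slices a variable's value, %VAR:old=new% substitutes characters, ^ escapes and hides individual characters, and a command can be assembled from fragments stored with set and joined by a later call. The block below is an added example, not code from the ATT&CK page or from any FIN7 sample: a small resolver that undoes those four layers so an analyst can read the command that would actually have run. The environment is a constructed dictionary (so the result is deterministic rather than dependent on the analysis host), and the resolver deliberately expands variables per command the way call does, which is a simplification of cmd's real single-pass line expansion noted in the code. Reading a script from standard input, the other evasion mentioned, is not modelled.

```python
import re

# Constructed environment so the demo is deterministic (a real cmd.exe would use the live
# process environment). Keys are upper-case because cmd variable names are case-insensitive.
ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "PUBLIC": r"C:\Users\Public",
    "PROGRAMDATA": r"C:\ProgramData",
}

# %NAME%, %NAME:~start,len% and %NAME:old=new%
VAR_RE = re.compile(r"%([^%:]+)(?::([^%]*))?%")


def cmd_substring(value, spec):
    """Apply %VAR:~start[,len]% with cmd.exe rules: a negative start counts from the end,
    a negative len means 'stop that many characters before the end'."""
    start_s, _, len_s = spec[1:].partition(",")
    n = len(value)
    start = int(start_s) if start_s else 0
    start = max(n + start, 0) if start < 0 else min(start, n)
    if not len_s:
        return value[start:]
    length = int(len_s)
    end = start + length if length >= 0 else n + length
    return value[start:max(end, start)]


def cmd_replace(value, spec):
    """Apply %VAR:old=new% (case-insensitive); a leading * on old replaces everything
    up to and including the first occurrence of old."""
    old, _, new = spec.partition("=")
    if old.startswith("*"):
        idx = value.lower().find(old[1:].lower())
        return value if idx < 0 else new + value[idx + len(old) - 1:]
    return re.sub(re.escape(old), lambda _m: new, value, flags=re.IGNORECASE)


def expand(text, env):
    """Expand cmd-style variable references in text; undefined names are left as written."""
    def repl(m):
        value, spec = env.get(m.group(1).upper()), m.group(2)
        if value is None:
            return m.group(0)
        if spec is None:
            return value
        if spec.startswith("~"):
            return cmd_substring(value, spec)
        if "=" in spec:
            return cmd_replace(value, spec)
        return m.group(0)
    return VAR_RE.sub(repl, text)


def strip_carets(text):
    """Remove cmd's ^ escape character outside double quotes, keeping the escaped character."""
    out, quoted, i = [], False, 0
    while i < len(text):
        c = text[i]
        if c == '"':
            quoted = not quoted
        elif c == "^" and not quoted and i + 1 < len(text):
            i += 1
            c = text[i]
        out.append(c)
        i += 1
    return "".join(out)


def deobfuscate(cmdline, env=ENV):
    """Resolve a one-liner built from set fragments, substring/replacement expansion and carets.

    Simplification: variables are expanded per command (what `call` does), because that is
    the behaviour obfuscated one-liners rely on; real cmd expands a plain line only once.
    """
    env = dict(env)
    resolved = []
    for piece in re.split(r"(?<!\^)&&?", cmdline):      # split on unescaped & and &&
        cmd = expand(strip_carets(piece.lstrip()), env)
        m = re.match(r"set\s+([^=]+)=(.*)", cmd, re.IGNORECASE | re.DOTALL)
        if m:
            env[m.group(1).strip().upper()] = m.group(2)   # cmd keeps everything after '='
            continue
        m = re.match(r"call\s+(.*)", cmd, re.IGNORECASE | re.DOTALL)
        if m:
            cmd = expand(m.group(1), env)                  # call triggers a second expansion pass
        resolved.append(cmd.strip())
    return resolved


if __name__ == "__main__":
    print(deobfuscate("set a=pow&&set b=ersh&&set c=ell&&call %a%%b%%c% -nop -w hidden"))
    print(deobfuscate("%COMSPEC:~-7,3% /c p^o^w^e^r^s^h^e^l^l -e AAAA"))
```

The second sample shows why string matching on "cmd" or "powershell" in a raw command line is not enough: neither word appears until the COMSPEC slice is taken and the carets are removed. The same functions apply to arguments recovered from Sysmon process-creation events or scheduled-task definitions.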

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][15][9][8][5]

.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.[5]

.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.[5]

.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.[5]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][10][4][9]

Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[15]

Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to run VBScript that executes malicious code on victim systems.[2]

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting for credential access and to enable lateral movement.[5]
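Kerberoasting leaves a characteristic trail in Security event 4769 (Kerberos service ticket requested): one user account requesting tickets for many distinct service principals in a short time, typically with RC4-HMAC encryption (TicketEncryptionType 0x17), because the RC4 key is derived from the NT hash and is the cheapest to crack offline. The block below is an added example, not from the ATT&CK page or from any vendor product: it applies that rule to already-parsed 4769 records (the sample list is constructed, not real telemetry), excludes machine accounts and krbtgt, and uses a sliding window over each account's requests. The thresholds are assumptions; an environment that still runs RC4-only services will produce benign hits that need baselining.

```python
from collections import defaultdict

# Constructed Security 4769 records reduced to the fields the rule needs.
# Timestamps are epoch seconds; nothing here is real telemetry.
SAMPLE_4769 = [
    {"ts": 1633000000, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"ts": 1633000003, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"ts": 1633000005, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"ts": 1633000009, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "svc_sccm",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"ts": 1633000010, "TargetUserName": "jdoe@CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.5"},
    {"ts": 1633000020, "TargetUserName": "WS01$@CORP.EXAMPLE", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.7"},
    {"ts": 1633000030, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "::ffff:10.0.0.8"},
    {"ts": 1633000031, "TargetUserName": "asmith@CORP.EXAMPLE", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "::ffff:10.0.0.8"},
]

RC4_HMAC = "0x17"   # etype 23; requested by Kerberoasting tooling because it cracks fastest


def is_candidate(ev):
    """Successful RC4 service ticket for a non-machine, non-krbtgt service, requested by a user."""
    user = ev["TargetUserName"].split("@")[0]
    svc = ev["ServiceName"]
    return (ev["Status"] == "0x0"
            and ev["TicketEncryptionType"].lower() == RC4_HMAC
            and not user.endswith("$")
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))


def detect_kerberoasting(events, min_services=3, window_seconds=300):
    """Flag accounts that obtained RC4 tickets for >= min_services distinct SPNs within one window."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_candidate(ev):
            by_user[ev["TargetUserName"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        # Slide a window over the account's RC4 requests; report the first one that qualifies.
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window_seconds]
            services = {e["ServiceName"] for e in window}
            if len(services) >= min_services:
                findings.append({"user": user, "source": start["IpAddress"],
                                 "services": sorted(services),
                                 "span_seconds": window[-1]["ts"] - start["ts"]})
                break
    return findings


if __name__ == "__main__":
    for finding in detect_kerberoasting(SAMPLE_4769):
        print(finding)
```

Only jdoe is reported on the sample: four RC4 tickets for four different services inside nine seconds. The single RC4 request from asmith is exactly the kind of event a legacy service still produces, which is why the rule counts distinct services rather than alerting on every 0x17 ticket; the complementary hardening step is to remove RC4 from service accounts' supported encryption types so that a roast returns AES tickets instead.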

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed its phishing documents, backdoors, and other staging tools to bypass security controls.[3][4]

Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.[5]

.002 User Execution: Malicious File

FIN7 lured victims into double-clicking images embedded in the attachments it sent, which then executed a hidden LNK file.[2][8][5]

Enterprise T1078 Valid Accounts

FIN7 has harvested valid administrative credentials for lateral movement.[5]

Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][15]

Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded in document lures that only activate the payload when a user double-clicks them, in order to evade sandboxes.[2]

Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]

Enterprise T1047 Windows Management Instrumentation

FIN7 has used WMI to install malware on targeted systems.[8]

Software

ID Name References Techniques
S0552 AdFind [5] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0415 BOOSTWRITE [12] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, Obfuscated Files or Information, Shared Modules, Subvert Trust Controls: Code Signing
S0030 Carbanak [1][4][15][7][5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture
S0154 Cobalt Strike [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0488 CrackMapExec [5] Account Discovery: Domain Account, Brute Force: Password Guessing, Brute Force, Brute Force: Password Spraying, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At (Windows), System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0417 GRIFFON [18][5] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Permission Groups Discovery: Domain Groups, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery
S0151 HALFBAKED [2][4] Command and Scripting Interpreter: PowerShell, Indicator Removal on Host: File Deletion, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0648 JSS Loader [5] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Ingress Tool Transfer, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0002 Mimikatz [5] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0517 Pillowmint [19][5] Archive Collected Data, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Process Injection: Asynchronous Procedure Call, Query Registry
S0145 POWERSOURCE [1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Query Registry
S0194 PowerSploit [5] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0416 RDFSNIFFER [12] Indicator Removal on Host: File Deletion, Input Capture: Credential API Hooking, Native API
S0496 REvil [7][5] Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Safe Mode Boot, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Service Stop, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, User Execution: Malicious File, Windows Management Instrumentation
S0390 SQLRat [9] Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0146 TEXTMATE [1] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell

References