1. Home
  2. Groups
  3. FIN7

FIN7

FIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020 FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.[1][2][3][4][5]

ID: G0046
Associated Groups: GOLD NIAGARA, ITG14, Carbon Spider
Version: 2.0
Created: 31 May 2017
Last Modified: 19 October 2021

Associated Group Descriptions

Name Description
GOLD NIAGARA

[6]
ITG14

ITG14 shares campaign overlap with FIN7.[7]
Carbon Spider

[5]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1583 .001 Acquire Infrastructure: Domains

FIN7 has registered look-alike domains for use in phishing campaigns.[8]
Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]
Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][9][4]
.001 PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][10]
.003 Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.[4][9]

.005 Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][9][5]
.007 JavaScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][9][4]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]
Enterprise T1486 Data Encrypted for Impact

FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.[5]
Enterprise T1005 Data from Local System

FIN7 has collected files and other sensitive information from a compromised network.[5]
Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.[11][12]
Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[13]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

FIN7 has exfiltrated stolen data to the MEGA file sharing site.[5]
Enterprise T1210 Exploitation of Remote Services

FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.[5]
Enterprise T1008 Fallback Channels

FIN7's Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.[14]
Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][15]
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[16]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[10]
.005 Masquerading: Match Legitimate Name or Location

FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.[5]
Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]
Enterprise T1027 Obfuscated Files or Information

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[17][4][5]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][15][9][8][5]
.002 Phishing: Spearphishing Link

FIN7 has conducted broad phishing campaigns using malicious links.[5]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN7 has used RDP to move laterally in victim environments.[5]
.004 Remote Services: SSH

FIN7 has used SSH to move laterally through victim environments.[5]
.005 Remote Services: VNC

FIN7 has used TightVNC to control compromised hosts.[5]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][10][4][9]
Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[15]
Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[2]
Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

FIN7 has used Kerberoasting for credential access and to enable lateral movement.[5]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4]
Enterprise T1204 .001 User Execution: Malicious Link

FIN7 has used malicious links to lure victims into downloading malware.[5]
.002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[2][8][5]
Enterprise T1078 Valid Accounts

FIN7 has harvested valid administrative credentials for lateral movement.[5]
Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][15]
Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[2]
Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]
Enterprise T1047 Windows Management Instrumentation

FIN7 has used WMI to install malware on targeted systems.[8]

Software

ID Name References Techniques
S0552 AdFind [5] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0415 BOOSTWRITE [12] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, Obfuscated Files or Information, Shared Modules, Subvert Trust Controls: Code Signing
S0030 Carbanak [1][4][15][7][5] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture
S0154 Cobalt Strike [5] Abuse Elevation Control Mechanism: Bypass User Account Control, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Browser Session Hijacking, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data Encoding: Standard Encoding, Data from Local System, Data Obfuscation: Protocol Impersonation, Data Transfer Size Limits, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Proxy: Domain Fronting, Query Registry, Reflective Code Loading, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Signed Binary Proxy Execution: Rundll32, Software Discovery, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0488 CrackMapExec [5] Account Discovery: Domain Account, Brute Force: Password Guessing, Brute Force, Brute Force: Password Spraying, Command and Scripting Interpreter: PowerShell, File and Directory Discovery, Modify Registry, Network Share Discovery, OS Credential Dumping: NTDS, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Security Account Manager, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, Scheduled Task/Job: At (Windows), System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation
S0417 GRIFFON [18][5] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Permission Groups Discovery: Domain Groups, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery
S0151 HALFBAKED [2][4] Command and Scripting Interpreter: PowerShell, Indicator Removal on Host: File Deletion, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0648 JSS Loader [5] Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript, Ingress Tool Transfer, Phishing: Spearphishing Attachment, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0002 Mimikatz [5] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0517 Pillowmint [19][5] Archive Collected Data, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Process Injection: Asynchronous Procedure Call, Query Registry
S0145 POWERSOURCE [1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Query Registry
S0194 PowerSploit [5] Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Credentials in Registry, Unsecured Credentials: Group Policy Preferences, Windows Management Instrumentation
S0416 RDFSNIFFER [12] Indicator Removal on Host: File Deletion, Input Capture: Credential API Hooking, Native API
S0496 REvil [7][5] Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Create Process with Token, Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Destruction, Data Encrypted for Impact, Deobfuscate/Decode Files or Information, Drive-by Compromise, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Impair Defenses: Safe Mode Boot, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Obfuscated Files or Information, Permission Groups Discovery: Domain Groups, Phishing: Spearphishing Attachment, Process Injection, Query Registry, Service Stop, System Information Discovery, System Location Discovery: System Language Discovery, System Service Discovery, User Execution: Malicious File, Windows Management Instrumentation
S0390 SQLRat [9] Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0146 TEXTMATE [1] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell

References

  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  3. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  4. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  5. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  6. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
  7. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
  8. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
  9. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  10. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  1. Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020.
  2. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  3. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
  4. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  5. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  6. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
  7. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  8. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  9. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.