Summary:
FIN7, also known as Carbon Spider, is a sophisticated cybercriminal group that has targeted organizations across many sectors worldwide since 2013. It relies on ransomware and malware delivery to steal sensitive data and disrupt operations.
Key points:
- FIN7 started operations in 2013, initially targeting Russian financial institutions.
- Expanded targeting to include regions like the Middle East, Europe, and North America for payment card data.
- Utilizes Point-of-Sale (PoS) malware and has monetized stolen data on credit card markets.
- Engaged in Big Game Hunting (BGH) activities using ransomware like REvil and DarkSide.
- Launched a Ransomware-as-a-Service (RaaS) model with DarkSide and later BlackMatter.
- Targeted various sectors including financial services, healthcare, retail, and more.
- Recent activities involve deploying NetSupport RAT and POWERTRASH through phishing campaigns.
- AttackIQ has released attack graphs to emulate FIN7 behaviors for security validation.
MITRE Techniques:
- Ingress Tool Transfer (T1105): Downloads the FIN7 tooling to the host to test network and endpoint controls.
- System Information Discovery (T1082): Collects operating system information using WMI classes.
- Security Software Discovery (T1518.001): Identifies installed security software through WMI.
- Command and Control: Deploys NetSupport RAT for remote access.
- Scheduled Task/Job (T1053.005): Creates scheduled tasks for persistence.
- Process Injection (T1055): Injects code into running processes to remain hidden.
- Command and Scripting Interpreter: PowerShell (T1059.001): Executes encoded PowerShell scripts.
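As an added example, not taken from the AttackIQ article or its attack graphs, the following Python triages process-creation command lines for the behaviours listed above: it decodes PowerShell -EncodedCommand payloads (T1059.001) and flags WMI queries for OS details (T1082) and installed security products (T1518.001), plus schtasks-based persistence (T1053.005). The sample command lines and the substring-to-technique mapping are constructed for this example and are not indicators from the research.

```python
import base64
import re

# PowerShell's -EncodedCommand switch accepts any unambiguous prefix (-e, -ec, -enc, ...);
# its argument is base64 of the script encoded as UTF-16LE.
ENC_SWITCH = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Substrings mapped to the techniques listed above (hypothetical mapping for this example).
SIGNALS = {
    "win32_operatingsystem": "T1082",      # OS details via WMI
    "antivirusproduct": "T1518.001",       # security software via WMI
    "securitycenter2": "T1518.001",
    "schtasks": "T1053.005",               # scheduled task for persistence
    "register-scheduledtask": "T1053.005",
}


def encode_ps(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_SWITCH.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: PowerShell could not have run it either


def triage(cmdline: str) -> set:
    """Map one process command line to the MITRE technique IDs it exhibits."""
    found = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        found.add("T1059.001")  # an encoded PowerShell command is itself the first signal
    haystack = (cmdline + " " + (decoded or "")).lower()
    for needle, technique in SIGNALS.items():
        if needle in haystack:
            found.add(technique)
    return found


# Constructed sample process-creation command lines (made up for this example, not IoCs).
SAMPLE_EVENTS = [
    "powershell.exe -NoP -W Hidden -enc " + encode_ps("Get-WmiObject -Class Win32_OperatingSystem"),
    "powershell.exe -ec " + encode_ps("Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct"),
    'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "C:\\Users\\Public\\client32.exe"',
    "powershell.exe -ExecutionPolicy Bypass -Command Get-Date",  # benign: no signal
]
```

Run `triage()` over each entry of `SAMPLE_EVENTS` to see which technique IDs each command line triggers; the benign last entry yields an empty set.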
Indicators of Compromise:
- [domain] malicious-website.example.com
- [url] fake-browser-extension.example.com
- [file name] msix-file.msix
- [file name] POWERTRASH.exe
- [tool name] NetSupport RAT
- See the full article for the complete list of IoCs.
Full Research: https://www.attackiq.com/2024/12/12/emulating-fin7-part-1/