FOCUS MODE
EXTRACT IOC
Threat Research

Emulating the Financially Motivated Criminal Adversary FIN7 – Part 2

AttackIQ
Emulating the Financially Motivated Criminal Adversary FIN7 – Part 2
FIN7, also known as Carbon Spider, is a financially motivated cybercriminal group that has evolved from targeting Russian financial institutions to a wide range of sectors globally. They employ sophisticated techniques such as ransomware and malware for financial gains, including the notable DarkSide and Black Basta ransomware attacks. In their recent operations, they have collaborated with other threat actors, showcasing a continuous adaptation of their tactics. Affected: financial services, hospitality, retail, healthcare, technology, transportation, manufacturing, media, professional services, energy

Keypoints :

  • FIN7, began operations in 2013 targeting Russian financial institutions.
  • Expanded to Middle East, Europe, North America, focusing on payment card data.
  • Utilized PoS malware for card data harvesting.
  • In 2020, shifted to Big Game Hunting, employing ransomware tactics.
  • Colonial Pipeline attack in May 2021 heavily disrupted fuel supply chains.
  • Introduced Ransomware-as-a-Service (RaaS) models with DarkSide and BlackMatter.
  • Collaborated with former Conti members in 2023 to develop the Minodo backdoor.
  • Targeted various sectors including financial services and energy, showcasing versatility.
  • Released attack graphs to emulate FIN7’s behavior for enhancing security assessments.

MITRE Techniques :

  • Ingress Tool Transfer (T1105): Delivery of malicious samples to test network and endpoint defenses.
  • System Owner/User Discovery (T1033): Used GetUserNameA API to retrieve the current user’s name.
  • System Information Discovery (T1082): Employed GetComputerNameExA to acquire system information.
  • Process Discovery (T1057): Utilized Windows API to enumerate running processes.
  • Reflective DLL Injection (T1620): Loaded code into its own process for executing malicious payloads.
  • Native API (T1106): Executed CreateProcessA to launch new processes.
  • Process Injection (T1055): Injected code into legitimate processes for evasion and execution.
  • Remote System Discovery (T1018): Conducted Active Directory reconnaissance using AdFind.
  • Security Software Discovery (T1518.001): Identified installed security tools via WMI commands.
  • Create Account: Local Account (T1136.001): Established persistence by creating a local user.
  • Account Manipulation: Additional Local or Domain Groups (T1098.007): Elevated privileges by adding users to local groups.
  • Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): Created a registry entry for persistence.
  • Data Encrypted for Impact (T1486): Encrypted files during Black Basta ransomware deployment.

Indicator of Compromise :

  • [Domain] joker’s stash
  • [Technique] Reflective DLL Injection – AttackIQ DLL
  • [Hash] 7d6d96e181033b9c8398e682ed3fd054
  • [Domain] itg23.com
  • [Domain] colonelpipeline.com

Full Story: https://www.attackiq.com/2025/02/14/emulating-fin7-part-2/

Views: 19

Tags: HUNTING, FINANCIAL, WINDOWS, DNS, CVE, RECONNAISSANCE, FIREWALL, PROXY