| FIN7 | |
| --- | --- |
| Other Names | ATK32, Carbanak, Carbon Spider, Calcium, Coreid, ELBRUS, G0008, G0046, Sangria Tempest |
| Location | Russia |
| Date of initial activity | 2013 |
| Suspected attribution | Russian state-sponsored threat group |
| Government Affiliation | Unknown |
| Motivation | Financial gain |
| Associated tools | Carbanak |
| Associated Groups | GOLD NIAGARA, ALPHV and BlackCat |
| Systems targeted | FIN7 primarily targets systems running Microsoft Windows operating systems. |
| Active | Yes |
Overview
FIN7, also known by its aliases like Carbon Spider or Carbanak Group, represents a highly sophisticated and persistent cybercrime syndicate with origins traced back to at least 2013. Operating predominantly from Russia, FIN7 has garnered global notoriety for its relentless targeting of businesses across diverse sectors, aiming primarily at financial gain through the theft of credit card information and sensitive data. What sets FIN7 apart is its operational maturity and organization, resembling corporate structures with roles, regular work schedules, and performance-based bonuses for successful cyber operatives.
The group’s modus operandi is characterized by meticulous planning and execution of targeted spear-phishing campaigns. They craft convincing emails laden with malicious attachments or links designed to exploit vulnerabilities in common software like Microsoft Office (e.g., CVE-2017-11882). Once a victim opens these attachments or clicks on links, FIN7 gains initial access to the target’s network, from where they proceed to deploy custom malware and tools tailored for remote access, data exfiltration, and persistence.
Among their arsenal of malicious tools, Carbanak stands out as a sophisticated backdoor trojan used for espionage and remote control of compromised systems. Other tools like Bateleur, Pillowmint, and JSSLoader facilitate various stages of their operations, from initial compromise to lateral movement within networks. This diverse toolkit underscores FIN7’s technical prowess and adaptability in circumventing security measures.
In recent years, FIN7 has evolved beyond its origins in financial theft to embrace ransomware operations under names like Darkside Ransomware. This shift, often referred to as “big game hunting,” involves targeting larger corporations with ransomware attacks that encrypt data and demand hefty ransoms. The group’s involvement in high-profile incidents like the Colonial Pipeline ransomware attack in 2021 has cemented their reputation as a formidable cyber threat capable of causing significant disruptions and financial losses on a global scale.
Geopolitically, FIN7’s activities have drawn attention not only for their financial impact but also for their connections to other threat groups and potentially state-sponsored actors. The group’s resilience, adaptability, and ability to evade law enforcement despite previous arrests highlight the ongoing challenges in combating cybercrime at such a sophisticated level. As organizations continue to fortify their defenses against evolving cyber threats, understanding and mitigating the tactics of groups like FIN7 remain critical priorities in the cybersecurity landscape.
Common targets
FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S., Europe, Brazil, Canada, the United Kingdom, and Australia.
Attack Vectors
Spearphishing Emails, Social Engineering, Point-of-Sale (POS) Intrusions, Watering Hole Attacks, Exploitation of Remote Desktop Protocol (RDP), Fileless Malware, Supply Chain Compromise, Credential Theft, Use of Custom Tools
How they operate
At the core of FIN7’s strategy is their meticulous approach to initial access. The group often employs spear-phishing campaigns, tailored to target specific individuals within organizations using compelling emails containing malicious attachments or links. These phishing attempts are crafted with careful attention to detail, mimicking legitimate communications from trusted sources to increase the likelihood of engagement. Once a victim interacts with the malicious content, FIN7 exploits vulnerabilities in software or operating systems to gain a foothold within the victim’s network.
Upon gaining initial access, FIN7 employs various techniques to ensure persistence within the compromised network. They frequently leverage registry run keys, startup folders, or create malicious Windows services to establish persistence mechanisms that allow them to maintain access over extended periods. This persistence enables the group to conduct reconnaissance and move laterally across networked systems, identifying valuable assets and exfiltrating sensitive information discreetly.
To facilitate their malicious activities, FIN7 utilizes a range of tools and techniques. These include PowerShell scripts for executing commands, remote access trojans (RATs) for maintaining control over compromised systems, and sophisticated obfuscation methods to evade detection by security measures. The group is also known for leveraging legitimate tools and protocols such as Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP) to further their objectives without raising suspicion.
Exfiltration of stolen data is a critical phase in FIN7’s operations. The group moves sensitive information out over encrypted channels and non-standard ports, often through cloud storage services or other web-based platforms so that the traffic blends in with legitimate use. This careful orchestration illustrates FIN7’s ability to bypass traditional cybersecurity defenses and the ongoing challenge organizations face in guarding against such sophisticated threats.
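As an added illustration (not from the original page or from any FIN7 tooling), the script below maps constructed Sysmon-style host events to the technique IDs this page lists for FIN7: Run-key persistence, PowerShell with an encoded command line, mshta execution, WMI-spawned processes, and outbound connections on non-standard ports. Field names follow Sysmon; the rules, port list and sample records are assumptions for demonstration, not a vetted detection set.

```python
"""Map Sysmon-style host events to FIN7 techniques named on this page.
Sample events are constructed, not real telemetry; field names follow
Sysmon (EventID 1 process create, 3 network connect, 13 registry set)."""
from collections import defaultdict

# Assumed baseline of ports treated as "standard" for this demonstration.
STANDARD_PORTS = {22, 25, 53, 80, 443, 587, 993, 995, 3389}

def _exe(ev, key="Image"):
    """Lower-case file name of an Image/ParentImage path."""
    return ev.get(key, "").lower().rsplit("\\", 1)[-1]

# (technique ID from the page's MITRE list, predicate over one event)
RULES = [
    ("T1547.001", lambda ev: ev["EventID"] == 13 and
        "\\currentversion\\run" in ev.get("TargetObject", "").lower()),
    ("T1059.001", lambda ev: ev["EventID"] == 1 and _exe(ev) == "powershell.exe"),
    ("T1027.010", lambda ev: ev["EventID"] == 1 and _exe(ev) == "powershell.exe"
        and "-enc" in ev.get("CommandLine", "").lower()),
    ("T1218.005", lambda ev: ev["EventID"] == 1 and _exe(ev) == "mshta.exe"),
    ("T1047", lambda ev: ev["EventID"] == 1 and _exe(ev, "ParentImage") == "wmiprvse.exe"),
    ("T1571", lambda ev: ev["EventID"] == 3 and ev.get("Initiated") == "true"
        and ev.get("DestinationPort") not in STANDARD_PORTS),
]

def classify(events):
    """Return {technique_id: [RecordID, ...]} for every rule each event matches."""
    hits = defaultdict(list)
    for ev in events:
        for tid, pred in RULES:
            if pred(ev):
                hits[tid].append(ev["RecordID"])
    return dict(hits)

SAMPLE_EVENTS = [  # constructed records for this example
    {"RecordID": 1, "EventID": 1, "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc PLACEHOLDERBASE64"},
    {"RecordID": 2, "EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"RecordID": 3, "EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\Public\doc.hta"},
    {"RecordID": 4, "EventID": 3, "Image": "powershell.exe", "Initiated": "true", "DestinationPort": 8443},
    {"RecordID": 5, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"RecordID": 6, "EventID": 3, "Image": "chrome.exe", "Initiated": "true", "DestinationPort": 443},
]
```

Records 5 and 6 are benign controls and should produce no hits; in production the same matcher would be fed real Sysmon events and tuned against the environment's own baseline.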
MITRE Tactics and Techniques Used
T1583.001 – Acquire Infrastructure: Domains
T1071.004 – Application Layer Protocol: DNS
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1059.001 – Command and Scripting Interpreter: PowerShell
T1059.003 – Command and Scripting Interpreter: Windows Command Shell
T1059.005 – Command and Scripting Interpreter: Visual Basic
T1059.007 – Command and Scripting Interpreter: JavaScript
T1543.003 – Create or Modify System Process: Windows Service
T1486 – Data Encrypted for Impact
T1005 – Data from Local System
T1587.001 – Develop Capabilities: Malware
T1546.011 – Event Triggered Execution: Application Shimming
T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1210 – Exploitation of Remote Services
T1008 – Fallback Channels
T1105 – Ingress Tool Transfer
T1559.002 – Inter-Process Communication: Dynamic Data Exchange
T1036.004 – Masquerading: Masquerade Task or Service
T1036.005 – Masquerading: Match Legitimate Name or Location
T1571 – Non-Standard Port
T1027.010 – Obfuscated Files or Information: Command Obfuscation
T1566.001 – Phishing: Spearphishing Attachment
T1566.002 – Phishing: Spearphishing Link
T1021.001 – Remote Services: Remote Desktop Protocol
T1021.004 – Remote Services: SSH
T1021.005 – Remote Services: VNC
T1091 – Replication Through Removable Media
T1053.005 – Scheduled Task/Job: Scheduled Task
T1113 – Screen Capture
T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
T1553.002 – Subvert Trust Controls: Code Signing
T1218.005 – System Binary Proxy Execution: Mshta
T1204.001 – User Execution: Malicious Link
T1204.002 – User Execution: Malicious File
T1078 – Valid Accounts
T1125 – Video Capture
T1497.002 – Virtualization/Sandbox Evasion: User Activity Based Checks
T1102.002 – Web Service: Bidirectional Communication
T1047 – Windows Management Instrumentation