# FIN7 Intelligence Summary


# ATT&CK Group ID: GOO46

Objectives: FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015.25 The group is characterized by their persistent targeting and large-scale theft of payment card data from victim systems, often using social engineering and spearphishing (T1566) with well-disguised lures to distribute their malware.9,11,12,26 Beyond the monetization of victim payment card data, FIN7 has used other diverse monetization tactics, including targeting finance departments within victim organizations and targeting individuals with access to material non-public information that the actors could use to gain a competitve advantage in stock trading.11,26

Target Industries: FIN7 operations have been directed against victims within the following sectors in the United States and Europe: restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services.11

Operations: Regarding their operational tradecraft, FIN7 is distinguished by their techincal innovation, using novel techniques and displaying characteristics of a well-rounded operation. FIN7 has been reported to employ limited use of exploits while blending publicly available and unique or altered tools.9 The group has leveraged hidden shortcut files (LNK files) (T1204.002) to initiate infection and VBScript functionality launched by mshta.exe (T1218.005) to infect the victim.25 This is a departure from previously established usage of weaponized Office macros (T1059.005) and highlights the group's ability to adapt to evade detction.11

FIN7 has been reported to use the Carbanak backdoor as a post-exploitation tool since as early as 2015.11 The group has also used creative persistence mechanisms, such as application shimming (T1546.011), to spawn a Carbanak backdoor and seprately to install a payment card harvesting utility.11,24 It has also been reported that the group has developed defense evasion techniques rapidly, such as we creating novel obfuscation methods that in some cases were modified on a daily basis while launching attacks targeting multiple victims.11 FireEye dubbed their development of a payload obfuscation style using the Windows command interpreter's native string substitution as "FINcoding."11

FIN7 has also used point-of-sale malware, such as Pillowmint, to scrape track 1 and track 2 payment card data from memory.8


# FIN7 Software

Name Associated Names Software Type Availability Emulation Notes
BABYMETAL Downloader, Stager FIN7 has used BABYMETAL to stage a Meterpreter payload over HTTP(s).11
BOOSTWRITE (S0415) Loader FIN7 has used BOOSTWRITE as a loader launched via the abuse of DLL search order of applications.11
Carbanak (S0030) Anunak Backdoor FIN7 has used Carbanak as a post-exploitation tool to cement their foothold and maintain access to victim environments.11
GRIFFON (S0417) Backdoor FIN7 has used GRIFFON to execute modules in-memory and send results to a C2.4
HALFBAKED (S0151) Backdoor FIN7 has used HALFBAKED to establish and maintain a foothold in victim networks.25
Mimikatz (S0002) Windows Credential Dumper Openly Available FIN7 has used Mimikatz to facilitate privilege escalation. 9
PAExec Remote Execution Openly Available FIN7 has used PAExec to support execution of remote commands.9
Pillowmint (S0517) Point of Sale (POS) Malware FIN7 has used Pillowmint to scrape credit card data from memory.9
SQLRat (S0390) Remote Access Tool (RAT) FIN7 has used SQLRat to drop files and execute SQL scripts on victim hosts.5

# FIN7 ATT&CK Navigator

# The following behaviors are in scope for an emulation of actions attributed to FIN7 as referenced by MITRE ATT&CK

/Attack_Layers/FIN7_G0046.png
/Attack_Layers/FIN7_G0046.png

# Scenario 1

# The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 1, in the referenced reporting

/Attack_Layers/FIN7_Scenario1.png
/Attack_Layers/FIN7_Scenario1.png

# Scenario 2

# The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 2, in the referenced reporting

/Attack_Layers/FIN7_Scenario2.png
/Attack_Layers/FIN7_Scenario2.png

# BOOSTWRITE

# The following behaviors are in scope for an emulation of actions performed by FIN7 using BOOSTWRITE, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/BOOSTWRITE_S0415.png
/Attack_Layers/BOOSTWRITE_S0415.png

# Carbanak

# The following behaviors are in scope for an emulation of actions performed by FIN7 using Carbanak, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/Carbanak_S0030.png
/Attack_Layers/Carbanak_S0030.png

# GRIFFON

# The following behaviors are in scope for an emulation of actions performed by FIN7 using GRIFFON, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/GRIFFON_S0417.png
/Attack_Layers/GRIFFON_S0417.png

# HALFBAKED

# The following behaviors are in scope for an emulation of actions performed by FIN7 using HALFBAKED, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HALFBAKED_S0151.png
/Attack_Layers/HALFBAKED_S0151.png

# Pillowmint

# The following behaviors are in scope for an emulation of actions performed by FIN7 using Pillowmint, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/Pillowmint_S0517.png
/Attack_Layers/Pillowmint_S0517.png

# SQLRat

# The following behaviors are in scope for an emulation of actions performed by FIN7 using SQLRat, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/SQLRat_S0390.png
/Attack_Layers/SQLRat_S0390.png


# References

The Intelligence Summary summarizes 26 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:

  • Microsoft
ID Source Publisher Date
1 Cyberthreats to Financial Institutions 2020: Overview and Predictions Kaspersky December 2019
2 Mahalo Fin7: Responding to the Criminal Operator's New Tools and Techniques FireEye October 2019
3 Deep Insight into "Fin7" Malware Chain: From Office Macro Malware to Lightweight js Loader SentinelOne October 2019
4 FIN7.5: The Infamous CyberCrime RIG "FIN7" Continues its Activities Kaspersky May 2019
5 Fin7 Revisited Inside Astra Panel and SQLRat Malware Kaspersky May 2019
6 Profile of an Adversary - FIN7 DeepWatch May 2019
7 CARBANAK Week Part Four: The CARBANAK Desktop Video Player FireEye April 2019
8 Fin7 Not Finished Morphisec Spots New Campaign FireEye November 2018
9 ATT&CKing FIN7: The Value of Using Frameworks for Threat Intelligence FireEye October 2018
10 Carbanak! A Look Inside the Carbanak Source Code FireEye October 2018
11 On The Hunt for Fin7: Pursuing an Enigmatic and Evasive Global Crime Operation FireEye August 2018
12 How FIN7 Attacked & Stole Data Doj August 2018
13 The Carbanak/Fin7 Syndicate: A Historical Overview of an Evolving Threat RSA November 2017
14 Footprints of Fin7: Pushing New Techniques to Evade Detection Gigamon October 2017
15 Fin7 Weaponization of DDE is just their Latest Slick Move, Say Researchers CyberScoop October 2017
16 Fin7 Dissected: Hackers Accelerate Pace of Innovation Morphisec Lab October 2017
17 FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks Talos September 2017
18 Fin7/Carbanak Threat Actor Unleashes Bateleur jScript Backdoor Proofpoint July 2017
19 Footprints of Fin7: Tracking Actor Patterns (part 2) Gigamon July 2017
20 Footprints of Fin7: Tracking Actor Patterns (part 1) Gigamon July 2017
21 Behind The CARBANAK Backdoor FireEye June 2017
22 Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques FireEye June 2017
23 FIN7 Takes Another Bite at The Resturant Industry morphisec June 2017
24 To SDB, or Not To SDB: Fin7 Leveraging Shim Databases for Persistence FireEye May 2017
25 Fin7 Evolution and the Phishing LNK FireEye April 2017
26 Fin7 Spearphishing Campaign Targets Personnel Involved in SEC Filings FireEye April 2017

# Additional Plan Resources