# FIN7 Intelligence Summary

# ATT&CK Group ID: GOO46

Objectives: FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015.²⁵ The group is characterized by their persistent targeting and large-scale theft of payment card data from victim systems, often using social engineering and spearphishing (T1566) with well-disguised lures to distribute their malware.^9,11,12,26 Beyond the monetization of victim payment card data, FIN7 has used other diverse monetization tactics, including targeting finance departments within victim organizations and targeting individuals with access to material non-public information that the actors could use to gain a competitve advantage in stock trading.^11,26

Target Industries: FIN7 operations have been directed against victims within the following sectors in the United States and Europe: restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services.¹¹

Operations: Regarding their operational tradecraft, FIN7 is distinguished by their techincal innovation, using novel techniques and displaying characteristics of a well-rounded operation. FIN7 has been reported to employ limited use of exploits while blending publicly available and unique or altered tools.⁹ The group has leveraged hidden shortcut files (LNK files) (T1204.002) to initiate infection and VBScript functionality launched by mshta.exe (T1218.005) to infect the victim.²⁵ This is a departure from previously established usage of weaponized Office macros (T1059.005) and highlights the group's ability to adapt to evade detction.¹¹

FIN7 has been reported to use the Carbanak backdoor as a post-exploitation tool since as early as 2015.¹¹ The group has also used creative persistence mechanisms, such as application shimming (T1546.011), to spawn a Carbanak backdoor and seprately to install a payment card harvesting utility.^11,24 It has also been reported that the group has developed defense evasion techniques rapidly, such as we creating novel obfuscation methods that in some cases were modified on a daily basis while launching attacks targeting multiple victims.¹¹ FireEye dubbed their development of a payload obfuscation style using the Windows command interpreter's native string substitution as "FINcoding."¹¹

FIN7 has also used point-of-sale malware, such as Pillowmint, to scrape track 1 and track 2 payment card data from memory.⁸

# FIN7 Software

Name	Associated Names	Software Type	Availability	Emulation Notes
BABYMETAL		Downloader, Stager		FIN7 has used BABYMETAL to stage a Meterpreter payload over HTTP(s).¹¹
BOOSTWRITE (S0415)		Loader		FIN7 has used BOOSTWRITE as a loader launched via the abuse of DLL search order of applications.¹¹
Carbanak (S0030)	Anunak	Backdoor		FIN7 has used Carbanak as a post-exploitation tool to cement their foothold and maintain access to victim environments.¹¹
GRIFFON (S0417)		Backdoor		FIN7 has used GRIFFON to execute modules in-memory and send results to a C2.⁴
HALFBAKED (S0151)		Backdoor		FIN7 has used HALFBAKED to establish and maintain a foothold in victim networks.²⁵
Mimikatz (S0002)		Windows Credential Dumper	Openly Available	FIN7 has used Mimikatz to facilitate privilege escalation. ⁹
PAExec		Remote Execution	Openly Available	FIN7 has used PAExec to support execution of remote commands.⁹
Pillowmint (S0517)		Point of Sale (POS) Malware		FIN7 has used Pillowmint to scrape credit card data from memory.⁹
SQLRat (S0390)		Remote Access Tool (RAT)		FIN7 has used SQLRat to drop files and execute SQL scripts on victim hosts.⁵

# FIN7 ATT&CK Navigator

# The following behaviors are in scope for an emulation of actions attributed to FIN7 as referenced by MITRE ATT&CK.

# Scenario 1

# The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 1, in the referenced reporting.

# Scenario 2

# The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 2, in the referenced reporting.

# BOOSTWRITE

# The following behaviors are in scope for an emulation of actions performed by FIN7 using BOOSTWRITE, exclusively based on current intelligence within ATT&CK for the given software.

# Carbanak

# The following behaviors are in scope for an emulation of actions performed by FIN7 using Carbanak, exclusively based on current intelligence within ATT&CK for the given software.

# GRIFFON

# The following behaviors are in scope for an emulation of actions performed by FIN7 using GRIFFON, exclusively based on current intelligence within ATT&CK for the given software.

# HALFBAKED

# The following behaviors are in scope for an emulation of actions performed by FIN7 using HALFBAKED, exclusively based on current intelligence within ATT&CK for the given software.

# Pillowmint

# The following behaviors are in scope for an emulation of actions performed by FIN7 using Pillowmint, exclusively based on current intelligence within ATT&CK for the given software.

# SQLRat

# The following behaviors are in scope for an emulation of actions performed by FIN7 using SQLRat, exclusively based on current intelligence within ATT&CK for the given software.

# References

The Intelligence Summary summarizes 26 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:

Microsoft

ID	Source	Publisher	Date
1	Cyberthreats to Financial Institutions 2020: Overview and Predictions	Kaspersky	December 2019
2	Mahalo Fin7: Responding to the Criminal Operator's New Tools and Techniques	FireEye	October 2019
3	Deep Insight into "Fin7" Malware Chain: From Office Macro Malware to Lightweight js Loader	SentinelOne	October 2019
4	FIN7.5: The Infamous CyberCrime RIG "FIN7" Continues its Activities	Kaspersky	May 2019
5	Fin7 Revisited Inside Astra Panel and SQLRat Malware	Kaspersky	May 2019
6	Profile of an Adversary - FIN7	DeepWatch	May 2019
7	CARBANAK Week Part Four: The CARBANAK Desktop Video Player	FireEye	April 2019
8	Fin7 Not Finished Morphisec Spots New Campaign	FireEye	November 2018
9	ATT&CKing FIN7: The Value of Using Frameworks for Threat Intelligence	FireEye	October 2018
10	Carbanak! A Look Inside the Carbanak Source Code	FireEye	October 2018
11	On The Hunt for Fin7: Pursuing an Enigmatic and Evasive Global Crime Operation	FireEye	August 2018
12	How FIN7 Attacked & Stole Data	Doj	August 2018
13	The Carbanak/Fin7 Syndicate: A Historical Overview of an Evolving Threat	RSA	November 2017
14	Footprints of Fin7: Pushing New Techniques to Evade Detection	Gigamon	October 2017
15	Fin7 Weaponization of DDE is just their Latest Slick Move, Say Researchers	CyberScoop	October 2017
16	Fin7 Dissected: Hackers Accelerate Pace of Innovation	Morphisec Lab	October 2017
17	FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks	Talos	September 2017
18	Fin7/Carbanak Threat Actor Unleashes Bateleur jScript Backdoor	Proofpoint	July 2017
19	Footprints of Fin7: Tracking Actor Patterns (part 2)	Gigamon	July 2017
20	Footprints of Fin7: Tracking Actor Patterns (part 1)	Gigamon	July 2017
21	Behind The CARBANAK Backdoor	FireEye	June 2017
22	Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques	FireEye	June 2017
23	FIN7 Takes Another Bite at The Resturant Industry	morphisec	June 2017
24	To SDB, or Not To SDB: Fin7 Leveraging Shim Databases for Persistence	FireEye	May 2017
25	Fin7 Evolution and the Phishing LNK	FireEye	April 2017
26	Fin7 Spearphishing Campaign Targets Personnel Involved in SEC Filings	FireEye	April 2017