#FIN7 Intelligence Summary


#ATT&CK Group ID: G0046

Objectives: FIN7 is a financially motivated threat group that has been associated with malicious operations dating back to late 2015.25 The group is characterized by its persistent targeting and large-scale theft of payment card data from victim systems, often using social engineering and spearphishing (T1566) with well-disguised lures to distribute its malware.9,11,12,26 Beyond the monetization of victim payment card data, FIN7 has used other diverse monetization tactics, including targeting finance departments within victim organizations and targeting individuals with access to material non-public information that the actors could use to gain a competitive advantage in stock trading.11,26

Target Industries: FIN7 operations have been directed against victims within the following sectors in the United States and Europe: restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services.11

Operations: Regarding their operational tradecraft, FIN7 is distinguished by their technical innovation, using novel techniques and displaying the characteristics of a well-rounded operation. FIN7 has been reported to make limited use of exploits, blending publicly available tools with unique or altered ones.9 The group has leveraged hidden shortcut files (LNK files) (T1204.002) to initiate infection and VBScript functionality launched by mshta.exe (T1218.005) to infect the victim.25 This is a departure from their previously established use of weaponized Office macros (T1059.005) and highlights the group's ability to adapt in order to evade detection.11

FIN7 has been reported to use the Carbanak backdoor as a post-exploitation tool since as early as 2015.11 The group has also used creative persistence mechanisms, such as application shimming (T1546.011), to spawn a Carbanak backdoor and, separately, to install a payment card harvesting utility.11,24 It has also been reported that the group has developed defense evasion techniques rapidly, such as creating novel obfuscation methods that in some cases were modified on a daily basis while launching attacks against multiple victims.11 FireEye dubbed their payload obfuscation style, which uses the Windows command interpreter's native string substitution, "FINcoding."11
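Detection logic for two of the behaviors described above (mshta.exe launching inline VBScript, T1218.005, and shim database persistence, T1546.011), run over constructed Sysmon-style telemetry. This is an added example, not code from the summary or from any referenced vendor; the record field names, the sample events and the file paths in them are assumptions, while the AppCompatFlags registry locations are the standard Windows shim database keys.

```python
import re

# Constructed sample telemetry (simplified Sysmon-like records): process
# creations with image, parent image and command line, plus one registry write.
EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'mshta.exe vbscript:Execute("MsgBox 1")'},
    {"kind": "process", "image": r"C:\Windows\System32\sdbinst.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"sdbinst.exe -q C:\Users\Public\update.sdb"},
    {"kind": "registry",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\svchost.exe",
     "image": r"C:\Windows\System32\sdbinst.exe"},
    {"kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"kind": "process", "image": r"C:\Program Files\Vendor\App.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "App.exe"},
]

# Inline script protocol handlers passed to mshta.exe instead of an .hta file.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# Registry footprint of an installed custom shim database.
SHIM_KEYS = re.compile(r"\\AppCompatFlags\\(Custom|InstalledSDB)\\", re.IGNORECASE)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(event):
    """Return the ATT&CK technique IDs a single event matches."""
    hits = []
    if event["kind"] == "process":
        image = basename(event["image"])
        # T1218.005: mshta.exe executing inline script. A parent of explorer.exe
        # is consistent with a user opening an LNK lure.
        if image == "mshta.exe" and INLINE_SCRIPT.search(event["cmdline"]):
            hits.append("T1218.005")
        # T1546.011: sdbinst.exe is legitimate but rare outside software deployment.
        if image == "sdbinst.exe":
            hits.append("T1546.011")
    elif event["kind"] == "registry" and SHIM_KEYS.search(event["key"]):
        hits.append("T1546.011")
    return hits

def scan(events):
    """Map each technique ID to the indices of the events that matched it."""
    findings = {}
    for i, ev in enumerate(events):
        for tid in match_rules(ev):
            findings.setdefault(tid, []).append(i)
    return findings

if __name__ == "__main__":
    for tid, idx in sorted(scan(EVENTS).items()):
        print(tid, [EVENTS[i]["image"] for i in idx])
```

The fourth event (mshta.exe opening an .hta file) is deliberately not flagged: the inline `vbscript:` handler, not mshta.exe itself, is the discriminator, which keeps the rule quiet on legitimate HTA use.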

FIN7 has also used point-of-sale malware, such as Pillowmint, to scrape track 1 and track 2 payment card data from memory.8


#FIN7 Software

| Name | Associated Names | Software Type | Availability | Emulation Notes |
| --- | --- | --- | --- | --- |
| BABYMETAL | | Downloader, Stager | | FIN7 has used BABYMETAL to stage a Meterpreter payload over HTTP(s).11 |
| BOOSTWRITE (S0415) | | Loader | | FIN7 has used BOOSTWRITE as a loader launched via the abuse of DLL search order of applications.11 |
| Carbanak (S0030) | Anunak | Backdoor | | FIN7 has used Carbanak as a post-exploitation tool to cement their foothold and maintain access to victim environments.11 |
| GRIFFON (S0417) | | Backdoor | | FIN7 has used GRIFFON to execute modules in-memory and send results to a C2.4 |
| HALFBAKED (S0151) | | Backdoor | | FIN7 has used HALFBAKED to establish and maintain a foothold in victim networks.25 |
| Mimikatz (S0002) | | Windows Credential Dumper | Openly Available | FIN7 has used Mimikatz to facilitate privilege escalation.9 |
| PAExec | | Remote Execution | Openly Available | FIN7 has used PAExec to support execution of remote commands.9 |
| Pillowmint (S0517) | | Point of Sale (POS) Malware | | FIN7 has used Pillowmint to scrape credit card data from memory.9 |
| SQLRat (S0390) | | Remote Access Tool (RAT) | | FIN7 has used SQLRat to drop files and execute SQL scripts on victim hosts.5 |

#FIN7 ATT&CK Navigator

#The following behaviors are in scope for an emulation of actions attributed to FIN7 as referenced by MITRE ATT&CK

/Attack_Layers/FIN7_G0046.png

#The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 1, in the referenced reporting

/Attack_Layers/FIN7_Scenario1.png

#The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 2, in the referenced reporting

/Attack_Layers/FIN7_Scenario2.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using BOOSTWRITE, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/BOOSTWRITE_S0415.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using Carbanak, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/Carbanak_S0030.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using GRIFFON, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/GRIFFON_S0417.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using HALFBAKED, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/HALFBAKED_S0151.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using Pillowmint, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/Pillowmint_S0517.png

#The following behaviors are in scope for an emulation of actions performed by FIN7 using SQLRat, exclusively based on current intelligence within ATT&CK for the given software

/Attack_Layers/SQLRat_S0390.png


#References

The Intelligence Summary summarizes 26 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:

  • Microsoft
| ID | Source | Publisher | Date |
| --- | --- | --- | --- |
| 1 | Cyberthreats to Financial Institutions 2020: Overview and Predictions | Kaspersky | December 2019 |
| 2 | Mahalo Fin7: Responding to the Criminal Operator's New Tools and Techniques | FireEye | October 2019 |
| 3 | Deep Insight into "Fin7" Malware Chain: From Office Macro Malware to Lightweight js Loader | SentinelOne | October 2019 |
| 4 | FIN7.5: The Infamous CyberCrime RIG "FIN7" Continues its Activities | Kaspersky | May 2019 |
| 5 | Fin7 Revisited: Inside Astra Panel and SQLRat Malware | Kaspersky | May 2019 |
| 6 | Profile of an Adversary - FIN7 | DeepWatch | May 2019 |
| 7 | CARBANAK Week Part Four: The CARBANAK Desktop Video Player | FireEye | April 2019 |
| 8 | Fin7 Not Finished: Morphisec Spots New Campaign | FireEye | November 2018 |
| 9 | ATT&CKing FIN7: The Value of Using Frameworks for Threat Intelligence | FireEye | October 2018 |
| 10 | Carbanak! A Look Inside the Carbanak Source Code | FireEye | October 2018 |
| 11 | On The Hunt for Fin7: Pursuing an Enigmatic and Evasive Global Crime Operation | FireEye | August 2018 |
| 12 | How FIN7 Attacked & Stole Data | DoJ | August 2018 |
| 13 | The Carbanak/Fin7 Syndicate: A Historical Overview of an Evolving Threat | RSA | November 2017 |
| 14 | Footprints of Fin7: Pushing New Techniques to Evade Detection | Gigamon | October 2017 |
| 15 | Fin7 Weaponization of DDE is just their Latest Slick Move, Say Researchers | CyberScoop | October 2017 |
| 16 | Fin7 Dissected: Hackers Accelerate Pace of Innovation | Morphisec Lab | October 2017 |
| 17 | FIN7 Group Uses JavaScript and Stealer DLL Variant in New Attacks | Talos | September 2017 |
| 18 | Fin7/Carbanak Threat Actor Unleashes Bateleur jScript Backdoor | Proofpoint | July 2017 |
| 19 | Footprints of Fin7: Tracking Actor Patterns (part 2) | Gigamon | July 2017 |
| 20 | Footprints of Fin7: Tracking Actor Patterns (part 1) | Gigamon | July 2017 |
| 21 | Behind The CARBANAK Backdoor | FireEye | June 2017 |
| 22 | Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques | FireEye | June 2017 |
| 23 | FIN7 Takes Another Bite at The Restaurant Industry | Morphisec | June 2017 |
| 24 | To SDB, or Not To SDB: Fin7 Leveraging Shim Databases for Persistence | FireEye | May 2017 |
| 25 | Fin7 Evolution and the Phishing LNK | FireEye | April 2017 |
| 26 | Fin7 Spearphishing Campaign Targets Personnel Involved in SEC Filings | FireEye | April 2017 |