# FIN7 Intelligence Summary
ATT&CK Group ID: G0046
Objectives: FIN7 is a financially motivated threat group that has been associated with malicious operations dating back to late 2015.[25] The group is characterized by persistent targeting and large-scale theft of payment card data from victim systems, often using social engineering and spearphishing (T1566) with well-disguised lures to distribute their malware.[9,11,12,26] Beyond monetizing stolen payment card data, FIN7 has used other monetization tactics, including targeting finance departments within victim organizations and targeting individuals with access to material non-public information that the actors could use to gain a competitive advantage in stock trading.[11,26]
Target Industries: FIN7 operations have been directed against victims within the following sectors in the United States and Europe: restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services.[11]
Operations: In terms of operational tradecraft, FIN7 is distinguished by technical innovation, using novel techniques and displaying the characteristics of a well-rounded operation. FIN7 has been reported to make limited use of exploits while blending publicly available tools with unique or altered ones.[9] The group has leveraged hidden shortcut files (LNK files) (T1204.002) to initiate infection and VBScript functionality launched by mshta.exe (T1218.005) to infect the victim.[25] This is a departure from its previously established use of weaponized Office macros (T1059.005) and highlights the group's ability to adapt in order to evade detection.[11]
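The execution chain described above (a shortcut lure, mshta.exe running VBScript, or an Office macro spawning a script host) is visible in process-creation telemetry. The following Python is an added detection example, not code from this summary or from the emulation library: it evaluates constructed Sysmon-style Event ID 1 records against rules for T1204.002, T1218.005 and T1059.005, and also flags sdbinst.exe, the installer behind the application-shimming persistence (T1546.011) discussed in the next paragraph. Every event, path and timestamp in the sample is constructed.

```python
import json
import ntpath

# Script hosts that a macro or shortcut lure typically hands execution to.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line fragments meaning mshta.exe is running script or remote content,
# not a locally installed help application.
MSHTA_SCRIPT_MARKERS = ("vbscript:", "javascript:", ".hta", "http")

# Constructed process-creation events in a Sysmon Event ID 1 style (not real telemetry).
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"utc_time": "2021-03-01 09:00:01", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": 'mshta.exe vbscript:Execute("REM constructed placeholder")',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"utc_time": "2021-03-01 09:05:12", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c echo constructed-macro-child",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"utc_time": "2021-03-01 09:06:00", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"utc_time": "2021-03-01 09:10:44", "image": r"C:\Windows\System32\sdbinst.exe",
     "command_line": r"sdbinst.exe -q C:\Users\Public\constructed.sdb",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"utc_time": "2021-03-01 09:11:30",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe", "parent_image": r"C:\Windows\explorer.exe"},
])


def basename(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return a list of (technique, reason) findings for one process-creation event."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "").lower()
    findings = []
    # T1218.005: mshta.exe executing inline script, an .hta file or remote content.
    if image == "mshta.exe" and any(m in cmdline for m in MSHTA_SCRIPT_MARKERS):
        findings.append(("T1218.005", "mshta.exe executing script or HTA content"))
    # T1059.005: an Office application spawning a script host is the classic macro chain.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(("T1059.005", f"{parent} spawned {image} (macro-style child)"))
    # T1204.002: a user double-clicking a shortcut lure launches its target under explorer.exe;
    # the .lnk itself is usually not in the command line, so the parent is the signal.
    if parent == "explorer.exe" and image in {"mshta.exe", "wscript.exe", "cscript.exe"}:
        findings.append(("T1204.002", f"{image} launched under explorer.exe (shortcut lure)"))
    # T1546.011: sdbinst.exe installs a custom shim database. Legitimate installers use it
    # too, so pair this with registry writes under AppCompatFlags\InstalledSDB when tuning.
    if image == "sdbinst.exe":
        findings.append(("T1546.011", "sdbinst.exe run: custom application shim installed"))
    return findings


def scan(jsonl):
    """Evaluate every JSON-lines event and return a flat list of alert dicts."""
    alerts = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        for technique, reason in evaluate(event):
            alerts.append({"line": n, "time": event.get("utc_time"), "technique": technique,
                           "image": basename(event.get("image", "")), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] line {alert['line']} {alert['time']} "
              f"{alert['image']}: {alert['reason']}")
```

Run as-is, the sample produces four alerts: two for the explorer.exe to mshta.exe event (the script-argument and shortcut-lure rules both fire), one for the WINWORD.EXE to cmd.exe chain, and one for sdbinst.exe; the svchost.exe and chrome.exe events are ignored. The rules key on parent/child relationships rather than on specific strings, which is what makes them hold up against the daily obfuscation changes the summary describes.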
FIN7 has been reported to use the Carbanak backdoor as a post-exploitation tool since as early as 2015.[11] The group has also used creative persistence mechanisms, such as application shimming (T1546.011), to spawn a Carbanak backdoor and, separately, to install a payment card harvesting utility.[11,24] The group has also been reported to develop defense evasion techniques rapidly, such as creating novel obfuscation methods that in some cases were modified on a daily basis while attacks against multiple victims were under way.[11] FireEye dubbed the group's payload obfuscation style, which relies on the Windows command interpreter's native string substitution, "FINcoding."[11]
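FINcoding, as summarized above, assembles command strings out of cmd.exe's own `%VAR:~start,len%` substring and `%VAR:old=new%` substitution syntax, often with caret escaping on top. The Python below is an added analyst-side example, not a tool from the referenced reporting or from the emulation library: it emulates those expansion rules over a constructed batch snippet so the final command line can be read in clear without executing anything. The snippet, its variable names and the path it builds are all constructed.

```python
import re

# %NAME%, %NAME:~start,len% and %NAME:old=new% forms; NAME may not contain '%' or ':'.
VAR_RE = re.compile(r"%([^%:]+)(?::([^%]*))?%")
# set "NAME=VALUE" or set NAME=VALUE (cmd accepts both spellings).
SET_RE = re.compile(r'^\s*set\s+"?([^=]+?)=(.*?)"?\s*$', re.IGNORECASE)

# Constructed batch snippet: builds a process name one character at a time and
# repairs a path with a substitution. Not a real FIN7 sample.
SAMPLE_SCRIPT = r'''
@echo off
set "a=tmxsh.ea"
set "b=%a:~1,1%%a:~3,1%%a:~4,1%%a:~0,1%%a:~7,1%%a:~5,1%%a:~6,1%%a:~2,1%%a:~6,1%"
set "p=C:|Users|Public|stage.hta"
set "p=%p:|=\%"
st^ar^t "" %b% "%p%"
'''


def substring(value, spec):
    """%VAR:~start[,len]%: negative start counts from the end, negative len trims the end."""
    parts = spec.split(",", 1)
    n = len(value)
    start = int(parts[0]) if parts[0] else 0
    if start < 0:
        start = max(n + start, 0)
    if len(parts) == 1:
        return value[start:]
    length = int(parts[1])
    return value[start:n + length] if length < 0 else value[start:start + length]


def replace(value, spec):
    """%VAR:old=new%: case-insensitive replace-all; a leading '*' on old means
    'everything up to and including the first old'."""
    old, new = spec.split("=", 1)
    if old.startswith("*"):
        needle = old[1:]
        idx = value.lower().find(needle.lower())
        return value if idx < 0 else new + value[idx + len(needle):]
    if not old:
        return value
    return re.sub(re.escape(old), lambda _: new, value, flags=re.IGNORECASE)


def expand(line, env):
    """Perform cmd-style percent expansion of one line against the current environment."""
    def one(m):
        name, op = m.group(1), m.group(2)
        value = env.get(name.lower())
        if value is None:
            return m.group(0)      # leave unresolved references visible to the analyst
        if op is None:
            return value
        if op.startswith("~"):
            return substring(value, op[1:])
        if "=" in op:
            return replace(value, op)
        return m.group(0)
    return VAR_RE.sub(one, line)


def unescape_carets(line):
    """Drop escape carets outside double quotes; inside quotes cmd treats ^ literally."""
    out, in_quotes, i = [], False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == "^" and not in_quotes:
            if i + 1 < len(line):
                out.append(line[i + 1])
                i += 1
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def deobfuscate(script):
    """Walk a batch script, tracking set assignments, and return (env, resolved commands)."""
    env, commands = {}, []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("::") or line.lower().startswith("rem "):
            continue
        line = unescape_carets(expand(line, env))   # expansion precedes caret handling, as in cmd
        m = SET_RE.match(line)
        if m:
            env[m.group(1).strip().lower()] = m.group(2)
        else:
            commands.append(line)
    return env, commands


if __name__ == "__main__":
    env, cmds = deobfuscate(SAMPLE_SCRIPT)
    for name, value in env.items():
        print(f"{name} = {value}")
    print("\n".join(cmds))
```

Delayed expansion (`!VAR!`), `for /f` token games and nested `cmd /c` layers are not handled here; when a sample uses them, feed the inner command string back through `deobfuscate` after the first pass. The point of the example is that the substitution grammar is small and deterministic, so an analyst can resolve it statically rather than running the script.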
FIN7 has also used point-of-sale malware, such as Pillowmint, to scrape track 1 and track 2 payment card data from memory.[8]
## FIN7 Software

## FIN7 ATT&CK Navigator

The following behaviors are in scope for an emulation of actions attributed to FIN7, as referenced by MITRE ATT&CK.

### Scenario 1

The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 1, in the referenced reporting.

### Scenario 2

The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 2, in the referenced reporting.

### BOOSTWRITE

The following behaviors are in scope for an emulation of actions performed by FIN7 using BOOSTWRITE, exclusively based on current intelligence within ATT&CK for the given software.

### Carbanak

The following behaviors are in scope for an emulation of actions performed by FIN7 using Carbanak, exclusively based on current intelligence within ATT&CK for the given software.

### GRIFFON

The following behaviors are in scope for an emulation of actions performed by FIN7 using GRIFFON, exclusively based on current intelligence within ATT&CK for the given software.

### HALFBAKED

The following behaviors are in scope for an emulation of actions performed by FIN7 using HALFBAKED, exclusively based on current intelligence within ATT&CK for the given software.

### Pillowmint

The following behaviors are in scope for an emulation of actions performed by FIN7 using Pillowmint, exclusively based on current intelligence within ATT&CK for the given software.

### SQLRat

The following behaviors are in scope for an emulation of actions performed by FIN7 using SQLRat, exclusively based on current intelligence within ATT&CK for the given software.

## References
The Intelligence Summary summarizes 26 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:
- Microsoft