Threat group FIN7 adapts with new tactics and tools, researchers say


The elusive Russian threat group FIN7 appears to be injecting itself back into the 2024 ransomware game with upgraded tools and some never-before-seen tactics – that is, if it ever really left.

FIN7, once declared extinct by the US government, has been found to have resurfaced on the dark markets selling upgraded versions of its well-used attack tools, according to threat researchers at SentinelLabs, who released a fresh analysis of the group Wednesday.

The strictly financially motivated group operated for over two decades, mainly in credit card payment attacks targeting industries such as hospitality, energy, finance, high-tech, and retail worldwide, until about 2020.


Researchers say that’s when FIN7 began shifting its focus to ransomware as its modus operandi.

The group began to affiliate itself with “notorious RaaS [ransomware-as-a-service] groups such as REvil and Conti as well as launching its own RaaS programs under the names Darkside and, subsequently, BlackMatter,” Sentinel researchers said.

In 2022, SentinelLabs linked FIN7 to the “well-sourced” Black Basta ransomware gang due to similarities in their TTPs (tactics, techniques, and procedures), specifically the use of an EDR evasion tool dubbed “AvNeutralizer” (aka AuKill).

The ‘AvNeutralizer’ tool is used by threat actors to “target multiple endpoint security solutions” and was found to be “used exclusively by the BlackBasta for six months” in 2022, further cementing Sentinel’s connection theory.

By early 2023, new iterations of the tool eventually made it into the hands of other active ransomware groups, including nearly a dozen instances attributed to “human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.”

What’s new with FIN7?


In SentinelLabs’ latest FIN7 Reboot analysis, the researchers say they have gained even more insight into FIN7’s methodology, further highlighting the cartel’s “adaptability, persistence, and ongoing evolution as a threat group.”

Highlights of the findings include new evidence that the group has been selling a highly specialized version of its ‘AvNeutralizer’ attack tool that utilizes a technique previously unseen in the wild – one that allows an attacker to tamper with security solutions by leveraging the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver), the report said.

The upgraded version is being actively marketed to other criminal gangs across various underground markets under several different user names, which researchers say is how the group is able to stay under the radar, masking its true identity.

Using pseudonyms such as “goodsoft,” “lefroggy,” and “killerAV,” the group was seen advertising its malicious wares for sale at prices ranging from $4,000 to $15,000.

“The development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact,” researchers explain.

Furthermore, researchers say the group’s ability to continuously innovate by creating “sophisticated techniques for evading security measures showcases its technical expertise…and advanced operational strategies.”

The latest findings also show that FIN7 has successfully developed an additional attack method that uses “automated SQL injection attacks for exploiting public-facing applications.”

[Image: FIN7 attack tools advertised for sale on underground criminal forums. Image by SentinelLabs.]

FIN7 background

Established in 2012 – and sometimes referred to as Carbanak or Navigator – FIN7 is best known for its highly sophisticated malware campaign targeting US companies in the hospitality and gaming industries.


The attackers made off with a reported $20 million in credit and debit card numbers using what was then its signature point-of-sale (POS) attacks, a method it has since evolved away from.

The stolen info was eventually sold on the dark web, costing banks, credit card companies, and consumers an estimated $3 billion in damages.

In April 2021, the US government handed down its first of several indictments against FBI-identified high-level managers of the gang’s highly organized cybercriminal business model.

The FBI said that, at the time, FIN7 was operating under the guise of several fake cybersecurity companies, including one named Combi Security, complete with a phony website and no legitimate customers.

SentinelLabs said it hopes the fresh analysis “will inspire further efforts to understand and mitigate FIN7’s evolving tactics.”