Despite a high-profile investigation by the Department of Justice last year that resulted in the arrests of several members of the prolific FIN7 attack team, elements of the group are still quite active and continue to run multiple campaigns targeting dozens of companies.
FIN7 is one of the more prolific and persistent organized attack groups and is known mainly for going after payment-card data and other financial information. The group has ties to Eastern Europe and has targeted companies around the world, including many in the U.S., and is probably best-known for its use of the Carbanak backdoor. FIN7 doesn’t discriminate in terms of its targets, having gone after companies in many industries, including technology, software, education, restaurants, government agencies, and others.
In August 2018, the Justice Department announced the arrests of three Ukrainian nationals who are alleged members of FIN7 in connection with intrusions at more than 100 companies in the U.S. At the time, officials said the arrests were the beginning of the end for the attack group.
“The naming of these FIN7 leaders marks a major step towards dismantling this sophisticated criminal enterprise,” said Special Agent in Charge Jay Tabb Jr. of the FBI.
Unfortunately, it hasn’t turned out that way. In March, researchers at Flashpoint revealed that FIN7 attackers were using new malware known as SQLRat and also had a new attack panel at their disposal. In nearly all of the campaigns, FIN7 operators start out with the use of spear-phishing emails, which are typically well-researched and expertly crafted. The messages include malicious documents that will install malware on the victim’s machine. In the campaigns Flashpoint analyzed, the documents were installing previously unseen malware.
“One of the documents spreads what analysts are calling SQLRat, previously unseen malware that drops files and executes SQL scripts on the host system. The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does. Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7,” Joshua Platt and Jason Reaves of Flashpoint said in an analysis of those campaigns.
More recently, researchers at Kaspersky Lab have uncovered a series of new campaigns from FIN7 attackers that are utilizing the familiar spear-phishing technique, but with a different implant that’s placed on compromised machines. These campaigns appear to be separate from earlier ones but are using many of the same tactics and techniques of earlier FIN7 operations.
“We have seen two types of documents sent to victims in these spear phishing campaigns. The first one exploits the INCLUDEPICTURE feature of Microsoft Word to get context information about the victim’s computer, and the availability and version number of Microsoft Word. The second one, which in many cases is an Office document protected with a trivial password, such as ‘12345’, ‘1234’, etc., uses macros to execute a GRIFFON implant on the target’s computer. In various cases, the associated macro also scheduled tasks to make GRIFFON persistent,” a new analysis by Yury Namestnikov and Felix Aime of Kaspersky says.
“Interestingly, following some open-source publications about them, the FIN7 operators seem to have developed a homemade builder of malicious Office document using ideas from ThreadKit, which they employed during the summer of 2018. The new builder inserts random values in the Author and Company metadata fields. Moreover, the builder allows these to modify different IOCs, such as the filenames of wscript.exe or sctasks.exe copies, etc.”
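As an added defensive example (not code from the article, from Kaspersky or from Flashpoint), the following Python script inspects a .docx package for the document traits the two quoted paragraphs describe: an INCLUDEPICTURE field that points at an external URL, an embedded VBA project, and Author/Company metadata that looks builder-generated rather than human-written. The sample document it builds is constructed in memory and is only a minimal package to exercise the parser; the host example.invalid, the randomness heuristic and the flag names are assumptions of the example.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML namespaces for the parts we read (real schema URIs)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"

# Field code of the form: INCLUDEPICTURE "http://host/x.png" \d  (or a UNC path)
INCLUDEPICTURE_RE = re.compile(
    r'INCLUDEPICTURE\s+"?((?:https?://|\\\\)[^\s"]+)', re.IGNORECASE
)


def looks_random(value):
    """Heuristic (assumption of this example): a single alphanumeric token of
    8+ characters that mixes letters and digits is treated as builder-generated."""
    return bool(
        re.fullmatch(r"[A-Za-z0-9]{8,}", value)
        and any(c.isdigit() for c in value)
        and any(c.isalpha() for c in value)
    )


def inspect_docx(data):
    """Return the indicators found in a .docx supplied as bytes."""
    findings = {
        "include_picture_urls": [],
        "has_vba_project": False,
        "author": None,
        "company": None,
        "flags": [],
    }
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = set(pkg.namelist())
        # A macro-enabled document carries its VBA project as a binary part
        findings["has_vba_project"] = "word/vbaProject.bin" in names
        if "word/document.xml" in names:
            root = ET.fromstring(pkg.read("word/document.xml"))
            # Field codes sit in w:instrText runs and are often split across
            # several runs, so join them before matching
            instr = "".join(el.text or "" for el in root.iter(f"{{{W_NS}}}instrText"))
            findings["include_picture_urls"] = INCLUDEPICTURE_RE.findall(instr)
        if "docProps/core.xml" in names:
            creator = ET.fromstring(pkg.read("docProps/core.xml")).find(f"{{{DC_NS}}}creator")
            findings["author"] = creator.text if creator is not None else None
        if "docProps/app.xml" in names:
            company = ET.fromstring(pkg.read("docProps/app.xml")).find(f"{{{EP_NS}}}Company")
            findings["company"] = company.text if company is not None else None

    if findings["include_picture_urls"]:
        findings["flags"].append("external_include_picture")
    if findings["has_vba_project"]:
        findings["flags"].append("vba_project_present")
    if any(looks_random(v) for v in (findings["author"], findings["company"]) if v):
        findings["flags"].append("randomized_metadata")
    return findings


def build_sample_docx(benign=False):
    """Constructed minimal package (not a complete Word file) to exercise the parser."""
    if benign:
        body = "<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
        author, company = "Jane Doe", "Example Corp"
    else:
        # The field code is deliberately split across two runs, as Word does
        body = (
            '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve"> INCLUDEPICTURE "http://</w:instrText></w:r>'
            '<w:r><w:instrText xml:space="preserve">example.invalid/t.png" \\d </w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        )
        author, company = "qX7hd92LpR", "8kfjQ2ZaTz"  # constructed builder-style values
    document = f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            f'<dc:creator>{author}</dc:creator></cp:coreProperties>')
    app = f'<Properties xmlns="{EP_NS}"><Company>{company}</Company></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", document)
        pkg.writestr("docProps/core.xml", core)
        pkg.writestr("docProps/app.xml", app)
        if not benign:
            pkg.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("suspicious", build_sample_docx()), ("benign", build_sample_docx(benign=True))):
        print(label, inspect_docx(doc))
```

Run over a mail-gateway quarantine or a sample store, the same `inspect_docx` call gives a quick triage signal: an external INCLUDEPICTURE URL on its own indicates a document that phones home when opened, while a VBA project paired with randomized metadata matches the builder behaviour described above.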
In the intrusions Kaspersky analyzed, the FIN7 attackers used the Griffon implant to download and install a number of individual modules, including one that performs reconnaissance and another that’s used to take screenshots of the infected system. A third module is used to maintain persistence on the target machine, but only in certain situations.
“If the victim appears valuable to the attackers, a GRIFFON implant installer is pushed to the victim’s workstation. This module stores another instance of the GRIFFON implant inside the registry to achieve persistence. Here is a PowerLinks-style method used by the attackers to achieve persistence and execute the GRIFFON implant at each user logon. The new GRIFFON implant is written to the hard drive before each execution, limiting the “file-less” aspect of this method,” Namestnikov and Aime said.
FIN7, like most organized attack groups, doesn’t consist of just one team. There often are several smaller groups of operators working under the auspices of a larger team and sharing some tools and tactics. The Kaspersky researchers said the most recent campaigns they analyzed revealed some overlap with the group known as CobaltGoblin and another that the researchers dubbed CopyPaste. The groups use some of the same tools and some highly specific tactics, as well.
Although the 2018 arrests of alleged FIN7 operators looked at the time like a major blow to the group, things have gone another way since then.
“One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. We observe, with various level of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks,” Namestnikov and Aime said.