Hacking group FIN7 is back with a campaign that features a new backdoor and other new malicious tools.
FIN7 is considered a key threat actor today and has severely impacted countless financial organizations around the world.
This financially motivated cybercrime group, also tracked as Carbanak, specializes in business email compromise (BEC) scams and point-of-sale (PoS) intrusions. The group attempts to steal consumer payment card data and in recent years has been constantly innovating and refining its intrusion methods.
Active since at least 2015, FIN7 has a range of custom malware in its toolset, including backdoors, infostealers, the SQLRat SQL script dropper and the Loudout downloader, and in the past it has even mailed malware-laden USB drives to companies to infect its victims.
Recently, cybersecurity researchers linked FIN7 to ransomware operators including REvil, Darkmatter, and Alphv.
Despite the arrests and conviction of high-level FIN7 members, waves of attacks continue, with the latest including “the use of new malware, the incorporation of new initial access vectors, and likely a change in monetization strategies,” according to Mandiant.
In a deep dive into the threat actor’s latest activities, Mandiant said FIN7 has continued to evolve its initial intrusion methods beyond BEC scams and phishing attempts. Now, the group is also leveraging supply chains, RDP, and stolen credentials to infiltrate corporate networks.
Mandiant researchers said a novel backdoor was favored in recent attacks. Dubbed Powerplant, the PowerShell-based backdoor, also known as KillACK, is delivered via Griffon, a lightweight Java implant, and is used to maintain persistent access to a target system and steal information, including user credentials.
Powerplant also facilitates the deployment of other malicious modules, including the Easylook reconnaissance tool and the Birdwatch downloader. New variants of the .NET Birdwatch downloader, tracked as Crowview and Fowlgaze by the research team, are used to fetch malicious payloads over HTTP, write them to disk, and then execute them.
The malware can also gather and send reconnaissance information to its command-and-control (C2) server, such as network configuration data, web browser usage, running process lists, and more.
Crowview differs slightly in that it also includes a self-destruct mechanism and supports configuration changes, and, unlike the original, it can carry a payload embedded in its own code.
Another backdoor, Beacon, can be used in attacks as a backup entry mechanism. Other malicious tools include the Powertrash dropper, the Termite shellcode loader, Weirdloop, Diceloader, Pillowmint and Boatlaunch.
Boatlaunch is particularly noteworthy: it is a utility used to patch existing PowerShell processes to bypass the Windows Antimalware Scan Interface (AMSI), and it also acts as a “helper” module during intrusions, according to the researchers.
Mandiant has also tied several campaigns together as part of FIN7’s work. A total of eight distinct and uncategorized threat groups (UNCs) have been merged into FIN7 activities, and another 17 are believed to have links to the cybercrime team.
“Throughout its evolution, FIN7 has increased the speed of its operational tempo, the scope of its targeting, and even perhaps its relationship to other ransomware operations in the cybercriminal underground,” Mandiant said.