Hacker group FIN7 expands arsenal with ransomware and new backdoor

The group now also relies on stolen credentials and RDP connections. A new PowerShell-based backdoor is used.

Hacking group FIN7 is back with a campaign that includes a novel backdoor and other new malicious tools. FIN7 is considered to be one of the top threat actors and has severely damaged numerous financial companies worldwide.

Also known as Carbanak, the money-focused group specializes in BEC (business email compromise) fraud and POS (point-of-sale) breaches. The group seeks to steal consumer payment card details and has continually evolved and refined its attack methods over the past several years.

Recently, cybersecurity researchers linked FIN7 to ransomware operators, including REvil, Darkmatter, and Alphv. Despite the arrests and convictions of senior FIN7 members, waves of attacks continue, with the most recent involving the use of novel malware, the incorporation of “new initial access vectors and a likely shift in monetization strategies,” according to Mandiant.

In a detailed report on the threat actor’s recent activities, Mandiant noted that FIN7 has evolved its initial intrusion methods beyond BEC scams and phishing attempts. Now the group is also using supply chains, RDP, and stolen credentials to break into corporate networks.

Researchers also found that a novel backdoor is favored in recent attacks. Delivered via Griffon, a lightweight Java implant, the PowerShell-based backdoor — also known as KillACK — is designed to maintain persistent access to a target system and steal information, including credentials.

Mandiant has also identified several campaigns as FIN7’s work. In all, eight separate Uncategorized (UNC) threat groups have been associated with FIN7 activities, and another 17 are suspected of having links to the cybercriminal organization.

“As it has evolved, FIN7 has increased the pace of its operations, the scope of its attacks, and possibly even its relationships with other ransomware operations in the cybercriminal underground,” Mandiant said.