The notorious cybercrime group FIN7 has once again made headlines with the development of new tools designed to bypass Endpoint Detection and Response (EDR) solutions and conduct automated attacks. This revelation underscores the group’s continued evolution and sophistication in the cybercrime landscape.
FIN7, also known as Carbanak, has been active since at least 2012 and is known for its financially motivated cyberattacks targeting various industry sectors, including hospitality, energy, finance, high-tech, and retail.
The group initially focused on Point of Sale (POS) malware for financial fraud but has since shifted towards ransomware operations, affiliating with notorious Ransomware-as-a-Service (RaaS) groups such as REvil and Conti and launching its own RaaS programs like Darkside and BlackMatter.
Recent investigations have uncovered that FIN7 has developed a highly specialized tool known as AvNeutralizer (also referred to as AuKill). This tool is designed to tamper with security solutions and has been marketed in the criminal underground, used by multiple ransomware groups.
Tools Used by FIN7 Hackers to Bypass EDR Solutions and Conduct Automated Attacks
1. AvNeutralizer (aka AuKill)
FIN7 developed a specialized tool to tamper with security solutions. It has been marketed in the criminal underground and used by multiple ransomware groups.
The tool leverages the Windows built-in driver ProcLaunchMon.sys to disable endpoint security solutions by creating a denial of service condition in protected processes.
2. Powertrash
A heavily obfuscated PowerShell script that reflectively loads an embedded PE file in memory. This lets FIN7 execute backdoor payloads in memory while evading defenses. Powertrash has been used in various FIN7 intrusions to load other malicious tools.
3. Diceloader (aka Lizar, IceBot)
A minimal backdoor that establishes a command-and-control (C2) channel, allowing attackers to control the system by sending position-independent code modules. It is typically deployed through Powertrash loaders and is used to load additional modules on compromised systems.
4. Core Impact
A penetration testing tool used for exploitation activities. It offers a library of commercial-grade exploits and generates Position Independent Code (PIC) implants to take control of exploited systems. FIN7 uses Core Impact loaders delivered through Powertrash in their campaigns.
5. SSH-based Backdoor
A persistence tool based on OpenSSH and 7zip, used by FIN7 to maintain access to compromised systems. It sets up an SFTP server through a reverse SSH tunnel, allowing attackers to exfiltrate files stealthily. This tool is typically used in intrusions aimed at gathering sensitive information.
SentinelLabs discovered a new version of AvNeutralizer that employs a previously unseen technique to disable security solutions. It leverages the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver).
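A defender-side detection sketch for the two behaviours described above, the ProcLaunchMon.sys driver load behind AvNeutralizer and Powertrash's reflective in-memory PE loading, written as an added example that is not from the article or from SentinelLabs' research. It assumes Sysmon driver-load (Event ID 6) and PowerShell script-block (Event ID 4104) events flattened into tab-separated key=value lines, that the embedded PE is base64-encoded in the script, and a placeholder allowlist of hosts where Time Travel Debugging legitimately loads the driver.

```python
import base64
import re

# Base64 of the typical first 12 bytes of a PE file's DOS header; a loader carrying its
# payload base64-encoded (assumption, heuristic only) contains this run: TVqQAAMAAAAEAAAA
MZ_B64 = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00").decode()
# Placeholder allowlist: hosts where Time Travel Debugging legitimately loads the driver.
TTD_ALLOWED_HOSTS = {"dbg-ws01"}

def parse_event(line):
    """Parse a constructed tab-separated key=value event line into a dict."""
    return dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t"))

def check_driver_load(ev):
    """Sysmon EID 6: the TTD Monitor Driver loading on a host where TTD is not used."""
    image = ev.get("ImageLoaded", "").lower()
    if image.endswith("\\proclaunchmon.sys") and ev.get("Computer") not in TTD_ALLOWED_HOSTS:
        return f"{ev['Computer']}: ProcLaunchMon.sys loaded (possible AvNeutralizer EDR tampering)"
    return None

def check_script_block(ev):
    """PowerShell EID 4104: score indicators of a reflective in-memory PE loader."""
    text = ev.get("ScriptBlockText", "")
    score = 2 if MZ_B64 in text else 0                                 # embedded PE image
    if re.search(r"FromBase64String", text, re.I):                     # payload decoding
        score += 1
    if re.search(r"VirtualAlloc|GetProcAddress|GetDelegateForFunctionPointer", text, re.I):
        score += 1                                                     # manual mapping / PIC call
    if re.search(r"[A-Za-z0-9+/=]{200,}", text):                       # long opaque blob
        score += 1
    if score >= 3:
        return f"{ev['Computer']}: reflective PE loader indicators (score {score}) in script block"
    return None

RULES = {"6": check_driver_load, "4104": check_script_block}

def scan(lines):
    """Run the rule matching each event's ID; return alert strings in input order."""
    hits = (RULES.get(ev.get("EventID"), lambda e: None)(ev) for ev in map(parse_event, lines))
    return [h for h in hits if h]

SAMPLE = [  # constructed events, not real telemetry
    "EventID=6\tComputer=fin-ws17\tImageLoaded=C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys",
    "EventID=6\tComputer=dbg-ws01\tImageLoaded=C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys",
    "EventID=4104\tComputer=fin-ws17\tScriptBlockText=$b=[Convert]::FromBase64String('"
    + MZ_B64 + "A" * 220 + "'); ... VirtualAlloc ...",
    "EventID=4104\tComputer=fin-ws17\tScriptBlockText=Get-Process | Where-Object CPU -gt 100",
]
```

Running `scan(SAMPLE)` yields two alerts: the driver load on the non-debugging host and the scored script block; the allowlisted host and the benign one-liner produce nothing.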
In addition to EDR evasion tools, FIN7 has adopted automated attack methods, particularly automated SQL injection attacks targeting public-facing applications.
The group has developed a platform called Checkmarks, which conducts extensive scanning and exploitation of vulnerabilities in Microsoft Exchange servers using the ProxyShell exploit. This platform also includes an Auto-SQLi module for SQL Injection attacks, providing remote access to victim systems.
FIN7’s operations are marked by their use of multiple pseudonyms to mask their identity and sustain criminal activities in underground markets. The group has been linked to various ransomware families, including Black Basta, Cl0p, DarkSide, and LockBit, indicating their extensive reach and collaboration with other cybercriminal entities.
The group’s ability to innovate and adapt their tactics, techniques, and procedures (TTPs) makes them a persistent threat in the cybersecurity landscape.
Recent campaigns by FIN7 have targeted the U.S. automotive industry through spear-phishing attacks, delivering the Carbanak backdoor and leveraging living-off-the-land binaries, scripts, and libraries (LOLBAS) to gain initial footholds in target networks.
The group has also been observed using malicious Google Ads to deliver NetSupport RAT and DiceLoader malware, further demonstrating their versatility and resourcefulness in attack vectors.
FIN7’s continuous innovation in developing sophisticated tools to bypass security measures and conduct automated attacks highlights the group’s technical expertise and adaptability.
Their use of multiple pseudonyms and collaboration with other cybercriminal entities complicates attribution efforts and demonstrates their advanced operational strategies. As FIN7 continues to evolve, it remains crucial for organizations to stay vigilant and adopt comprehensive security measures to mitigate the risks posed by such advanced threat actors.