New research shows that the notorious cybercrime group FIN7 has broadened its initial access vectors to include compromise of the software supply chain and the use of stolen credentials.
As well as technical overlaps, the data theft extortion and ransomware deployment following FIN7-attributed activity at several organizations suggest FIN7 actors have been associated with various ransomware operations over time, incident response firm Mandiant said in a Monday analysis.
The cybercriminal group first gained notoriety after its emergence in the mid-2010s for a large-scale malware campaign that targeted point of sale (POS) systems in the restaurant, gambling, and hospitality industries with credit card-stealing malware.
Recorded Future's Gemini Advisory unit found in October 2021 that the adversary had set up a fake front company, called Bastion Secure, to recruit unwitting penetration testers in advance of a ransomware attack. FIN7's shift to ransomware follows this report.
According to the FBI's Flash Alert earlier this year, the financially motivated gang was sending malicious USB drives (aka BadUSB) to U.S. business targets in the transportation, insurance, and defense industries to infect systems with ransomware.
As of 2020, the actor has been using the PowerShell backdoor framework POWERPLANT to stage intrusions, continuing the group's long-standing preference for PowerShell-based malware in its attacks.
"PowerShell is FIN7's love language, there is no doubt about it," Mandiant researchers stated.
Atera Agent, a legitimate remote management tool, was delivered to the victim's system after FIN7 hacked into a website that sells digital products and altered multiple download links to point to an Amazon S3 bucket hosting trojanized versions of the tool.
First-stage malware payloads have traditionally been deployed via phishing schemes, but the supply chain attack shows the group's evolving tradecraft for gaining initial access.
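The download-link tampering described above is something a site owner can monitor for. The following is an added example, not code from Mandiant or from the compromised vendor: it parses a download page, resolves every installer link to an absolute URL, and flags any whose host is not on the vendor's own allowlist. The hosts, the page markup and the bucket name are constructed placeholders.

```python
"""Flag installer download links that point away from a vendor's own hosts."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions treated as installers worth checking.
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class _LinkCollector(HTMLParser):
    """Collect the href of every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_offsite_downloads(page_url, html, allowed_hosts):
    """Return (absolute_url, host) for each installer link whose host is not allowlisted."""
    parser = _LinkCollector()
    parser.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for href in parser.hrefs:
        absolute = urljoin(page_url, href)  # relative links resolve against the page
        parsed = urlparse(absolute)
        if not parsed.path.lower().endswith(INSTALLER_SUFFIXES):
            continue  # not an installer, ignore
        host = (parsed.hostname or "").lower()
        if host not in allowed:
            findings.append((absolute, host))
    return findings


# Constructed sample page: two links on the vendor's own hosts and one rewritten
# to an external object-store bucket (placeholder name), as in the attack above.
SAMPLE_PAGE_URL = "https://shop.example.com/downloads"
SAMPLE_HTML = """
<html><body>
<a href="/files/product-setup.msi">Download (MSI)</a>
<a href="https://cdn.example.com/files/product-setup.exe">Download (EXE)</a>
<a href="https://example-bucket.s3.amazonaws.com/product-setup.exe">Download (mirror)</a>
<a href="/docs/readme.html">Read me</a>
</body></html>
"""
ALLOWED_HOSTS = ["shop.example.com", "cdn.example.com"]

if __name__ == "__main__":
    for url, host in find_offsite_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"OFF-ORIGIN INSTALLER LINK: {url} (host {host})")
```

Run periodically against the live page and alert on any new finding; pairing it with a published hash or signature check on the downloaded binary catches the case where the host is unchanged but the file is not.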
Other tools observed alongside it include EASYLOOK, a reconnaissance utility; BOATLAUNCH, a helper module designed to evade the Windows Antimalware Scan Interface (AMSI); and BIRDWATCH, a .NET-based downloader that fetches and executes next-stage binaries received over HTTP from a remote server.
Although the US Department of Justice has announced indictments of FIN7 members in 2018 and a related sentencing date in 2021, at least some members of FIN7 have continued to operate and evolve their criminal operations over time, according to Mandiant researchers.
The group has evolved over time, and it is possible that it has formed connections with other ransomware groups in the cybercriminal underground, according to researchers.