FIN7 hackers evolve operations with ransomware, novel backdoor

Researchers have explored the shift in the sophisticated group's latest tactics.
Written by Charlie Osborne, Contributing Writer

The FIN7 hacking group is back with a campaign that shows off a novel backdoor and other new malicious tools.

FIN7 is considered a key threat actor today and has severely impacted countless financial organizations worldwide.

This money-motivated cyberattack group, also tracked as Carbanak, specializes in Business Email Compromise (BEC) scams and point-of-sale (PoS) system intrusions. The group attempts to steal consumer payment card data and, in recent years, has continued to innovate and refine its intrusion methods.

Active since at least 2015, FIN7 has a range of custom malware in its toolset, including backdoors, information stealers, the SQLRat SQL script dropper, the Loudout downloader, and has even used mailed USB drives sent to businesses in the past to infect its victims with malware.

Recently, cybersecurity researchers tied FIN7 to ransomware operators, including REvil, Darkmatter, and Alphv.

Despite arrests and the sentencing of high-level FIN7 members, the attack waves continue, with the latest including the "use of novel malware, incorporation of new initial access vectors, and likely shift in monetization strategies," according to Mandiant.

In a deep dive on the threat actor's latest activities, Mandiant said that FIN7 had continued to evolve its initial intrusion methods beyond BEC scams and phishing attempts. Now, the group is also leveraging supply chains, RDP, and stolen credentials to infiltrate enterprise networks.

Mandiant researchers said that a new 'novel' backdoor is being favored in recent attacks. Dubbed Powerplant, the PowerShell-based backdoor -- also known as KillACK -- is delivered via Griffon, a lightweight Java implant, and is used to maintain persistent access to a target system and steal information, including credentials.

Powerplant also facilitates the deployment of other malicious modules, including the Easylook reconnaissance tool and the Birdwatch downloader. New variants of the .NET Birdwatch downloader, tracked as Crowview and Fowlgaze by the research team, are being used to grab malicious payloads via HTTP, write them to disk, and then execute them.

The malware can also package and send reconnaissance information to its command-and-control (C2) server, such as network configuration data, web browser usage, running process lists, and more.

Crowview is slightly different as it also includes a self-destruct mechanism, configuration changes, and unlike the original, can house a payload embedded in its code.

Another backdoor malware variant, Beacon, may be used in attacks as a backup entry mechanism. Other malicious tools include the Powertrash dropper, the Termite shellcode loader, Weirdloop, Diceloader, Pillowmint, and Boatlaunch.

Boatlaunch is of particular note as it is a utility used to patch existing PowerShell processes to bypass Window's antimalware scanning software, AntiMalware Scan Interface (AMSI), and will also act as a "helper" module during intrusions, according to the cybersecurity researchers.

Mandiant has also tied several campaigns together as the work of FIN7. In total, eight separate, uncategorized (UNC) threat groups have been merged into FIN7 activities, and a further 17 are suspected of links with the cybercriminal outfit.

"Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground," Mandiant said.

See also

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards