
FIN7 Evolves With New Malware, Initial Access Tactics


A recent FIN7 campaign, which deployed a novel backdoor, reveals how the infamous cybercrime group continues to evolve its tactics for initial access, first-stage malware delivery and more.

FIN7 was observed compromising a website that sells digital products and modifying several of its download links so that they pointed to an Amazon S3 bucket. The bucket hosted a legitimate remote management tool, which was then used to deploy a new malware family, PowerPlant, on the victim's system. Researchers with Mandiant, who have seen PowerPlant used increasingly as FIN7's first-stage malware, said the incident marks a notable departure from the group's usual initial access techniques, which have centered on phishing.
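The tampered-download-link vector described above is one a site owner can monitor for. The following is an added example, not code from the article or from Mandiant: it parses a product page, collects the links marked as downloads, and flags any that leave an assumed allow-list of vendor hosts, calling out third-party object storage (such as an S3 bucket) specifically. The HTML, host names and class attribute are constructed for illustration.

```python
"""Audit a vendor download page for links that have been redirected off-site.

Added example for illustration; the sample page, the trusted-host list and the
bucket suffixes below are all assumptions, not data from the report.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a product download page. The second download link has
# been tampered with so that it points at a cloud storage bucket the vendor
# does not control, mirroring the modification described in the article.
SAMPLE_HTML = """
<html><body>
<a class="download" href="https://downloads.example-shop.com/installer.msi">Download</a>
<a class="download" href="https://example-shop-updates.s3.amazonaws.com/setup.exe">Download</a>
<a class="download" href="/files/manual.pdf">Manual</a>
<a href="https://twitter.com/exampleshop">Twitter</a>
</body></html>
"""

# Hosts the vendor legitimately serves downloads from (assumed allow-list).
TRUSTED_HOSTS = {"example-shop.com", "downloads.example-shop.com"}

# Host suffixes of common object storage services a third party could own.
BUCKET_SUFFIXES = (
    ".s3.amazonaws.com",
    ".storage.googleapis.com",
    ".blob.core.windows.net",
)


class DownloadLinkParser(HTMLParser):
    """Collect href values of <a> elements carrying the 'download' class."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        classes = (attrs.get("class") or "").split()
        if "download" in classes and attrs.get("href"):
            self.links.append(attrs["href"])


def extract_download_links(html):
    parser = DownloadLinkParser()
    parser.feed(html)
    return parser.links


def is_trusted_host(host):
    """True if host is a trusted host or a subdomain of one."""
    return host in TRUSTED_HOSTS or any(host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_download_links(html, page_url):
    """Return (href, reason) pairs for download links that leave trusted hosts."""
    page_host = (urlparse(page_url).hostname or "").lower()
    findings = []
    for href in extract_download_links(html):
        host = urlparse(href).hostname
        if host is None:
            # Relative link: served from the page's own host.
            host = page_host
        host = host.lower()
        if is_trusted_host(host):
            continue
        if host.endswith(BUCKET_SUFFIXES):
            reason = "points at third-party object storage"
        else:
            reason = "points off-site"
        findings.append((href, reason))
    return findings


if __name__ == "__main__":
    for href, reason in audit_download_links(SAMPLE_HTML, "https://example-shop.com/downloads"):
        print(f"SUSPICIOUS: {href} ({reason})")
```

Run against a periodically fetched copy of the live page, a non-empty result is the signal that a download link now leaves the vendor's infrastructure; it does not tell you what is hosted at the new location, so the flagged file should be pulled and inspected separately.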

“This was the first time Mandiant observed FIN7 leverage supply chain compromise,” said researchers in a Monday analysis. “FIN7’s time-tested Carbanak and DiceLoader (also known as Lizar) malware continue to be in use; however, we have noticed FIN7 depend more on the PowerPlant backdoor during recent intrusions.”

After reviewing both historical and recent FIN7 intrusions from the last two years, Mandiant researchers said they merged eight previously tracked "UNC" groups into the threat group in January. "UNC," short for uncategorized, is Mandiant's designation for activity clusters that have not yet been formally attributed to a known actor.

Though FIN7 has historically relied on the Carbanak tool, researchers said the actors have been developing and using PowerPlant since 2020. The PowerShell-based backdoor has a broad set of capabilities, including the ability to deploy a known reconnaissance utility that collects a range of host data (operating system version, domain information and hardware specifications among it), as well as a utility that helps the attackers bypass the Windows Anti-Malware Scan Interface (AMSI).

Researchers also found FIN7 using updated versions of BirdWatch, a known .NET downloader that retrieves payloads over HTTP, writes them to disk and then executes them. One of the newer variants, CrowView, adds the ability to carry embedded payloads, to delete itself and to accept additional arguments.

In addition to new tools and access vectors, researchers said that data theft extortion or ransomware deployment has been observed following FIN7-attributed activity at multiple organizations. This could represent a shift in how FIN7 intrusions are monetized, from payment card data to extortion operations, said researchers. For instance, in 2020 FIN7 intrusions were identified prior to the deployment of the Maze and Ryuk ransomware families, and in 2021 FIN7 activity was uncovered during a Mandiant incident response involving the ALPHV ransomware. While this suggests FIN7 actors may have been associated with ransomware operations, researchers stressed that Mandiant has not attributed any direct deployment of ransomware to FIN7.

“In all these cases, the ransomware deployment is currently attributed to separately tracked threat groups due to factors of the investigation and our visibility,” said researchers. “However, the possibility that FIN7 actors are engaging in ransomware operations is also substantiated by evidence outside of our intrusion data holdings and includes code usage, actor infrastructure, and trusted third party sources.”

FIN7, which has been around since at least 2015, started out as a financially motivated group targeting the retail, banking and hospitality sectors with point-of-sale malware. However, the group over the years has continued to build out its operations, target new companies and actively develop new malware. Recently, for instance, FIN7 attackers mailed USB thumb drives to U.S. organizations in an attempt to infect their environments with the DiceLoader framework, a known toolkit that helps attackers gain a foothold in infected systems and perform reconnaissance.

“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time,” said researchers.