Highlights:

  • Since its inception in the mid-2010s, the group has been targeting POS solutions deployed at restaurants, gambling venues, and hospitality businesses with credit card stealing malware.
  • In one of its attack techniques, FIN7 was observed altering download links on a compromised site so that they pointed to an Amazon S3 bucket hosting trojanized software.

A new report suggests that FIN7, a notorious cybercriminal group, has expanded its initial access vectors to include software supply chain compromise and the use of stolen credentials.

Mandiant, an incident response firm, said in a Monday analysis, “Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations and technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time.”

Since its inception in the mid-2010s, the group has gained notoriety for large-scale malware campaigns targeting point-of-sale (POS) software used by restaurants, gambling venues, and hospitality businesses with credit card stealing malware.

FIN7’s shift in monetization technique towards ransomware follows an October 2021 report from Recorded Future’s Gemini Advisory unit, which found the adversary setting up a fraudulent front company named Bastion Secure to recruit unwitting penetration testers in the lead-up to a ransomware breach.

After that, at the start of this year, the U.S. Federal Bureau of Investigation (FBI) circulated a Flash Alert warning organizations that a financially motivated cybercriminal gang was mailing malicious USB drives (aka BadUSB) to businesses in industries such as transportation, insurance, and defense to infect their systems with malware, including ransomware.

Since 2020, the group’s latest intrusions have included the deployment of a PowerShell backdoor called POWERPLANT, continuing its penchant for using PowerShell-based malware in its offensive operations.

The researchers at Mandiant said, “There is no doubt about it; PowerShell is FIN7’s love language.”

In one attack, FIN7 was observed compromising an e-commerce site that sells digital products and altering its download links so that they pointed to an Amazon S3 bucket hosting trojanized versions of Atera Agent, a legitimate remote management tool, which in turn delivered POWERPLANT to the victim’s system.

The supply chain attack marks an evolution in the group’s tradecraft for initial access and first-stage payload deployment, which has traditionally centred on phishing schemes.
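The link tampering described above is something a site owner can check for routinely. The following is an added example, not code from the article or from Mandiant’s report: it parses a download page, flags installer links whose host is outside the site’s own allowlist (for instance, links rewritten to point at an arbitrary S3 bucket), and verifies a downloaded installer against a pinned SHA-256 manifest. The domain names, file names, hashes and the sample page are constructed placeholders.

```python
"""Added example (not from the article or Mandiant's report): a defender-side
integrity check for a software download page.

Flags download links whose host is not on the site's allowlist and verifies
installers against pinned SHA-256 values. All names and hashes below are
constructed placeholders, not real software or real infrastructure.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately serves installers from (assumed, constructed).
ALLOWED_DOWNLOAD_HOSTS = {"downloads.example-shop.test", "example-shop.test"}

# Pinned hashes for shipped installers (constructed values, not real software).
EXPECTED_SHA256 = {
    "agent-setup.exe": hashlib.sha256(b"legitimate installer bytes").hexdigest(),
}

# File extensions treated as installer downloads worth checking.
DOWNLOAD_SUFFIXES = (".exe", ".msi", ".zip", ".dmg", ".pkg")


class DownloadLinkCollector(HTMLParser):
    """Collects href targets of <a> tags that look like installer downloads."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href and href.lower().endswith(DOWNLOAD_SUFFIXES):
            self.links.append(href)


def find_offsite_download_links(html, allowed_hosts=ALLOWED_DOWNLOAD_HOSTS):
    """Return download links whose host is absent from the allowlist.

    Relative links (no host component) are same-origin and are not flagged.
    """
    parser = DownloadLinkCollector()
    parser.feed(html)
    offsite = []
    for href in parser.links:
        host = urlparse(href).hostname
        if host is not None and host.lower() not in allowed_hosts:
            offsite.append(href)
    return offsite


def verify_installer(name, data, expected=EXPECTED_SHA256):
    """True only if the file name is known and its SHA-256 matches the pin."""
    digest = hashlib.sha256(data).hexdigest()
    return expected.get(name) == digest


# Constructed sample page: two legitimate links, one link rewritten to an
# attacker-controlled bucket (placeholder name), and one non-download link.
SAMPLE_PAGE = """
<html><body>
<a href="https://downloads.example-shop.test/agent-setup.exe">Download</a>
<a href="/files/agent-setup.msi">Download (MSI)</a>
<a href="https://example-bucket.s3.amazonaws.com/agent-setup.exe">Download</a>
<a href="https://example-shop.test/about.html">About</a>
</body></html>
"""

if __name__ == "__main__":
    for link in find_offsite_download_links(SAMPLE_PAGE):
        print("ALERT: download link points off-site:", link)
    print("good installer verifies:",
          verify_installer("agent-setup.exe", b"legitimate installer bytes"))
    print("tampered installer verifies:",
          verify_installer("agent-setup.exe", b"trojanized installer bytes"))
```

Running the script against the constructed page reports only the S3-hosted link; the relative MSI link and the same-origin EXE link pass. In practice the allowlist and the hash manifest should live outside the web root (and outside the CMS) so that an attacker who can edit page content cannot also edit the check.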

EASYLOOK, a reconnaissance utility, is an additional tool these cybercriminals use to facilitate intrusions. They also use BOATLAUNCH, a helper module developed to bypass the Windows Antimalware Scan Interface (AMSI), and BIRDWATCH, a .NET-based downloader used to fetch and execute next-stage binaries received over HTTP.

Experts’ view:

“Despite indictments of members of FIN7 in 2018 and related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time. Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” Mandiant researchers said.