Fin7: An insight into the threat actor group’s high profile attacks

• Fin7 threat group’s targets include financial, retail, restaurant, gaming, travel, education, telecommunications, construction, finance, energy, and IT sectors.
• This threat group predominantly uses CARBANAK malware. The other malware and tools used by Fin7 include PowerShell backdoor, Cobalt Strike Beacon, and HALFBAKED backdoor.

Fin7 threat actor group has been active since 2015 targeting retail, restaurant, and hospitality sectors in the United States. The threat group has also targeted other sectors in the US and Europe including gaming, travel, education, telecommunications, construction, finance, energy, and IT.

This threat group predominantly uses CARBANAK malware. The other malware and tools used by Fin7 include PowerShell backdoor, Cobalt Strike Beacon, and HALFBAKED backdoor.

In March 2017, FIN7 threat group launched a spear-phishing campaign that targeted personnel involved with U.S. Securities and Exchange Commission (SEC) filings at organizations from multiple sectors, including financial services, transportation, retail, education, IT services, and electronics.

Fin7's fileless malware campaigns

Fin7 threat group has been associated with fileless malware campaigns targeting financial institutions, government agencies, restaurants, and other organizations.

A security firm analyzed one such campaign and found out the framework used to deliver the DNS PowerShell Messenger attacks against almost 140 banks across the world.

The attacks started with phishing emails targeting organizations using a password-protected Word document that urges users to enable the content. When the victim executes a macro embedded in the Word document, a PowerShell command gets executed using Windows Management Instrumentation.

Similarly, in June 2017, Fin7 threat group targeted restaurants in the US with fileless malware.

A well-crafted phishing email was sent along with an attached RTF Word document, which upon opening, launched a fileless attack based on DNS queries that delivered the shellcode stage.

Usage of enhanced phishing techniques

FIN7 threat group was spotted using LNK files embedded in Word documents via the standard Object Linking and Embedding (OLE) technology. Researchers also noted that the group has added a new command, getNK2, to the malware’s arsenal. This new command targets the victim’s Microsoft Outlook email client autocomplete list in an effort to gain new potential phishing targets.

Payment card data put up for sale

Almost 5 million customer credit and debit cards that were stolen from Saks Fifth Avenue and Lord & Taylor by the infamous Fin7 threat group were made available for sale on the Joker’s Stash credit card marketplace.

Fin7 has also been responsible for attacks against hotel chains like Trump Hotels and Omni Hotels & Resorts, as well as retailers like Whole Foods, Jason’s Deli and Chipotle.

Arrests of FIN7 Members

On August 01, 2018, the US federal prosecutors have arrested three Ukrainian nationals of the notorious FIN7 hacking group. The defendants named Dmytro Federov, Fedir Hladyr, and Andrii Kolpakov were accused of hacking into thousands of computers systems and stealing millions of credit and debit card numbers that the group used or sold for profit on the dark web.

FIN7 threat group hit Burgerville

In October 2018, FIN7 threat group implanted malware on Burgerville’s network and compromised payment details of thousands of customers. The compromised data included customers’ names, card numbers, expiration dates and CVV numbers of both credit and debit cards.

Resurfacing with SQLRat and DNSbot

In March 2019, researchers observed the come back of FIN7 threat group along with with a new administrative panel dubbed ‘Astra’ and previously unseen malware samples. The malware samples included SQLRat and DNSbot.