FIN7 APT Group Updates: Incorporating Software Supply Chain Compromise, Enhancing Operations

FIN7, a financially motivated Russia-linked hacking group that has been active for almost a decade now, enhances its arsenal. FIN7 operations in general fall into two categories: Business Email Compromise (BEC) scams and point-of-sale (PoS) system intrusions. The threat actor is known for focusing their interest on financial organizations, even achieving the status of one of the most prolific financial threat groups of the past decade.

In their latest campaign, FIN7 actors strike faster and harder, expanding the range of their attack vectors, for example, also introducing a supply chain attack into their arsenal.

Detect FIN7 Activity in Your System

FIN7 activities present an ever-growing threat to many industries worldwide. The APT is actively progressing, moving on to new horizons, introducing a new backdoor and other new malicious tools. Utilize the following rules provided by the seasoned experts of SOC Prime Team and our skilled Threat Bounty developer Aytek Aytemur to identify suspicious parent-child process relationships previously observed by FIN7:

Possible Fin7 (G0046) Defense Evasion by Parent and Child Process Pattern (via process_creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Sysmon, Apache Kafka ksqlDB, AWS OpenSearch, Microsoft PowerShell, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Defense Evasion tactic with Signed Binary Proxy Execution as the main technique (T1218).

FIN7(Financial Threat Group) uses Multiple Tools in its New Campaign (via process_creation)

This detection has translations for the following SIEM, EDR & XDR platforms: Microsoft Sentinel, Elastic Stack, Splunk, Humio, Sumo Logic, ArcSight, QRadar, FireEye, LogPoint, Graylog, Regex Grep, RSA NetWitness, Microsoft Defender ATP, Sysmon, Apache Kafka ksqlDB, AWS OpenSearch, Microsoft PowerShell, and Open Distro.

The rule is aligned with the latest MITRE ATT&CK® framework v.10, addressing the Discovery tactic with Process Discovery as the main technique (T1057).

The FIN7 APT group first surfaced in 2013, and today the cluster is going strong, with about 17 additional UNCs affiliating with FIN7. To detect intrusion attempts, such as FIN7’s evasion, and other complex cyber threats, use the detection content available in SOC Prime’s Detection as Code platform. Working on threat detection content? Join the world’s largest bounty program for cyber defenders. Share your detection content via our Detection as Code platform and earn recurring revenue for your contributions while fighting for a safer cyber world.

View All Сontent Join Threat Bounty

Evolution of FIN7

The FIN7 group (aka Anunak, or Cobalt Group) has been on the radar since at least 2013. The FIN7 hackers are often associated with Carbanak group on the basis of the malware utilized, but researchers argue about several different hacker organizations.

The FIN7 hacking group is known to pursue financial organizations worldwide as their main targets, employing an arsenal of constantly evolving hacker tools and techniques. The FIN7 APT has been focusing on large-scale theft in the United States and Europe. Despite high-profile ringleaders’ arrests in 2018, FIN7 cybercrooks continue to operate and grow their businesses.

Researchers at Mandiant identified that in their intrusions, FIN7 had used phishing, hacking third-party systems, and other means to gain initial and secondary access to victim networks. For instance, to infect and compromise targets, FIN7 has developed phishing lures with hidden shortcut files. Also new to FIN7’s technique is the group’s use of supply chain compromise to gain additional system access.

The hacking organization employed a Java Script backdoor to run its operations during the first few years of FIN7 existence, customizing it on the go. CARBANAK, DICELOADER (also known as Lizar), and a PowerShell-based POWERPLANT backdoor malware are also widely used. Upon establishing initial access, FIN7 is famous for employing a lot of different tools and techniques based on the customer environment.

Join SOC Prime’s Detection as Code platform to unlock access to the world’s largest live pool of detection content created by the industry leaders and resist the attacks boosted with the most sophisticated hacker tools used by APTs. SOC Prime, headquartered in Boston, US, is powered by an international team of top-tier experts dedicated to enabling collaborative cyber defense. Withstand attacks faster and more efficiently with SOC Prime.