Skip to content

G0046 FIN7

FIN7 is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. Since 2020 FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.82137

Item Value
ID G0046
Associated Names GOLD NIAGARA, ITG14, Carbon Spider
Version 2.2
Created 31 May 2017
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
GOLD NIAGARA 4
ITG14 ITG14 shares campaign overlap with FIN7.9
Carbon Spider 7

Techniques Used

Domain ID Name Use
enterprise T1583 Acquire Infrastructure -
enterprise T1583.001 Domains FIN7 has registered look-alike domains for use in phishing campaigns.11
enterprise T1071 Application Layer Protocol -
enterprise T1071.004 DNS FIN7 has performed C2 using DNS via A, OPT, and TXT records.3
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.23
enterprise T1059 Command and Scripting Interpreter FIN7 used SQL scripts to help perform tasks on the victim’s machine.3103
enterprise T1059.001 PowerShell FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.2613
enterprise T1059.003 Windows Command Shell FIN7 used the command prompt to launch commands on the victim’s machine.310
enterprise T1059.005 Visual Basic FIN7 used VBS scripts to help perform tasks on the victim’s machine.3107
enterprise T1059.007 JavaScript FIN7 used JavaScript scripts to help perform tasks on the victim’s machine.3103
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service FIN7 created new Windows services and added them to the startup directories for persistence.3
enterprise T1486 Data Encrypted for Impact FIN7 has encrypted virtual disk volumes on ESXi servers using a version of Darkside ransomware.7
enterprise T1005 Data from Local System FIN7 has collected files and other sensitive information from a compromised network.7
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware FIN7 has developed malware for use in operations, including the creation of infected removable media.1315
enterprise T1546 Event Triggered Execution -
enterprise T1546.011 Application Shimming FIN7 has used application shim databases for persistence.5
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage FIN7 has exfiltrated stolen data to the MEGA file sharing site.7
enterprise T1210 Exploitation of Remote Services FIN7 has exploited ZeroLogon (CVE-2020-1472) against vulnerable domain controllers.7
enterprise T1008 Fallback Channels FIN7‘s Harpy backdoor malware can use DNS as a backup channel for C2 if HTTP fails.16
enterprise T1105 Ingress Tool Transfer FIN7 has downloaded additional malware to execute on the victim’s machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.212
enterprise T1559 Inter-Process Communication -
enterprise T1559.002 Dynamic Data Exchange FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.17
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.6
enterprise T1036.005 Match Legitimate Name or Location FIN7 has attempted to run Darkside ransomware with the filename sleep.exe.7
enterprise T1571 Non-Standard Port FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.3
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.1437
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.21210117
enterprise T1566.002 Spearphishing Link FIN7 has conducted broad phishing campaigns using malicious links.7
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol FIN7 has used RDP to move laterally in victim environments.7
enterprise T1021.004 SSH FIN7 has used SSH to move laterally through victim environments.7
enterprise T1021.005 VNC FIN7 has used TightVNC to control compromised hosts.7
enterprise T1091 Replication Through Removable Media FIN7 actors have mailed USB drives to potential victims containing malware that downloads and installs various backdoors, including in some cases for ransomware operations.13
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task FIN7 malware has created scheduled tasks to establish persistence.26310
enterprise T1113 Screen Capture FIN7 captured screenshots and desktop video recordings.12
enterprise T1558 Steal or Forge Kerberos Tickets -
enterprise T1558.003 Kerberoasting FIN7 has used Kerberoasting for credential access and to enable lateral movement.7
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.13
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.005 Mshta FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.2
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link FIN7 has used malicious links to lure victims into downloading malware.7
enterprise T1204.002 Malicious File FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.2117
enterprise T1078 Valid Accounts FIN7 has harvested valid administrative credentials for lateral movement.7
enterprise T1125 Video Capture FIN7 created a custom video recording capability that could be used to monitor operations in the victim’s environment.312
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.002 User Activity Based Checks FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.2
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.3
enterprise T1047 Windows Management Instrumentation FIN7 has used WMI to install malware on targeted systems.11

Software

ID Name References Techniques
S0552 AdFind 7 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery Remote System Discovery System Network Configuration Discovery
S0415 BOOSTWRITE 15 Deobfuscate/Decode Files or Information DLL Search Order Hijacking:Hijack Execution Flow Obfuscated Files or Information Shared Modules Code Signing:Subvert Trust Controls
S0030 Carbanak 83129713 Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Local Account:Create Account Standard Encoding:Data Encoding Data Transfer Size Limits Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal Keylogging:Input Capture Obfuscated Files or Information OS Credential Dumping Process Discovery Portable Executable Injection:Process Injection Query Registry Remote Access Software Remote Desktop Protocol:Remote Services Screen Capture
S0154 Cobalt Strike 713 Sudo and Sudo Caching:Abuse Elevation Control Mechanism Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Make and Impersonate Token:Access Token Manipulation Parent PID Spoofing:Access Token Manipulation Domain Account:Account Discovery Web Protocols:Application Layer Protocol DNS:Application Layer Protocol Application Layer Protocol BITS Jobs Browser Session Hijacking Visual Basic:Command and Scripting Interpreter Python:Command and Scripting Interpreter JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Standard Encoding:Data Encoding Data from Local System Protocol Impersonation:Data Obfuscation Data Transfer Size Limits Deobfuscate/Decode Files or Information Asymmetric Cryptography:Encrypted Channel Symmetric Cryptography:Encrypted Channel Exploitation for Client Execution Exploitation for Privilege Escalation File and Directory Discovery Process Argument Spoofing:Hide Artifacts Disable or Modify Tools:Impair Defenses Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Modify Registry Native API Network Service Discovery Network Share Discovery Non-Application Layer Protocol Indicator Removal from Tools:Obfuscated Files or Information Obfuscated Files or Information Office Template Macros:Office Application Startup Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery Process Discovery Process Hollowing:Process Injection Process Injection Dynamic-link Library Injection:Process Injection Protocol Tunneling Domain Fronting:Proxy Internal Proxy:Proxy Query Registry Reflective Code Loading Windows Remote Management:Remote Services SMB/Windows Admin Shares:Remote Services SSH:Remote Services Remote Desktop Protocol:Remote Services Distributed Component Object Model:Remote Services Remote System Discovery Scheduled Transfer Screen Capture Software Discovery Code Signing:Subvert Trust Controls Rundll32:System Binary Proxy Execution System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Pass the Hash:Use Alternate Authentication Material Domain Accounts:Valid Accounts Local Accounts:Valid Accounts Windows Management Instrumentation
S0488 CrackMapExec
7 Domain Account:Account Discovery Brute Force Password Guessing:Brute Force Password Spraying:Brute Force PowerShell:Command and Scripting Interpreter File and Directory Discovery Modify Registry Network Share Discovery LSA Secrets:OS Credential Dumping NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping Password Policy Discovery Domain Groups:Permission Groups Discovery Remote System Discovery At:Scheduled Task/Job System Information Discovery System Network Configuration Discovery System Network Connections Discovery Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0417 GRIFFON 18713 Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Domain Groups:Permission Groups Discovery Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Time Discovery
S0151 HALFBAKED 23 PowerShell:Command and Scripting Interpreter File Deletion:Indicator Removal Process Discovery Screen Capture System Information Discovery Windows Management Instrumentation
S0648 JSS Loader 7 JavaScript:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Ingress Tool Transfer Spearphishing Attachment:Phishing Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S0681 Lizar 2120 Email Account:Account Discovery Archive Collected Data Browser Information Discovery PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Deobfuscate/Decode Files or Information Encrypted Channel Ingress Tool Transfer Native API LSASS Memory:OS Credential Dumping Process Discovery Portable Executable Injection:Process Injection Dynamic-link Library Injection:Process Injection Process Injection Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery
S0002 Mimikatz 7 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0517 Pillowmint 197 Archive Collected Data PowerShell:Command and Scripting Interpreter Data from Local System Deobfuscate/Decode Files or Information Application Shimming:Event Triggered Execution Clear Persistence:Indicator Removal File Deletion:Indicator Removal Modify Registry Native API Fileless Storage:Obfuscated Files or Information Obfuscated Files or Information Process Discovery Asynchronous Procedure Call:Process Injection Query Registry
S0145 POWERSOURCE 8 DNS:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter NTFS File Attributes:Hide Artifacts Ingress Tool Transfer Query Registry
S0194 PowerSploit 7 Access Token Manipulation Local Account:Account Discovery Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Keylogging:Input Capture Indicator Removal from Tools:Obfuscated Files or Information Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0416 RDFSNIFFER 15 File Deletion:Indicator Removal Credential API Hooking:Input Capture Native API
S0496 REvil 9713 Token Impersonation/Theft:Access Token Manipulation Create Process with Token:Access Token Manipulation Web Protocols:Application Layer Protocol PowerShell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Data Destruction Data Encrypted for Impact Deobfuscate/Decode Files or Information Drive-by Compromise Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Safe Mode Boot:Impair Defenses Disable or Modify Tools:Impair Defenses File Deletion:Indicator Removal Ingress Tool Transfer Inhibit System Recovery Loss of Productivity and Revenue Match Legitimate Name or Location:Masquerading Masquerading Modify Registry Native API Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Domain Groups:Permission Groups Discovery Spearphishing Attachment:Phishing Process Injection Query Registry Remote Services Scripting Service Stop Service Stop Standard Application Layer Protocol System Information Discovery System Language Discovery:System Location Discovery System Service Discovery Theft of Operational Information Malicious File:User Execution User Execution Windows Management Instrumentation
S0390 SQLRat 10 PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Deobfuscate/Decode Files or Information File Deletion:Indicator Removal Ingress Tool Transfer Command Obfuscation:Obfuscated Files or Information Scheduled Task:Scheduled Task/Job Malicious File:User Execution
S0146 TEXTMATE 8 DNS:Application Layer Protocol Windows Command Shell:Command and Scripting Interpreter

References

  1. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 

  3. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. 

  4. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021. 

  5. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017. 

  6. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. 

  7. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  8. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. 

  9. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. 

  10. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021. 

  11. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018. 

  12. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022. 

  13. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  14. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. 

  15. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 

  16. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017. 

  17. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  18. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. 

  19. Gemini Advisory. (2021, October 21). FIN7 Recruits Talent For Push Into Ransomware. Retrieved February 2, 2022. 

  20. Seals, T. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.