Skip to content

S0417 GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. 1

Item Value
ID S0417
Associated Names
Type MALWARE
Version 1.1
Created 11 October 2019
Last Modified 23 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.1
enterprise T1059.007 JavaScript GRIFFON is written in and executed as JavaScript.1
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task GRIFFON has used sctasks for persistence. 1
enterprise T1113 Screen Capture GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.1
enterprise T1082 System Information Discovery GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim’s computer, including the resolution of the workstation .1
enterprise T1124 System Time Discovery GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.1

Groups That Use This Software

ID Name References
G0046 FIN7 123

References

  1. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. 

  2. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  3. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.