FIN7

🔴 High

Also known as: Anunak, ATK32, Calcium, Carbanak, Carbanak - APT-C-11, Carbanak Group, Carbon Spider, CARBON SPIDER, CarbonSpider, Coreid, Coried, ELBRUS, FIN7, G0008, G0046, GOLD NIAGARA, ITG14, JokerStash, Navigator Group, Sangria Tempest

FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately. [19][10][8][11][16][7][9]

🌍 Country Unknown
📅 Activity 2015 — 2024
πŸ“ Last Updated
⚡ Risk Level High
🎯 Incident Type Financial Theft
🧭 ATT&CK G0046

Activities and Tactics

Targeted Sectors: Retail, Hospitality, Financial

Country of Origin: 🏳️ Unknown

Risk Level: High

First Seen: 2015

Last Activity: 2024

Incident Type: Financial Theft

Notable Campaigns

  • Odinaff

Tactics, Techniques, and Procedures (TTPs)

Ransomware Vulnerability Matrix observations

Category     | Vendor | Product              | CVEs
Applications | Veeam  | Backup & Replication | CVE-2023-27532

ATT&CK technique IDs (denormalized)

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 13 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

  • PowerSource
  • Mimikatz
  • MBR Eraser
  • SoftPerfect Network Scanner
  • SSHd with BackDoor
  • Ammyy Admin
  • CVE-2012-2539 and CVE-2012-0158
  • Netscan
  • PsExec
  • Backdoor Batel
  • Bateleur JScript Backdoor
  • Cobalt Strike
  • Sekur
  • Agent ORM
  • VB Flash
  • JS Flash
  • Bateleur

MITRE ATT&CK Software

Attribution and Evidence

Country of Origin: Unknown

Additional attribution information pending cataloguing.

References

[1] mitre-attack
[7] Mandiant FIN7 Apr 2022: Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
[8] FireEye CARBANAK June 2017: Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
[9] BiZone Lizar May 2021: BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
[10] FireEye FIN7 April 2017: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
[11] FireEye FIN7 Aug 2018: Carr, N., et al. (2018, August 1). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
[12] Secureworks GOLD NIAGARA Threat Profile: CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
[13] FireEye FIN7 Shim Databases: Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
[14] Morphisec FIN7 June 2017: Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
[16] CrowdStrike Carbon Spider August 2021: Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
[17] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[18] Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
[19] FireEye FIN7 March 2017: Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
[20] IBM Ransomware Trends September 2020: Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
[21] mitre-attack
[24] Kaspersky Carbanak: Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
[25] Europol Cobalt Mar 2018: Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
[26] Secureworks GOLD KINGSWOOD Threat Profile: Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.
[27] Fox-It Anunak Feb 2015: Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.