FIN7 | APT Profile

Description

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)

Techniques Used (TTPs)

T1204.001 — Malicious Link (execution)
T1553.002 — Code Signing (defense-evasion)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1059 — Command and Scripting Interpreter (execution)
T1021.004 — SSH (lateral-movement)
T1190 — Exploit Public-Facing Application (initial-access)
T1027.016 — Junk Code Insertion (defense-evasion)
T1033 — System Owner/User Discovery (discovery)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1021.005 — VNC (lateral-movement)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1566.002 — Spearphishing Link (initial-access)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1218.011 — Rundll32 (defense-evasion)
T1047 — Windows Management Instrumentation (execution)
T1059.005 — Visual Basic (execution)
T1219 — Remote Access Tools (command-and-control)
T1059.001 — PowerShell (execution)
T1546.011 — Application Shimming (privilege-escalation, persistence)
T1559.002 — Dynamic Data Exchange (execution)
T1069.002 — Domain Groups (discovery)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1674 — Input Injection (execution)
T1486 — Data Encrypted for Impact (impact)
T1588.002 — Tool (resource-development)
T1583.006 — Web Services (resource-development)
T1497.002 — User Activity Based Checks (defense-evasion, discovery)
T1059.007 — JavaScript (execution)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1608.004 — Drive-by Target (resource-development)
T1125 — Video Capture (collection)
T1571 — Non-Standard Port (command-and-control)
T1027.010 — Command Obfuscation (defense-evasion)
T1204.002 — Malicious File (execution)
T1218.005 — Mshta (defense-evasion)
T1102.002 — Bidirectional Communication (command-and-control)
T1105 — Ingress Tool Transfer (command-and-control)
T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1583.001 — Domains (resource-development)
T1005 — Data from Local System (collection)
T1543.003 — Windows Service (persistence, privilege-escalation)
T1091 — Replication Through Removable Media (lateral-movement, initial-access)
T1071.004 — DNS (command-and-control)
T1059.003 — Windows Command Shell (execution)
T1566.001 — Spearphishing Attachment (initial-access)
T1608.001 — Upload Malware (resource-development)
T1008 — Fallback Channels (command-and-control)
T1558.003 — Kerberoasting (credential-access)
T1195.002 — Compromise Software Supply Chain (initial-access)
T1113 — Screen Capture (collection)
T1567.002 — Exfiltration to Cloud Storage (exfiltration)
T1210 — Exploitation of Remote Services (lateral-movement)
T1587.001 — Malware (resource-development)

Total TTPs: 53

Malware & Tools

Malware: BOOSTWRITE, Carbanak, Cobalt Strike, GRIFFON, HALFBAKED, JSS Loader, Lizar, Maze, POWERSOURCE, Pillowmint, RDFSNIFFER, REvil, SQLRat, TEXTMATE

Tools: AdFind, CrackMapExec, Mimikatz, PowerSploit

← Return to Home ← Back to APT Search