2022-04-13

Mandiant's Research of FIN7


Industry: Financial Services, Food, Medical, Technology, Transportation, Utilities | Level: Tactical | Source: Mandiant

Mandiant has published updated research tracking the evolution of FIN7 threat activity between late 2021 and early 2022. The group overlaps with multiple ransomware operations, including Maze, Darkside, Blackmatter and ALPHV/Blackcat. Mandiant describes the linkage as follows: "Data theft extortion or ransomware deployment following FIN7-attributed activity at multiple organizations, as well as technical overlaps, suggests that FIN7 actors have been associated with various ransomware operations over time." FIN7 targets a variety of industries, including financial services, food, medical, technology, transportation, and utilities. FIN7-associated activity is abundant, and Mandiant is tracking multiple UNCs (uncategorized threat groups) that appear to be affiliated with FIN7. The group continuously refines its arsenal: its PowerShell backdoor PowerPlant, for example, has gone through multiple iterations since 2022 and has been observed more frequently in newer intrusions than older malware such as LOADOUT and GRIFFON.

Anvilogic Use Cases:
  • Suspicious Executable by CMD.exe
  • Windows Admin$ Share Access
  • Windows Service Created
  • Executable Process from Suspicious Folder
  • Common Reconnaissance Commands
  • RDP Connection
  • RDP Logon/Logoff Event
  • Rundll32 Command Line
  • Create/Add Local/Domain User
  • Query Registry
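As an added example, not Anvilogic's detection content and not code from the Mandiant report, the Python below sketches how five of the use cases listed above (service creation from a user-writable folder, Admin$ share access, executable launched from a suspicious folder, a rundll32 command line pointing at a suspicious folder, and common reconnaissance commands) can be expressed as simple rules over Windows event records. The event dicts, their field names, the suspicious-folder list and the reconnaissance patterns are all constructed for this illustration and are assumptions, not a real log schema or FIN7 telemetry; the "Windows Service Created" rule is deliberately narrowed to suspicious image paths as a tuning choice.

```python
import re
from dataclasses import dataclass

# Constructed sample events, loosely modelled on Windows log fields
# (System 7045 = service installed, Security 5140 = network share object
# accessed, Security 4688 = process creation). Field names are assumptions
# for this example, not a real log schema, and the values are not FIN7 data.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "ws01", "service_name": "WinUpdateSvc",
     "image_path": r"C:\Users\Public\svc.exe"},
    {"event_id": 7045, "host": "ws01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 5140, "host": "srv02", "share_name": r"\\*\ADMIN$",
     "account": "jdoe", "src_ip": "10.0.0.15"},
    {"event_id": 5140, "host": "srv02", "share_name": r"\\*\IPC$",
     "account": "jdoe", "src_ip": "10.0.0.15"},
    {"event_id": 4688, "host": "ws01",
     "image": r"C:\Windows\Temp\x\loader.exe",
     "command_line": r"C:\Windows\Temp\x\loader.exe"},
    {"event_id": 4688, "host": "ws01",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\ProgramData\a.dll,Start"},
    {"event_id": 4688, "host": "ws01",
     "image": r"C:\Windows\System32\net.exe",
     "command_line": 'net group "Domain Admins" /domain'},
    {"event_id": 4688, "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\jdoe\notes.txt"},
]

# Folders from which user-writable payloads are commonly launched (assumed list).
SUSPICIOUS_DIRS = (r"c:\users\public", r"c:\windows\temp",
                   r"c:\programdata", r"\appdata\local\temp")

# Command-line shapes typical of hands-on-keyboard reconnaissance (assumed list).
RECON_PATTERNS = (r"^whoami\b", r"^net\s+(group|user|localgroup)\b",
                  r"^nltest\b", r"^systeminfo\b", r"^ipconfig\s+/all\b")


def in_suspicious_folder(path: str) -> bool:
    """True if any assumed suspicious directory appears in the path."""
    p = path.lower()
    return any(d in p for d in SUSPICIOUS_DIRS)


def is_recon(command_line: str) -> bool:
    """True if the command line matches one of the reconnaissance patterns."""
    # Drop a leading full path so "C:\Windows\System32\net.exe group" matches too.
    cmd = re.sub(r'^"?[A-Za-z]:\\[^"\s]*\\', "", command_line.strip()).lower()
    return any(re.search(pat, cmd) for pat in RECON_PATTERNS)


@dataclass
class Alert:
    use_case: str
    host: str
    detail: str


def detect(events) -> list:
    """Run the toy rules over a list of event dicts and return Alerts in order."""
    alerts = []
    for e in events:
        eid = e["event_id"]
        if eid == 7045 and in_suspicious_folder(e["image_path"]):
            alerts.append(Alert("Windows Service Created", e["host"],
                                f'{e["service_name"]} -> {e["image_path"]}'))
        elif eid == 5140 and e["share_name"].upper().endswith("ADMIN$"):
            alerts.append(Alert("Windows Admin$ Share Access", e["host"],
                                f'{e["account"]} from {e["src_ip"]}'))
        elif eid == 4688:
            image, cmd = e["image"], e["command_line"]
            if in_suspicious_folder(image):
                alerts.append(Alert("Executable Process from Suspicious Folder",
                                    e["host"], image))
            if image.lower().endswith("rundll32.exe") and in_suspicious_folder(cmd):
                alerts.append(Alert("Rundll32 Command Line", e["host"], cmd))
            if is_recon(cmd):
                alerts.append(Alert("Common Reconnaissance Commands", e["host"], cmd))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.use_case}] {a.host}: {a.detail}")
```

Running the script prints five alerts, one per matching constructed event; the Spooler service, the IPC$ access and the notepad launch produce nothing. In a production pipeline each of these rules would be tuned against the environment's baseline (legitimate software that installs services from ProgramData, administrators who use Admin$ for patching) before being chained into a higher-level FIN7 pattern.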
