FIN7 Hackers develop new tools to carry out automated attacks

New Tools to Bypass EDR & Conduct Automated Attacks employed by FIN7 Hackers

Once again, the known cybercrime organization FIN7 has made news for creating new tools that enable it to bypass endpoint detection and response (EDR) systems and launch automated attacks. This development demonstrates the group's continued growth and expertise in cybercrime.

FIN7 is also known by the handle Carbanak. Carbanak has been active since at least 2012 and is well-known for its financially motivated hacks that target a range of industries, including banking, high-tech, retail, energy, and hotels.

The group's first focus was financial fraud via point-of-sale (POS) malware. More recently it has entered the ransomware business, partnering with known ransomware-as-a-service (RaaS) gangs such as REvil and Conti and creating its own RaaS programs, Darkside and BlackMatter.

New EDR Bypass Tools

Recent investigations have revealed that FIN7 has developed a highly specialized tool called AvNeutralizer, also known as AuKill. This application, which has been marketed in the criminal underground with the intention of tampering with security systems, is used by numerous ransomware groups.

FIN7's tools for evading EDR protection and performing automated attacks:

AvNeutralizer (aka AuKill)

A purpose-built tool developed by FIN7 for tampering with security solutions. It has been marketed in the criminal underground and has been used by several ransomware gangs.

The utility causes protected processes to suffer a denial of service, which disables endpoint security solutions. It does this by using the built-in Windows driver ProcLaunchMon.sys.

Powertrash

A heavily encrypted PowerShell script loads an embedded PE file reflectively in memory. This allows FIN7 to execute backdoor payloads and surreptitiously get around security measures. In some FIN7 intrusions, Powertrash has been used to load other malicious programs.

Diceloader (aka Lizar, IceBot)

A lightweight backdoor that establishes a command-and-control (C2) channel based on position-independent code modules, giving the attackers access to the system. It is typically launched via Powertrash loaders and is used to load additional modules on compromised systems.

Core Impact

A commercial penetration testing tool that FIN7 repurposes for illegal activities. It generates Position Independent Code (PIC) implants and offers a library of commercial-grade exploits for taking over vulnerable systems. FIN7 delivers Core Impact loaders via Powertrash in its campaigns.

SSH-based Backdoor

FIN7 keeps access to compromised systems via a persistence mechanism based on OpenSSH and 7zip. It creates an SFTP server that allows attackers to covertly exfiltrate files by using a reverse SSH tunnel. This technique is usually used in intrusions that aim to gather personal information.

SentinelLabs has discovered a new version of AvNeutralizer that employs an unprecedented technique to disable security solutions. It uses the built-in Windows driver ProcLaunchMon.sys (TTD Monitor Driver).

FIN7 has embraced both EDR evasion tools and automated attack approaches, including automated SQL injection attacks targeted at publicly available applications.

The group has developed a platform called Checkmarks that performs large-scale vulnerability detection and exploitation against Microsoft Exchange servers using the ProxyShell exploit. The platform's Auto-SQLi module automates SQL injection attacks and, where one succeeds, gives the group remote access to the victim systems.

One distinguishing feature of FIN7's operations is its use of multiple personas to hide its identity while carrying out illicit activities in underground markets. The group has been linked to other ransomware families, including Cl0p, DarkSide, Black Basta, and LockBit, indicating an extensive network and collaboration with other cybercriminal groups.

The organization’s ability to innovate and modify its tactics, techniques, and procedures (TTPs) makes it a perpetual threat in the cybersecurity environment.

In its spear-phishing attacks, FIN7 uses living-off-the-land binaries, scripts, and libraries (LOLBAS) to penetrate target networks and deploy the Carbanak backdoor, including against targets in the American auto industry.

The group’s versatility and creativity in terms of attack techniques are demonstrated by the fact that it has been observed disseminating DiceLoader malware and NetSupport RAT using phony Google Ads.

FIN7’s continuous creativity in developing intricate tools to circumvent security measures and initiate automated attacks showcases the group’s technical proficiency and adaptability.

Their use of multiple identities and collaboration with other cybercrime groups complicate attribution efforts and reveal their advanced operational strategies. As FIN7 progresses, organizations will need to be vigilant and continue putting comprehensive security measures in place to lessen the threats posed by these highly skilled threat actors.
