

Multiple Google Chrome Vulnerabilities
July 18, 2024
Multiple Cisco Products Vulnerabilities
July 18, 2024
Severity
High
Analysis Summary
FIN7, a financially motivated threat actor, has been observed advertising a tool known to be used by ransomware gangs such as Black Basta on several underground forums under multiple pseudonyms.
According to cybersecurity researchers, FIN7 developed a highly sophisticated tool called AvNeutralizer (also known as AuKill) to impair security software. It has been distributed in the criminal underground and used by many ransomware gangs.
FIN7, an e-crime group of Russian and Ukrainian origin, has been a consistent threat since at least 2012. It began by attacking point-of-sale (PoS) terminals, later served as a ransomware affiliate for now-defunct gangs such as REvil and Conti, and went on to launch its own ransomware-as-a-service (RaaS) programs, DarkSide and BlackMatter. The group has a history of using front companies such as Combi Security and Bastion Secure to lure unsuspecting software engineers into ransomware operations under the guise of penetration testing. It is also tracked as Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus).
Despite the arrest and sentencing of some of its members, FIN7 has demonstrated a high degree of adaptability, sophistication, and technical expertise over the years by retooling its malware arsenal, which includes POWERTRASH, DICELOADER (also known as IceBot, Lizar, or Tirion), and the penetration testing tool Core Impact, which is delivered via the POWERTRASH loader.
According to a recent analysis, this is demonstrated by the group's extensive phishing activity, which uses thousands of "shell" websites imitating reputable media and technology companies to spread ransomware and other malware families. These shell domains have also, not infrequently, been used in a conventional redirect chain to serve spoofed login pages posing as property management portals.
These typosquatted sites are promoted on search engines such as Google, so that people searching for well-known software download a malware-infected copy instead. Imitated tools include Bitwarden, Rest Proxy, Python, Sublime Text, AnyDesk, pgAdmin, Advanced IP Scanner, 7-Zip, PuTTY, AIMP, Notepad++, and Node.js.
Notably, in May 2024 researchers exposed FIN7's use of malvertising, with attack chains ending in the installation of NetSupport RAT. FIN7 rents large numbers of dedicated IP addresses from several hosting providers, mostly from Stark Industries, a well-known bulletproof hosting company linked to DDoS attacks in Europe and Ukraine. Researchers' most recent findings show that FIN7 has not only extended AvNeutralizer with more features but has also used multiple personas on cybercrime forums to advertise it.
This assessment rests on the observation that, as of January 2023, other ransomware groups began using upgraded versions of the EDR impairment tool, which until then had been used only by the Black Basta group. Without further evidence, the promotion of AvNeutralizer on dark web forums should not be interpreted as FIN7's latest move into malware-as-a-service (MaaS).
FIN7 has a track record of building and using sophisticated tooling for its own operations. Selling tools to other cybercriminals can be seen as a logical extension of its strategies for generating and diversifying revenue. In its campaigns, FIN7 has carried out automated SQL injection attacks against servers with publicly exposed content. Its development and marketing of specialized tools such as AvNeutralizer on criminal underground forums also greatly amplifies the group's influence.
Impact
- Financial Loss
- Unauthorized Access
- Security Bypass
- Data Theft
Indicators of Compromise
URL
- http://45.87.154.208/work_53m8.ps1
- http://45.87.154.208/icsnd3b_64refl.ps1
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Ensure that all operating systems, software, and applications are regularly updated with the latest security patches.
- Conduct regular security awareness training for users to recognize and avoid phishing emails.
- Enable antivirus and anti-malware software and update signature definitions promptly. Multi-layered protection is necessary to secure vulnerable assets.
- In addition to network and system hardening, implement code hardening within the organization so that its websites and software are secure. Use testing tools to detect vulnerabilities in deployed code.
- Implement network segmentation to limit lateral movement within the network.
- Implement continuous monitoring of network traffic and endpoint activities to detect any unusual or suspicious behavior.
- Develop and regularly test an incident response plan to ensure a swift and effective response in case of a security incident.
- Implement SIEM solutions to centralize log collection and analysis. This can help in identifying patterns of suspicious behavior and provide timely alerts for potential security incidents.
- Regularly back up critical data and ensure that the backup copies are stored securely.
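One way to act on the IOC-hunting and SIEM items above, as an added example that is not part of the original advisory: a small Python script that parses proxy access log lines, matches them against the advisory's two URL indicators, and additionally flags any PowerShell script fetched from a bare IP address. The log format, every log line and that bare-IP heuristic are constructed for this example (Python 3.8+ assumed).

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# URL indicators taken from the advisory (PowerShell loaders on a bare IP host).
IOC_URLS = {
    "http://45.87.154.208/work_53m8.ps1",
    "http://45.87.154.208/icsnd3b_64refl.ps1",
}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Constructed proxy log lines: "<epoch> <client> <status> <method> <url>".
SAMPLE_LOG = """\
1721300000.123 10.0.0.15 200 GET http://45.87.154.208/work_53m8.ps1
1721300001.456 10.0.0.22 200 GET https://www.example.com/index.html
1721300002.789 10.0.0.15 200 GET http://45.87.154.208/icsnd3b_64refl.ps1
1721300003.001 10.0.0.31 200 GET http://203.0.113.9/update.ps1
1721300004.002 10.0.0.40 200 GET https://cdn.example.net/tool.ps1
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<url>\S+)$")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(url: str) -> Optional[str]:
    """Label a URL: 'ioc' (exact indicator), 'ioc-host' (same host, other path),
    'heuristic' (a .ps1 fetched from a bare IP; our own rule, not from the advisory),
    or None when nothing stands out."""
    parts = urlsplit(url)
    if url in IOC_URLS:
        return "ioc"
    if parts.hostname in IOC_HOSTS:
        return "ioc-host"
    if parts.path.lower().endswith(".ps1") and BARE_IP_RE.match(parts.hostname or ""):
        return "heuristic"
    return None


def hunt(log_text: str) -> list:
    """Return (client, label, url) for every log line that produces a finding."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (label := classify(m["url"])):
            findings.append((m["client"], label, m["url"]))
    return findings


if __name__ == "__main__":
    for client, label, url in hunt(SAMPLE_LOG):
        print(f"{label:10} {client:12} {url}")
```

The 'heuristic' label is a triage aid, not a conviction: a legitimate internal host serving scripts by IP will trip it, so tune the rule against your own baseline before alerting on it.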