FIN7
Also known as: GOLD NIAGARA · ITG14 · Carbon Spider · ELBRUS · Sangria Tempest
Overview
FIN7 is a financially motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware in its targeting. Since 2020, FIN7 has shifted operations to big game hunting (BGH), including use of REvil ransomware and its own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, so these groups are tracked separately.
Capabilities
- Supply-chain compromise — ATT&CK T1195.002
- Exploitation of public-facing / client applications — ATT&CK T1190
- Custom malware/implant development — ATT&CK: 15 attributed custom malware families
TTPs — 67 techniques across 15 tactics
Reconnaissance
- T1591 Gather Victim Org Information
- T1591.004 Identify Roles
Resource Development
- T1583.001 Domains
- T1583.006 Web Services
- T1587.001 Malware
- T1588.002 Tool
- T1608.001 Upload Malware
- T1608.004 Drive-by Target
- T1608.005 Link Target
Initial Access
- T1190 Exploit Public-Facing Application
- T1195.002 Compromise Software Supply Chain
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.007 JavaScript
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1559.002 Dynamic Data Exchange
- T1569.002 Service Execution
- T1674 Input Injection
Persistence
- T1543.003 Windows Service
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
- T1546.011 Application Shimming
Stealth
- T1027.010 Command Obfuscation
- T1027.016 Junk Code Insertion
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1078 Valid Accounts
- T1078.003 Local Accounts
- T1140 Deobfuscate/Decode Files or Information
- T1218.005 Mshta
- T1218.011 Rundll32
- T1497.002 User Activity Based Checks
- T1564.001 Hidden Files and Directories
- T1564.003 Hidden Window
- T1620 Reflective Code Loading
Defense Impairment
- T1553.002 Code Signing
- T1686 Disable or Modify System Firewall
Credential Access
- T1558.003 Kerberoasting
Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1069.002 Domain Groups
- T1082 System Information Discovery
- T1087.002 Domain Account
- T1124 System Time Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.004 SSH
- T1021.005 VNC
- T1091 Replication Through Removable Media
- T1210 Exploitation of Remote Services
Collection
- T1005 Data from Local System
- T1113 Screen Capture
- T1125 Video Capture
Command and Control
- T1008 Fallback Channels
- T1071.004 DNS
- T1102.002 Bidirectional Communication
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools
- T1571 Non-Standard Port
- T1572 Protocol Tunneling
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Impact
Tools & malware (19)
GRIFFON · Mimikatz · AdFind · JSS Loader · HALFBAKED · REvil · PowerSploit · CrackMapExec · Carbanak · Pillowmint · Cobalt Strike · Maze · POWERSOURCE · RDFSNIFFER · SQLRat · Lizar · TEXTMATE · BOOSTWRITE · SystemBC