Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021. Learn more about the versioning system or see the live site.
GROUPS
GROUPS
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
No groups
  1. Home
  2. Groups
  3. FIN7

FIN7

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak Group, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2] [3] [4]

ID: G0046
Version: 1.5
Created: 31 May 2017
Last Modified: 22 October 2020
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

FIN7 has performed C2 using DNS via A, OPT, and TXT records.[4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[2][4]
Enterprise T1059 Command and Scripting Interpreter

FIN7 used SQL scripts to help perform tasks on the victim's machine.[4][5][4]
.001 PowerShell

FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.[2][6]
.003 Windows Command Shell

FIN7 used the command prompt to launch commands on the victim’s machine.[4][5]

.005 Visual Basic

FIN7 used VBS scripts to help perform tasks on the victim's machine.[4][5]
.007 JavaScript/JScript

FIN7 used JavaScript scripts to help perform tasks on the victim's machine.[4][5][4]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

FIN7 created new Windows services and added them to the startup directories for persistence.[4]
Enterprise T1587 .001 Develop Capabilities: Malware

FIN7 has developed malware for use in operations, including the creation of infected removable media.[7][8]
Enterprise T1546 .011 Event Triggered Execution: Application Shimming

FIN7 has used application shim databases for persistence.[9]
Enterprise T1105 Ingress Tool Transfer

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[2][10]
Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.[11]
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[6]
Enterprise T1571 Non-Standard Port

FIN7 has used port-protocol mismatches on ports such as 53, 80, 443, and 8080 during C2.[4]
Enterprise T1027 Obfuscated Files or Information

FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.[12][4]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.[2][10][5]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN7 malware has created scheduled tasks to establish persistence.[2][6][4][5]
Enterprise T1113 Screen Capture

FIN7 captured screenshots and desktop video recordings.[10]
Enterprise T1218 .005 Signed Binary Proxy Execution: Mshta

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[2]
Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls.[3][4]
Enterprise T1204 .002 User Execution: Malicious File

FIN7 lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file.[2]
Enterprise T1125 Video Capture

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.[4][10]
Enterprise T1497 .002 Virtualization/Sandbox Evasion: User Activity Based Checks

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[2]
Enterprise T1102 .002 Web Service: Bidirectional Communication

FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[4]

Software

ID Name References Techniques
S0415 BOOSTWRITE [8] Deobfuscate/Decode Files or Information, Hijack Execution Flow: DLL Search Order Hijacking, Obfuscated Files or Information, Shared Modules, Subvert Trust Controls: Code Signing
S0030 Carbanak [1][4][10] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture
S0417 GRIFFON [13] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: JavaScript/JScript, Permission Groups Discovery: Domain Groups, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Time Discovery
S0151 HALFBAKED [2][4] Command and Scripting Interpreter: PowerShell, Indicator Removal on Host: File Deletion, Process Discovery, Screen Capture, System Information Discovery, Windows Management Instrumentation
S0517 Pillowmint [14] Archive Collected Data, Command and Scripting Interpreter: PowerShell, Data from Local System, Deobfuscate/Decode Files or Information, Event Triggered Execution: Application Shimming, Indicator Removal on Host: File Deletion, Indicator Removal on Host, Modify Registry, Native API, Obfuscated Files or Information, Process Discovery, Process Injection: Asynchronous Procedure Call, Query Registry
S0145 POWERSOURCE [1] Application Layer Protocol: DNS, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Hide Artifacts: NTFS File Attributes, Ingress Tool Transfer, Query Registry
S0416 RDFSNIFFER [8] Indicator Removal on Host: File Deletion, Input Capture: Credential API Hooking, Native API
S0390 SQLRat [5] Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Deobfuscate/Decode Files or Information, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Scheduled Task/Job: Scheduled Task, User Execution: Malicious File
S0146 TEXTMATE [1] Application Layer Protocol: DNS, Command and Scripting Interpreter: Windows Command Shell

References

  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  3. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  4. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  5. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  6. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  7. Federal Bureau of Investigation, Cyber Division. (2020, March 26). FIN7 Cyber Actors Targeting US Businesses Through USB Keystroke Injection Attacks. Retrieved October 14, 2020.
  1. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  2. Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.
  3. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  4. Waterman, S. (2017, October 16). Fin7 weaponization of DDE is just their latest slick move, say researchers. Retrieved November 21, 2017.
  5. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  6. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
  7. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.