Tag Archive for: FIN7

Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks


May 20, 2023 | Ravie Lakshmanan | Cyber Crime / Ransomware


The notorious cybercrime group known as FIN7 has been observed deploying Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new taxonomy Sangria Tempest.

“In these recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to load the Lizar post-exploitation tool and get a foothold into a target network,” the company’s threat intelligence team said. “They then use OpenSSH and Impacket to move laterally and deploy Clop ransomware.”

FIN7 (aka Carbanak, ELBRUS, and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, with the threat actor acting as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities.

Another notable tactic in its playbook is its pattern of setting up fake security companies – Combi Security and Bastion Secure – to recruit employees for conducting ransomware attacks and other operations.


Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new malware called Domino that’s developed by the cybercrime cartel.

FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with attacks exploiting a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signifies FIN7’s continued reliance on various ransomware families to target victims as part of a shift in its monetization strategy by pivoting away from payment card data theft to…


Domino Backdoor is Led by FIN7 and Conti Actors


A new backdoor, Domino, appeared at the beginning of 2023. Since February, the Domino malware family has been used in attacks on corporations, with the Project Nemesis stealer as the final payload. Analysts say the new backdoor is developed and controlled by ex-TrickBot/Conti actors together with hackers related to the FIN7 group.

Who are Conti and FIN7?

First of all, let’s explain why the presence of actors from FIN7 and the defunct Conti gang is so noteworthy. FIN7 is a cybercrime gang that likely operates from Russia and Ukraine. It is also known under the names Carbanak (after the backdoor it uses), ITG14 and ALPHV/BlackCat. The group is most notorious for its collaborations with widely known threat actors, such as the Ryuk and REvil ransomware operations, and for the release of its own ransomware, called ALPHV. That operation is still running and carried out a couple of noteworthy attacks over the past year.

[Image: ALPHV onion site. The gang uses it to publish data leaked from victims that refused to pay the ransom.]

Conti is at once a similar and a different story. The group built its image around an eponymous ransomware sample. Like FIN7, this group of cybercriminals consists of actors from ex-USSR countries. However, the start of the war in February 2022 led to a quarrel among the group’s top management and then to the publication of its source code, which eventually led to the group’s dissolution. Prior to these events, Conti was a prolific ransomware gang with a major share of the market.

Their collaboration is not surprising. Nature abhors a vacuum, so after the gang’s breakup its members promptly joined other groups or started new ones. Collaboration with another gang on the creation of brand-new malware, however, is a fairly exceptional case. It may mark the start of a new character on the scene, a new threat actor, or simply a powerful boost to the FIN7 gang.

Domino Backdoor Description

Domino is a classic example of a modern backdoor that is capable of malware delivery. It is notable for spreading a separate malware dropper, coined Domino Loader. The backdoor provides only remote access to the targeted system, while the loader serves for malware deployment. This duo has been spotted being used in a pretty unique…


Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor


This blog was made possible through contributions from Christopher Caridi.

IBM Security X-Force recently discovered a new malware family we have called “Domino,” which we assess was created by developers associated with the cybercriminal group that X-Force tracks as ITG14, also known as FIN7. Former members of the Trickbot/Conti syndicate which X-Force tracks as ITG23 have been using Domino since at least late February 2023 to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike.

Background

This discovery highlights the intricate nature of cooperation among cybercriminal groups and their members:

  • Since late February 2023, Domino Backdoor campaigns have been observed using the Dave Loader, which we have linked to the Trickbot/Conti syndicate and its former members.
  • Domino’s code shows overlap with the Lizar (aka Tirion, Diceloader) malware family, leading us to suspect that it was created by current or former ITG14 developers.
  • One of Domino’s final payloads is the Project Nemesis infostealer. Project Nemesis was first advertised on the dark web in December 2021, though has been rarely used since then.

Analysis

Ex-Conti Members Deploy Domino in Recent Campaigns

Former members of ITG23 (aka the Trickbot/Conti syndicate) are likely behind recent campaigns using the Dave Loader to load Domino Backdoor, and probably collaborated with current or former ITG14 developers to purchase or use the new malware family. X-Force previously assessed that Dave is one of several loaders or crypters developed by members of the Trickbot/Conti group. Although the group has fractured, many of its loaders and crypters, including Dave, have been maintained and continue to be used by factions composed of former Trickbot/Conti members, including Quantum, Royal, BlackBasta, and Zeon.

  • The Dave Loader has been used recently with several Cobalt Strike samples with the watermark “206546002,” which X-Force and other security researchers — here and here — have associated with groups composed of former members of the Trickbot/Conti syndicate, including Quantum and Royal. X-Force observed Dave-loaded Cobalt Strike samples using this watermark in…


Supervisor of FIN7 Hacking Group Was Sentenced to Seven Years in Prison


Andrii Kolpakov, a Ukrainian national who was a supervisor of the FIN7 hacking group, has been sentenced to seven years in prison.

Kolpakov was arrested in Spain in 2018 and extradited to the U.S. the following year. In June 2020, he pleaded guilty to one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer hacking.

He was involved with the group starting in 2016 and, until his arrest, was in charge of managing other hackers tasked with breaching the point-of-sale systems of companies, both in the U.S. and elsewhere, in order to deploy malware capable of stealing financial information.


The FIN7 hacking group is also called Anunak, Carbanak Group, and the Navigator Group, and is known for its engagement in a sophisticated malware campaign targeting the restaurant, gambling, and hospitality industries in the U.S. in order to obtain credit and debit card numbers that were then used or sold for profit on underground forums.

It appears that the FIN7 hacking group used a firm called Combi Security as a front to recruit hackers (Kolpakov among them) in an attempt to “provide a veil of legitimacy to the illegal enterprise,” while projecting itself as “one of the leading international companies” offering penetration testing services to customers worldwide.

According to public documents, since at least 2015, members of FIN7 (also referred to as Carbanak Group and the Navigator Group, among other names) engaged in a highly sophisticated malware campaign to attack hundreds of U.S. companies, predominantly in the restaurant, gambling and hospitality industries. FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers that were then used or sold for profit. FIN7, through its dozens of members, launched waves of malicious cyberattacks on numerous businesses operating in the United States and abroad. FIN7 carefully crafted email messages that would appear legitimate to a business’s employees and accompanied emails with telephone calls intended to further legitimize the emails. Once an attached file was opened and activated, FIN7 would use an adapted version of the…
