FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
July 17, 2024, 2:35 p.m.
Description
This report provides an in-depth analysis of the FIN7 cybercrime group's evolving tactics, techniques, and procedures. It highlights the group's adoption of automated SQL injection attacks, the development of specialized tools like AvNeutralizer for evading security solutions, and the use of multiple pseudonyms on criminal underground forums. The report also explores FIN7's arsenal, including tools such as Powertrash, Diceloader, Core Impact, and an SSH-based backdoor, which support the various stages of their intrusions. Additionally, it examines the group's collaboration with other cybercriminal entities and their continuous innovation in evading security measures.
Tags
Date
- Created: July 17, 2024, 1:57 p.m.
- Published: July 17, 2024, 1:57 p.m.
- Modified: July 17, 2024, 2:35 p.m.
Indicators
- eba1816ea339035176f35c6f6c79d4b9977faa0cd428dd80bb3a8b42b4a6a471
- fad295cf65552061dc553c21d89d8bbd0b02783c01f5e696232df6a14381c206
- fafbf0870568dae2e02913cbe158011c867098bda883c8f85a13d1f83a4aa937
- d76c74fc7a00a939985ae515991b80afa0524bf0a4feaec3e5e58e52630bd717
- dc9442838b464e96281a32705c9b5958e4f45dbefd1ef4a885fac9898af0a4b7
- cbed0cf3273ce544a7e4e316d5c8f5e9c9ac6deaefa485a6afad2654fe75ff1e
- c6f16592e3819772dd7a48df10254a5f6516b780f06293b8d09773c599ee96e2
- 997670338de96f922dbceb15c67fd114400562291b05781875bfd83dc4ae63b6
- c2b5fe6600757f1c4ac9ec89cd7333bc69333f1d5d585d44a898e777f1a33c90
- 87b48b84beaaf3109c4be30d1d3a7bcbd1adf46250ac514a37791cd45ae6e4b7
- 5ccf66192ea9d2b6395fbb4a058d0af8409040d6d38b82b7fa1bf120371e9538
- 6e8e2aaa62ec3d3605eef11a2a28b73fa6769eae49d86dc872676b36ccf6aee7
- 1b95a426cb020f2c496d5da2bd08c2bd8b3787bc8fb309985ab81f0808ba2a08
- 5846f4648919bad0da9c0a63ec1086d3c2362f50a533de61f323f8d0198ee9ed
- 57c01dc2df1ab06b361a47c9377b6495f5088697d973854bc8bc9224e97f0f8b
- 1934b4641ca540ac4fd39c37e6f8b6878ddf111b5c8eb2de26c842cb6bd7b9b8
- 0f083aac77fb734a8e81fb9dff218f0414ac6c4c9a23b2832837fbc2c7e2031d
- 0fde3063fc11bf3901d5323487e7407c30df22bee7d694e44aa689e9e755f74d
- 08e3362fa38f0bfd8f87849be7c73da0d312ad4e84e2b43bab17ec68c20909ad
- 08a248de098e0f9edec425ce37d13c827eaf4c54c93182f4ddf1c5b3801cf540
- 95.217.102.49
- 95.216.251.213
- 94.158.244.23
- 94.158.244.107
- 91.199.147.60
- 91.193.19.163
- 91.149.253.184
- 85.239.54.214
- 80.71.157.173
- 79.141.162.131
- 65.108.20.165
- 62.233.57.241
- 65.108.20.101
- 62.233.57.163
- 46.17.107.7
- 5.161.41.51
- 46.17.107.32
- 45.82.13.64
- 45.87.154.208
- 45.66.249.75
- 37.157.254.8
- 213.109.192.198
- 213.109.192.116
- 208.88.226.158
- 207.246.92.213
- 198.15.119.69
- 195.123.246.46
- 195.123.240.46
- 195.123.218.99
- 194.87.191.198
- 194.180.191.85
- 194.180.174.86
- 193.42.36.231
- 193.233.23.59
- 193.233.23.45
- 193.233.23.158
- 193.233.22.68
- 193.109.120.69
- 193.178.210.227
- 192.248.188.166
- 185.33.87.24
- 185.250.151.60
- 185.250.151.33
- 185.250.151.141
- 185.234.247.62
- 185.244.151.114
- 185.232.170.83
- 185.172.129.70
- 185.16.40.108
- 176.97.75.244
- 185.117.88.245
- 15.235.156.105
- 108.170.20.89
- 146.59.217.154
- 104.193.255.99
- 95.217.82.121
- 94.140.114.173
- 91.149.243.129
- 91.149.221.195
- 62.233.57.31
- 62.233.57.19
- 5.252.177.7
- 37.1.210.119
- 185.232.170.205
- 194.104.136.113
- 185.161.208.45
- 185.161.210.11
- 185.117.119.108
- 184.95.51.185
- 162.248.225.148
- 95.123.243.169
- 195.123.246.20
- 194.87.82.7
- 91.199.147.152
- 45.136.199.128
- 217.12.206.176
- http://45.87.154.208/work_53m8.ps1
- http://45.87.154.208/icsnd3b_64refl.ps1
- http://193.178.210.227/work_53.bin_m7.ps1
Attack Patterns
- AvNeutralizer
- Core Impact
- Powertrash
- Diceloader
- FIN7
- T1055.004
- T1480.001
- T1053.003
- T1053.002
- T1497.003
- T1055.001
- T1055.011
- T1059.006
- T1055.003
- T1053.005
- T1055.002
- T1497.001
- T1059.003
- T1059.001
- T1059.007
- T1070.004
- T1562.001
- T1027