FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks
July 17, 2024, 2:35 p.m.
Description
This report analyzes the evolving tactics, techniques, and procedures of the FIN7 cybercrime group. It covers the group's adoption of automated SQL injection attacks, its development of AvNeutralizer, a specialized tool built to evade or disable endpoint security solutions, and its use of multiple pseudonyms on criminal underground forums. It also examines the rest of FIN7's arsenal, including Powertrash, Diceloader, Core Impact, and an SSH-based backdoor, each of which supports a different stage of an intrusion, and looks at the group's collaboration with other cybercriminal entities and its continued investment in bypassing security controls.
Date
Published: July 17, 2024, 1:57 p.m.
Created: July 17, 2024, 1:57 p.m.
Modified: July 17, 2024, 2:35 p.m.
Indicators
.217.102.49
95.216.251.213
94.158.244.23
94.158.244.107
91.199.147.60
91.193.19.163
91.149.253.184
85.239.54.214
80.71.157.173
79.141.162.131
65.108.20.165
62.233.57.241
65.108.20.101
62.233.57.163
46.17.107.7
5.161.41.51
46.17.107.32
45.82.13.64
45.87.154.208
45.66.249.75
37.157.254.8
213.109.192.198
213.109.192.116
208.88.226.158
207.246.92.213
198.15.119.69
195.123.246.46
195.123.240.46
195.123.218.99
194.87.191.198
194.180.191.85
194.180.174.86
193.42.36.231
193.233.23.59
193.233.23.45
193.233.23.158
193.233.22.68
193.109.120.69
193.178.210.227
192.248.188.166
185.33.87.24
185.250.151.60
185.250.151.33
185.250.151.141
185.234.247.62
185.244.151.114
185.232.170.83
185.172.129.70
185.16.40.108
176.97.75.244
185.117.88.245
15.235.156.105
108.170.20.89
146.59.217.154
104.193.255.99
95.217.82.121
94.140.114.173
91.149.243.129
91.149.221.195
62.233.57.31
62.233.57.19
5.252.177.7
37.1.210.119
185.232.170.205
194.104.136.113
185.161.208.45
185.161.210.11
185.117.119.108
184.95.51.185
162.248.225.148
95.123.243.169
195.123.246.20
194.87.82.7
91.199.147.152
45.136.199.128
217.12.206.176
http://45.87.154.208/work_53m8.ps1
http://45.87.154.208/icsnd3b_64refl.ps1
http://193.178.210.227/work_53.bin_m7.ps1
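A practitioner receiving a list like the one above usually wants to sweep existing telemetry for it. The block below is an added example, not code from the original report or from any vendor: it loads a subset of the IP and URL indicators listed above and matches them against constructed proxy and firewall log lines. The log format, hostnames, usernames, internal addresses and timestamps are assumptions made for illustration; only the indicator values come from the list above.

```python
"""IOC sweep: match the report's network indicators against log lines.

Added example; not part of the original report. The indicator subset and the
sample log lines are constructed for illustration (hosts, users and timestamps
are assumed, not taken from a real environment).
"""
import ipaddress
import re
from dataclasses import dataclass

# Subset of the IP and URL indicators listed in the report; extend with the
# full list when running this against real telemetry.
INDICATORS = """
45.87.154.208
193.178.210.227
185.250.151.60
95.216.251.213
5.161.41.51
http://45.87.154.208/work_53m8.ps1
http://45.87.154.208/icsnd3b_64refl.ps1
http://193.178.210.227/work_53.bin_m7.ps1
"""

# Constructed sample log lines (assumed format: timestamp, source, fields).
SAMPLE_LOGS = [
    "2024-07-16T09:12:44Z proxy host=ws-104 user=jdoe GET http://45.87.154.208/work_53m8.ps1 200",
    "2024-07-16T09:13:02Z fw allow src=10.0.4.17 dst=185.250.151.60 dport=443",
    "2024-07-16T09:14:10Z fw allow src=10.0.4.17 dst=195.161.41.51 dport=443",
    "2024-07-16T09:15:31Z proxy host=ws-104 user=jdoe GET http://example.com/index.html 200",
    "2024-07-16T09:16:05Z fw deny src=10.0.4.22 dst=5.161.41.51 dport=22",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    indicator: str
    kind: str  # "ip" or "url"


def load_indicators(text):
    """Split raw indicator text into (ip_set, url_set).

    Blank lines are skipped; anything that is neither a URL nor a valid IP
    address is ignored (domains or hashes would need their own handling).
    """
    ips, urls = set(), set()
    for raw in text.splitlines():
        item = raw.strip()
        if not item:
            continue
        if item.startswith(("http://", "https://")):
            urls.add(item)
            continue
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            pass
    return ips, urls


# Whole-token IPv4 match: the lookarounds stop 5.161.41.51 from firing inside
# 195.161.41.51, and stop partial matches inside longer dotted strings.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sweep(lines, ips, urls):
    """Return one Hit per indicator observed in each line.

    URLs are matched exactly. A line carrying a listed download URL also
    yields an IP hit for its host, which is deliberate: the host stays useful
    as an indicator even after the script path changes.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if url in urls:
                hits.append(Hit(n, url, "url"))
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append(Hit(n, ip, "ip"))
    return hits


def run_sample():
    """Sweep the constructed logs with the indicator subset above."""
    ips, urls = load_indicators(INDICATORS)
    return sweep(SAMPLE_LOGS, ips, urls)


if __name__ == "__main__":
    for hit in run_sample():
        print(f"line {hit.line_no}: {hit.kind} match on {hit.indicator}")
```

Treat IP hits as leads rather than confirmed compromise: an address can be reassigned by its hosting provider well within the life of a report, so the time window, destination port and originating process matter. Hits on the three .ps1 download URLs are higher fidelity, since the path names are specific to this campaign.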
Tools
AvNeutralizer
Core Impact
Powertrash
Diceloader
Intrusion Set
FIN7
Attack Patterns
T1055.004 - Process Injection: Asynchronous Procedure Call
T1480.001 - Execution Guardrails: Environmental Keying
T1053.003 - Scheduled Task/Job: Cron
T1053.002 - Scheduled Task/Job: At
T1497.003 - Virtualization/Sandbox Evasion: Time Based Evasion
T1055.001 - Process Injection: Dynamic-link Library Injection
T1055.011 - Process Injection: Extra Window Memory Injection
T1059.006 - Command and Scripting Interpreter: Python
T1055.003 - Process Injection: Thread Execution Hijacking
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055.002 - Process Injection: Portable Executable Injection
T1497.001 - Virtualization/Sandbox Evasion: System Checks
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.007 - Command and Scripting Interpreter: JavaScript
T1070.004 - Indicator Removal: File Deletion
T1562.001 - Impair Defenses: Disable or Modify Tools
T1027 - Obfuscated Files or Information
Vulnerabilities
CVE-2021-31207 - Microsoft Exchange Server (ProxyShell chain)
CVE-2021-34473 - Microsoft Exchange Server (ProxyShell chain)
CVE-2021-34523 - Microsoft Exchange Server (ProxyShell chain)