FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks

July 17, 2024, 2:35 p.m.

Description

This report provides an in-depth analysis of the FIN7 cybercrime group's evolving tactics, techniques, and procedures. It highlights the group's adoption of automated SQL injection attacks, the development of specialized tools like AvNeutralizer for evading security solutions, and the use of multiple pseudonyms on criminal underground forums. The report also explores FIN7's arsenal, including tools such as Powertrash, Diceloader, Core Impact, and an SSH-based backdoor, enabling various stages of their intrusions. Additionally, it examines the group's collaboration with other cybercriminal entities and their continuous innovation in evading security measures.

Date

Published: July 17, 2024, 1:57 p.m.

Created: July 17, 2024, 1:57 p.m.

Modified: July 17, 2024, 2:35 p.m.

Indicators


Attack Patterns

Tools: AvNeutralizer, Core Impact, Powertrash, Diceloader

Threat actor: FIN7

MITRE ATT&CK techniques: T1055.004, T1480.001, T1053.003, T1053.002, T1497.003, T1055.001, T1055.011, T1059.006, T1055.003, T1053.005, T1055.002, T1497.001, T1059.003, T1059.001, T1059.007, T1070.004, T1562.001, T1027

CVEs: CVE-2021-31207, CVE-2021-34473, CVE-2021-34523