A recently released report details the threat group FIN7's shift to working alongside high-profile ransomware operations as part of its intrusion and compromise process. FIN7 is a Russian-speaking threat group that primarily targets the retail, restaurant, and hospitality sectors in the United States.
Over the last few years, FIN7 has greatly evolved and improved its toolset. PowerPlant, FIN7's PowerShell-based backdoor, has been modified heavily over that period and has become the group's primary first-stage implant once it gains initial access to a system. During execution, PowerPlant fetches additional modules from a C2 server, the most common being Easylook and Boatlaunch. Easylook is a PowerShell-based reconnaissance utility that captures system details such as usernames, operating system versions, and domain data. Boatlaunch is a helper module that patches PowerShell processes on the infected host to bypass Windows AMSI (the Antimalware Scan Interface), so that script content is never handed to the installed antivirus for scanning and the malicious code runs unhindered.
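Defenders can hunt for this kind of in-process AMSI patching in PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following is an added example written for this page, not code from the report or from FIN7's tooling: it scores script blocks against indicators that are generic to patching amsi.dll from inside PowerShell (not a signature of Boatlaunch, whose internals are not described here), after undoing the cheap string-splitting and `[char]` obfuscation that usually defeats a plain keyword search. The indicator weights, the alert threshold, and the sample 4104 records are all constructed assumptions.

```python
"""Flag AMSI-tampering indicators in PowerShell script block logs (Event ID 4104).

Added example, not from the report or from FIN7 tooling. Indicators are generic
to the technique of patching amsi.dll inside a PowerShell process; the weights,
threshold and sample records below are assumptions made for illustration.
"""
import re
from typing import Dict, List, Tuple

# indicator (matched against normalized text) -> (description, weight)
AMSI_INDICATORS: Dict[str, Tuple[str, int]] = {
    "amsiscanbuffer": ("AmsiScanBuffer export referenced", 5),
    "amsiinitfailed": ("AmsiUtils.amsiInitFailed field referenced", 5),
    "amsiutils": ("System.Management.Automation.AmsiUtils referenced", 3),
    "amsi.dll": ("amsi.dll module referenced", 2),
    "virtualprotect": ("VirtualProtect (page made writable before a patch)", 3),
    "getprocaddress": ("GetProcAddress (export resolved for patching)", 2),
    "marshal]::copy": ("Marshal.Copy (bytes written into process memory)", 3),
    "writeprocessmemory": ("WriteProcessMemory (bytes written into process memory)", 3),
}
ALERT_THRESHOLD = 6  # assumed: a lone amsi.dll or GetProcAddress mention is not enough

_CHAR = re.compile(r"\[char\]\s*(\d+)", re.IGNORECASE)  # [char]65 -> "A"
_PLUS = re.compile(r"\s*\+\s*")                          # string concatenation operator


def normalize(script: str) -> str:
    """Undo cheap obfuscation so indicators match on the joined, lower-cased text.

    'Amsi'+'Utils' and [char]65+[char]109+'si' both collapse to plain text.
    Decimal [char] casts, '+' concatenation and quoting are handled; -join and
    format-operator tricks are not.
    """
    text = _CHAR.sub(lambda m: chr(int(m.group(1))), script)
    text = _PLUS.sub("", text)  # 'Amsi'+'Utils' -> 'Amsi''Utils'
    text = text.replace("'", "").replace('"', "")  # -> AmsiUtils
    return text.lower()


def score_script_block(script: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one ScriptBlockText value."""
    norm = normalize(script)
    score, reasons = 0, []
    for needle, (why, weight) in AMSI_INDICATORS.items():
        if needle in norm:
            score += weight
            reasons.append(why)
    return score, reasons


def scan_events(events: List[Tuple[str, str]]) -> List[dict]:
    """Scan (ScriptBlockId, ScriptBlockText) pairs; return alerts at or above threshold."""
    alerts = []
    for block_id, text in events:
        score, reasons = score_script_block(text)
        if score >= ALERT_THRESHOLD:
            alerts.append({"script_block_id": block_id, "score": score, "reasons": reasons})
    return alerts


# Constructed sample 4104 records (ScriptBlockId, ScriptBlockText), not real telemetry.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("sb-0001", r"Get-ChildItem -Path C:\Users -Directory | Select-Object Name"),
    # reflection-based bypass with split strings
    ("sb-0002", r"$a=[Ref].Assembly.GetType('System.Management.Automation.'+'Amsi'+'Utils');"
                r"$f=$a.GetField('amsiInit'+'Failed','NonPublic,Static');$f.SetValue($null,$true)"),
    # in-memory patch of the scanning export (patch bytes held in $patch, not shown)
    ("sb-0003", r'$lib=[Win32]::LoadLibrary("amsi.dll");'
                r'$addr=[Win32]::GetProcAddress($lib,"Amsi"+"Scan"+"Buffer");'
                r"[Win32]::VirtualProtect($addr,[uint32]5,0x40,[ref]$old);"
                r"[System.Runtime.InteropServices.Marshal]::Copy($patch,0,$addr,5)"),
    # benign mention of amsi.dll, stays below threshold
    ("sb-0004", r"Get-Item C:\Windows\System32\amsi.dll | Select-Object -ExpandProperty VersionInfo"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"{alert['script_block_id']}: score={alert['score']} "
              f"reasons={'; '.join(alert['reasons'])}")
```

Run against the constructed records, sb-0002 and sb-0003 alert (scores 8 and 15) while the benign sb-0004, which only names amsi.dll, stays at 2. In a real deployment this check belongs at the SIEM layer, since a PowerShell process that has already patched AMSI is no longer a trustworthy place to run anything; script block logging still records the text because it happens in the engine before the AMSI call, which is why it remains useful evidence after the bypass.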
Alongside these developments, FIN7 has been linked to several ransomware gangs. FIN7 intrusions have been detected shortly before ransomware deployments, including Maze, Ryuk, Darkside, and ALPHV. While the exact relationship between FIN7 and these groups remains unclear, the pattern indicates that FIN7 has some level of involvement in ransomware operations.