A recently released report has detailed the threat group FIN7’s transition to working with high-profile ransomware groups as part of its infection and compromise process. FIN7 is a Russian speaking threat group that primarily targets retail, restaurant, and hospitality sectors in the United States.
Over the last few years, FIN7 has greatly evolved and improved its toolset. PowerPlant, FIN7’s PowerShell-based backdoor, has been modified heavily over the last few years and has become the threat group’s primary way of obtaining initial access on an infected system. During execution, PowerPlant fetches different modules from a C2 server, with the most common modules being Easylook and Boatlaunch. Easylook is a PowerShell-based reconnaissance utility that is used to capture system information details like usernames, operating system versions, domain data, and so on. Boatlaunch is a helper module that patches PowerShell processes on an infected system to bypass Windows AMSI, allowing the malicious code to execute without intervention.
Alongside these developments, FIN7 has been seen involved with various ransomware gangs. There has been evidence of FIN7 intrusions being detected right before incidents of ransomware, including Maze, Ryuk, Darkside, and ALPHV. While the exact relationship between FIN7 and these ransomware gangs is still unclear, it shows that FIN7 has some level of involvement in ransomware operations.
Analyst Notes
A good subset of FIN7’s tooling uses PowerShell, a powerful and common scripting environment abused by many threat actors. It is highly recommended to monitor PowerShell execution and look for any suspicious behavior. Suspicious behavior could include such things as: PowerShell making outbound network connections to the Internet, PowerShell executing additional processes used for information gathering purposes such as WMI or whoami, and so on. Likewise, the Boatlaunch module that FIN7 utilizes could be monitored for by looking for any suspicious processes hooking into active PowerShell processes. With the appropriate monitoring and detections in place, there are a number of behaviors that the FIN7 infection process utilizes that could be alerted upon. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with this type of detection need. For ransomware attacks, making sure to have appropriate and regular backups of critical infrastructure can help prevent an organization from losing data if one were to occur. This includes maintaining regular offline backups in cases where online backups may be destroyed as part of the ransomware process.
https://www.bleepingcomputer.com/news/security/fin7-hackers-evolve-toolset-work-with-multiple-ransomware-gangs/
https://www.mandiant.com/resources/evolution-of-fin7
