Security Experts:

Connect with us

Hi, what are you looking for?



FIN7 Cybercrime Operation Continues to Evolve Despite Arrests

Despite recent arrests and convictions, the FIN7 cybercrime operation has continued to evolve, with hackers updating their tools and techniques and changing monetization strategies, according to cybersecurity firm Mandiant.

Despite recent arrests and convictions, the FIN7 cybercrime operation has continued to evolve, with hackers updating their tools and techniques and changing monetization strategies, according to cybersecurity firm Mandiant.

Also referred to as Anunak, and Carbanak, FIN7 has been around since at least 2015, mainly focused on the theft of credit card information from businesses worldwide. There are multiple groups of hackers that operate under the FIN7 umbrella, and even more of them can be associated with the gang.

The group has targeted organizations in numerous sectors, including cloud services providers, consulting, financial services, food and beverages, media, medical equipment, software, transportation, and utilities.

Two FIN7 hackers – both Ukrainian nationals – were sentenced to prison in the United States last year.

According to Mandiant, over the past couple of years, some of the groups that show overlaps with FIN7 have transitioned toward targeted ransomware, including REvil, DarkSide, BlackMatter, and Alphv.

During this time, however, FIN7 continued to use PowerShell in attacks, and also employed updated versions of the Birdwatch downloader (tracked as Crowview and Fowlgaze). The group was also seen using a new backdoor called Powerplant, which has received constant updates over the last two years.

During this period of time, FIN7 also adopted new initial access techniques – which now include software supply chain compromise and stolen credentials, in addition to phishing – and replaced Loadout and Griffon first stage malware with Powerplant.

[ READ: FIN7 Hackers Use New Malware in Recent Attacks ]

Mandiant also notes that FIN7 activity was often followed by ransomware deployment or data theft extortion, suggesting association with various ransomware operations. Furthermore, one group believed to be working under the FIN7 umbrella was seen conducting a BadUSB campaign that led to the delivery of Diceloader malware.

Continuous tracking of the activity associated with the hacking gang also allowed Mandiant to merge eight groups into the core FIN7 cluster. Additionally, the company’s researchers suspect that there are 17 more groups affiliated to FIN7, although they haven’t been merged into the crime ring yet.

In 2020, FIN7 was seen deploying malware such as Loadout and Griffon. The former is an obfuscated VBScript-based downloader designed to gather large amounts of information from the compromised systems and send it to a command and control (C&C) server.

In response, the server sends Griffon, a JavaScript-based downloader that can retrieve additional modules and run them in memory. In the second half of 2020, the group started using Powerplant (also known as KillACK), a PowerShell-based backdoor, initially as the next stage in Griffon infections.

[READ: FIN7 Hackers Use LNK Embedded Objects in Fileless Attacks ]

In 2021, the group moved away from Loadout, Griffon, and Carbanak and started deploying Powerplant directly. FIN7 was also seen relying on Cobalt Strike Beacon as a secondary mode of access.

During their analysis of FIN7, Mandiant also observed that the group has been using other PowerShell malware, including Powertrash, an in-memory dropper designed to execute an embedded payload, including Carbanak, Diceloader, Supersoft, Cobalt Strike Beacon, and Pillowmint.

As part of an attack, the hackers used compromised remote desktop protocol (RDP) credentials for initial access, and then executed reconnaissance scripts, followed by a Termite loader, which was used to execute Cobalt Strike. Next, FIN7 executed a victim-customized version of Powerplant and then attempted to steal credentials and further compromise the target environment.

“Between the two days of FIN7 operations on the victim system, FIN12 was also active on the same victim for multiple hours using the same RDP account, but much different infrastructure and tradecraft, attempting to install Beacon using the Weirdloop in-memory dropper before the intrusion was remediated,” Mandiant notes.

[ READ: Member of FIN7 Cybercrime Gang Sentenced to Prison in U.S. ]

In a recent incident, the hackers compromised a website that sells digital products and changed download links to point to an Amazon S3 bucket where trojanized installers were hosted. The installers contained the Atera agent, a remote management tool that was then used to deploy Powerplant.

FIN7, Mandiant says, is actively developing the Powerplant backdoor, and was even observed deploying an updated version of the malware within a 10-minute window during the same attack.

Since at least 2019, FIN7 was also seen employing the Easylook reconnaissance tool in attacks, to capture a broad range of data from the compromised systems. In some intrusions, the group would use the Boatlaunch utility, which patches PowerShell processes to bypass Windows AntiMalware Scan Interface (AMSI).

FIN7 also paid a lot of attention to the development of Birdwatch, a .NET-based downloader that was also ported to C++, just as its variant Crowview. Both are designed to harvest various types of information from the victim system and send it to the C&C server, but Crowview can also house an embedded payload, supports arguments, and can self-delete.

In October 2021, the researchers identified an attack where BadUSB removable drives were sent to victim organizations, mainly in the United States. The malicious USB drives were designed to download Stoneboat, which would deploy the Diceloader framework.

[ READ: FBI: Cybercriminals Mailing Malicious USB Devices to Victims ]

Stoneboat is a new, .NET-based in-memory dropper designed to decrypt an embedded shellcode payload that is mapped into memory and executed. As part of the observed attack, Stoneboat executed the Daveshell intermediate loader (an open-source launcher) that in turn deployed Diceloader.

Mandiant notes that, while it hasn’t attributed the deployment of ransomware to FIN7, there is evidence suggesting that the group’s activities at least in some part overlap with known ransomware operations. In at least two incidents in 2020, FIN7 activity was identified on systems that were then encrypted with ransomware such as Maze and Ryuk.

In 2021, FIN7 intrusion preceded the deployment of Alphv ransomware, and there is also evidence suggesting that the group played at least a role in Darkside ransomware operations. A code signing certificate that the group used to sign Beacon and Beakdrop samples was also used to sign multiple Darkside samples seen in the wild.

“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time. Throughout their evolution, FIN7 has increased the speed of their operational tempo, the scope of their targeting, and even possibly their relationships with other ransomware operations in the cybercriminal underground,” Mandiant concludes.

Related: Member of FIN7 Hacking Group Sentenced to US Prison

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...