Read Part 1: Emulating the Financially Motivated Criminal Adversary FIN7 – Part 1
FIN7, also known as Carbon Spider, is a highly sophisticated and financially motivated criminal adversary that began its operations in 2013 by targeting Russian financial institutions. In late 2015, FIN7 expanded its targeting profile to include the Middle East, Europe, and North America, primarily in pursuit of payment card data. The group has been observed leveraging Point-of-Sale (PoS) malware to harvest card data, which was subsequently monetized by selling the stolen information on credit card markets such as Joker’s Stash.
At the beginning of 2020, FIN7 broadened its operational scope to engage in Big Game Hunting (BGH) activities. To this end, the group began employing the REvil ransomware before developing its proprietary ransomware, DarkSide. In November of the same year, FIN7 launched an affiliate program which offered DarkSide under the Ransomware-as-a-Service (RaaS) business model in exchange for a share of the profits generated from successful attacks.
The successful infection of Colonial Pipeline in May 2021 disrupted critical fuel supply chains across the southeastern United States, leading to widespread panic buying and temporary fuel shortages. This incident drew significant attention from law enforcement and regulatory bodies, forcing the abrupt cessation of DarkSide operations. Shortly thereafter, in July 2021, FIN7 introduced a new RaaS offering called BlackMatter, which remained active until November 2021.
The group has targeted a wide range of sectors, including financial services, hospitality, retail, healthcare and life sciences, technology, transportation, manufacturing, media, professional services, and energy, resources & utilities.
This is a continuation of the research conducted by the Adversary Research Team (ART), published in December 2024. These new emulations are intended to expand FIN7’s playbook by incorporating Tactics, Techniques, and Procedures (TTPs) exhibited during its historical activities.
AttackIQ has released two new attack graphs that emulate the behaviors exhibited by the Russian adversary FIN7 between 2022 and 2023 to help customers validate their security controls and their ability to defend against this long-standing threat.
Validating your security program performance against these behaviors is vital in reducing risk. By using these new assessment templates in the AttackIQ Security Optimization Platform, security teams will be able to:
- Evaluate security control performance against a long-standing financially motivated adversary.
- Assess their security posture against an adversary that has recently engaged in ransomware activities.
- Continuously validate detection and prevention pipelines against a highly sophisticated adversary active worldwide.
FIN7 – 2023-04 – Collaboration with Former Conti Members Unveils the Minodo Backdoor
On April 27, 2023, IBM Security X-Force reported the discovery of activities associated with former members of the TrickBot/Conti criminal syndicate, identified as ITG23. These activities, which took place as of February 2023, employed Dave Loader to deliver the recently discovered Minodo backdoor, a malware developed and operated by the financially motivated group known as FIN7. The backdoor was used to deliver either the Project Nemesis information stealer or more capable backdoors such as Cobalt Strike.
Minodo is a backdoor whose primary purpose is to collect information from the compromised system and transmit it to the C2, receiving an AES-encrypted payload in response. It has notable overlaps with the Lizar family of malware, also known as Tirion or DiceLoader.
Initial Access & Discovery – Malware Delivery and Local System Discovery
This stage begins with the deployment of Dave Loader, which in turn deploys the Minodo Backdoor. Once operational, the backdoor gathers information such as user name, computer name, system information, and running processes via the Windows API.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and, in an independent scenario, saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
System Owner/User Discovery (T1033): This scenario executes the GetUserNameA Windows API call to retrieve the name of the user associated with the current thread.
System Information Discovery (T1082): This scenario will execute the GetComputerNameExA Windows API call to retrieve a NetBIOS or DNS name associated with the local computer.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
Process Discovery (T1057): This scenario uses Windows API to receive a list of running processes by calling CreateToolhelp32Snapshot and iterating through each process object with Process32FirstW and Process32NextW.
Execution – Payload Staging and Deployment
This stage begins with the deployment of the Minodo loader which can be executed via Reflective Code Injection, CreateProcess, or VirtualAlloc APIs. The loader is intended to deploy an arbitrary AES-encrypted payload contained within.
Reflective DLL Injection (T1620): This scenario takes a default AttackIQ DLL and loads it into the memory space of its own process in order to execute the desired DLL function.
Native API (T1106): This scenario executes the CreateProcessA Windows API call to create a new process of a given executable payload.
Process Injection (T1055): This scenario performs process injection by allocating memory in a running process with VirtualAlloc, writing shellcode to that memory space, and then changing the memory protection option with VirtualProtect.
FIN7 – 2022-11 – From ISO Image to QakBot Leading to Black Basta Ransomware
On November 3, 2022, SentinelOne reported the discovery of activity associated with the Black Basta ransomware, a strain operating under the Ransomware-as-a-Service (RaaS) business model that has been active since April 2022. During this incident, the perpetrators deployed custom EDR evasion tools linked to the financially motivated adversary known as FIN7.
These activities began with the deployment of QakBot, a modular second-stage malware with backdoor capabilities, which was delivered via macro-based MS Office documents, ISO + LNK droppers, and .docx documents exploiting CVE-2022-30190, a Microsoft Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability.
Before deploying the Black Basta ransomware, the attacker manually performs environment reconnaissance, privilege escalation, lateral movement, and defense impairment by connecting to the backdoor. When a connection occurs, the backdoor creates a new process and performs process hollowing to hide the malicious activity behind the legitimate process.
Initial Access & Execution – QakBot Deployment
This stage begins with the deployment of an Optical Disc Image (ISO) file containing a Shortcut (LNK) file designed to deploy QakBot, a modular second-stage malware with backdoor capabilities, which is then executed via RegSvr32. Once operational, it acquires persistence through the creation of a scheduled task.
Ingress Tool Transfer (T1105): This scenario downloads the sample to memory and, in an independent scenario, saves it to disk, to test network and endpoint controls and their ability to prevent the delivery of known malicious samples.
Subvert Trust Controls: Mark-of-the-Web Bypass (T1553.005): This scenario bypasses Mark-of-the-Web (MOTW) by downloading and mounting an ISO image on the system to execute the payload contained inside.
System Binary Proxy Execution: Regsvr32 (T1218.010): This scenario executes the RegSvr32 Windows utility to register a Component Object Model (COM) DLL and execute its exported DllRegisterServer function.
Scheduled Task/Job: Scheduled Task (T1053.005): This scenario acquires persistence through the creation of a new scheduled task using the schtasks utility.
Discovery – Active Directory and Defense Discovery
This stage focuses on environment discovery, beginning with Active Directory reconnaissance using AdFind. Then, it attempts to gather information regarding antivirus products, antispyware software, and local firewall settings using Windows Management Instrumentation (WMI) commands.
Remote System Discovery (T1018): This scenario leverages the AdFind utility to discover details about the Active Directory configuration including accounts, groups, computers, and subnets.
Security Software Discovery (T1518.001): This scenario executes a Microsoft Windows Management Instrumentation Command (WMIC) to determine the installed antivirus software using the AntiVirusProduct class.
Security Software Discovery (T1518.001): This scenario executes a Microsoft Windows Management Instrumentation Command (WMIC) to determine the installed antispyware product using the AntiSpywareProduct class.
Security Software Discovery (T1518.001): This scenario executes a Microsoft Windows Management Instrumentation Command (WMIC) to determine the installed firewall product using the FirewallProduct class.
Persistence & Privilege Escalation – Create Account and Add to Local Groups
This stage begins with the deployment of a Dynamic-Link Library (DLL) designed to establish persistence through the creation of a local account named “Crackenn”. Once created, it is added to the local “Administrators” and “Remote Desktop Users” groups to elevate privileges and enable remote access.
Create Account: Local Account (T1136.001): This scenario executes the NetUserAdd Windows API call to create a new local account.
Account Manipulation: Additional Local or Domain Groups (T1098.007): This scenario adds a local user to a local Administrators group using the net localgroup command.
Account Manipulation: Additional Local or Domain Groups (T1098.007): This scenario adds a local user to a local Remote Desktop Users group using the net localgroup command.
Persistence & Defense Evasion – Windows Defender Tampering
This stage begins with the deployment of a Batch (BAT) file designed to create a new registry Run key, ensuring the persistent execution of an arbitrary payload. Then, an additional Batch (BAT) file is executed to modify the “DisableAntiSpyware” and “DisableRealtimeMonitoring” settings of Windows Defender.
Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001): This scenario creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run to acquire persistence on the system.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario sets the HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware registry value to 1 so that Windows Defender is not enabled at the next reboot.
Impair Defenses: Disable or Modify Tools (T1562.001): This scenario uses the Set-MpPreference PowerShell cmdlet to modify the DisableRealtimeMonitoring setting in Microsoft Defender.
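The registry and PowerShell changes in this stage leave clear telemetry. The following added example (not code from AttackIQ or from the advisory) shows how a defender can flag them from value-set events shaped like Sysmon Event ID 13 and process-creation events shaped like Sysmon Event ID 1. The sample events, the Finding type and the check functions are constructed here for illustration; the key paths and value names are those named in the stage above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key paths from the advisory (HKLM Run key for T1547.001, Defender policy key for T1562.001).
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
TAMPER_VALUES = {"disableantispyware", "disablerealtimemonitoring"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _dword(details: str) -> Optional[int]:
    """Parse a Sysmon-style 'DWORD (0x00000001)' string or a bare integer; None otherwise."""
    m = re.fullmatch(r"\s*DWORD\s*\((0x[0-9a-fA-F]+)\)\s*", details)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def check_registry_set(target_object: str, details: str) -> List[Finding]:
    """Inspect one registry value-set event (TargetObject = key\\value name, Details = data)."""
    findings = []
    key, _, value_name = target_object.rpartition("\\")
    if key.lower() == DEFENDER_POLICY_KEY.lower() and value_name.lower() in TAMPER_VALUES:
        # Only a value of 1 disables the component; a reset to 0 is not tampering.
        if _dword(details) == 1:
            findings.append(Finding("T1562.001 Defender policy tamper", f"{value_name}=1"))
    if key.lower() == RUN_KEY.lower():
        # Any new machine-wide Run value is worth review; the data is the autostart command.
        findings.append(Finding("T1547.001 Run key persistence", f"{value_name} -> {details}"))
    return findings


# Matches -DisableRealtimeMonitoring $true, -DisableRealtimeMonitoring:$true or ... 1 (lower-cased input).
_MP_DISABLE_RT = re.compile(r"-disablerealtimemonitoring(?:\s+|:)\$?(?:true|1)\b")


def check_process(image: str, command_line: str) -> List[Finding]:
    """Inspect one process-creation event for Set-MpPreference turning real-time monitoring off."""
    findings = []
    cl = command_line.lower()
    if image.lower().endswith(("powershell.exe", "pwsh.exe")):
        if "set-mppreference" in cl and _MP_DISABLE_RT.search(cl):
            findings.append(Finding("T1562.001 Set-MpPreference", "DisableRealtimeMonitoring=true"))
    return findings


def scan(registry_events: List[Tuple[str, str]], process_events: List[Tuple[str, str]]) -> List[Finding]:
    """Run both checks over batches of (TargetObject, Details) and (Image, CommandLine) tuples."""
    out: List[Finding] = []
    for target, details in registry_events:
        out.extend(check_registry_set(target, details))
    for image, cl in process_events:
        out.extend(check_process(image, cl))
    return out


# Constructed sample telemetry (not real logs from the advisory).
SAMPLE_REGISTRY_EVENTS = [
    (DEFENDER_POLICY_KEY + r"\DisableAntiSpyware", "DWORD (0x00000001)"),      # tamper
    (DEFENDER_POLICY_KEY + r"\DisableAntiSpyware", "DWORD (0x00000000)"),      # benign reset
    (RUN_KEY + r"\Updater", r"C:\Users\Public\update.bat"),                     # persistence
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\App\DisplayName", "App"),  # noise
]
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"),  # tamper
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-MpPreference"),                                             # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REGISTRY_EVENTS, SAMPLE_PROCESS_EVENTS):
        print(f"{f.rule}: {f.detail}")
```

Run it as a script to print the three findings from the constructed events; in practice the tuples would come from your SIEM's Sysmon or EDR feed. Note that a value-set to 0 is deliberately not flagged, so the rule does not fire on remediation.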
Impact – Black Basta Ransomware Deployment
This stage begins with the deployment of Black Basta ransomware, followed by the immediate deletion of Volume Shadow Copies using vssadmin.exe. Once operational, it gathers system information, enumerates available volumes, and iterates through directories and files before encrypting them using a combination of ChaCha20 and RSA-2096.
Inhibit System Recovery (T1490): This scenario executes the vssadmin Windows utility to delete a recent Volume Shadow Copy created by the emulation.
System Information Discovery (T1082): This scenario executes the GetNativeSystemInfo Native API call to retrieve information associated with the system.
System Information Discovery (T1082): This scenario will call the FindFirstVolumeW and FindNextVolumeW Windows API to iterate through the available volumes of the system.
File and Directory Discovery (T1083): This scenario will call the FindFirstFileW and FindNextFileW Windows API to perform the enumeration of the file system.
Data Encrypted for Impact (T1486): This scenario simulates the file encryption routine used by common ransomware families. Files matching an extension list are identified and encrypted in place using the same encryption algorithms observed during this activity.
Opportunities to Expand Emulation Capabilities
In addition to the released assessment templates, AttackIQ recommends the following existing scenario to extend the emulation of the capabilities exhibited in this advisory:
BloodHound Ingestor Execution: This scenario executes a BloodHound ingestor to create a ZIP file containing all the necessary Active Directory data for BloodHound.
Detection and Mitigation Opportunities
Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.
1. Ingress Tool Transfer (T1105):
This actor relies heavily on downloading additional stages of malware. Endpoint and network security controls should both be employed to detect the delivery of these malicious payloads.
1a. Detection
The following signatures can help identify when native utilities are being used to download malicious payloads.
PowerShell Example:
Process Name == ("cmd.exe" OR "powershell.exe")
Command Line CONTAINS (("IWR" OR "Invoke-WebRequest") AND "DownloadData" AND "Hidden")
1b. Mitigation
MITRE ATT&CK has the following mitigation recommendations.
2. System Binary Proxy Execution: Regsvr32 (T1218.010):
Adversaries may use DLL files for many of their malware payloads and use native Windows utilities to execute them. The primary native method for executing these files is to call the RegSvr32 utility and pass along the path and export function to be executed.
2a. Detection
While this native tool is commonly used by legitimate applications, there are behaviors related to its execution that can stand out in your process logs. Files executed from temporary directories, files without the standard .dll extension, and calls to odd-looking export names all stand out from regular user behavior.
Process Name == (regsvr32.exe)
Command Line CONTAINS ("TEMP" OR ".png" OR "Roaming" OR "%APPDATA%")
2b. Mitigation
3. Reflective DLL Injection (T1620):
Adversaries may employ techniques that obscure the true source of malicious activity. By reflectively loading malicious code into its own process, the adversary may try to hide in the normal operating noise of the system or abuse overzealous whitelisting.
3a. Detection
Searching for common processes that are performing uncommon actions can help identify when a process has been compromised. It would be uncommon for these processes to execute additional processes or perform discovery techniques. You can look for similar activity using a signature like:
Parent Process Name CONTAINS ("explorer.exe" OR "svchost.exe")
Command Line CONTAINS ("set" OR "whoami" OR "ping" OR "dir")
3b. Mitigation
4. Process Injection (T1055):
Adversaries may inject malicious code into legitimate processes to evade detection and execute with higher privileges. By writing arbitrary code into the memory space of another process and executing it within that process’s context, attackers can bypass security controls that rely on process reputation.
4a. Detection
Monitoring for unusual memory allocation and protection changes in legitimate processes can help detect potential process injection attempts. Specifically, look for detection of VirtualAlloc, WriteProcessMemory, and VirtualProtect calls within non-standard processes.
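The four detection opportunities above (1a, 2a, 3a and 4a) can be expressed as rules over process-creation telemetry. The following added example (not code from AttackIQ or from the advisory) implements them in Python against a constructed event shape similar to Sysmon Event ID 1, with an optional list of API calls attributed to the process for rule 4a. The ProcessEvent type, the sample events and the KNOWN_INJECTING_IMAGES allowlist are assumptions made here; rule 3a matches the discovery tokens as whole words, which is tighter than the advisory's CONTAINS so that names like "settings" do not fire.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (constructed shape, similar to Sysmon Event ID 1)."""
    image: str                      # full path or basename of the new process
    parent_image: str               # full path or basename of the parent
    command_line: str
    api_calls: Tuple[str, ...] = () # optional API telemetry attributed to this process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_1a_powershell_download(ev: ProcessEvent) -> bool:
    """1a: cmd/powershell using IWR or Invoke-WebRequest together with DownloadData and Hidden."""
    cl = ev.command_line.lower()
    return (
        _basename(ev.image) in {"cmd.exe", "powershell.exe"}
        and re.search(r"\biwr\b|invoke-webrequest", cl) is not None
        and "downloaddata" in cl
        and "hidden" in cl
    )


def rule_2a_regsvr32_odd_path(ev: ProcessEvent) -> bool:
    """2a: regsvr32 loading from TEMP/Roaming/%APPDATA% or a non-.dll file such as .png."""
    cl = ev.command_line.lower()
    return _basename(ev.image) == "regsvr32.exe" and any(
        marker in cl for marker in ("temp", ".png", "roaming", "%appdata%")
    )


# Whole-word match so "settings" or "directory" do not trigger "set" / "dir".
_DISCOVERY_TOKENS = re.compile(r"(?<![\w-])(set|whoami|ping|dir)(?![\w-])")


def rule_3a_shell_from_injected_host(ev: ProcessEvent) -> bool:
    """3a: explorer.exe or svchost.exe acting as parent of a discovery command."""
    return (
        _basename(ev.parent_image) in {"explorer.exe", "svchost.exe"}
        and _DISCOVERY_TOKENS.search(ev.command_line.lower()) is not None
    )


_INJECTION_APIS = {"virtualalloc", "writeprocessmemory", "virtualprotect"}
# Assumed site-specific allowlist of images expected to perform this sequence (debuggers,
# EDR agents); empty here, populated by the defender from their own baseline.
KNOWN_INJECTING_IMAGES = frozenset()


def rule_4a_injection_api_sequence(ev: ProcessEvent) -> bool:
    """4a: the full allocate/write/protect triple from a process not on the allowlist."""
    seen = {c.lower() for c in ev.api_calls}
    return _INJECTION_APIS <= seen and _basename(ev.image) not in KNOWN_INJECTING_IMAGES


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "1a_powershell_download": rule_1a_powershell_download,
    "2a_regsvr32_odd_path": rule_2a_regsvr32_odd_path,
    "3a_shell_from_injected_host": rule_3a_shell_from_injected_host,
    "4a_injection_api_sequence": rule_4a_injection_api_sequence,
}


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule that fires on the event."""
    return [name for name, rule in RULES.items() if rule(ev)]


# Constructed sample events (token-level fixtures, not real command lines from the advisory).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"C:\Windows\System32\cmd.exe",
                 'powershell.exe -WindowStyle Hidden -Command "Invoke-WebRequest ...; DownloadData ..."'),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\cmd.exe",
                 r"regsvr32.exe /s C:\Users\alice\AppData\Roaming\cache\img.png"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c whoami /all"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\svchost.exe",
                 "cmd.exe /c settings-update.bat"),                      # benign: no whole-word token
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe",
                 api_calls=("VirtualAlloc", "WriteProcessMemory", "VirtualProtect")),
    ProcessEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\System32\services.exe",
                 r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),    # benign
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.image), "->", evaluate(ev) or "no match")
```

Each rule is kept as a separate function so it can be tuned or suppressed on its own; `evaluate` returns every match, which is useful when a single event satisfies more than one of the advisory's signatures.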
4b. Mitigation
MITRE ATT&CK has the following mitigation recommendations:
- M1040 – Behavior Prevention on Endpoint
- M1038 – Execution Prevention
- M1026 – Privileged Account Management
Wrap-up
In summary, these attack graphs will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by the FIN7 adversary. With data generated from continuous testing and use of these assessment templates, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.
AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.