ATT&CK Group ID: G0046
Objectives: FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. [25] The group is characterized by their persistent targeting and large-scale theft of payment card data from victim systems, often using social engineering and spearphishing (T1566) with well-disguised lures to distribute their malware. [9,11,12,26] Beyond monetizing victim payment card data, FIN7 has used other diverse monetization tactics, including targeting finance departments within victim organizations and targeting individuals with access to material non-public information that the actors could use to gain a competitive advantage in stock trading. [11,26]
Target Industries: FIN7 operations have been directed against victims within the following sectors in the United States and Europe: restaurants, hospitality, casinos and gaming, energy, finance, high-tech, software, travel, education, construction, retail, telecommunications, government, and business services. [11]
Operations: Regarding their operational tradecraft, FIN7 is distinguished by technical innovation, using novel techniques and displaying the characteristics of a well-rounded operation. FIN7 has been reported to make limited use of exploits while blending publicly available and unique or altered tools. [9] The group has leveraged hidden shortcut files (LNK files) (T1204.002) to initiate infection and VBScript functionality launched by mshta.exe (T1218.005) to infect the victim. [25] This is a departure from their previously established use of weaponized Office macros (T1059.005) and highlights the group's ability to adapt in order to evade detection. [11]
FIN7 has been reported to use the Carbanak backdoor as a post-exploitation tool since as early as 2015. [11] The group has also used creative persistence mechanisms, such as application shimming (T1546.011), to spawn a Carbanak backdoor and, separately, to install a payment card harvesting utility. [11,24] The group has also been reported to develop defense evasion techniques rapidly, for example creating novel obfuscation methods that in some cases were modified on a daily basis while launching attacks against multiple victims. [11] FireEye dubbed their payload obfuscation style, which uses the Windows command interpreter's native string substitution, "FINcoding." [11]
FIN7 has also used point-of-sale malware, such as Pillowmint, to scrape track 1 and track 2 payment card data from memory. [8]
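The three behaviours described in the Operations paragraphs above (mshta.exe launching inline VBScript from an LNK lure, application shimming persistence, and "FINcoding"-style cmd.exe string substitution) each leave a recognisable trace in process-creation telemetry. The following detection logic is an added example, not code from the original summary or from any of the cited reports; the events it scans are constructed to mimic those traces, and the field layout (parent image, image, command line) is an assumption about the log source.

```python
import re

# Constructed process-creation events (parent image, image, command line) that
# mimic the tradecraft described above; they are NOT samples from the report.
SAMPLE_EVENTS = [
    # user opens an LNK lure; explorer.exe spawns mshta.exe with an inline VBScript handler
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\mshta.exe",
     'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c echo hi"":close")'),
    # shim database installation, the persistence primitive behind application shimming
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\sdbinst.exe",
     "sdbinst.exe -q C:\\Users\\Public\\update.sdb"),
    # cmd.exe native substring extraction hiding the real command ("FINcoding" style)
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\cmd.exe",
     "cmd /c set a=powershell_x&& call %a:~0,10% -NoProfile -Command Get-Date"),
    # benign control event that must not match
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\Public\\notes.txt"),
]

# %VAR:~start,len% (substring) and %VAR:old=new% (replace) as parsed by cmd.exe
SUBSTR_RE = re.compile(r"%[^%\s:]+:~\s*-?\d+(?:,\s*-?\d+)?%")
REPLACE_RE = re.compile(r"%[^%\s:]+:[^=%]+=[^%]*%")
SCRIPT_PROTO_RE = re.compile(r"\b(?:vbscript|javascript):", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(parent, image, cmdline):
    """Return [(technique_label, reason)] for one process-creation event."""
    hits = []
    name, parent_name = basename(image), basename(parent)
    if name == "mshta.exe" and SCRIPT_PROTO_RE.search(cmdline):
        via = ""
        if parent_name == "explorer.exe":
            via = "; parent explorer.exe is consistent with a user-opened LNK lure (T1204.002)"
        hits.append(("T1218.005", "mshta.exe running an inline script protocol handler" + via))
    if name == "sdbinst.exe":
        hits.append(("T1546.011", "shim database install via sdbinst.exe"))
    if SUBSTR_RE.search(cmdline) or REPLACE_RE.search(cmdline):
        hits.append(("FINcoding-style", "cmd.exe variable substring/substitution in command line"))
    return hits


def scan(events):
    """Classify a batch of events; keep only those that matched something."""
    classified = ((basename(i), classify(p, i, c)) for p, i, c in events)
    return [(name, hits) for name, hits in classified if hits]
```

Calling `scan(SAMPLE_EVENTS)` flags the first three events and ignores the notepad.exe control; the substitution regexes are deliberately narrow so that ordinary `%VAR%` expansion does not trigger them.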
Name | Associated Names | Software Type | Availability | Emulation Notes |
---|---|---|---|---|
BABYMETAL | | Downloader, Stager | | FIN7 has used BABYMETAL to stage a Meterpreter payload over HTTP(S). [11] |
BOOSTWRITE (S0415) | | Loader | | FIN7 has used BOOSTWRITE as a loader launched via the abuse of the DLL search order of applications. [11] |
Carbanak (S0030) | Anunak | Backdoor | | FIN7 has used Carbanak as a post-exploitation tool to cement their foothold and maintain access to victim environments. [11] |
GRIFFON (S0417) | | Backdoor | | FIN7 has used GRIFFON to execute modules in memory and send results to a C2. [4] |
HALFBAKED (S0151) | | Backdoor | | FIN7 has used HALFBAKED to establish and maintain a foothold in victim networks. [25] |
Mimikatz (S0002) | | Windows Credential Dumper | Openly Available | FIN7 has used Mimikatz to facilitate privilege escalation. [9] |
PAExec | | Remote Execution | Openly Available | FIN7 has used PAExec to support execution of remote commands. [9] |
Pillowmint (S0517) | | Point of Sale (POS) Malware | | FIN7 has used Pillowmint to scrape credit card data from memory. [9] |
SQLRat (S0390) | | Remote Access Tool (RAT) | | FIN7 has used SQLRat to drop files and execute SQL scripts on victim hosts. [5] |
The following behaviors are in scope for an emulation of actions attributed to FIN7 as referenced by MITRE ATT&CK.
The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 1, in the referenced reporting.
The following behaviors are in scope for an emulation of actions attributed to FIN7, as implemented in Scenario 2, in the referenced reporting.
The following behaviors are in scope for an emulation of actions performed by FIN7 using BOOSTWRITE, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by FIN7 using Carbanak, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by FIN7 using GRIFFON, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by FIN7 using HALFBAKED, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by FIN7 using Pillowmint, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by FIN7 using SQLRat, exclusively based on current intelligence within ATT&CK for the given software.
The Intelligence Summary summarizes 26 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:
- Microsoft