Researchers also found FIN7 using updated versions of a known .NET downloader called BirdWatch, which retrieves payloads over HTTP, writes them to disk and then executes them. One of the newer variants, CrowView, additionally can house embedded payloads, self-delete and accept extra arguments.
In addition to new tools and access vectors, researchers said that data theft extortion or ransomware deployment has been observed following FIN7-attributed activity at multiple organizations. This could represent a shift in the monetization of FIN7 intrusions from payment card data to extortion operations, said researchers. For instance, in 2020, FIN7 intrusions were identified prior to the deployment of the Maze and Ryuk ransomware families, and in 2021 FIN7 activity was uncovered during an incident response by Mandiant involving the ALPHV ransomware. While this may suggest that FIN7 actors have been associated with ransomware operations, researchers stressed that Mandiant has not attributed any direct deployment of ransomware to FIN7.
“In all these cases, the ransomware deployment is currently attributed to separately tracked threat groups due to factors of the investigation and our visibility,” said researchers. “However, the possibility that FIN7 actors are engaging in ransomware operations is also substantiated by evidence outside of our intrusion data holdings and includes code usage, actor infrastructure, and trusted third party sources.”
FIN7, which has been around since at least 2015, started out as a financially motivated group targeting the retail, banking and hospitality sectors with point-of-sale malware. Over the years, however, the group has continued to build out its operations, target new companies and actively develop new malware. Recently, for instance, FIN7 attackers mailed USB thumb drives to U.S. organizations in an attempt to infect their environments with the DiceLoader framework, a known toolkit that helps attackers gain a foothold in infected systems and perform reconnaissance.
“Despite indictments of members of FIN7 in 2018 and a related sentencing in 2021 announced by the U.S. Department of Justice, at least some members of FIN7 have remained active and continue to evolve their criminal operations over time,” said researchers.