Russian financially motivated threat actor FIN7 (aka Carbanak) is continuously evolving its attack strategy, possibly collaborating with ransomware operations. Mandiant researchers have published a detailed technical report on FIN7 operations from late 2021 to early 2022.

Evolving the toolset

The adversary group has updated the PowerShell backdoor named PowerPlant in its ongoing campaigns. Researchers have observed different versions of it, ranging from v0.012 to v0.028.
  • PowerPlant and BEACON reportedly replaced Loadout and Griffon in the group's operations last year, while its older tools, the Carbanak and Diceloader malware, are being sidelined.
  • Additional development was observed in its Birdwatch downloader, which now has two variants, Crowview and Fowlgaze. These variants support retrieving payloads over HTTP and offer basic reconnaissance.
  • In some of the attacks, the threat actor was observed modifying the functionality and adding new features to PowerPlant.
  • During deployment, PowerPlant retrieves different modules from the C2 server, so its capabilities vary from intrusion to intrusion. Two of the most commonly deployed modules are named Boatlaunch (a helper module) and Easylook (a reconnaissance utility).

FIN7 is planning big

The recent report further discloses FIN7's involvement with various ransomware groups.
  • In some cases, the group’s intrusions were spotted before cyberattacks from Maze, Darkside, BlackCat, and Ryuk.
  • Further, a secondary artifact (a code signing certificate) indicates that FIN7 had a role in some Darkside operations: the certificate used by the group in 2021 was later spotted in Darkside samples.
  • Last October, the gang's rising interest in ransomware operations was reported when the group was exposed for setting up a fake pen-testing firm to recruit network intrusion specialists.

Ending notes

FIN7 is regularly evolving its criminal operations to improve its chances of success, and the adversary's connection with multiple ransomware operations is equally concerning. Organizations therefore need a defense-in-depth security strategy, including threat intelligence sourcing, to keep pace with evolving threats.
Cyware Publisher