FIN7 Forays into Ransomware Attack Landscape with New Tools

Evolving the toolset

• PowerPlant and BEACON reportedly replaced Loadout and Griffon in their operations last year, while its other tools Carbanak and Diceloader malware are being sidelined.
• Additional development was observed in its Birdwatch downloader; it now boasts of two variants Crowview and Fowlgaze. These variants support retrieving payloads over HTTP and offer basic reconnaissance.
• In some of the attacks, the threat actor was observed modifying the functionality and adding new features to PowerPlant.
• During deployment, PowerPlant obtains different modules from the C2 server, so the capabilities vary. Two of the most commonly deployed modules are named Boatlaunch (a helper module) and Easylook (a reconnaissance utility).

FIN7 is planning big

• In some cases, the group’s intrusions were spotted before cyberattacks from Maze, Darkside, BlackCat, and Ryuk.
• Further, secondary artifacts (a code signing certificate) indicate that FIN7 had a role in some Darkside operations. The certificate used by the group in 2021 was spotted in Darkside samples.
• Last October, the gang’s rising interest in ransomware operations was reported when the group was exposed for setting up a fake pen-testing firm to recruit network intrusion specialists.

Ending notes