    FIN7 Group Advertises Security-Bypassing Tool on Dark Web Forums

    The financially driven cybercriminal syndicate, FIN7, has been observed employing various aliases on multiple clandestine forums to ostensibly promote a tool used by ransomware collectives, including Black Basta.

    “AvNeutralizer, also known as AuKill, is a highly specialized instrument devised by FIN7 to sabotage security measures. This tool has been marketed within the criminal underground and utilized by several ransomware factions,” stated SentinelOne in a report shared with The Hacker News.

    FIN7, an e-crime faction of Russian and Ukrainian origin, has been a persistent menace since at least 2012. Initially, it targeted point-of-sale (PoS) terminals but later transitioned to serving as a ransomware affiliate for now-defunct groups like REvil and Conti, before inaugurating its own ransomware-as-a-service (RaaS) operations, DarkSide and BlackMatter.

    This threat entity, also known under the aliases Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), is notorious for establishing front companies such as Combi Security and Bastion Secure. These fronts recruit unsuspecting software engineers into ransomware schemes under the guise of penetration testing.

    Over the years, FIN7 has demonstrated a high degree of adaptability, sophistication, and technical prowess by continually updating its malware arsenal, including POWERTRASH, DICELOADER (also known as IceBot, Lizar, or Tirion), and a penetration testing tool named Core Impact, which is delivered via the POWERTRASH loader. This continued activity persists despite the arrests and sentencing of several of its members.

    The group’s large-scale phishing campaigns aim to disseminate ransomware and other malicious software by utilizing thousands of “shell” domains that mimic legitimate media and technology companies, according to a recent report by Silent Push.

    These shell domains are sometimes employed in conventional redirect chains to funnel users to counterfeit login pages masquerading as property management portals.

    These typosquatted domains are advertised on search engines like Google, deceiving users searching for popular software into downloading malware-laden versions. Some of the targeted tools include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, Autodesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.

    It’s worth noting that FIN7’s malvertising tactics were previously highlighted by both eSentire and Malwarebytes in May 2024, with attack chains culminating in the deployment of NetSupport RAT.

    “FIN7 rents numerous dedicated IPs across several hosts, primarily on Stark Industries, a bulletproof hosting provider linked to DDoS attacks in Ukraine and across Europe,” Silent Push noted.

    Recent findings from SentinelOne indicate that FIN7 has not only used various personas on cybercrime forums to market AvNeutralizer but has also enhanced the tool with new capabilities.

    This is evidenced by the fact that the EDR impairment program, previously exclusive to the Black Basta group, has been used in updated versions by multiple ransomware groups since January 2023.

    SentinelLabs researcher Antonio Cocomazzi told The Hacker News that the promotion of AvNeutralizer on underground forums shouldn’t be hastily interpreted as a new malware-as-a-service (MaaS) strategy adopted by FIN7 without further evidence.

    “FIN7 has a history of developing and deploying sophisticated tools for their own operations,” Cocomazzi remarked. “However, selling tools to other cybercriminals could be viewed as a natural evolution of their methods to diversify and generate additional revenue.”

    “Historically, FIN7 has leveraged underground marketplaces to generate revenue. For instance, the DoJ reported that since 2015, FIN7 successfully stole data for over 16 million payment cards, many of which were sold on underground marketplaces. While this was more prevalent in the pre-ransomware era, the current advertisement of AvNeutralizer might signify a shift or expansion in their strategy.”

    “This shift could be driven by the enhanced protections provided by modern EDR solutions compared to previous AV systems. As these defenses have strengthened, the demand for tools like AvNeutralizer has surged, particularly among ransomware operators. Attackers now face greater challenges in circumventing these protections, making such tools highly valuable and expensive.”

    The updated version of AvNeutralizer employs anti-analysis techniques and, crucially, leverages a Windows built-in driver called “ProcLaunchMon.sys” alongside the Process Explorer driver to interfere with security solutions and evade detection. This tool is believed to have been in active development since April 2022.

    A similar methodology has also been employed by the Lazarus Group. It is more dangerous than a traditional Bring Your Own Vulnerable Driver (BYOVD) attack because, instead of dropping a third-party vulnerable driver, it weaponizes a susceptible driver that is already present by default on Windows systems.
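    The combination described above (the built-in ProcLaunchMon.sys loaded together with the Process Explorer driver) is something a defender can look for in driver-load telemetry. The following is an added detection sketch, not code from SentinelOne or the article: it runs over constructed, simplified Sysmon-style DriverLoad (Event ID 6) records and flags the two drivers loading close together, plus any driver loaded from outside the Windows directory. The sample records, the 60-second pairing window, and the assumption that Process Explorer's driver is named procexp<version>.sys are mine.

```python
from datetime import datetime, timedelta

# Constructed sample DriverLoad records (Sysmon Event ID 6 reduced to
# tuples): timestamp, loaded image path, signature status. Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-07-17T10:00:01", "C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys", "Valid"),
    ("2024-07-17T10:00:03", "C:\\Users\\Public\\procexp152.sys", "Valid"),
    ("2024-07-17T12:30:00", "C:\\Windows\\System32\\drivers\\ntfs.sys", "Valid"),
]

PAIR_WINDOW = timedelta(seconds=60)  # assumption: loads within a minute are related


def file_name(path):
    """Last path component, lower-cased, for case-insensitive matching."""
    return path.lower().rsplit("\\", 1)[-1]


def is_proclaunchmon(path):
    return file_name(path) == "proclaunchmon.sys"


def is_procexp_driver(path):
    # Assumption: Process Explorer ships its driver as procexp<version>.sys
    name = file_name(path)
    return name.startswith("procexp") and name.endswith(".sys")


def parse(events):
    return [(datetime.fromisoformat(ts), path, sig) for ts, path, sig in events]


def find_paired_driver_loads(events, window=PAIR_WINDOW):
    """Return (ProcLaunchMon event, Process Explorer driver event) pairs that
    loaded within `window` of each other. Either driver alone can be benign
    (debugging, an admin running Process Explorer); the pair is the
    AvNeutralizer-style signal the article describes."""
    parsed = parse(events)
    plm = [e for e in parsed if is_proclaunchmon(e[1])]
    pex = [e for e in parsed if is_procexp_driver(e[1])]
    return [(a, b) for a in plm for b in pex if abs(a[0] - b[0]) <= window]


def drivers_loaded_outside_windows_dir(events):
    """Drivers loaded from user-writable locations: the usual BYOVD tell and
    a cheap first-pass filter to run before the pairing logic above."""
    return [e for e in events if not e[1].lower().startswith("c:\\windows\\")]
```

    Alerting on the pair rather than on either driver alone keeps noise from legitimate Process Explorer use down; the out-of-directory check catches the dropped Process Explorer driver even when ProcLaunchMon.sys is not involved.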

    Another significant update concerns FIN7’s Checkmarks platform, which has been modified to incorporate an automated SQL injection attack module for exploiting public-facing applications.

    “In its campaigns, FIN7 has embraced automated attack techniques, targeting public-facing servers through automated SQL injection attacks,” SentinelOne stated. “Moreover, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly bolster the group’s impact.”
