    Threat Group Resurfaces with New Tactics and Tools

    FIN7, the Russia-based threat group that the US government had previously described as dismantled, has resurfaced in the 2024 ransomware landscape with upgraded tooling and new tactics. According to a new analysis from SentinelLabs, FIN7 is active on underground markets, selling improved versions of its attack tools to other criminal operators.

    FIN7 is a financially motivated group that has been active for more than a decade. Until around 2020 it concentrated on stealing payment card data from point-of-sale systems in the hospitality, energy, finance, high-tech, and retail sectors worldwide. At that point the group shifted to ransomware as its primary modus operandi.

    New Findings

    SentinelLabs’ latest analysis highlights FIN7’s continued adaptability, persistence, and evolution as a threat group. Researchers found that the group is marketing a specialized version of its ‘AvNeutralizer’ tool, which is built to disable or blind endpoint security products. This version uses a previously unseen technique: it abuses ProcLaunchMon.sys, the Windows built-in Time Travel Debugging (TTD) monitor driver, to interfere with security solutions. Because the driver is a legitimate Windows component carrying a Microsoft signature, a driver-signature check or a blocklist of known malicious drivers alone will not catch the abuse; defenders have to look at the context in which the driver is loaded.

    The enhanced version is advertised on underground forums by sellers operating under several handles, including “goodsoft,” “lefroggy,” and “killerAV,” at prices ranging from $4,000 to $15,000. Rotating the seller identity lets the group obscure its involvement and keep the FIN7 name out of the listings.
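    Since the driver is Microsoft-signed, the practical detection is contextual: a load of ProcLaunchMon.sys on a host where no Time Travel Debugging session is running. The following Python is an added example written for this page; it is not code from the original article or from SentinelLabs. It assumes Sysmon-style event records with the field names shown, and the TTD_TOOLING set is an assumption about which processes legitimately bring the driver in; the sample events are constructed, not real telemetry.

```python
"""
Hunt for loads of the Windows Time Travel Debugging monitor driver
(ProcLaunchMon.sys) that have no legitimate debugging context.

Added example; not from the original article or from SentinelLabs.
Assumptions: events are Sysmon-style dicts with the field names used
below, and TTD_TOOLING lists the processes that legitimately use the
driver in your environment.
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Real Sysmon event IDs.
SYSMON_PROCESS_CREATE = 1
SYSMON_DRIVER_LOADED = 6

TARGET_DRIVER = "proclaunchmon.sys"

# Assumption: processes that normally cause ProcLaunchMon.sys to be loaded.
TTD_TOOLING = {"ttd.exe", "tttracer.exe", "windbg.exe", "windbgx.exe"}

# Look back this far for a debugging session that explains the driver load.
LOOKBACK = timedelta(minutes=5)


def _basename(path):
    """Case-insensitive file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


def _utc(ev):
    """Parse a Sysmon UtcTime value such as '2024-07-17 10:03:22.123'."""
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def find_suspicious_driver_loads(events):
    """Return one finding per ProcLaunchMon.sys load on a host where no known
    TTD tool started within LOOKBACK before the load.

    The driver's Microsoft signature is expected and is deliberately NOT used
    as a clearing signal: it is a legitimate Windows component, so the only
    thing that distinguishes abuse is the missing debugging context.
    """
    tooling_starts = {}  # host -> list of datetimes when TTD tooling started
    for ev in events:
        if (ev["EventID"] == SYSMON_PROCESS_CREATE
                and _basename(ev["Image"]) in TTD_TOOLING):
            tooling_starts.setdefault(ev["Computer"], []).append(_utc(ev))

    findings = []
    for ev in events:
        if ev["EventID"] != SYSMON_DRIVER_LOADED:
            continue
        if _basename(ev["ImageLoaded"]) != TARGET_DRIVER:
            continue
        host, when = ev["Computer"], _utc(ev)
        explained = any(
            timedelta(0) <= when - start <= LOOKBACK
            for start in tooling_starts.get(host, [])
        )
        if not explained:
            findings.append({
                "host": host,
                "time": ev["UtcTime"],
                "driver": ev["ImageLoaded"],
                "signed": ev.get("Signed", "unknown"),
                "signature": ev.get("Signature", "unknown"),
                "reason": "ProcLaunchMon.sys loaded with no TTD tooling in the "
                          f"previous {int(LOOKBACK.total_seconds() // 60)} minutes",
            })
    return findings


# Constructed sample telemetry (not real logs). DEV01 shows a legitimate TTD
# session; POS07 shows the driver appearing with no debugger at all.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "DEV01", "UtcTime": "2024-07-17 10:01:00.000",
     "Image": r"C:\Program Files\WindowsApps\Microsoft.TimeTravelDebugging\TTD.exe"},
    {"EventID": 6, "Computer": "DEV01", "UtcTime": "2024-07-17 10:01:05.250",
     "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "POS07", "UtcTime": "2024-07-17 03:42:11.004",
     "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for finding in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(finding)
```

    The DEV01 load is explained by a TTD.exe start a few seconds earlier and is dropped; the POS07 load is reported even though the driver is validly signed. In production the same logic would run over Sysmon Event ID 6 and Event ID 1 records from your SIEM, with the tooling allowlist and the lookback window tuned to how debugging is actually used on your fleet.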

    FIN7’s History

    Established in 2012 and sometimes referred to as Carbanak or Navigator, FIN7 is infamous for sophisticated malware campaigns against US companies in the restaurant, hospitality, and gaming industries. Through its signature point-of-sale (POS) attacks the group stole more than 20 million customer card records. The stolen data was sold on dark web marketplaces, causing an estimated $3 billion in losses to banks, card issuers, and consumers.

    In August 2018 the US Department of Justice unsealed the first of several indictments against high-level managers of the group’s highly organized cybercriminal operation; the first prison sentence followed in April 2021. The FBI revealed that FIN7 had been operating under the guise of several fake cybersecurity companies, including one named Combi Security, complete with a phony website and no legitimate clients, which it used to recruit unwitting penetration testers and developers.

    Conclusion and Implications

    SentinelLabs hopes its latest analysis will prompt further efforts to understand and mitigate FIN7’s evolving tactics. Developing specialized tools like AvNeutralizer and selling them on criminal forums extends the group’s reach well beyond its own intrusions, since any buyer gains the same evasion capability. FIN7’s steady output of new techniques for evading security controls reflects both its technical depth and the maturity of its operations.
