FIN7 [1] [2] [3] [4] [5] [6] [7] [8] [9], a financially motivated threat actor originating from Russia in 2012, has been observed promoting the tool AvNeutralizer on cybercrime forums under multiple pseudonyms.
Description
This custom endpoint detection and response (EDR) evasion tool has been used by ransomware groups such as Black Basta to bypass security solutions, showcasing FIN7's technical expertise and adaptability [6]. The group has a history of setting up front companies to recruit software engineers into ransomware schemes and has evolved from financial fraud to ransomware operations, collaborating with various ransomware-as-a-service groups [6].

Recent findings show that FIN7 has updated AvNeutralizer with new capabilities, including anti-analysis techniques and the use of a Windows built-in driver to evade detection [8]. Additionally, FIN7 has modified its Checkmarks platform to include an automated SQL injection attack module for exploiting public-facing applications [8]. The group has been running large-scale phishing campaigns to deliver ransomware and other malware families [8], deploying shell domains that mimic legitimate businesses to trick users into downloading malware-laced software [8]. FIN7 has also been using malvertising and renting dedicated IPs from bulletproof hosting providers [8]. Attribution efforts have expanded understanding of the AvNeutralizer malware family [7], providing a broader basis for tracking and analysis [7]. FIN7 targets specific victims through phishing attacks [6] and poses a significant threat to companies and governments because of its highly skilled, persistent, and constantly evolving tactics [6].

Researchers from SentinelLabs reported on the connection between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group [9]. They identified the tool "AvNeutralizer" (also known as AuKill) as being used exclusively by that group for six months [9], suggesting a close relationship between FIN7 and Black Basta [9]. However, starting in January 2023 [9], multiple ransomware groups began using updated versions of AvNeutralizer [5] [8] [9], indicating that the tool was no longer exclusive to Black Basta [9].

It is hypothesized that AvNeutralizer may have been sold on criminal underground forums [9], with Black Basta being one of the early adopters [9]. Selling tools to other cybercriminals could be a new revenue stream for FIN7 [4].
Conclusion
The evolving tactics and capabilities of FIN7, as demonstrated through the use of AvNeutralizer, pose a significant threat to cybersecurity. Mitigating these threats requires a comprehensive understanding of their techniques and tools. The potential sale of AvNeutralizer to other cybercriminals highlights the need for increased vigilance and collaboration among security professionals to combat the ever-changing landscape of cyber threats.
References
[1] https://cyber.vumetric.com/security-news/2024/07/17/fin7-group-advertises-security-bypassing-tool-on-dark-web-forums/
[2] https://insights.havosoft.com/2024/07/17/fin7-group-markets-security-bypassing-tool-on-dark-web-linked-to-ransomware-operations/
[3] https://www.krofeksecurity.com/unveiling-fin7-latest-security-bypassing-tool-unearthed-on-dark-web-forums/
[4] https://www.redpacketsecurity.com/fin7-group-advertises-security-bypassing-tool-on-dark-web-forums/
[5] https://indoguardonline.com/2024/07/17/fin7-group-advertises-security-bypass-tool-on-dark-web-forums/
[6] https://www.scmagazine.com/news/fin7-deploys-custom-edr-tool-on-numerous-dark-web-forums
[7] https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/
[8] https://thehackernews.com/2024/07/fin7-group-advertises-security.html
[9] https://businessmondays.co.uk/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/