FIN7.5: The Infamous Cybercrime Rig "FIN7" Continues Its Activities (May 8, 2019)

Kaspersky researchers have published a report discussing activity over the past year attributed to the financially motivated threat group “FIN7.” The FIN7 campaigns use spear phishing emails with malicious attachments as the initial infection vector. One malicious document is used to gather context information about the infected machine, while another uses macros to execute a “GRIFFON” implant. GRIFFON is a JavaScript validator-style implant capable of receiving modules for reconnaissance, screenshots, persistence, and downloading, with the results sent to the command-and-control (C2) servers. After analyzing the Tactics, Techniques, and Procedures (TTPs), the researchers believe that multiple other groups are interconnected with FIN7 and are continuing its attacks.
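The initial access step described above relies on Office attachments that carry macros. As an added example (not from the report or from Kaspersky), the following defender-side check parses a constructed spear-phishing-style message and flags any OOXML attachment that embeds a VBA project; the attachment names, addresses and stub contents are all invented for the illustration.

```python
# Added example: flag e-mail attachments that embed VBA macros (OOXML containers only).
import io
import zipfile
from email.message import EmailMessage

# OOXML members that hold a VBA project in Word, Excel and PowerPoint files.
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")

def has_vba_macros(data: bytes) -> bool:
    """True if an OOXML container (.docx/.docm/.xlsm/...) embeds a VBA project."""
    if not data.startswith(b"PK"):
        return False  # not a zip container; legacy OLE (.doc/.xls) is out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
    except zipfile.BadZipFile:
        return False
    return any(m in names for m in MACRO_MEMBERS)

def build_sample_doc(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container; the macro member is a harmless stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()

def flag_macro_attachments(msg: EmailMessage) -> list:
    """Return the filenames of attachments that embed VBA macros."""
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_vba_macros(payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged

def build_sample_email() -> EmailMessage:
    """Constructed message with one clean and one macro-bearing attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Invoice"  # constructed lure subject
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(build_sample_doc(False), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(build_sample_doc(True), maintype="application",
                       subtype="octet-stream", filename="order.docm")
    return msg

if __name__ == "__main__":
    print(flag_macro_attachments(build_sample_email()))  # → ['order.docm']
```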

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, and fail-safe defense processes) is the best way to ensure safety from sophisticated threat groups, including a focus on both network- and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.