FIN7 has made a comeback, proving itself innovative and adaptive, this time making available a custom endpoint, detection and response (EDR) tool called "AvNeutralizer" that evades the security defenses of enterprises.
In a July 17 blog post, SentinelLabs researchers said they first reported in November 2022 that FIN7 had a close relationship with the ransomware group BlackBasta. But based on its most recent research, SentinelLabs found that over the past several months, FIN7 deployed AvNeutralizer within numerous criminal dark web forums — and BlackBasta was one of the original customers. The researchers also said the groups' continued innovation showcases its technical expertise and ability to adapt.
First noted on the scene in 2012 with origins in Russia, FIN7 was initially known for its point-of-sale malware for financial fraud. The group later switched to ransomware by 2020, working with notorious ransomware-as-a-service (RaaS) groups such as REvil and Conti, along with launching it own RaaS programs under the names Darkside and then BlackMatter.
"FIN 7 is a highly skilled and persistent threat actor that has stayed active for so long by adopting and evolving their tactics and techniques in response to changes in the threat landscape, as well as security measures that companies and governments have tried to implement,” said Damir Brescic, chief information security officer at Inversion6. “They have ties to Russia and Ukraine, and pose a significant threat to companies and governments due to their proven ability to compromise systems and steal sensitive data.”
Brescic added that FIN7’s tradecraft continued to evolve throughout the years by using the latest and advanced social-engineering techniques to trick victims into installing malware and revealing sensitive information. Brescic said the group leverages phishing tactics that are tailored to specific victims and appear to come from a trusted source, which resulted in a number of high-profile victims, including hotel chains and fast food chain Chipotle.
Heath Renfrow, co-founder of Fenix24, said that like many other cybercriminal elements, FIN7 is in a region of the world where they are virtually untouchable, pointing out that FIN7 has also been one of the most cautious criminal elements his team has seen.
“They are very innovative, pivoting quickly when too much attention is directed toward them, changing their persona on a dime,” said Renfrow. “This contrasts with other threat actors we encounter that make a lot of noise, but do not pivot and go underground when the heat is turned up — most are brazen and crave the attention. FIN7 is methodical and realizes quickly that they must change directions before authorities zero-in on them.”