
Hacker group FIN7 is selling EDR evasion tools to other cyber criminals

05 Aug 2024

3 min read

Authors

Jennifer Gregory

Cybersecurity Writer

Entrepreneurship is rampant these days — even across the dark web. While the paths of cyber gangs are often winding, with alliances and rebrandings along the way, FIN7’s newest activity creates a new dynamic in the cybersecurity world that organizations need to watch to reduce their exposure. SentinelOne recently followed FIN7’s activity to uncover its history and current dealings.

FIN7 attacked over 100 US companies, including household names

FIN7, a Russian advanced persistent threat (APT) group, has a long-standing reputation for sophisticated and persistent attacks on a range of industries. It is suspected of creating the software that caused the Colonial Pipeline breach. The group started in 2012 and spent several years using point-of-sale (POS) malware to commit financial fraud across a wide range of industries, including hospitality, finance, energy and retail.

According to the United States Attorney’s Office, between 2015 and 2018, FIN7 breached more than 100 US companies, including Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. The gang stole more than 15 million customer card records from over 6,500 individual POS terminals at more than 3,600 separate business locations.


Russian cyber gang embraces ransomware

Around 2021, the gang added ransomware to its repertoire and created several fraudulent infosec firms, including Combi Security and Bastion Secure. For these attacks, the cyber criminals even hired researchers to work for their fake companies and had these “employees” unknowingly carry out ransomware attacks.

After three known leaders of the gang were sent to prison, the U.S. Attorney for Washington state declared in May 2023 that “FIN7 is an entity no more.” However, in late 2023, a large automotive manufacturer was attacked with malware that targeted people searching for a free network scanning tool. BlackBerry wrote in a blog post that it had a high level of confidence that the attacker was FIN7 because the script used in the attack was identical to Powertrash scripts used in other FIN7 attacks.


FIN7 now reportedly selling AvNeutralizer

Events in the last few years suggest that FIN7 is now closely tied to AvNeutralizer. SentinelOne discovered that FIN7 has been connected to “the use of EDR evasion tools [AvNeutralizer] in ransomware attacks involving the Black Basta group.” By using AvNeutralizer, also known as AuKill, attackers can tamper with security solutions before launching their own attacks. Originally, experts had only seen Black Basta using the tool and assumed it reflected a partnership between the two groups.

“Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer,” wrote SentinelOne. “About 10 of these are attributed to human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona and LockBit.”

The tool has now been linked to five different groups, which makes it likely that Black Basta was simply an early adopter.

Reports indicate that FIN7 is selling AvNeutralizer on Russian-speaking hacking forums at prices ranging from USD 4,000 to USD 15,000. The post advertised that the tool took three years and USD 1 million to develop. Additionally, the tool acts as a post-exploitation framework that infiltrates enterprise networks and is not detectable by traditional antivirus software.

The impact of FIN7 selling AvNeutralizer

SentinelOne wrote that FIN7’s “development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.” Because FIN7 is selling its tools, many other groups with less expertise and experience can now launch exceptionally sophisticated attacks very quickly. Additionally, AvNeutralizer, combined with other FIN7 tools, makes the group even more dangerous than before.

“The proficiency of FIN7 in executing sophisticated cyberattacks relies on their versatile arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor and AvNeutralizer,” wrote SentinelOne. “Each of these tools supports various attack phases carried out during the intrusions, allowing the group to adeptly infiltrate, exploit, persist and evade detection.”

With the re-emergence of FIN7 and the sale of AvNeutralizer, cybersecurity professionals need to track the group’s current actions to reduce their exposure and spot an attack early. Although it is common for cyber gangs to evolve, this development is concerning and one to watch.
