Cybersecurity experts have compiled a detailed technical report on the operations of FIN7 (also known as Carbanak) from the end of 2021 to the beginning of 2022, showing that attackers continue to be active, develop and try new monetization methods.
Despite the fact that in 2018 some members of the group were charged, and in 2021 one of its members was sentenced, FIN7 did not disappear and continued to develop new tools for covert attacks.
Researchers from Mandiant have published a new list of FIN7 compromise indicators based on the analysis of new malware samples associated with the grouping. The evidence gathered as a result of a number of cyberattacks prompted analysts to combine eight previously suspected groups into FIN7, which indicates a wide range of operations of these criminals.
A PowerShell backdoor called PowerPlant has been linked to FIN7 for many years, but hackers continue to develop new versions of it. FIN7 adjusts functionality and adds new features to PowerPlant, and also deploys a new version in the middle of the operation. During installation, PowerPlant receives different modules from the command server. The two most commonly used modules are called Easylook and Boatlaunch.
Easyloook is an intelligence utility that FIN7 has been using for at least two years to collect information about the network and system, such as hardware, user names, registration keys, operating system versions, domain data, etc.
Boatlaunch is an auxiliary module that corrects PowerShell processes on compromised systems using a 5-byte instruction sequence that leads to an AMSI bypass. AMSI (Malware Scanning Interface) is a built—in Microsoft tool that helps detect malicious PowerShell execution, so Boatlaunch helps prevent this protection mechanism.
Another new development is an updated version of the Birdwatch loader, which now has two options: Crowview and Fowlgaze. Both variants are written in the language .NET, but, unlike Birdwatch, have the ability to self-delete, come with built-in payloads and support additional arguments.
Another interesting discovery is the involvement of FIN7 in various groups of extortionists. In particular, analysts found evidence of FIN7 hacks discovered just before the incidents with ransomware programs such as Maze, Ryuk, Darkside and BlackCat/ALPHV.