FIN7 escapes justice and builds up its power

Carding Forum

Professional
Silent Push experts claim that the FIN7 group resumed its activities after the United States announced the liquidation of the group in 2021.

In 2021, the United States announced that FIN7 no longer exists, after sentences were handed down to key members of the group. The US Department of Justice described FIN7 as a criminal organization with more than 70 participants organized into separate business units and teams. The FIN7 Group has caused approximately $3 billion in damage to organizations since 2013.

Recall that in 2023, hacker attacks continued, not as part of FIN7 but under other brands. FIN7 is associated with the Black Basta, DarkSide, REvil, and LockBit ransomware families.

According to Silent Push, in 2024 FIN7 returned to active activity on its own behalf, creating thousands of sites that mimic various media and technology companies. Malicious domains are registered by a major hosting provider, Stark Industries Solutions.

The first signs of FIN7's resurgence came in April 2024, when Blackberry reported a major car company being hacked. The attack started by infecting users who were searching for a popular free network scanning tool.

Silent Push specialists have developed a method for tracking the fast-growing FIN7 infrastructure, which includes more than 4,000 hosts. Hackers use various methods: from typosquatting tactics and infected advertising (malvertising) to malicious browser extensions and phishing domains.

FIN7 domains target various major brands, including American Express, Bitwarden, Bloomberg, CNN, Dropbox, Google, Meta, Microsoft 365, Midjourney, and others. Many domains look like ordinary websites for various businesses, often with texts from standard templates. This is done to artificially "age" domains and give them a positive reputation. It took hackers 6-9 months to roll out the infrastructure.

In attacks using the typosquatting method, cybercriminals register domains similar to those of popular software. Phishing domains are advertised on Google so that links to them are displayed in search results higher than real software sources. Software that is used as bait includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.

Silent Push discovered the new FIN7 domains after being contacted by a company that had been attacked by the group in the past and suspected that the group was active again. A search for hosts revealed only one active site, which then led to many other FIN7 resources.

Previously, FIN7 operated through fake information security companies that recruited hackers to help in ransomware attacks. That is how one of the key members of the group was arrested, after responding to such a company's job vacancy.

Like other phishing groups, FIN7 uses current global events. Hackers are now targeting tourists visiting the Olympic Games in France. Among the new FIN7 domains, there are several phishing sites that sell fake Louvre tickets.

According to Silent Push, the research clearly shows that FIN7 is back and expanding rapidly. The company expressed the hope that law enforcement agencies will pay attention to this and take additional measures, and that many of the competitors will be able to use the disclosed information to expand research on the FIN7 infrastructure.

• Source: https://www.silentpush.com/blog/fin7/
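As an added defensive example (not code from the Silent Push report or from this post), the following Python checks defanged domain indicators against the bait software list quoted above, flagging near-miss spellings and labels that embed a brand name. The sample indicators and the allowlist are constructed assumptions, not indicators from the report.

```python
import re
from typing import Dict, List, Tuple

# Software names FIN7 used as download bait, taken from the Silent Push findings above.
BAIT_BRANDS = ["7-zip", "PuTTY", "Notepad++", "Advanced IP Scanner", "AnyDesk",
               "pgAdmin", "Bitwarden", "Sublime Text", "Node.js", "Python"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'aiNude[.] ai' into 'ainude.ai'."""
    return re.sub(r"\s*\[\.\]\s*", ".", indicator.strip()).lower()

def normalise(name: str) -> str:
    # Reduce a brand name or domain label to lowercase alphanumerics for comparison.
    return re.sub(r"[^a-z0-9]", "", name.lower())

def levenshtein(a: str, b: str) -> int:
    """Edit distance: one or two edits away from a brand is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_hits(domain: str, brands=BAIT_BRANDS, max_distance: int = 2) -> List[Tuple[str, int]]:
    """Return (brand, distance) for every brand the registrable label imitates,
    either by near-miss spelling or by embedding the brand ("putty-download")."""
    parts = domain.split(".")  # naive split; use a public-suffix list for ccTLDs like .co.uk
    label = normalise(parts[-2] if len(parts) >= 2 else parts[0])
    hits = []
    for brand in brands:
        b = normalise(brand)
        dist = levenshtein(label, b)
        if dist <= max_distance or (len(b) >= 5 and b in label):
            hits.append((brand, dist))
    return hits

def flag_lookalikes(indicators: List[str],
                    allowlist=frozenset({"python.org"})) -> Dict[str, List[Tuple[str, int]]]:
    """Refang each indicator and keep those imitating a bait brand. The vendor's
    real domain must be allowlisted or the exact match (distance 0) flags it too."""
    flagged = {}
    for raw in indicators:
        dom = refang(raw)
        if dom not in allowlist:
            hits = lookalike_hits(dom)
            if hits:
                flagged[dom] = hits
    return flagged
```

Feed `flag_lookalikes` a list of defanged domains from a threat feed or your own DNS logs; anything returned deserves a closer look at who registered it and what it serves.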
 
Researchers have uncovered a new fraudulent scheme of the well-known hacker group FIN7. Criminals actively advertise and sell on dark forums a tool for circumventing security systems called AvNeutralizer. This software allows you to invade victims' devices without being noticed, bypassing threat detection systems.

According to a recent report from SentinelOne, AvNeutralizer has already been adopted by several extortion groups.

AvNeutralizer's history dates back to April 2022. Interestingly, for the first six months the tool was used by another group, Black Basta, which was probably one of the first customers.

SentinelOne analysts found a lot of ads on various underground forums advertising the sale of AvNeutralizer. To hide their tracks, FIN7 used a number of aliases, including "goodsoft", "lefroggy", "killerAV" and "Stupor". The cost of the software ranges from 4 to 15 thousand dollars.

The key feature of AvNeutralizer is that it is configured individually for each customer, allowing targeted attacks on specific security systems of their choice. Since the beginning of 2023, the malware managed to "light up" in a variety of cyber attacks, including the subsequent introduction of infamous ransomware programs like AvosLocker, MedusaLocker, BlackCat, Trigona and LockBit.

AvNeutralizer developers do not sit idly by and constantly improve their brainchild. The latest version discovered by SentinelOne includes a new method of bypassing security systems, previously not found "in the wild". In particular, the new version uses a built-in Windows driver called "ProcLaunchMon.sys" in conjunction with the Process Explorer driver.

FIN7 itself has been operating since 2013 and during this time has managed to cause significant financial damage to such industries as hospitality, energy, finance, high technology and retail. Most recently, in April of this year, the group attacked a major automaker in the United States.

SentinelOne experts emphasize that the development and commercialization of tools like AvNeutralizer on criminal underground forums significantly increases the group's influence. Using multiple aliases and collaborating with other cybercrime organizations makes it difficult to identify attackers and demonstrates their advanced tactics.

• Source: https://www.sentinelone.com/labs/fi...-with-new-edr-bypasses-and-automated-attacks/
 
According to Silent Push experts, the FIN7 hack group has launched a network of websites with fake AI adult content generators. Visitors to such resources are infected with malware, which steals data.

The FIN7 group (aka Sangria Tempest, Carbon Spider and Carbanak) has been active for more than a decade, since 2013. At first, the group was engaged in PoS attacks to steal payment data, and then switched to hacking large companies by distributing ransomware. For example, FIN7 has been linked to ransomware groups such as DarkSide, BlackMatter, and BlackCat.

Typically, FIN7 specializes in sophisticated phishing and engineering attacks to gain initial access to corporate networks. For example, there is a known case when hackers posed as BestBuy and sent malicious USB drives to their targets.

Now, the attackers have been linked to a convoluted network of websites promoting AI deepnudes (AI-generated explicit images) that supposedly help generate explicit photos based on photos of clothed people.

Fake FIN7 sites serve as bait for people interested in creating deepfakes of nude celebrities and other people. It is worth noting that similar tricks for the spread of malware were used by cybercriminals back in 2019, long before the global AI boom.

The network of hackers operates under the AI Nude brand and is actively promoted through black hat SEO techniques to ensure that fake generator sites rank high in search results. All sites have a similar design and promise to create deepnudes based on any uploaded photo for free.

According to Silent Push, the group directly operated sites such as aiNude[.]ai, easynude[.]website and nude-ai[.]pro that offered free trials and free downloads to visitors, but in reality, they were just spreading malware.

Sites allowed users to upload any photos from which they needed to make a blatant deepfake. However, after generating the deepnudes, the image was allegedly not displayed on the screen. Instead, the user was prompted to follow a link to download the result.

As a result, the victim was taken to another site, where they were provided with a link and password to access a secure archive hosted in Dropbox.

Of course, instead of a candid AI-generated image, such an archive contains only the Lumma infostealer, which, once launched, steals credentials and cookies saved in browsers, cryptocurrency wallet data, and other information from the victim's machine.

The researchers also found several sites advertising software for creating deepnudes in Windows. These resources distribute the Redline stealer and the D3F@ck Loader malware, which also steal information from hacked devices.

Currently, all seven sites detected by Silent Push specialists have already been removed.

In addition to fake neural network generators, experts have uncovered other FIN7 campaigns, such as those distributing the NetSupport RAT through sites where visitors were asked to install a browser extension. In other cases, FIN7 used payloads disguised as well-known brands and apps, including products from Canon, Zoom, Fortnite, Fortinet VPN, Razer Gaming, and PuTTY.

Source