FIN7’s intrusion tooling evolved from the LOADOUT and GRIFFON downloaders in 2020 to POWERPLANT as the primary PowerShell-based backdoor in 2021, with BEACON serving as a secondary access path and extensive PowerShell tradecraft continuing to shape their operations. The report highlights long-running FIN7 patterns, evasion through obfuscation, and a notable shift toward supply chain compromise and more targeted engagements, illustrating how the group layers modular components and in-memory execution to expand access while complicating detection. #FIN7 #POWERPLANT #LOADOUT #GRIFFON #BEACON #POWERTRASH #CARBANAK #DICELOADER #PILLOWMINT #KERBEROAST #Atera #GoToAssist
Keypoints
- 2021 marked a strategic shift for FIN7 to deploy POWERPLANT as the primary backdoor across multiple intrusions, with BEACON as a secondary access method.
- POWERPLANT is a broad PowerShell-based backdoor framework with multiple versions (0.012 through 0.028) and modular capabilities delivered from C2.
- FIN7’s PowerShell emphasis—described as their “love language”—shows up in unique command lines and obfuscated loaders like POWERTRASH that deliver payloads such as BEACON and CARBANAK in memory.
- LOADOUT (VBScript downloader) and GRIFFON (JS downloader) were early components, with LOADOUT harvesting system data and sending it to C2, which then delivered GRIFFON.
- Initial access frequently relied on compromised RDP credentials, followed by Windows process chains (cmd.exe spawning powershell.exe) and rundll32 to load payloads such as TERMITE and BEACON in memory.
- FIN7 used custom obfuscation techniques (e.g., inserting “FUCKAV” strings and Bible verses) to evade detection and repeatedly refined LOADOUT to defeat static detections.
MITRE Techniques
- [T1021.001] Remote Services: Remote Desktop Protocol – Initial access via compromised RDP credentials used to log into a target server on two separate days. ‘To obtain initial access during this intrusion, FIN7 used compromised Remote Desktop Protocol (RDP) credentials to login to a target server across two separate days.’
- [T1059.001] PowerShell – Heavy use of PowerShell-based loaders and commands; PowerShell is described as FIN7’s “love language.”
- [T1059.003] Windows Command Shell – cmd.exe used to launch PowerShell non-interactively with no profile and the execution policy bypassed, running a script staged on an administrative share. ‘cmd.exe /c start %SYSTEMROOT%\system32\WindowsPowerShell\v1.0\powershell.exe -noni -nop -exe bypass -f /ADMIN$/temp/wO9EBGmDqwdc.ps1’
- [T1218.011] Signed Binary Proxy Execution: Rundll32 – Using Rundll32 to load a DLL payload. ‘RunDll32 TstDll.dll,TstSec 11985756’
- [T1069.002] Permission Groups Discovery – Discovery of domain admins via ‘net group “Domain Admins” /domain’. ‘cmd.exe /C net group “Domain Admins” /domain’
- [T1033] System Owner/User Discovery – Enumeration of logged-on users via ‘quser’. ‘quser’
- [T1558.003] Steal or Forge Kerberos Tickets: Kerberoasting – Requesting service tickets for offline cracking via the Invoke-Kerberoast PowerShell module. ‘Invoke-Kerberoast -OutputFormat HashCat’
- [T1071.001] Web Protocols – C2 communications delivering modules via HTTP (and DNS). ‘additional JavaScript modules using HTTP or DNS’
- [T1071.004] DNS – C2 communications leveraging DNS for module retrieval. ‘HTTP or DNS’
- [T1562.001] Impair Defenses: Disable or Modify Tools – Bypassing the PowerShell execution policy at launch; powershell.exe accepts abbreviated parameter names, so ‘-ex bypass’ and ‘-exe bypass’ both mean ‘-ExecutionPolicy bypass’. ‘powershell.exe -ex bypass’
- [T1027] Obfuscated/Compressed Files and Information – Heavy obfuscation and custom string obfuscation (e.g., inserting ‘FUCKAV’ and Bible verses). ‘…custom obfuscation mechanism’
Indicators of Compromise
- [File hash] POWERPLANT samples – 5a6bbcc1e44d3a612222df5238f5e7a8, 0291df4f7303775225c4044c8f054360
- [File hash] POWERPLANT sample (0.019) – 3803c82c1b2e28e3e6cca3ca73e6cce7
- [File hash] MD5s associated with LOADOUT variants – 485b2a920f3b5ae7cfad93a4120ec20d, 012e7b4d6b5cb8d46771852c66c71d6d
Read more: https://www.mandiant.com/resources/evolution-of-fin7