Woburn, MA – May 8, 2019 – Kaspersky Lab researchers have detected a number of new attacks by the notorious Fin7/Carbanak cyber-gang using GRIFFON malware, dispelling beliefs that the group had disbanded following the 2018 arrest of a number of its suspected leaders. According to company experts, Fin7 may have extended the number of groups operating under its umbrella; increased the sophistication of its methods; and even positioned itself as a legitimate security vendor to recruit professional employees and dupe them into helping it steal financial assets.
Fin7 is believed to be behind attacks targeting the U.S. retail, restaurant and hospitality sectors since mid-2015, working in close collaboration and sharing tools and methods with the infamous Carbanak group. While Carbanak focused primarily on banks, Fin7 targeted mostly businesses, potentially making off with millions of dollars in financial assets, such as payment card credentials or account information on the computers of financial departments. Once the threat actors got what they needed, they wired money to offshore accounts.
According to Kaspersky Lab’s new investigation, the group has continued its activity – despite last year’s arrest of the alleged group leaders – by implementing sophisticated spear-phishing campaigns throughout 2018 and distributing malware through targeted emails. In different cases, the operators exchanged messages with their intended victims over a period of weeks before finally sending the malicious documents as attachments. Kaspersky Lab estimates that by the end of 2018, more than 130 companies might have been targeted in this way.
The researchers also discovered other criminal teams operating under the Fin7 umbrella. The use of shared infrastructure and the same tactics techniques and procedures (TTPs) shows that Fin7 is likely collaborating with the AveMaria botnet and groups known as CobaltGoblin/EmpireMonkey, believed to be behind bank robberies in Europe and Central America.
Kaspersky Lab also found that Fin7 has created a fake company that claims to be a legitimate cybersecurity vendor with offices across Russia. The company website is registered to the server that Fin7 uses as a Command and Control (C&C) center. The fake business has been used to recruit unsuspecting freelance vulnerability researchers, program developers and interpreters through legitimate online job sites. It seems that some of the individuals working in these fake companies did not suspect that they were involved in a cybercrime business, with some even including their experience working in these organizations on their resumes.
“Modern cyberthreats can be compared to the mythical creature Hydra of Lerna – you cut off one of its heads and it grows two new ones,” said Yury Namestnikov, security researcher at Kaspersky Lab. “Therefore, the best way to protect yourself from such actors is to implement advanced, multi-layered protection: install all software patches as soon as they are released and do regular security analysis across all networks, systems and devices.”
To reduce the risk of infection, Kaspersky Lab advises the following tips for businesses:
More details of Kaspersky Lab’s research on Fin7 can be found on Securelist.
About Kaspersky Lab
Kaspersky Lab is a global cybersecurity company, which has been operating in the market for over 21 years. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into next generation security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.