G0046 · 52 ATT&CK techniques · 0 correlated reports

FIN7

Aliases: GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has primarily targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, and utilities industries in the U.S. A portion of FIN7 was run out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to a big game hunting (BGH) approach including use of REvil ransomware and their own Ransomware as a Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but there appears to be several groups using Carbanak malware and are therefore tracked separately.

Open interactive actor investigation

ATT&CK techniques

T1204.001
Malicious Link T1553.002
Code Signing T1078
Valid Accounts T1059
Command and Scripting Interpreter T1021.004
SSH T1190
Exploit Public-Facing Application T1027.001
Binary Padding T1033
System Owner/User Discovery T1053.005
Scheduled Task T1021.005
VNC T1036.005
Match Legitimate Name or Location T1566.002
Spearphishing Link T1036.004
Masquerade Task or Service T1218.011
Rundll32 T1047
Windows Management Instrumentation T1059.005
Visual Basic T1219
Remote Access Software T1059.001
PowerShell T1546.011
Application Shimming T1559.002
Dynamic Data Exchange T1069.002
Domain Groups T1021.001
Remote Desktop Protocol T1486
Data Encrypted for Impact T1588.002
Tool T1583.006
Web Services T1497.002
User Activity Based Checks T1059.007
JavaScript T1547.001
Registry Run Keys / Startup Folder T1608.004
Drive-by Target T1125
Video Capture T1571
Non-Standard Port T1027.010
Command Obfuscation T1204.002
Malicious File T1218.005
Mshta T1102.002
Bidirectional Communication T1105
Ingress Tool Transfer T1078.003
Local Accounts T1583.001
Domains T1005
Data from Local System T1543.003
Windows Service T1091
Replication Through Removable Media T1071.004
DNS T1059.003
Windows Command Shell T1566.001
Spearphishing Attachment T1608.001
Upload Malware T1008
Fallback Channels T1558.003
Kerberoasting T1195.002
Compromise Software Supply Chain T1113
Screen Capture T1567.002
Exfiltration to Cloud Storage T1210
Exploitation of Remote Services T1587.001
Malware

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research