The FIN7 Group Promotes a Tool for Bypassing Security on Dark Net Communities

FIN7, a financially motivated threat group, has been using several aliases on underground forums to allegedly promote a tool commonly employed by ransomware gangs such as Black Basta.


“AvNeutralizer (also known as AuKill), a specialized tool crafted by FIN7 to manipulate security solutions, has been marketed in the criminal underground and used by several ransomware factions,” as per a report by cybersecurity firm SentinelOne shared with The Hacker News.

FIN7, believed to have roots in Russia and Ukraine, has been a persistent threat since at least 2012, moving from attacks on point-of-sale (PoS) systems to acting as a ransomware affiliate for now-defunct groups such as REvil and Conti. It later launched its own ransomware programs, DarkSide and BlackMatter.

The group, also tracked as Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), has a history of setting up front companies such as Combi Security and Bastion Secure to recruit unwitting software developers into ransomware operations under the guise of penetration testing work.


Over time, FIN7 has shown considerable adaptability, sophistication, and technical skill by upgrading its malware arsenal, which includes POWERTRASH, DICELOADER (also known as IceBot, Lizar, or Tirion), and the penetration testing tool Core Impact delivered through the POWERTRASH loader, despite the arrest and sentencing of some of its members.

This is evident in the group's large-scale phishing campaigns, which distribute ransomware and other malware strains through numerous counterfeit domains impersonating legitimate media and technology companies, according to a recent Silent Push report.

These lookalike domains have also occasionally been used in a conventional redirect chain that leads users to fake login pages posing as property management portals.

These typosquatted domains are promoted through ads on popular search engines such as Google, tricking users searching for well-known software into downloading a malicious version instead. Targeted tools include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Rest Proxy, Python, Sublime Text, and Node.js.

Notably, FIN7's use of malvertising was previously documented by both eSentire and Malwarebytes in May 2024, with the attack chains leading to the deployment of NetSupport RAT.

“FIN7 leases a substantial number of dedicated IPs on various hosts, primarily on Stark Industries, a prominent bulletproof hosting provider connected to DDoS assaults in Ukraine and across Europe,” as highlighted by Silent Push.

The latest findings from SentinelOne indicate that FIN7 has not only used multiple personas on cybercrime forums to advertise AvNeutralizer for sale but has also extended the tool with new capabilities.

Starting in January 2023, multiple ransomware groups began using updated versions of the EDR bypass tool, which had previously been exclusive to the Black Basta group.

According to SentinelLabs researcher Antonio Cocomazzi, the promotion of AvNeutralizer on underground forums should not, without further evidence, be interpreted as FIN7 adopting a new malware-as-a-service (MaaS) strategy.

“FIN7 has a background of devising and employing advanced tools for their own operations,” Cocomazzi commented. “However, vending tools to other cybercriminals could be viewed as a natural progression of their techniques to diversify and accrue more income.”

“Historically, FIN7 has utilized undercover marketplaces to generate funds. For instance, the DoJ noted that since 2015, FIN7 managed to pilfer data of over 16 million payment cards, many of which were traded on hidden markets. While this was more prevalent in the era before ransomware, the present promotion of AvNeutralizer could indicate a change or expansion in their strategy.”

“This could be driven by the advancing defenses offered by modern EDR solutions compared to previous AV systems. As these protections have become stronger, the demand for bypass tools like AvNeutralizer has significantly increased, particularly among ransomware operators. Cyber attackers now encounter more formidable obstacles in circumventing these protections, making these tools highly sought-after and costly.”

The updated version of AvNeutralizer adds anti-analysis techniques and, notably, abuses a built-in Windows driver, “ProcLaunchMon.sys,” in combination with the Process Explorer driver to tamper with security solutions and evade detection. The tool is believed to have been under active development since April 2022.

A similar approach has also been used by the Lazarus Group. It is more dangerous than a conventional Bring Your Own Vulnerable Driver (BYOVD) attack because it weaponizes a vulnerable driver that is already present by default on Windows systems.
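As an added defensive illustration, not taken from the article or from SentinelOne's report, the following Python check scans constructed, simplified Sysmon driver-load records and flags loads of the two drivers named above, treating the pairing of both as the stronger signal. The Process Explorer driver's file name (procexp152.sys) and the expected on-disk location of ProcLaunchMon.sys are assumptions.

```python
import re
from dataclasses import dataclass

# Drivers named in the article. "ProcLaunchMon.sys" is on the page; the Process
# Explorer driver's file name (procexp152.sys) is an assumption made here.
WATCHED = {"proclaunchmon.sys", "procexp152.sys"}
# ProcLaunchMon.sys ships with Windows; this expected location is an assumption.
EXPECTED_DIR = r"c:\windows\system32\drivers"

# Simplified Sysmon Event ID 6 record: "DriverLoad ImageLoaded=<path> Signature=<signer>"
_RECORD = re.compile(r"^DriverLoad\s+ImageLoaded=(?P<path>.+?)\s+Signature=(?P<sig>.+)$")

@dataclass
class Finding:
    driver: str
    path: str
    reason: str

def parse_record(line):
    """Return (image_path, signer) for a well-formed record, else None."""
    m = _RECORD.match(line.strip())
    return (m.group("path"), m.group("sig").strip()) if m else None

def analyze(lines):
    """Scan DriverLoad records; return (findings, both_drivers_seen).

    both_drivers_seen is the higher-confidence signal: the article describes
    the tool using ProcLaunchMon.sys together with the Process Explorer driver.
    """
    findings, seen = [], set()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        path, _signer = rec
        directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
        if name not in WATCHED:
            continue
        seen.add(name)
        if name == "procexp152.sys":
            findings.append(Finding(name, path, "Process Explorer driver loaded; confirm an admin is running it"))
        elif directory != EXPECTED_DIR:
            findings.append(Finding(name, path, "built-in driver loaded from an unexpected location"))
    return findings, WATCHED <= seen

# Constructed sample records (not real telemetry).
SAMPLE_LOG = r"""
DriverLoad ImageLoaded=C:\Windows\System32\drivers\ProcLaunchMon.sys Signature=Microsoft Windows
DriverLoad ImageLoaded=C:\Users\Public\procexp152.sys Signature=Microsoft Corporation
DriverLoad ImageLoaded=C:\Windows\System32\drivers\ndis.sys Signature=Microsoft Windows
garbage line that does not parse
"""

if __name__ == "__main__":
    found, paired = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.driver}: {f.reason} ({f.path})")
    print("both drivers seen in this log:", paired)
```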

Another notable update concerns FIN7's Checkmarks platform, which now includes an automated SQL injection attack module for exploiting public-facing applications.

“In their campaigns, FIN7 has adopted automated attack techniques, focusing on public servers through auto SQL injection attacks,” as stated by SentinelOne. “Moreover, their creation and promotion of specialized tools such as AvNeutralizer within criminal underground forums considerably amplify the group’s influence.”
