The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums, likely to advertise a tool used by ransomware groups such as Black Basta.
“AvNeutralizer (also known as AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups,” cybersecurity company SentinelOne stated in a report shared with The Hacker News.
FIN7, a cybercrime group originating from Russia and Ukraine, has been a persistent threat since at least 2012. Initially targeting point-of-sale (PoS) terminals, it evolved into a ransomware affiliate for now-defunct gangs like REvil and Conti, and has since launched its own ransomware-as-a-service (RaaS) programs, DarkSide and BlackMatter.
Tracked under aliases such as Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), FIN7 has a history of setting up front companies like Combi Security and Bastion Secure to recruit unsuspecting software engineers into ransomware schemes under the guise of penetration testing.
Over the years, FIN7 has shown a high degree of adaptability, sophistication, and technical prowess by retooling its malware arsenal – including POWERTRASH, DICELOADER (also known as IceBot, Lizar, or Tirion), and a penetration testing tool called Core Impact delivered via the POWERTRASH loader – despite the arrests and sentencing of some of its members.
This adaptability is evident in the large-scale phishing campaigns undertaken by the group to deliver ransomware and other malware families, deploying thousands of “shell” domains that mimic legitimate media and technology businesses, according to a recent report from Silent Push.
Additionally, these shell domains have occasionally been used in a conventional redirect chain to send users to spoofed login pages that masquerade as property management portals.
Typosquat domains impersonating the download pages of popular software are advertised on search engines like Google, deceiving users searching for that software into downloading malware-laden variants instead. Targeted tools include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, Autodesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
It’s worth noting that FIN7’s use of malvertising tactics was previously highlighted by both eSentire and Malwarebytes in May 2024, with the attack chains leading to the deployment of NetSupport RAT.
“FIN7 rents a large number of dedicated IPs across various hosts, primarily using Stark Industries, a well-known bulletproof hosting provider linked to DDoS attacks in Ukraine and Europe,” Silent Push noted.
The latest findings from SentinelOne indicate that FIN7 has not only used multiple personas on cybercrime forums to promote AvNeutralizer but has also enhanced the tool with new features.
This is evident from the fact that, starting in January 2023, multiple ransomware groups began using updated versions of the EDR impairment tool, which had previously been exclusive to the Black Basta group.
SentinelLabs researcher Antonio Cocomazzi told The Hacker News that advertising AvNeutralizer on underground forums shouldn’t be seen as a new malware-as-a-service (MaaS) tactic by FIN7 without further evidence.
“FIN7 has a history of developing and using sophisticated tools for their operations,” Cocomazzi said. “However, selling tools to other cybercriminals could be a natural evolution of their methods to diversify and generate additional revenue.”
“Historically, FIN7 has used underground marketplaces to generate revenue. For instance, the DoJ reported that since 2015, FIN7 successfully stole data from more than 16 million payment cards, many of which were sold on underground marketplaces. While this was more common in the pre-ransomware era, the current advertisement of AvNeutralizer could signal a shift or expansion in their strategy.”
“This could be driven by the increasing protections provided by modern EDR solutions compared to previous AV systems. As these defenses have improved, the demand for impairment tools like AvNeutralizer has grown significantly among ransomware operators. Attackers now face tougher challenges in bypassing these protections, making such tools highly valuable and expensive.”
The updated version of AvNeutralizer employs anti-analysis techniques and abuses a Windows built-in driver, “ProcLaunchMon.sys”, in conjunction with the Process Explorer driver to tamper with security solutions and evade detection. The tool is believed to have been in active development since April 2022.
A similar tactic has been used by the Lazarus Group. It makes the tool more dangerous because it goes beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack: instead of dropping its own vulnerable driver, it weaponizes a susceptible driver that is already present by default on Windows machines.
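A defender reading the paragraph above will want a hunt for the two drivers it names. The following is an added example, not code from SentinelOne's report or from AvNeutralizer itself: it scans driver-load records of the kind Sysmon emits as Event ID 6 for ProcLaunchMon.sys and the Process Explorer driver, and raises a high-severity finding when both load on the same host within a short window, with a low-severity note for a lone load of either. The log lines are constructed for the example, and the assumptions that the Process Explorer driver appears on disk as procexp.sys or procexp152.sys and that a 15-minute pairing window is sensible are mine, not the article's.

```python
import re
from datetime import datetime, timedelta

# Drivers the article reports AvNeutralizer abusing together.
# Assumption (not from the article): the Process Explorer driver is written
# to disk as procexp.sys / procexp152.sys; ProcLaunchMon.sys keeps its name.
DRIVER_PATTERNS = {
    "proclaunchmon": re.compile(r"\\proclaunchmon\.sys$", re.I),
    "procexp": re.compile(r"\\procexp\d*\.sys$", re.I),
}
# Assumed pairing window; tune to your environment.
PAIR_WINDOW = timedelta(minutes=15)

# Constructed Sysmon-style DriverLoad (Event ID 6) records, one per line:
# UtcTime|Computer|ImageLoaded|Signature|SignatureStatus
SAMPLE_LOG = (
    "2024-07-15 09:01:12|WS-041|C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys|Microsoft Windows|Valid\n"
    "2024-07-15 09:01:40|WS-041|C:\\Users\\Public\\PROCEXP152.SYS|Microsoft Windows Hardware Compatibility Publisher|Valid\n"
    "2024-07-15 11:20:05|WS-007|C:\\Windows\\System32\\drivers\\afd.sys|Microsoft Windows|Valid\n"
    "2024-07-15 14:02:33|WS-019|C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys|Microsoft Windows|Valid\n"
)


def parse_driver_loads(text):
    """Parse the pipe-delimited records above into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, signer, status = line.split("|", 4)
        records.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "image": image,
            "signer": signer,
            "status": status,
        })
    return records


def classify(image):
    """Return the tag of a driver of interest, or None for anything else."""
    for tag, pattern in DRIVER_PATTERNS.items():
        if pattern.search(image):
            return tag
    return None


def find_driver_pairs(records, window=PAIR_WINDOW):
    """Group loads of the two drivers per host and score them.

    A host that loads both drivers within `window` gets a high-severity
    alert; any load of either driver that is not part of such a pair gets
    a low-severity note so an analyst can check who loaded it and why.
    """
    by_host = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        tag = classify(rec["image"])
        if tag:
            by_host.setdefault(rec["host"], []).append((rec["time"], tag, rec["image"]))

    alerts = []
    for host, hits in by_host.items():
        paired = set()
        for i, (t1, tag1, img1) in enumerate(hits):
            for t2, tag2, img2 in hits[i + 1:]:
                if tag1 != tag2 and t2 - t1 <= window:
                    alerts.append({
                        "severity": "high",
                        "host": host,
                        "reason": "ProcLaunchMon.sys and Process Explorer driver loaded within %s" % window,
                        "images": [img1, img2],
                    })
                    paired.update({img1, img2})
        for _, tag, img in hits:
            if img not in paired:
                alerts.append({
                    "severity": "low",
                    "host": host,
                    "reason": "%s driver loaded without its pair; review the loading service" % tag,
                    "images": [img],
                })
    return alerts


if __name__ == "__main__":
    for alert in find_driver_pairs(parse_driver_loads(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["host"], alert["reason"])
```

The pairing is the useful signal: ProcLaunchMon.sys ships with Windows and the Process Explorer driver is legitimately loaded whenever an administrator runs Process Explorer, so either load on its own is noise, but both arriving on one host minutes apart, from a service that is neither Time Travel Debugging nor an interactive Process Explorer session, is worth a ticket.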
Another significant update concerns FIN7’s Checkmarks platform, which has been modified to include an automated SQL injection attack module for exploiting public-facing applications.
“In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks,” SentinelOne said. “Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group’s impact.”
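As an added illustration of the class of flaw such an automated SQL injection module hunts for, not code from SentinelOne's report or from FIN7's Checkmarks platform, the following Python uses an in-memory SQLite database (constructed for the example) to show a lookup that concatenates user input into a query beside its parameterized replacement, together with the boolean tautology probe a scanner uses to decide whether an endpoint is injectable. The table, rows and probe string are my own assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample database with a handful of users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's input is spliced into the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the input travels as a bound parameter, never as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def probe_injectable(conn, lookup):
    """Boolean-based check of the kind an automated scanner performs.

    A value that should match nothing is sent first as a baseline, then with
    a tautology appended. If the tautology returns more rows than the
    baseline, the input is reaching the query as SQL.
    """
    baseline = lookup(conn, "nosuchuser")
    tautology = lookup(conn, "nosuchuser' OR '1'='1")
    return len(tautology) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", probe_injectable(db, lookup_vulnerable))
    print("parameterized lookup injectable:", probe_injectable(db, lookup_parameterized))
```

The same probe run against an HTTP endpoint, with the response size or status in place of the row count, is the core of an automated injection module; the parameterized version returns nothing for the tautology because SQLite compares the whole string, quote and all, against the username column.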
Source: TheHackerNews