FIN7 Reboot - Cybercrime gang enhances ops with new EDR bypasses and automated attacks

July 2024 by SentinelLabs

FIN7, an elusive and persistent financially motivated threat group with origins in Russia, has been active since 2012. It has targeted a wide range of sectors, including hospitality, energy, finance, high-tech and retail, and has caused substantial financial losses.

Initially, FIN7 specialised in using POS (Point of Sale) malware for financial fraud. However, beginning in 2020, it shifted its focus to ransomware operations, affiliating with notorious RaaS groups such as REvil and Conti as well as launching its own RaaS programmes under the names Darkside and subsequently BlackMatter.

In SentinelLabs’ report published on 3rd November 2022, the team discussed the connection between FIN7 and the use of EDR evasion tools in ransomware attacks involving the Black Basta group. SentinelLabs’ telemetry revealed that the EDR impairment tool, which they track as "AvNeutralizer" (aka AuKill), targeted multiple endpoint security solutions and was used exclusively by Black Basta for six months. This reinforced their hypothesis that FIN7 and Black Basta might have had a close relationship.

Beginning in January 2023, a peak in the usage of updated versions of AvNeutralizer by multiple ransomware groups was observed. This suggests that the tool was no longer exclusive to Black Basta, which had shifted several TTPs since SentinelLabs’ previous report and removed AvNeutralizer from its arsenal. The researchers hypothesise that AvNeutralizer was sold on criminal underground forums, with Black Basta being one of its early buyers and adopters.
New evidence has emerged since that report, allowing the researchers to refine their understanding of the situation.

After a thorough analysis, the researchers identified multiple advertisements across various underground forums that they assess with high confidence were promoting the sale of the AvNeutralizer tool.

According to SentinelLabs’ intel, FIN7 began developing a specialised tool to tamper with security solutions in April 2022. The tool has received multiple updates, with a recent iteration including a previously unseen tampering method.
Key points:
• New evidence shows FIN7 is using multiple pseudonyms to mask the group’s true identity and sustain its criminal operations in the underground market
• FIN7’s campaigns demonstrate the group’s adoption of automated SQL injection attacks for exploiting public-facing applications
• AvNeutralizer (aka AuKill), a highly specialised tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups
• SentinelLabs has discovered a new version of AvNeutralizer that uses a technique previously unseen in the wild to tamper with security solutions, leveraging the Windows built-in driver ProcLaunchMon.sys (TTD Monitor Driver)
• Attribution efforts have expanded the researchers’ understanding of the AvNeutralizer malware family. This research offers a broader perspective than previous work, enabling better tracking of the tool’s evolution and retrospective analysis.
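The fourth key point names the driver AvNeutralizer’s newest variant relies on, ProcLaunchMon.sys, but the summary says nothing about how a defender would spot it. The point a detection engineer should take from it is that this driver ships with Windows and is Microsoft-signed, so a driver allowlist or signature check will not stop it; the hunt has to key on the driver’s name and on the service-install and driver-load events around it. The script below is an added example written for this article, not SentinelLabs’ code or a FIN7 artefact. It runs over constructed records shaped like Windows System log event 7045 (service installed) and Sysmon event 6 (driver loaded), and flags every installation or load of a file named ProcLaunchMon.sys. Three things are assumptions rather than facts from the report: that the legitimate copy lives at C:\Windows\System32\drivers\ProcLaunchMon.sys, that its legitimate use (Time Travel Debugging sessions) is rare enough on production endpoints that every load deserves triage, and that a copy loaded from any other path is worth calling out separately. The sample record loading it from %SystemRoot%\Temp exists only to exercise that last check; the article does not say the tool relocates the driver.

```python
"""Hunt Windows service-install and driver-load records for ProcLaunchMon.sys.

Added example for this article; not code from SentinelLabs or from AvNeutralizer.
"""
from dataclasses import dataclass

DRIVER_FILE = "proclaunchmon.sys"
# Assumed location of the Windows-shipped copy (lower-cased for comparison).
EXPECTED_PATH = r"c:\windows\system32\drivers\proclaunchmon.sys"

# Constructed sample records, not real telemetry: System event 7045 (a service
# was installed) and Sysmon event 6 (a driver was loaded), trimmed to the fields
# the checks below use.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "ProcLaunchMon", "ServiceType": "kernel mode driver",
     "ImagePath": r"\??\C:\Windows\System32\drivers\ProcLaunchMon.sys", "AccountName": "LocalSystem"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"EventID": 7045, "ServiceName": "Spooler", "ServiceType": "user mode service",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows"},
    # Constructed relocated copy, only to exercise the non-standard-path check.
    {"EventID": 7045, "ServiceName": "mon", "ServiceType": "kernel mode driver",
     "ImagePath": r"%SystemRoot%\Temp\ProcLaunchMon.sys", "AccountName": "LocalSystem"},
]


@dataclass
class Alert:
    event_id: int
    image: str
    reason: str


def normalize_path(path: str) -> str:
    """Reduce the path spellings seen in 7045/Sysmon records to one comparable form."""
    p = path.strip().strip('"')
    if p.startswith("\\??\\"):          # NT object-manager prefix used by service image paths
        p = p[4:]
    # Assumed expansion of the two common environment-variable spellings.
    p = p.replace("%SystemRoot%", r"C:\Windows").replace("%windir%", r"C:\Windows")
    return p.lower()


def hunt_proclaunchmon(events) -> list:
    """Return one Alert per install or load of ProcLaunchMon.sys.

    Signature fields are deliberately ignored: the driver is Microsoft-signed,
    so 'Signed: true' carries no signal here.
    """
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7045:
            image = normalize_path(ev.get("ImagePath", ""))
            if image.split("\\")[-1] != DRIVER_FILE:
                continue
            reason = f"service '{ev.get('ServiceName')}' installed for ProcLaunchMon.sys"
        elif eid == 6:
            image = normalize_path(ev.get("ImageLoaded", ""))
            if image.split("\\")[-1] != DRIVER_FILE:
                continue
            reason = "ProcLaunchMon.sys loaded into the kernel"
        else:
            continue
        if image != EXPECTED_PATH:
            reason += " from a non-standard path"
        alerts.append(Alert(eid, image, reason))
    return alerts


if __name__ == "__main__":
    for alert in hunt_proclaunchmon(SAMPLE_EVENTS):
        print(f"[{alert.event_id}] {alert.reason}: {alert.image}")
```

On a real estate the event source would be Windows Event Forwarding or an EDR’s driver-load telemetry rather than a list of dicts, and the allowlist would exclude hosts where TTD is actually in use; the matching logic stays the same.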

Conclusion
SentinelLabs’ investigation into FIN7’s activities highlights the group’s adaptability, persistence and ongoing evolution. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks.
Additionally, its development and commercialisation of specialised tools like AvNeutralizer within criminal underground forums significantly extends the group’s reach and impact.
FIN7’s continuous innovation, particularly in its techniques for evading security measures, showcases its technical expertise. The group’s use of multiple pseudonyms and its collaboration with other cybercriminal entities make attribution more challenging and demonstrate mature operational tradecraft. SentinelLabs hopes this research will inspire further efforts to understand and mitigate FIN7’s evolving tactics.
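The conclusion, like the second key point above, states that FIN7 finds its initial access through automated SQL injection against public-facing applications, but the article does not show what that automation finds or why it finds it. The following is an added example, not code from SentinelLabs or from any FIN7 tooling. It builds a throwaway SQLite database with a constructed users table, exposes the same lookup twice (once with the parameter concatenated into the SQL string, once parameterised), and then runs a scanner-style probe that sends a small payload list to each lookup and reports which payloads change the result set relative to a harmless baseline. That is the whole of what an automated injection scanner does at its core: it does not need to understand the application, only to notice that a crafted input altered the response. The table, the two payloads and the probe function are all assumptions for illustration.

```python
"""Vulnerable versus parameterised lookup, probed the way an automated SQLi scanner would.

Added example for this article; not SentinelLabs' code or a FIN7 artefact.
"""
import sqlite3

# Constructed payload list: a tautology that widens the WHERE clause, and a
# UNION that pulls schema out of sqlite_master (3 columns to match the query).
PAYLOADS = [
    "' OR '1'='1",
    "x' UNION SELECT 1, name, sql FROM sqlite_master --",
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Deliberately injectable: the caller's input becomes part of the SQL text."""
    query = f"SELECT id, name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "SELECT id, name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def probe(conn: sqlite3.Connection, lookup) -> list:
    """Return the payloads that alter the result set compared with a harmless input.

    This is the core of what an automated scanner does per parameter: send
    payloads, diff the response against a baseline, record the ones that differ.
    """
    baseline = lookup(conn, "no-such-user")
    hits = []
    for payload in PAYLOADS:
        try:
            rows = lookup(conn, payload)
        except sqlite3.Error:
            # A broken query is itself a tell for a scanner, but here only a
            # changed result set counts as a confirmed hit.
            continue
        if rows != baseline:
            hits.append(payload)
    return hits


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup, payloads that worked:", probe(db, lookup_user_vulnerable))
    print("parameterised lookup, payloads that worked:", probe(db, lookup_user_safe))
    print("schema leaked through the UNION payload:",
          lookup_user_vulnerable(db, PAYLOADS[1]))
```

Against the concatenated query both payloads register: the tautology returns every user and the UNION returns the CREATE TABLE statement from sqlite_master, which is exactly the kind of data an automated tool uses to pivot to further extraction. Against the parameterised query the same strings are just unmatched names, so the probe reports nothing. The fix is the bound parameter, not input filtering; a scanner that is run at scale will eventually find the filter that was missed.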
