FIN7 as a Case Study

Like clockwork, FIN7 again unleashed a new attack able to bypass almost every security solution. The attack, which took place between October 8 to 10, 2017, is yet another demonstration of the high-paced innovation by threat actors.

FIN7 is one of today’s most organized and sophisticated cybercrime groups, primarily known for targeting US businesses to steal payment card data. They typically use clever, customized spear-phishing lures with malicious attachments. Once an organization is infected, they move laterally across the network, using various anti-forensic techniques to evade detection. The group is closely tied to the notorious Carbanak Gang, responsible for a slew of attacks against financial institutions, although so far evidence falls short of directly equating the two.

Over the past year, Morphisec has been closely monitoring FIN7 and their targets, publishing several analyses on methods used by this group. In this report we take a broader approach, describing in detail the rapid dynamic changes and innovation over the course of the last four months.

We examine each of the component modifications in the attack chains, and show how those changes helped FIN7 evade the dynamic behavior patterns and static patterns applied by many security solutions.