FIN7 as a Case Study

Like clockwork, FIN7 again unleashed a new attack able to bypass almost every security solution. The attack, which took place between October 8 and 10, 2017, is yet another demonstration of the high-paced innovation by threat actors.

FIN7 is one of today’s most organized and sophisticated cybercrime groups, primarily known for targeting US businesses to steal payment card data. They typically use clever, customized spear-phishing lures with malicious attachments. Once an organization is infected, they move laterally across the network, using various anti-forensic techniques to evade detection. The group is closely tied to the notorious Carbanak Gang, responsible for a slew of attacks against financial institutions, although so far evidence falls short of directly equating the two.

Over the past year, Morphisec has been closely monitoring FIN7 and their targets, publishing several analyses on methods used by this group. In this report we take a broader approach, describing in detail the rapid dynamic changes and innovation over the course of the last four months.

We examine each of the component modifications in the attack chains, and show how those changes helped FIN7 evade the dynamic behavior patterns and static patterns applied by many security solutions.

Michael Gorelik, VP R&D at Morphisec and author of this report:

"The latest FIN7 campaign adds functionality to burrow deeper in the victim's network by taking over some of the Outlook information. As usual, they also modified every significant tracked component in their attack chain. The group is clearly well organized with experts in every domain, since the modifications of different components require different specialties."

"Once again, FIN7 proves that evading behavior- and static-pattern-based security solutions comes more easily than security providers would like to admit. Their rapid ability to modify old techniques and innovate new ones is alarming, and other groups are likely taking notes. I wouldn't be surprised if these kinds of attack strategies and techniques soon become commonplace. Until we change our approach to security and move towards prevention without reliance on known patterns, like Morphisec's Moving Target Defense approach, security vendors and their customers will always be playing catch up."