The DevOps cycles for most threat groups is not truly known for obvious reasons, but security analysts can track changes to tools and malware based on identified code samples found in the wild, or during an incident response. Likewise, Antimalware tools with sample submission options also help threat analysts identify when new versions of tools and malware emerge. The drive behind these changes is the same as the ones for tactical changes; the group sees what does and does not work, they identify when a tool or malware strain has run its course based on detection patterns and they respond. This is the same thing security teams do as new threats are identified for their business verticals, or to the landscape.
When threats are first noted in the wild, they are not always easy to attribute to a specific group though. So, researchers often create a new category for them until they have more information. With the Public’s short-term memory that is usually all that is remembered, the emergence of a new threat. Few pay attention to the hours (days, weeks, month) that go into devouring everything about the “new” item and trying to find where it fits in the threat landscape.
Let’s take FIN7 as a recent example. FIN7 is thought to have started their efforts sometime in 2015 with a focus on hospitality and retail in the US. They have had several high-profile attacks where they were the group that was attributed. The FBI has several articles on them that cover their tactics and who they target in August of 2018 the FBI attributed breaches of 47 companies and more than 15 million card records (from around 6,500 POS systems). They have been touted as one of the most sophisticated of the APT groups out there.
Still the group behind FIN7 has not sat back and let things stagnate. After their successes in 2015-2019 and despite the indictment of several members in 2018 and the capture and sentencing of one in 2020, they are still working to evolve and profit off their labors. Based on threat analysis they have been hard at work developing not only new tools and ways to hide their activities, but also additional partnerships to ensure a good income flow.
One staple of FIN7 is the PowerPlant backdoor. Mandiant has been monitoring its progression and has seen new versions and feature sets evolve even over the last year (2021-2022) and at times during the middle of an attack. They noted version numbers in the tool ranging from 0.012 to 0.028 showing a decent amount of development effort being put into the tool. PowerPlant can fetch different modules based on the current campaign but is often seen downloading and executing a tool called BoatLaunch. BoatLaunch is used to bypass the antimalware scan interface in the PowerShell process making it more difficult to detect the use of malicious PowerShell commands.
Another new item found with FIN7 is an unusual coincidence of FIN7 attributed intrusions followed by the ransomware attacks. Mandiant also found a link between some DARKSIDE attacks and FIN7 Tools Beacon and Beakdrop based on a code signing certificate. So, there is some connection here between the FIN7 and one or more ransomware groups. This could be a direct partnership where FIN7 provides initial access for a fee (they breach a group grab what they want/can sell and ten sell the access to the ransomware group) or another more official partnership like the one with the group behind Trickbot and Conti. Only time will tell which it is.
While the inclusion of a ransomware component does make FIN7 a bit more destructive on top of the financial and reputational damage they represent, there are still some best practices that can help in reducing the risk of attack and compromise. This is the usual litany we talk about, proper anti-malware/EDR/XDR with behavioral analysis components, proper identity management and controls, good anti-phishing tools and training for email, SMS, and voice, good vendor management, and of course proper vulnerability detection and remediation programs. If you do not already have these in place, well you should.