FIN7

Active

Also known as: FIN7, GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest

🌍

Other

Active Since

2017

MITRE ID

G0046

Techniques

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to big game hunting (BGH), including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but multiple threat groups have been observed using [Carbanak](https://attack.mitre.org/software/S0030), leading these groups to be tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)(Citation: Mandiant FIN7 Apr 2022)(Citation: BiZone Lizar May 2021)

MITRE ATT&CK Techniques

Recon2

T1591Gather Victim Org Information

T1591.004Identify Roles

Resource7

T1583.001Domains

T1608.004Drive-by Target

T1608.005Link Target

T1587.001Malware

T1588.002Tool

T1608.001Upload Malware

T1583.006Web Services

Initial4

T1195.002Compromise Software Supply Chain

T1190Exploit Public-Facing Application

T1566.001Spearphishing Attachment

T1566.002Spearphishing Link

Exec12

T1059Command and Scripting Interpreter

T1559.002Dynamic Data Exchange

T1674Input Injection

T1059.007JavaScript

T1204.002Malicious File

T1204.001Malicious Link

T1059.001PowerShell

T1053.005Scheduled Task

+4 more

Persist2

T1547.001Registry Run Keys / Startup Folder

T1543.003Windows Service

PrivEsc1

T1546.011Application Shimming

Defense15

T1553.002Code Signing

T1027.010Command Obfuscation

T1140Deobfuscate/Decode Files or Information

T1562.004Disable or Modify System Firewall

T1564.001Hidden Files and Directories

T1564.003Hidden Window

T1027.016Junk Code Insertion

T1078.003Local Accounts

+7 more

Creds1

T1558.003Kerberoasting

Discovery6

T1087.002Domain Account

T1069.002Domain Groups

T1057Process Discovery

T1082System Information Discovery

T1033System Owner/User Discovery

T1124System Time Discovery

Lateral5

T1210Exploitation of Remote Services

T1021.001Remote Desktop Protocol

T1091Replication Through Removable Media

T1021.004SSH

T1021.005VNC

Collect3

T1005Data from Local System

T1113Screen Capture

T1125Video Capture

C27

T1102.002Bidirectional Communication

T1071.004DNS

T1008Fallback Channels

T1105Ingress Tool Transfer

T1571Non-Standard Port

T1572Protocol Tunneling

T1219Remote Access Tools

Exfil1

T1567.002Exfiltration to Cloud Storage

Impact1

T1486Data Encrypted for Impact

Known Victims

live · just now

No victims recorded in ransomware.live for this group.