Threat Hunting Case Study: Uncovering FIN7 | Intel 471 Skip to content

Threat Hunting Case Study: Uncovering FIN7

Sep 10, 2024
Background

Since at least 2015, FIN7 has been one of the most persistent and capable financially motivated threat actor groups. This complex cluster of threat actors, who are centered in Eastern Europe and Russia, has been linked to payment and debit card fraud and banking malware such as Carbanak. In recent years, the group shifted to ransomware, and researchers have connected probable FIN7 activity with ransomware strains including REvil, DarkSide, BlackMatter, ALPHV, Black Basta, Maze and Ryuk. In 2018, the U.S. Department of Justice announced the arrests of three Ukrainian men accused of FIN7 activity. The indictments described how the group stole payment card data by targeting more than 100 companies, mostly in the restaurant, hospitality and gaming verticals, in 47 states. Despite this action, FIN7 continues to operate. SentinelOne published a report in July 2024 that described its continued development of the AvNeutralizer tool that is designed to disrupt endpoint, detection and response (EDR) software. The vendor noted FIN7 continues to be challenging to track due to the actors’ use of masking pseudonyms, and it remains a formidable adversary due to its development of effective, custom tools. Other names for FIN7 include GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS and Sangria Tempest. This post will illustrate how security personnel can conduct threat hunts for FIN7-related activity by drawing on tactics, techniques and procedures (TTPs) used by the group.

Effective threat hunts start with quality intelligence about previous attacks. For FIN7, we can turn to MITRE ATT&CK, which is a database of techniques and sub-techniques used to attack organizations. This information is drawn from open-source reporting from security researchers and vendors that have investigated incidents. As an example, MITRE lists enterprise technique ID T1547 as having been employed by FIN7.

Fig1

This technique relates how adversaries achieve persistence by adding a program to a startup folder or referencing it with a registry run key. MITRE ATT&CK provides useful documentation about why adversaries might use this technique. Changing the settings can allow a program to boot automatically and possibly with higher-level privileges. Both are effective ways to maintain persistence.

Further down, MITRE references other locations and registry keys that could be used to set startup folder items for persistence, such as one that controls the automatic startup of a service on boot. This behavior allows for many ways to conduct FIN7 threat hunts — and not just using the values listed there, but for different hypotheses of activity as well.

There are two citations for this activity. One is a comprehensive piece from August 2018 by Google Cloud’s Mandiant division on FIN7 activity it analyzed, and the other is a Mandiant piece from April 2017 about FIN7-related Windows shortcut file (LNK) phishing. It’s a reasonable question to ask if it is prudent to pull TTPs from reports that date to 2017 and 2018. But first, let’s look at the autostart run registry reference in the Mandiant piece about LNK phishing under the “Persistence Mechanism” heading. Mandiant writes: “Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one autostart registry entry point, pointing to the LNK file.” We can see the third item in the chart shows:

\Software\Microsoft\Windows\Current\Version\Run

Fig2

Going back to the MITRE ATT&CK matrix, here’s that exact technique. This confirms the technique was used in an attack. The references MITRE includes with the techniques are useful for drilling down into all the TTPs and behaviors that have been used in connection with a specific attack. If we choose, we can then hunt for that activity. We can also compare those TTPs with the next report to see which behaviors or TTPs have changed.

Let’s view the other Mandiant report, “On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation.” Under the heading “FIN7 Tactics, Techniques & Procedures (TTPs),” we see FIN7 establishes a foothold and persistence by using registry Run and Run Once keys. Mandiant also notes another trait of this activity, which is that New Run and RunOnce registry entries may reference .VBS and .VBA, which relate to Microsoft Visual Basic. Why can we use this years-old intelligence in current threat hunts? Because this technique is still used. It’s possible to build a threat hunt query for it with proper auditing, visibility and tools.

The reason we hunt for behaviors is because threat actors are less likely to stop using them. Behaviors are harder for adversaries to change than, say, file hashes, IP addresses or other indicators of compromise (IoCs) that are on the lower end of the Pyramid of Pain model. If we scroll down further in the Mandiant report to the “Phishing Document Droppers” section, we can see a list of file names that were used in the attack. The problem with searching for those file names now is that they’re unlikely to be reused, making them unreliable ways to search for an infection. But the behaviors will often stay the same, and this human aspect of an attack is an ideal place to focus our hunting efforts.

Now that we understand this threat actor is abusing the autorun registry location, what’s next? That’s where Intel 471’s HUNTER platform comes in. We have written hunt packages that focus on the values and various locations FIN7 typically abuses. Some of these hunt packages are available in HUNTER’s Community Edition, which users can register for free. We’ll focus on the “Autorun or ASEP Registry Key Modification” package, which is in the Community Edition, as seen in the screenshot below.

Fig3

If we scroll down to the query logic table, we can see the field-value relationship. We’re specifically looking in the registry path field or registry key name. Stating the query logic allows us to write out the field and the values we plan to hunt for. This allows us to get our thoughts on paper and show what we want to look for in a tool-agnostic way.

Fig4

Now that we understand 1) a consistent behavior of this threat actor group and 2) how to spot it, we can proceed to conduct a threat hunt. We’ve written hunt queries for this behavior for CarbonBlack Cloud - Investigate, CarbonBlack Cloud - LiveQuery, CarbonBlack Response, CrowdStrike, CrowdStrike LogScale, Elastic (for wineventlog and sysmon), Palo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk, Tanium, Tanium Signal and Trend Micro Vision One. In this hunt, we will grab the query for Splunk for a sysmon log source.

Fig5

We have hits. The first step after getting results: don’t panic. This doesn’t mean the organization has necessarily been attacked by FIN7 or any other threat actor group that uses this same technique. False positives are to be expected because there are legitimate reasons to use the capabilities of the current version or the autorun registry key locations. Analyze the results and ensure they match the logic of the query. Also, see if there's anything that matches that doesn't match the intent, but perhaps the logic does.

In these results, we see \CurrentVersion\RunOnce and we see \CurrentVersion\One.

Fig6

We can see that those values match the values in the query itself.

Fig7

Let’s focus on two computers referenced in the results: DESKTOP-2BBWW1B and DESKTOP-2BB001B. We’re also going to tweak the query by adding “values(Details) AS regDetails.” This will allow us to look at the registry key details.

The number of returned events falls from 872 to 405, and the results show all autorun registry locations. At first glance, the results don’t look fishy, although regDetails shows OneDriveSetup.exe executing, which could be either malicious or completely legitimate. One of the keys to threat hunting success is knowing what activity is expected in your environment and what isn’t. That takes time, and it also isn’t necessarily straightforward. These hunt packages are designed to take threat hunters close to the point where they can then decide if certain activity merits further investigation or, in a worst-case scenario, they should start rolling incident response. Stay safe and happy hunting.