FIN7 sells improved EDR killer tool

The cybercrime-focused enterprise known as FIN7 (aka the Carbanak group) has come up with yet another trick to ensure the effectiveness of its “EDR killer” tool, dubbed AvNeutralizer (also known as AuKill) by researchers.

By leveraging Windows’ built-in driver TTD Monitor Driver (ProcLaunchMon.sys), in conjunction with updated, Windows-trusted versions of the Process Explorer driver (procexp), the tool is able to effectively DoS some specific implementations of protected processes.
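The defensive counterpart to the technique above is to watch for the two drivers the article names being loaded close together. The following is an added example, not code from the article or from SentinelOne: a small detection heuristic run over constructed, Sysmon-style “driver loaded” records. The record layout, field names, timestamps and the sample driver file name `procexp_sample.sys` are assumptions made for this example; the only identifiers taken from the article are `ProcLaunchMon.sys` and the `procexp` driver prefix. A legitimate administrator can trigger the same pairing by running Process Explorer while Time Travel Debugging is active, so treat a hit as a triage lead rather than a verdict, and tune the window to your environment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class DriverLoad:
    """One kernel driver load event (shape assumed for this example)."""
    ts: datetime
    image: str   # full path of the loaded driver image
    signer: str  # Authenticode signer as recorded by the sensor


def driver_name(path: str) -> str:
    """Return the lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ttd_monitor(rec: DriverLoad) -> bool:
    """The built-in TTD Monitor Driver named in the article."""
    return driver_name(rec.image) == "proclaunchmon.sys"


def is_procexp_driver(rec: DriverLoad) -> bool:
    """Any Process Explorer driver; matched by prefix since versions vary."""
    return driver_name(rec.image).startswith("procexp")


def find_coload(records: List[DriverLoad],
                window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag every pair of a TTD monitor load and a Process Explorer driver
    load that occur within `window` of each other.  Each alert carries the
    paths, signers and time gap so an analyst can check whether a human was
    actually running the tools."""
    ttd = [r for r in records if is_ttd_monitor(r)]
    pex = [r for r in records if is_procexp_driver(r)]
    alerts: List[Dict] = []
    for t in ttd:
        for p in pex:
            gap = abs(t.ts - p.ts)
            if gap <= window:
                alerts.append({
                    "first_seen": min(t.ts, p.ts).isoformat(),
                    "gap_seconds": gap.total_seconds(),
                    "ttd_driver": t.image,
                    "procexp_driver": p.image,
                    "signers": sorted({t.signer, p.signer}),
                })
    return alerts


# Constructed sample: ordinary boot-time loads, then the suspicious pairing,
# then a lone TTD monitor load hours later that should not fire on its own.
SAMPLE_RECORDS = [
    DriverLoad(datetime(2023, 4, 10, 9, 0), r"C:\Windows\System32\drivers\ntfs.sys",
               "Microsoft Windows"),
    DriverLoad(datetime(2023, 4, 10, 9, 5), r"C:\Windows\System32\drivers\procexp_sample.sys",
               "Microsoft Corporation"),
    DriverLoad(datetime(2023, 4, 10, 9, 7), r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
               "Microsoft Windows"),
    DriverLoad(datetime(2023, 4, 10, 14, 0), r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
               "Microsoft Windows"),
]


def run_sample() -> List[Dict]:
    """Run the heuristic over the constructed records with the default window."""
    return find_coload(SAMPLE_RECORDS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

With the default ten-minute window the sample yields exactly one alert (the 09:05/09:07 pair); widening the window to six hours also pairs the 14:00 load, which illustrates why the window is the main tuning knob.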

“This updated version has been used in ransomware intrusions starting from April 2023, either as a packed or unprotected payload. Despite different threat actors using the tool, the packer code is identical across various usages, suggesting that FIN7 provides a shared obfuscator to their buyers within the AvNeutralizer bundle,” SentinelOne researchers say.

They spotted the tool being offered for sale on underground forums by several sellers/personas, which they suspect to be part of the FIN7 cluster. Multiple ransomware groups have been spotted using it.

Other tools and tricks employed by FIN7

The group’s attack toolbox also includes:

  • Powertrash, a PowerShell script that quietly executes malicious payloads by reflectively loading an embedded PE file in-memory
  • Diceloader, a backdoor for C2 communication (loaded in-memory by Powertrash)
  • A script that sets up an SFTP server through a reverse SSH tunnel connecting to the attacker’s server, effectively creating an SSH-based backdoor that’s used for exfiltrating files and can survive reboots
  • Core Impact, a pentesting tool leveraging commercial-grade exploits
  • Checkmarks, an automated attack system developed by FIN7 to exploit public-facing, vulnerable Microsoft Exchange servers

The Checkmarks platform exploits the ProxyShell vulnerabilities, and has an Auto-SQLi module for SQL injection attacks.

“If initial attempts are unsuccessful, the SQLMap tool scans targets for potential SQL injection vulnerabilities. This module provides remote access to the victim’s system, with FIN7 tailoring the system for seamless implementation and adaptability to various situations, thereby expanding the range of exploitable vulnerabilities,” the researchers shared.

Some of the listed tools are exclusively used by FIN7, but others are leveraged by other cyberattackers, as well.

FIN7 throughout the years

“FIN7’s continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise,” SentinelOne researchers opined.

The group’s activity goes all the way back to 2013, when they targeted banks. Since then, they also:

  • Targeted employees involved with SEC filing for their organization
  • Targeted the hospitality industry to exfiltrate financial information
  • Created fake security companies – Bastion Secure and Combi Security – to recruit IT specialists (without the recruits being aware of this) and pay them less than they would criminal-minded recruits

More recently, there have been reports of FIN7 leveraging malicious ads to deliver the NetSupport RAT on targets’ machines, and setting up over 4,000 domains that will likely be used in phishing attacks.
