ATK32 (aka FIN7) is a financially motivated group that has been active since at least 2013 and primarily targets the retail, hospitality and restaurant sectors, mainly in the U.S. It has been suggested that this is the same group as Carbanak, but it appears that these are two separate groups using similar tools, and they are therefore currently tracked separately. Its main goal is to steal financial assets from companies, such as debit card data, or to gain access to financial data or to the computers of finance department employees in order to conduct wire transfers to offshore accounts. The group often uses phishing as its main attack vector, including tailored spear-phishing campaigns. In addition, the group used a front company dubbed "Combi Security", purportedly headquartered in Russia and Israel, to provide a guise of legitimacy and to recruit hackers to join the criminal enterprise.
References
- MITRE ATT&CK, FIN7 (G0046), https://attack.mitre.org/groups/G0046/
- 07/03/2017, FireEye, FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings, https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html
- 16/03/2017, Threatpost, Fileless Malware Campaigns Tied to Same Attacker, https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/
- 24/04/2017, FireEye, FIN7 Evolution and the Phishing LNK, https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- 03/05/2017, FireEye, To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence, https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- 09/06/2017, Morphisec, FIN7 Takes Another Bite at the Restaurant Industry, http://blog.morphisec.com/fin7-attacks-restaurant-industry
- 25/07/2017, Gigamon, Footprints of FIN7: Tracking Actor Patterns (Part 1), https://atr-blog.gigamon.com/2017/07/25/footprints-of-fin7-tracking-actor-patterns-part-1/
- 26/07/2017, Gigamon, Footprints of FIN7: Tracking Actor Patterns (Part 2), https://atr-blog.gigamon.com/2017/07/26/footprints-of-fin7-tracking-actor-patterns-part-2/
- 31/07/2017, Proofpoint, FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor, https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor
- 13/10/2017, Morphisec, FIN7 Dissected: Hackers Accelerate Pace of Innovation, http://blog.morphisec.com/fin7-attack-modifications-revealed
- 01/08/2018, FireEye, On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation, https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
- 01/08/2018, WIRED, The Wild Inner Workings of a Billion-Dollar Hacking Group, https://www.wired.com/story/fin7-wild-inner-workings-billion-dollar-hacking-group/
- 01/08/2018, ZDNet, DOJ arrests three Ukrainian nationals from FIN7 cybercrime group, https://www.zdnet.com/article/doj-arrests-indicts-three-ukrainian-nationals-from-fin7-cybercrime-group/
- 21/11/2018, Morphisec, FIN7 Not Finished: Morphisec Spots New Campaign, http://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign
- 20/03/2019, Threatpost, FIN7 Ramps Up Campaigns With Two Fresh Malware Samples, https://threatpost.com/fin7-ramps-up-campaigns-with-two-fresh-malware-samples/142975/
- 20/03/2019, ZDNet, Global threat group FIN7 returns with new SQLRat malware, https://www.zdnet.com/article/global-cybergang-fin7-returns-with-new-sqlrat-malware/
- 20/03/2019, Flashpoint, FIN7 Revisited: Inside Astra Panel and SQLRat Malware, https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/
- 21/03/2019, Dark Reading, FIN7 Cybercrime Gang Rises Again, https://www.darkreading.com/analytics/fin7-cybercrime-gang-rises-again-/d/d-id/1334228
- 21/03/2019, SecurityWeek, FIN7 Hackers Use New Malware in Recent Attacks, https://www.securityweek.com/fin7-hackers-use-new-malware-recent-attacks
- 21/03/2019, SC Magazine, Despite arrests, FIN7 launched 2018 attack campaigns featuring new malware, https://www.scmagazine.com/home/security-news/despite-arrests-fin7-launched-2018-attack-campaigns-featuring-new-malware/
- 08/05/2019, Kaspersky, FIN7 hacking group targets more than 130 companies after leaders' arrest, https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest
- 08/05/2019, Securelist, FIN7.5: the infamous cybercrime rig "FIN7" continues its activities, https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
- AlienVault OTX, FIN7 pulse, https://otx.alienvault.com/pulse/59273e8d4459992879600111/