FIN7, a notorious financially motivated cybercrime group, uses multiple aliases to conceal its identity and sells advanced Endpoint Detection and Response (EDR) bypass software such as AvNeutralizer on hacking forums.
AvNeutralizer, also known as AuKill, is designed to disable security solutions and has been widely adopted by various ransomware groups.
Researchers have identified a new version of AvNeutralizer that utilises a novel technique involving the Windows ProcLaunchMon.sys, revealing deeper insights into the malware family and enhancing understanding of FIN7’s evolving tactics.
The technique creates a denial-of-service condition in protected processes, ultimately leading to a crash. The malware uses various decryption and unpacking routines to evade detection and complicate analysis. The tool has been used in ransomware intrusions involving various ransomware-as-a-service (RaaS) payloads, such as AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.
The updated version employs advanced anti-analysis techniques and uses multiple user and kernel modes to disable security solutions.
“The first usage of this tool, in intrusions detected within our telemetry, was observed in early June 2022. The tool is delivered to buyers as a customized build targeting specific security solutions requested by the buyer. While multiple samples of the tool exhibit the same code, the list of targeted process names may vary based on the attacker’s chosen build,” researchers explained.
This EDR evasion tool has been used to target multiple endpoint security solutions. Researchers have found new evidence suggesting that since January 2023, various ransomware groups have used updated versions of AvNeutralizer. This indicates that the tool is sold on underground forums such as exploit[.]in, xss[.]is, and RAMP, where its capabilities are being promoted. The pseudonyms “goodsoft,” “lefroggy,” “killerAV,” and “Stupor” have been linked to FIN7.
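As an added defender-side illustration (not code from the researchers' report or from the malware), the following correlates constructed Sysmon-style events: a load of the Windows ProcLaunchMon.sys driver followed within a few minutes by the exit of a security-agent process on the same host raises an alert, while a bare driver load does not, because the driver ships with Windows and is used by legitimate Time Travel Debugging sessions. The record format, the five-minute window and the agent process names are assumptions; since the list of targeted processes varies per build, the watchlist must come from the security products deployed in your own environment.

```python
import json
from datetime import datetime, timedelta

# Assumed watchlist of security-agent process names (placeholders, lowercase).
# Replace with the agent executables actually deployed in your environment.
WATCHED_PROCESSES = {"edr_agent.exe", "av_service.exe"}
WINDOW = timedelta(minutes=5)  # assumed correlation window

# Constructed Sysmon-style records: event 6 = DriverLoad, event 5 = ProcessTerminate.
SAMPLE_LOG = r"""
{"ts":"2024-07-17T10:00:00","host":"ws01","event":6,"image":"C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}
{"ts":"2024-07-17T10:00:12","host":"ws01","event":5,"image":"C:\\Program Files\\EDR\\edr_agent.exe"}
{"ts":"2024-07-17T11:30:00","host":"ws02","event":6,"image":"C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}
{"ts":"2024-07-17T12:15:00","host":"ws02","event":5,"image":"C:\\Program Files\\EDR\\edr_agent.exe"}
{"ts":"2024-07-17T13:00:00","host":"ws03","event":5,"image":"C:\\Program Files\\EDR\\edr_agent.exe"}
"""


def parse_events(text):
    """Parse one JSON record per line, normalise the image name, sort by time."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["name"] = rec["image"].rsplit("\\", 1)[-1].lower()
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Alert when a watched process exits within `window` of a ProcLaunchMon.sys
    load on the same host. The driver load alone is not treated as malicious."""
    alerts = []
    last_load = {}  # host -> timestamp of the most recent ProcLaunchMon.sys load
    for e in events:
        if e["event"] == 6 and e["name"] == "proclaunchmon.sys":
            last_load[e["host"]] = e["ts"]
        elif e["event"] == 5 and e["name"] in WATCHED_PROCESSES:
            loaded = last_load.get(e["host"])
            if loaded is not None and e["ts"] - loaded <= window:
                alerts.append({"host": e["host"], "driver_loaded": loaded,
                               "process_lost": e["name"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    # Only ws01 matches: ws02's agent exit is 45 minutes after the load, ws03 has no load.
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```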
FIN7’s proficiency in executing sophisticated cyberattacks is attributed to its versatile arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer. Each tool supports different attack phases, enabling FIN7 to infiltrate, exploit, persist, and evade detection.
Powertrash is a heavily obfuscated PowerShell script that reflectively loads embedded PE files in memory, allowing stealthy execution of backdoors. It has been a key component in FIN7’s intrusions. Researchers have observed the tool to be associated with various malware families, such as Carbanak.
Diceloader, also known as Lizer and IceBot, is a minimal backdoor that establishes a command and control (C2) channel, allowing attackers to control infected systems. It is typically deployed through Powertrash loaders and has been a consistent tool in FIN7’s operations.
Researchers investigated the Diceloader C2 infrastructure to uncover an open directory web server used by FIN7 for staging payloads. This server contained Powertrash loaders delivering Diceloader, along with native tools based on OpenSSH and 7zip, used to maintain persistence on compromised systems.
Researchers also discovered Core Impact, a penetration testing tool with a library of commercial-grade exploits. It enables the generation of Position Independent Code (PIC) implants delivered through Powertrash in FIN7’s campaigns.
The group has also embraced automation, developing the Checkmarks platform for large-scale exploitation of vulnerabilities in public-facing servers. This includes an Auto-SQLi module for automated SQL injection attacks, significantly expanding FIN7’s reach and efficiency.
“Our investigation into FIN7’s activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks,” the researchers concluded.