Notorious FIN7 crooks have new malicious code up their sleeves

Written by

Cybersecurity researchers have discovered two new tools used by a prolific hacking group known as FIN7, highlighting how, despite a law enforcement crackdown, the group appears to be thriving and making a lot of money in the process.

The Eastern European hacking crew, which researchers say has stolen over $1 billion from victims in recent years, is using a new “dropper” to deliver its malicious code, as well as a payload that tampers with a remote IT administration tool, cybersecurity company FireEye said Thursday.

Mandiant, FireEye’s incident response arm, discovered the new tools while responding to recent FIN7 hacks in the hospitality industry. It appears the attackers are going after their usual targets — payment card processors — to try to steal money.

“We have multiple ongoing victims and felt that, especially within the security industry, [this was information] we needed to get out there” to raise awareness, said Regina Elwell, principal threat analyst at FireEye.

One of the new FIN7 tools is designed to manipulate remote software used to manage systems in the payment card industry. The malware allows the crooks to “monitor and tamper with legitimate connections” made by the remote administration software, which is made by IT company NCR Corp, FireEye said.

Compromising the NCR Corp. client would “give the attacker really good access within the environment,” Elwell added.

Mandiant said it shared its findings with NCR Corp. The latter company did not immediately respond to CyberScoop’s request for comment.

The news is the latest sign that FIN7 is resurgent after a period of relative quiet in late 2018 and early 2019. In August 2018, the U.S. Department of Justice announced the arrest of three Ukrainian men alleged to be members of FIN7, including the group’s alleged IT administrator, Fedir Hladyr. Last month, Hladyr pleaded guilty to wire fraud in U.S. federal court.

Earlier this year, it became clear that, despite the arrests, FIN7 wasn’t going away. In March, threat intelligence company Flashpoint highlighted what it said was new, stealthy malware used by FIN7. The code allowed the attackers persistent access to a machine that they could revisit when they wanted.

“We believe the industry pressure had an impact,” Elwell told CyberScoop. “And it appears they used that time to retool.”

“If one thing isn’t working, we seem them make small changes to malware so it gets past detection,” she added.

The revelations will reverberate among U.S. law enforcement officials who closely track FIN7. Such is the efficacy of FIN7 and other financially-motivated criminal outfits that the FBI has adapted the way it handles such cases, with one field office taking the lead and another providing support.