A financially motivated threat actor known as FIN7 has been spotted using multiple aliases on several underground forums to likely promote a tool known to be used by ransomware groups such as Black Basta.
“AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to manipulate security solutions, is sold in the criminal underground and used by various ransomware groups,” cybersecurity firm SentinelOne said in a report shared with The Hacker News.
FIN7, an e-crime group of Russian and Ukrainian origin, has been a constant threat since at least 2012, shifting from an initial focus on point-of-sale (PoS) terminals to operating as a ransomware affiliate for now-defunct gangs such as REvil and Conti, before launching its own ransomware-as-a-service (RaaS) programs DarkSide and BlackMatter.
The threat actor, which also goes by the names Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), has a track record of creating shell companies like Combi Security and Bastion Secure to lure unwitting software engineers into ransomware operations under the guise of penetration testing.
Over the years, FIN7 has demonstrated a high level of adaptability, sophistication and technical expertise, retooling its malware arsenal – POWERTRASH, DICELOADER (aka IceBot, Lizar, or Tirion), and the penetration testing tool Core Impact, which is delivered via the POWERTRASH loader – notwithstanding the arrest and sentencing of some of its members.
This is evidenced by the group’s large-scale phishing campaigns to spread ransomware and other malware families by deploying thousands of “shell” domains that mimic legitimate media and technology companies, according to a recent report by Silent Push.
Alternatively, these shell domains were sometimes used in a normal redirect chain to send users to fake login pages posing as property management portals.
These typosquatted versions are advertised on search engines like Google, tricking users searching for popular software into downloading a malware-laced variant instead. Some of the targeted tools include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
It should be noted that FIN7’s use of this malvertising tactic was previously highlighted by both eSentire and Malwarebytes in May 2024, with the attack chains leading to the deployment of the NetSupport RAT.
“FIN7 leases a large number of dedicated IP addresses on a number of hosts, but primarily at Stark Industries, a popular bulletproof hosting provider that has been linked to DDoS attacks in Ukraine and across Europe,” Silent Push noted.
SentinelOne’s latest findings show that FIN7 not only used multiple personas on cybercrime forums to promote the sale of AvNeutralizer, but also improvised the tool with new capabilities.
This is based on the observation that, since January 2023, several ransomware groups have started using updated versions of the EDR impairment tool, which until then had been exclusive to the Black Basta group.
SentinelLabs researcher Antonio Cocomazzi told The Hacker News that the advertising of AvNeutralizer on underground forums should not be considered a new malware-as-a-service (MaaS) tactic adopted by FIN7 without further evidence.
“FIN7 has a history of developing and using sophisticated tools for its own operations,” Cocomazzi said. “However, selling tools to other cybercriminals can be seen as a natural evolution of their methods to diversify and generate additional income.”
“Historically, FIN7 has used underground markets to generate income. For example, the Ministry of Justice reported that since 2015, FIN7 has successfully stolen data from more than 16 million payment cards, many of which were sold on underground markets. While this was more common in the pre-ransomware era, the current advertising of AvNeutralizer may indicate a shift or expansion in their strategy.”
“This may be motivated by the increased protection that modern EDR solutions provide compared to legacy AV systems. As these defenses have improved, the demand for impairment tools like AvNeutralizer has grown significantly, especially among ransomware operators. Attackers now face tougher challenges in circumventing these defenses, which makes such tools highly valuable and expensive.”
For its part, the updated version of AvNeutralizer uses anti-analysis techniques and, most importantly, abuses a built-in Windows driver called “ProcLaunchMon.sys” in conjunction with the Process Explorer driver to tamper with security solutions and evade detection. The tool is believed to have been under active development since April 2022.
A similar version of this approach has also been put to use by the Lazarus Group, which makes it even more dangerous, as it goes beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) attack by weaponizing a vulnerable driver that is present by default on Windows machines.
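From a detection standpoint, the combination described above (a Windows built-in driver plus the Process Explorer driver being loaded on a machine where nobody is running Process Explorer) is something a SOC can look for in driver-load telemetry. The following is an added example, not code from SentinelOne or the article: it runs a simple correlation over constructed Sysmon-style events (EventID 1 process create, EventID 6 driver load). It assumes Sysmon's field names, assumes `procexp152.sys` as the Process Explorer driver's file name (the article only says "the Process Explorer driver"), and uses a 120-second correlation window chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed, Sysmon-style events (EventID 1 = process create, EventID 6 = driver load).
# Field names follow Sysmon's naming; the events themselves are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-07-17 10:00:00", "Host": "WS-01",
     "Image": "C:\\Tools\\procexp64.exe"},
    {"EventID": 6, "UtcTime": "2024-07-17 10:00:05", "Host": "WS-01",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\procexp152.sys"},
    {"EventID": 6, "UtcTime": "2024-07-17 11:30:00", "Host": "SRV-DB-02",
     "ImageLoaded": "C:\\Users\\Public\\procexp152.sys"},
    {"EventID": 6, "UtcTime": "2024-07-17 11:30:02", "Host": "SRV-DB-02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"},
    {"EventID": 6, "UtcTime": "2024-07-17 11:31:00", "Host": "SRV-DB-02",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys"},
]

# ProcLaunchMon.sys is the Windows built-in driver named in the article.
# procexp152.sys as the Process Explorer driver's file name is an assumption.
BUILTIN_DRIVER = "proclaunchmon.sys"
PROCEXP_DRIVER = "procexp152.sys"
# Image names of the legitimate Process Explorer GUI (assumption: site allowlist).
PROCEXP_PROCESSES = {"procexp.exe", "procexp64.exe"}
# A Process Explorer start this long before the driver load "explains" the load.
WINDOW = timedelta(seconds=120)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def find_suspicious_driver_loads(events):
    """Return one finding per driver load that matches the AvNeutralizer pattern.

    Rule 1: any load of ProcLaunchMon.sys is flagged for review.
    Rule 2: a Process Explorer driver load is flagged unless the Process Explorer
            GUI was started on the same host within WINDOW before the load.
    """
    procexp_starts = [
        (e["Host"], _ts(e)) for e in events
        if e["EventID"] == 1 and _basename(e["Image"]) in PROCEXP_PROCESSES
    ]
    findings = []
    for e in events:
        if e["EventID"] != 6:
            continue
        driver = _basename(e["ImageLoaded"])
        loaded_at = _ts(e)
        if driver == BUILTIN_DRIVER:
            findings.append({"host": e["Host"], "driver": e["ImageLoaded"],
                             "reason": "built-in ProcLaunchMon.sys loaded; review for EDR tampering"})
        elif driver == PROCEXP_DRIVER:
            explained = any(
                host == e["Host"] and timedelta(0) <= loaded_at - started <= WINDOW
                for host, started in procexp_starts
            )
            if not explained:
                findings.append({"host": e["Host"], "driver": e["ImageLoaded"],
                                 "reason": "Process Explorer driver loaded without the Process Explorer GUI"})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_driver_loads(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['driver']} -> {f['reason']}")
```

On the constructed input, the workstation load is explained by a preceding `procexp64.exe` start and is not reported, while the two loads on the database server (a Process Explorer driver dropped in a user-writable path, followed two seconds later by ProcLaunchMon.sys) are both returned. In production the same rule would also want the driver hash and signature fields from the event so that a renamed or repackaged driver is not missed.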
Another noteworthy update concerns FIN7’s Checkmarks platform, which has been modified to include an automated SQL injection attack module for exploiting public-facing applications.
“In its campaigns, FIN7 used automated attack techniques, targeting public servers through automated SQL injection attacks,” SentinelOne said. “Furthermore, its development and commercialization of specialized tools such as AvNeutralizer in criminal underground forums greatly enhances the group’s influence.”
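Automated SQL injection scanning of the kind attributed to the Checkmarks platform only pays off against applications that splice user input into query text. The following is an added example, not FIN7’s tooling or anything from SentinelOne’s report: it sets up a constructed in-memory SQLite table and shows the vulnerable lookup beside its parameterized replacement, plus an input allowlist as a second layer. The table, rows and username format rule are assumptions made for the example.

```python
import re
import sqlite3


def build_demo_db():
    """In-memory database with constructed sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string formatting, so a quote character in the
    input becomes SQL syntax. A tautology such as x' OR '1'='1 turns a
    single-user lookup into a dump of every row; this is exactly the class of
    flaw an automated injection module probes for."""
    sql = f"SELECT username, email FROM accounts WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterized query: the driver binds the input as a value, so it can
    never be parsed as SQL regardless of what characters it contains."""
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Assumed business rule for usernames; rejecting anything else before the query
# is a second layer, not a substitute for parameterization.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = build_demo_db()
    probe = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(conn, "alice"))
    print("vulnerable, tautology    :", lookup_vulnerable(conn, probe))
    print("hardened,   tautology    :", lookup_hardened(conn, probe))
    print("allowlist accepts probe? :", is_valid_username(probe))
```

With the vulnerable function the tautology returns all three accounts; the parameterized version returns nothing for the same string because it is compared literally against the `username` column, and the allowlist rejects it before a query is ever issued.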