FIN7
One-liner: A financially motivated cybercrime group best known for compromising point-of-sale (POS) systems in the retail, hospitality, and restaurant sectors via spear-phishing lures, later pivoting to ransomware.
🎯 What Is It?
FIN7 (also tracked as Carbon Spider, ELBRUS, and Sangria Tempest) is one of the most prolific financially motivated threat groups. Active since at least 2013, it specializes in:
- Point-of-sale (POS) system compromise for payment card theft
- Spear-phishing campaigns that deliver weaponized documents
- Ransomware operations (later campaigns deployed DarkSide/BlackMatter)
Estimated impact: the 2018 US Department of Justice indictments attributed the theft of more than 15 million payment card records from thousands of business locations; total losses are estimated in the billions of dollars.
🤔 Why It Matters
FIN7 is a prime case study for Threat Emulation because:
- Well-documented TTPs in MITRE ATT&CK
- Targets common industries (retail, hospitality)
- Demonstrates full kill chain from phishing to exfiltration
- CTID (MITRE Center for Threat-Informed Defense) publishes a ready-to-use FIN7 emulation plan
🔬 Attack Methodology
Typical Attack Chain
1. Spear-Phishing Email (malicious .docx/.rtf with an embedded .lnk object)
↓
2. User Opens Document and Launches the Embedded LNK → Script Interpreter Executes (wscript/cmd)
↓
3. Downloader Stage Retrieves Carbanak/SQLRat Payload
↓
4. Persistence via Scheduled Tasks/Registry
↓
5. Lateral Movement (Cobalt Strike, Mimikatz, RDP/PsExec)
↓
6. POS System Access → Payment Card Harvesting
↓
7. Data Exfiltration (or, in later campaigns, Ransomware Deployment)
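Worked example (added here; not code from the page, the CTID plan, or FIN7 tooling): a static triage routine for the LNK object that the lure document in steps 1-2 embeds. It parses the Shell Link header and StringData following the public [MS-SHLLINK] layout, skipping the IDList and LinkInfo blocks, and flags shortcuts whose target or arguments launch a script interpreter. The sample .lnk bytes are constructed inside the block, and the interpreter keyword list and the window-hiding heuristic are assumptions, not observed FIN7 indicators.

```python
"""Static triage of a Shell Link (.lnk), the object FIN7 lures embed in RTF/DOCX documents.

Added example, not code from the page, CTID or FIN7 tooling. Assumptions: field layout per
the public [MS-SHLLINK] spec; the sample .lnk is constructed here, not a real artifact;
the interpreter keyword list and window-hiding heuristic are illustrative.
"""
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its little-endian on-disk form
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that starts the target minimized and unfocused

# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
# Interpreters/LOLBins a document-embedded shortcut should never launch (illustrative list)
INTERPRETERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32", "regsvr32", "certutil")


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader + StringData; skip LinkTargetIDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags, attrs = struct.unpack_from("<II", data, 20)
    (show_command,) = struct.unpack_from("<I", data, 60)
    offset = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) then IDList
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:  # LinkInfoSize (4 bytes) includes itself
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    parsed = {"flags": flags, "file_attributes": attrs, "show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            parsed[name] = None
            continue
        (count,) = struct.unpack_from("<H", data, offset)  # CountCharacters, no terminator
        offset += 2
        nbytes = count * 2 if unicode else count
        parsed[name] = data[offset:offset + nbytes].decode("utf-16-le" if unicode else "cp1252")
        offset += nbytes
    return parsed


def triage_lnk(parsed: dict) -> list:
    """Return the reasons a shortcut looks like a lure; an empty list means nothing stood out."""
    reasons = []
    target = " ".join(v for v in (parsed["relative_path"], parsed["arguments"]) if v).lower()
    for name in INTERPRETERS:
        if name in target:
            reasons.append(f"launches interpreter/LOLBin: {name}")
    if re.search(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s", parsed["arguments"] or ""):
        reasons.append("passes an encoded PowerShell command")
    if parsed["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE hides the launched window")
    return reasons


def build_lnk(relative_path: str, arguments: str, show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Build a minimal Unicode .lnk carrying only RelativePath and Arguments (constructed sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack(
        "<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
        0x20,          # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,       # Creation/Access/Write FILETIMEs left zero
        0, 0,          # FileSize, IconIndex
        show_command,
        0, 0, 0, 0,    # HotKey, Reserved1, Reserved2, Reserved3
    )

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed lure: cmd.exe hands a dropped script to wscript (not a real FIN7 sample)
SAMPLE_LURE = build_lnk(r"..\..\..\Windows\System32\cmd.exe",
                        r"/c wscript //e:jscript //b %APPDATA%\note.txt")

if __name__ == "__main__":
    info = parse_lnk(SAMPLE_LURE)
    print("target:", info["relative_path"], "| args:", info["arguments"])
    for reason in triage_lnk(info):
        print("  !", reason)
```

Point this at any .lnk extracted from an attachment (for example an OLE package object carved out of an RTF) and the RelativePath/Arguments strings tell you what the double-click would run without detonating it; a real pipeline would also walk the LinkTargetIDList and LinkInfo blocks rather than skipping them.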
Key TTPs (MITRE ATT&CK)
| Tactic | Technique | FIN7 Implementation |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment (T1566.001) | RTF/DOCX lures carrying an embedded LNK object |
| Execution | User Execution: Malicious File (T1204.002) | Victim opens the document and launches the embedded object |
| Execution | Command and Scripting Interpreter: Windows Command Shell (T1059.003) | cmd.exe launches the downloader stage |
| Execution | Command and Scripting Interpreter: JavaScript (T1059.007) | Obfuscated JScript first stages run via wscript.exe |
| Persistence | Scheduled Task/Job: Scheduled Task (T1053.005) | Scheduled tasks re-launch the backdoor |
| Defense Evasion | Obfuscated Files or Information (T1027) | Heavily obfuscated script stages |
| Credential Access | OS Credential Dumping: LSASS Memory (T1003.001) | Mimikatz dumps credentials from LSASS memory |
| Lateral Movement | Remote Services (T1021) | RDP (T1021.001) and PsExec over SMB/admin shares (T1021.002) |
| Collection | Automated Collection (T1119) | Pillowmint scrapes payment card track data from POS process memory |
| Command and Control | Application Layer Protocol: Web Protocols (T1071.001) | Cobalt Strike beacons over HTTP/HTTPS |
🛠️ Tools & Malware
| Tool | Purpose |
|---|---|
| Carbanak | Backdoor for persistent remote access |
| SQLRat | Remote access tool that drops files and executes SQL scripts, with tasking delivered over a Microsoft SQL connection |
| Pillowmint | POS malware that scrapes payment card data from process memory |
| Cobalt Strike | C2 framework used for beaconing and post-exploitation |
| Mimikatz | Credential harvesting from LSASS memory |
| AdFind | Active Directory reconnaissance |
| DarkSide | Ransomware deployed in later operations |
🎯 Targeting
| Sector | Geography | Objective |
|---|---|---|
| Retail | Primarily US | Payment card theft |
| Hospitality | US, Europe | POS compromise |
| Restaurant | US | Payment card theft via POS compromise |
| (Later) Various | Global | Ransomware extortion |
🛡️ Detection & Prevention
Detection Opportunities
| Phase | Detection Approach |
|---|---|
| Phishing | Attachment sandboxing; statically parse LNK objects embedded in Office/RTF attachments |
| Execution | PowerShell script block logging (Event ID 4104); Office applications spawning cmd.exe/wscript.exe/powershell.exe (Sysmon Event ID 1, Security Event ID 4688) |
| Persistence | Scheduled task creation (Security Event ID 4698), with the task XML inspected for interpreter actions and user-writable paths |
| Credential Access | Non-allowlisted processes opening lsass.exe (Sysmon Event ID 10) with PROCESS_VM_READ in GrantedAccess |
| Lateral Movement | Anomalous RDP logons (Event ID 4624, Logon Type 10) and PSEXESVC service installs (System Event ID 7045) |
| C2 | Beacon detection (periodic HTTP/HTTPS to rare destinations), unusual URI and User-Agent patterns |
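Worked example (added here; not code from the page, the CTID plan, or any SIEM vendor): the Persistence and Credential Access rows as detection logic run over constructed event records, one pair of Security 4698 events and one pair of Sysmon 10 events. The 4698 check parses the task XML that Windows writes into TaskContent and flags `<Exec>` actions that run an interpreter or reference a user-writable path; the Sysmon 10 check flags any non-allowlisted image that opens lsass.exe with PROCESS_VM_READ. The allowlist, keyword lists, and every sample event are assumptions.

```python
"""Detection logic for two FIN7 chain phases over constructed Windows event records:
Security 4698 (scheduled task created) and Sysmon 10 (ProcessAccess against lsass.exe).

Added example, not code from the page, CTID or any SIEM vendor. Assumptions: events were
already converted to dicts keyed by the EventData field names Windows uses; the allowlist
and keyword lists are illustrative; all sample events are constructed, not real telemetry.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

PROCESS_VM_READ = 0x0010  # the access right any LSASS credential dumper needs
# Images that legitimately read LSASS memory on this hypothetical fleet; tune per environment
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def check_scheduled_task(event: dict) -> list:
    """4698: inspect each <Exec> action in the task XML for interpreters and user-writable paths."""
    # TaskContent carries a UTF-16 XML declaration; we already hold decoded text, so drop it
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", event["TaskContent"])
    root = ET.fromstring(xml_text)
    alerts = []
    for action in root.iterfind(".//t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().strip('"')
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        reasons = []
        if ntpath.basename(command).lower() in INTERPRETERS:
            reasons.append(f"action runs {ntpath.basename(command)}")
        if any(p in (command + " " + arguments).lower() for p in USER_WRITABLE):
            reasons.append("action references a user-writable path")
        if reasons:
            alerts.append({"rule": "suspicious_scheduled_task", "task": event["TaskName"],
                           "user": event["SubjectUserName"], "detail": "; ".join(reasons)})
    return alerts


def check_lsass_access(event: dict) -> list:
    """Sysmon 10: flag non-allowlisted processes opening lsass.exe with PROCESS_VM_READ."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    granted = int(event["GrantedAccess"], 16)  # Sysmon logs a hex string such as 0x1010
    if event["SourceImage"].lower() in LSASS_ALLOWLIST or not granted & PROCESS_VM_READ:
        return []
    return [{"rule": "lsass_memory_access", "source": event["SourceImage"],
             "detail": f"GrantedAccess 0x{granted:X} includes PROCESS_VM_READ"}]


def detect(events: list) -> list:
    """Route each event to the matching check and collect the alerts in input order."""
    alerts = []
    for event in events:
        if event["Channel"] == "Security" and event["EventID"] == 4698:
            alerts.extend(check_scheduled_task(event))
        elif event["Channel"].startswith("Microsoft-Windows-Sysmon") and event["EventID"] == 10:
            alerts.extend(check_lsass_access(event))
    return alerts


def _task_xml(command: str, arguments: str) -> str:
    """Constructed TaskContent in the shape Windows writes into a 4698 event."""
    return ('<?xml version="1.0" encoding="UTF-16"?>'
            '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "jdoe",
     "TaskName": r"\Microsoft\Windows\Update\SvcUpdate",
     "TaskContent": _task_xml(r"C:\Windows\System32\wscript.exe",
                              r"//e:jscript //b C:\Users\jdoe\AppData\Roaming\update.txt")},
    {"Channel": "Security", "EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Backup\Nightly",
     "TaskContent": _task_xml(r"C:\Program Files\Backup\backup.exe", "--full")},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mk.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Two design points worth carrying into a real rule set: the 4698 logic inspects the task's actions rather than its name, because a lure task can sit under \Microsoft\Windows\ with a plausible name, and the LSASS rule keys on the PROCESS_VM_READ bit rather than on exact GrantedAccess values, since dumpers vary between 0x1010, 0x1410 and 0x1FFFFF.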
Mitigations
- Block macros in Office documents from the internet and block LNK/script attachments at the mail gateway
- Application allowlisting (AppLocker/WDAC) on POS systems
- Network segmentation (isolate the POS network from the corporate network)
- Endpoint detection and response (EDR) on all endpoints, including POS hosts
- Credential hygiene (LSASS protection such as Credential Guard or RunAsPPL, credential tiering)
📋 Emulation Resources
| Resource | Link |
|---|---|
| MITRE ATT&CK | FIN7 Group Page |
| CTID Emulation Plan | FIN7 Adversary Emulation |
| ATT&CK Navigator | Pre-built FIN7 layer |
| YARA Rules | Pillowmint detection signatures |
🎤 Interview Angles
Common Questions
- "Describe a financially motivated APT and their TTPs."
- "How would you detect a FIN7-style attack?"
- "What makes FIN7 a good candidate for threat emulation?"
STAR Story
Situation: Retail organization concerned about POS system security after competitor breach.
Task: Design threat emulation based on realistic adversary for the sector.
Action: Selected FIN7 as target adversary. Used CTID emulation plan to test spear phishing detection, scheduled task persistence, and lateral movement. Collaborated with SOC to identify gaps.
Result: Discovered no alerts for malicious LNK execution or scheduled task creation. Built 5 new detection rules. Implemented POS network segmentation based on findings.
🔗 Related Concepts
- Threat Emulation
- MITRE ATT&CK
- TTPs (Tactics, Techniques, Procedures)
- Phishing
- Command and Control (C2)
- Data Exfiltration
- Atomic Red Team
📚 References
- MITRE ATT&CK, FIN7 (G0046): https://attack.mitre.org/groups/G0046/
- Mandiant, FIN7 Evolution report
- eSentire, FIN7 analysis
- CTID (Center for Threat-Informed Defense), Adversary Emulation Library: FIN7 plan