The financially motivated threat actor known as FIN7 has been observed using multiple pseudonyms across several underground forums, likely to advertise a defense evasion tool known to be used by ransomware groups such as AvosLocker, Black Basta, BlackCat, LockBit, and Trigona.
"AvNeutralizer (aka AuKill), a highly specialized tool developed by FIN7 to tamper with security solutions, has been marketed in the criminal underground and used by multiple ransomware groups," cybersecurity company SentinelOne said in a report shared with The Hacker News.
FIN7, an e-crime group of Russian and Ukrainian origin, has been a persistent threat since at least 2012, shifting gears from its initial targeting of point-of-sale (PoS) terminals to acting as a ransomware affiliate for now-defunct gangs such as REvil and Conti, before launching its own ransomware-as-a-service (RaaS) programs DarkSide and BlackMatter.
The threat actor, which is also tracked under the names Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest (formerly Elbrus), has a track record of setting up front companies like Combi Security and Bastion Secure to recruit unwitting software engineers into ransomware schemes under the pretext of penetration testing.
Over the years, FIN7 has demonstrated a high level of adaptability, sophistication, and technical expertise by retooling its malware arsenal – POWERTRASH, DICELOADER (aka IceBot, Lizar, or Tirion), and a penetration testing tool called Core Impact that's delivered via the POWERTRASH loader – notwithstanding the arrests and sentencing of some of its members.
This is also evidenced in the large-scale phishing campaigns undertaken by the group to deliver ransomware and other malware families by deploying thousands of "shell" domains that mimic legitimate media and technology businesses, according to a recent report from Silent Push.
Alternatively, these shell domains have occasionally been used in a conventional redirect chain to send users to spoofed login pages that masquerade as property management portals.
These typosquatted domains are advertised on search engines like Google, tricking users searching for popular software into downloading a malware-laced variant instead. Some of the tools targeted include 7-Zip, PuTTY, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.
It's worth noting that FIN7's use of malvertising tactics was previously highlighted by both eSentire and Malwarebytes in May 2024, with the attack chains leading to the deployment of NetSupport RAT.
"FIN7 rents a large amount of dedicated IPs on a number of hosts, but primarily on Stark Industries, a popular bulletproof hosting provider that has been linked to DDoS attacks in Ukraine and across Europe," Silent Push noted.
The latest findings from SentinelOne show that FIN7 has not only used several personas on cybercrime forums to promote the sale of AvNeutralizer, but has also improvised the tool with new capabilities.
This is based on the fact that multiple ransomware groups began using updated versions of the EDR impairment tool as of January 2023; until then, it had been used exclusively by the Black Basta group.
SentinelLabs researcher Antonio Cocomazzi told The Hacker News that the advertisement of AvNeutralizer on underground forums shouldn't be treated as a new malware-as-a-service (MaaS) tactic adopted by FIN7 without additional evidence.
"FIN7 has a history of developing and using sophisticated tools for their own operations," Cocomazzi said. "However, selling tools to other cybercriminals could be seen as a natural evolution of their methods to diversify and generate additional revenue."
"Historically, FIN7 has used underground marketplaces to generate revenue. For example, the DoJ reported that since 2015, FIN7 successfully stole data for more than 16 million payment cards, many of which were sold on underground marketplaces. While this was more common in the pre-ransomware era, the current advertisement of AvNeutralizer could signal a shift or expansion in their strategy."
"This could be motivated by the increasing protections provided by today's EDR solutions compared to previous AV systems. As these defenses have improved, the demand for impairment tools like AvNeutralizer has grown significantly, especially among ransomware operators. Attackers now face tougher challenges in bypassing these protections, making such tools highly valuable and expensive."
For its part, the updated version of AvNeutralizer employs anti-analysis techniques and, most importantly, leverages a Windows built-in driver called "ProcLaunchMon.sys" in conjunction with the Process Explorer driver to tamper with the functioning of security solutions and evade detection. The tool is believed to have been in active development since April 2022.
A similar approach has also been used by the Lazarus Group, making it even more dangerous, as it goes beyond a traditional Bring Your Own Vulnerable Driver (BYOVD) attack by weaponizing a susceptible driver already present by default on Windows machines.
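One defender-side way to surface the driver pairing described above is to correlate driver-load telemetry per host. The following is an added example, not code from the article or from SentinelOne's report: it parses constructed Sysmon Event ID 6 (DriverLoad) records and alerts only when a Process Explorer driver and ProcLaunchMon.sys load on the same host within a short window. The Process Explorer driver file name PROCEXP152.sys and the Sysmon field names are assumptions drawn from public documentation, not values taken from the article.

```python
# Added example, not from the article or SentinelOne's report: correlate
# constructed Sysmon Event ID 6 (DriverLoad) records and flag a host where a
# Process Explorer driver and ProcLaunchMon.sys load within a short window, the
# pairing the article attributes to AvNeutralizer. PROCEXP152.sys and the Sysmon
# field names are assumptions from public docs, not values taken from the article.
import json
from collections import defaultdict
from datetime import datetime, timedelta

PROCEXP_DRIVERS = {"procexp152.sys", "procexp.sys"}  # assumed file names
BUILTIN_DRIVER = "proclaunchmon.sys"                  # named in the article
WINDOW = timedelta(minutes=10)                         # tunable correlation window

# Constructed sample telemetry: one JSON-encoded Sysmon DriverLoad event per line.
SAMPLE_EVENTS = r"""
{"host":"srv01","UtcTime":"2024-07-17 10:00:05","EventID":6,"ImageLoaded":"C:\\Windows\\Temp\\PROCEXP152.sys"}
{"host":"srv01","UtcTime":"2024-07-17 10:02:40","EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}
{"host":"ws07","UtcTime":"2024-07-17 11:15:00","EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}
{"host":"ws09","UtcTime":"2024-07-17 09:00:00","EventID":6,"ImageLoaded":"C:\\Tools\\PROCEXP152.sys"}
{"host":"ws09","UtcTime":"2024-07-17 15:30:00","EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys"}
"""

def driver_name(path):
    """Lower-cased file name of a loaded driver, whatever the directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse_events(text):
    """Parse JSON lines into (host, timestamp, driver file name) tuples."""
    out = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        if ev.get("EventID") != 6:      # only DriverLoad events matter here
            continue
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        out.append((ev["host"], ts, driver_name(ev["ImageLoaded"])))
    return out

def correlate_driver_loads(events, window=WINDOW):
    """Map host -> (procexp_time, proclaunchmon_time) when both drivers loaded
    within `window` of each other. ProcLaunchMon.sys alone is a legitimate
    Windows component, so a lone load is never alerted on; only the pairing is."""
    by_host = defaultdict(list)
    for host, ts, drv in events:
        by_host[host].append((ts, drv))
    alerts = {}
    for host, loads in by_host.items():
        procexp = [t for t, d in loads if d in PROCEXP_DRIVERS]
        builtin = [t for t, d in loads if d == BUILTIN_DRIVER]
        pairs = [(a, b) for a in procexp for b in builtin if abs(a - b) <= window]
        if pairs:
            alerts[host] = min(pairs)   # earliest correlated pair
    return alerts
```

With the constructed sample, only srv01 is flagged: ws07 loads the built-in driver alone and ws09 loads both drivers hours apart, outside the window.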
Another noteworthy update concerns FIN7's Checkmarks platform, which has been modified to include an automated SQL injection attack module for exploiting public-facing applications.
"In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks," SentinelOne said. "Additionally, its development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly enhance the group's impact."