Hacker group FIN7 sells EDR evasion tools to other cybercriminals

Entrepreneurship is rife these days, even on the dark web. The paths of cyber gangs are winding and frequently involve alliances or rebrandings, but FIN7’s latest activity creates a new dynamic that defenders must monitor to reduce their exposure: a tool built to blind endpoint security is now on the open market. SentinelOne recently tracked FIN7’s activities to document its history and current transactions.

FIN7 has attacked more than 100 US companies, including household names

FIN7, a Russian-speaking, financially motivated threat group (often loosely called an APT), has a long reputation for sophisticated and persistent attacks across a range of industries. Some researchers have also suspected it of links to the operators behind the Colonial Pipeline ransomware attack. The group began around 2012 and spent years using POS (point of sale) malware to steal payment card data from the hospitality, finance, energy and retail sectors.

According to the U.S. Attorney’s Office, FIN7 hacked more than 100 U.S. businesses between 2015 and 2018, including Chipotle Mexican Grill, Chili’s, Arby’s, Red Robin and Jason’s Deli. The gang stole more than 15 million customer card records from more than 6,500 individual POS terminals at more than 3,600 separate business locations.

Russian cyber gang embraces ransomware

Around 2020 to 2021, the gang added ransomware to its repertoire. It also operated fraudulent information security companies, Combi Security and later Bastion Secure, as fronts: the cybercriminals hired genuine security practitioners who, believing they were doing legitimate penetration testing, unknowingly performed the reconnaissance and intrusion work that set up ransomware attacks.

After three known ringleaders were sent to prison, the U.S. Attorney’s Office for the Western District of Washington declared in May 2023 that “FIN7 is no longer an entity.” In late 2023, however, a major automaker was targeted with malware delivered through a malicious download posing as a free network scanning tool. BlackBerry wrote in a blog post that it attributed the attack to FIN7 with high confidence because the script used was identical to the Powertrash scripts seen in other FIN7 intrusions.


FIN7 is now reportedly selling AvNeutralizer

Events in recent years tie AvNeutralizer directly to FIN7 as its developer rather than to a separate partner group. SentinelOne found that FIN7 has been associated with “the use of EDR evasion tools (AvNeutralizer) in ransomware attacks involving the Black Basta group.” AvNeutralizer, which Sophos tracks as AuKill, is a bring-your-own-vulnerable-driver (BYOVD) tool: it loads a legitimately signed driver (the Sysinternals Process Explorer driver in the builds Sophos analysed; SentinelOne reports that later builds also abuse the Windows driver ProcLaunchMon.sys) and uses that driver’s kernel privileges to terminate or hang the processes of antivirus and EDR agents before the ransomware payload runs. Because only Black Basta was observed using the tool at first, analysts assumed it was a partnership between the two groups.

“Since early 2023, our telemetry data reveals numerous breaches involving various versions of AvNeutralizer,” SentinelOne wrote. “Approximately 10 of these are attributed to human-initiated ransomware breaches that deployed known RaaS payloads, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.”

The tool has now been linked to five different groups, making it likely that Black Basta was simply one of the first users.

Reports indicate that FIN7 is selling AvNeutralizer on Russian-language hacking forums, at prices ranging from $4,000 to $15,000. The advertisement claimed the tool took three years and $1 million to develop, and pitched it as part of a post-exploitation framework that operates inside corporate networks while remaining undetected by traditional antivirus software.
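Since the tool’s whole value is loading a signed driver to kill or hang security agents, the most useful defensive check is on kernel driver loads themselves. The following is an added example, not code from SentinelOne, Sophos or this article: it scans Sysmon Event ID 6 (DriverLoad) records exported as JSON lines and flags loads of driver names publicly reported in AuKill/AvNeutralizer tooling, drivers loaded from outside the system driver directories, and drivers without a valid signature status. The watchlist names are drawn from public reporting and the sample events are constructed for the example; the field names follow Sysmon’s DriverLoad schema.

```python
"""Flag suspicious kernel driver loads from Sysmon Event ID 6 (DriverLoad) records.

Added example; not code from SentinelOne, Sophos or the article. Watchlist names
come from public AuKill/AvNeutralizer reporting; SAMPLE_EVENTS is constructed.
"""
import json
import ntpath
from dataclasses import dataclass

# Signed-but-abusable drivers named in public AuKill/AvNeutralizer reporting.
# A load is not proof of attack (Process Explorer is a legitimate admin tool and
# ProcLaunchMon.sys ships with Windows), so every hit carries a reason string
# for the analyst rather than an automatic verdict.
WATCHLIST = {
    "procexp.sys": "Process Explorer driver (abused by AuKill to kill AV/EDR processes)",
    "procexp152.sys": "Process Explorer driver (abused by AuKill to kill AV/EDR processes)",
    "proclaunchmon.sys": "ProcLaunchMon.sys (reported in later AvNeutralizer builds)",
}

# Directories a kernel driver is normally loaded from. A driver image anywhere
# else (temp, user profile, ProgramData) is suspicious whatever its name.
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


@dataclass(frozen=True)
class Finding:
    computer: str
    image: str
    reasons: tuple


def _norm(path):
    """Lower-case and use backslashes so path checks are case/separator agnostic."""
    return path.lower().replace("/", "\\")


def assess(event):
    """Return a Finding for one Sysmon DriverLoad event, or None if nothing stands out."""
    image = event.get("ImageLoaded", "")
    low = _norm(image)
    name = ntpath.basename(low)
    reasons = []
    if name in WATCHLIST:
        reasons.append(WATCHLIST[name])
    if not any(low.startswith(d + "\\") for d in EXPECTED_DRIVER_DIRS):
        reasons.append("driver loaded from outside the system driver directories")
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status %r" % event.get("SignatureStatus", ""))
    if reasons:
        return Finding(event.get("Computer", "?"), image, tuple(reasons))
    return None


def scan(lines):
    """Parse JSON-lines Sysmon export, keep only EventID 6, return findings in order."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 6:
            continue
        f = assess(ev)
        if f:
            findings.append(f)
    return findings


# Constructed sample export (raw string, so "\\" reaches the JSON parser intact).
SAMPLE_EVENTS = r"""
{"EventID": 6, "Computer": "ws01.corp.example", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}
{"EventID": 1, "Computer": "ws01.corp.example", "Image": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 6, "Computer": "ws02.corp.example", "ImageLoaded": "C:\\Windows\\System32\\drivers\\procexp152.sys", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "srv03.corp.example", "ImageLoaded": "C:\\ProgramData\\update\\PROCEXP.SYS", "Signed": "true", "Signature": "Microsoft Windows Hardware Compatibility Publisher", "SignatureStatus": "Valid"}
{"EventID": 6, "Computer": "ws04.corp.example", "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\killer.sys", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS.splitlines()):
        print(f.computer, f.image)
        for r in f.reasons:
            print("   -", r)
```

Run against a real export, the hits worth immediate triage are those with two reasons (a watchlisted name in a user-writable path, or an unsigned driver outside the driver store); a single watchlist hit from System32\drivers still needs correlation with what happened next, such as EDR services stopping or the agent process disappearing shortly after the load.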

The Impact of FIN7’s Sale of AvNeutralizer

SentinelOne wrote that FIN7’s “development and commercialization of specialized tools like AvNeutralizer within criminal underground forums significantly increases the group’s impact.” Selling the tool means that groups with far less expertise can now disable endpoint defenses and launch sophisticated attacks quickly, and AvNeutralizer combined with the rest of FIN7’s toolset makes the group itself more dangerous than before.

“FIN7’s prowess in executing sophisticated cyberattacks relies on its versatile arsenal, which includes tools such as Powertrash, Diceloader, Core Impact, an SSH-based backdoor, and AvNeutralizer,” SentinelOne wrote. “Each of these tools supports different attack phases executed during breaches, allowing the group to nimbly infiltrate, exploit, persist, and evade detection.”

With the resurgence of FIN7 and the sale of AvNeutralizer, security teams should track the group’s current tradecraft, watch for signed-driver abuse and unexpected security-agent outages, and treat EDR tampering as an early indicator of a ransomware intrusion. Cyber gangs evolve constantly, but this development is concerning and one to watch.

Want to know how IBM X-Force can help you with incident response, threat intelligence or offensive security services? Schedule a consultation with the team.

If you experience a cybersecurity incident, contact X-Force for help: US hotline 1-888-241-9812 | Worldwide hotline (+001) 312-212-8034.
