Fin7 helps ransomware gangs with EDR bypass

SentinelOne warned that Fin7, a financially motivated threat group that has been active for more than a decade, is selling a detection evasion tool to other cybercriminals, including ransomware gangs.

In a blog post published on Wednesday, Antonio Cocomazzi, staff offensive security researcher at SentinelOne, detailed evolving tactics, techniques and procedures (TTPs) Fin7 uses to evade detection, exploit vulnerabilities to gain system access and maintain persistence in the victim environment. Cocomazzi warned that Fin7 leverages a variety of effective tools including one SentinelOne tracks as AvNeutralizer, which can now tamper with endpoint detection and response (EDR) tools.

SentinelOne believes Fin7 started developing and marketing the specialized EDR bypass tool in April of 2022. Since then, SentinelOne has connected AvNeutralizer to ransomware activity. The custom tool has received several updates too, with the most recent update including a "previously unseen tampering method," according to the blog post.

The update is one example of how Fin7 continues to become more skilled, a concerning trend on the threat landscape. "Our investigation into FIN7's activities highlights its adaptability, persistence and ongoing evolution as a threat group. In its campaigns, FIN7 has adopted automated attack methods, targeting public-facing servers through automated SQL injection attacks," Cocomazzi wrote in the blog post.

Recent threat campaigns leveraged AvNeutralizer, which Fin7 updated to take advantage of Windows built-in driver capability, a "previously unseen in the wild" technique. Cocomazzi said the customized tool ultimately leads to a denial-of-service condition on the affected system.

"It employs the TTD monitor driver ProcLaunchMon.sys, available on default system installations in the system drivers directory, in conjunction with updated versions of the process explorer driver with version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been hardened for cross process operations abuse and is currently not blocked by the Microsoft's WDAC list," the blog read.

While the tool continues to be updated, SentinelOne has observed multiple intrusions involving different versions since early 2023. The cybersecurity vendor attributed 10 of the intrusions to ransomware activity involving the AvosLocker, MedusaLocker, BlackCat and LockBit ransomware gangs. A recent Cisco Talos report also detailed ransomware groups' increasing ability to disable and evade antivirus programs and endpoint detection tools on a targeted machine.

SentinelOne believes that Fin7 likely marketed the tool on the dark web starting at $10,000, where it quickly garnered ransomware groups' attention. The Black Basta ransomware group was one of the first groups to utilize AvNeutralizer, but has since removed it from its tool belt.

"Our telemetry revealed that the EDR impairment tool, which we track as "AvNeutralizer" (aka AuKill), targeted multiple endpoint security solutions and was used exclusively by the group for six months," the blog said. "This reinforced our hypothesis that FIN7 and Black Basta might have had a close relationship."

However, beginning in January of 2023, SentinelOne observed an uptick in the usage of updated versions of AvNeutralizer by multiple gangs besides Black Basta which appeared to shift its TTPs.

Cocomazzi stressed that the ability to develop specialized tools like AvNeutralizer highlights Fin7's significant influence across the threat landscape. He told TechTarget Editorial that SentinelOne's research indicates that AvNeutralizer is designed to target a wide range of endpoint security tools. Researchers use the list of processes hardcoded in the binary to help identify potential candidates targeted by the tool.

"We have identified process names related to security solutions, including SentinelOne, as well as Windows Defender, Symantec, Sophos, Panda Security, Elastic, McAfee and Kaspersky," he told TechTarget Editorial. "It's important to note that while AvNeutralizer attempts to target these processes, SentinelOne's platform is built with anti-tampering mechanisms to protect against kernel-mode threats and counter such impairment attempts. We continuously update and enhance our security measures to stay ahead of evolving threats, ensuring robust protection for our customers."

Effective toolset

In addition to AvNeutralizer, SentinelOne discovered that Fin7 is also proficient with tools such as Powertrash, a PowerShell script that's used to evade defenses; Diceloader, which helps threat actors establish backdoors; and Core Impact, a penetration testing tool for exploitation activity that provides an SSH-based backdoor to maintain persistence in a victim environment.

"Each of these tools supports various attack phases carried out during the intrusions, allowing the group to adeptly infiltrate, exploit, persist and evade detection," the blog said.

Cocomazzi detailed previous Fin7 campaigns, including one that targeted public-facing Microsoft Exchange servers that were vulnerable to the ProxyShell exploit. He added that SentinelOne observed many attacks that exploited SQL injection flaws against public-facing servers through automated exploitation, which were primarily observed in 2022. Also in 2022, the Department of Justice sentenced a Fin7 threat actor named Denys Larmak from Ukraine, who exhibited advanced technical skills.

In addition to Fin7's toolset and adaptability, Cocomazzi emphasized the threat group's advanced techniques continue to improve.

Cocomazzi told TechTarget Editorial that Fin7 has remained active since 2012 due to its effective operational security and sophistication. For example, the group shifted from POS malware to conducting ransomware intrusions, which he said maximized financial gains based on the current threat landscape.

"Unlike typical cybercrime groups, Fin7 takes extensive measures to evade tracking by researchers and law enforcement. The group's use of multiple pseudonyms and collaboration with other cybercriminal entities complicates attribution, making it harder to track them. This approach has allowed FIN7 to continue its activities successfully despite multiple arrests of some members," Cocomazzi said.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.