Talk to us.

Want to talk to a live person about how good our product is? Send us your information.

Is FIN7 Returning to Their Roots?

It’s been months since the arrest of key figures of the Carbanak group yet the actor group continues to be a formidable adversary for the world’s top banks and other financial institutions, launching consistent campaigns against a host of targets. They continue to ramp up operational tempo and evolve the nature of their attacks.

Carbanak (aka Cobalt gang, FIN7) came to the fore of public attention in the summer of 2016 with their “jackpotting” attacks against financial institutions in Asia, which reported netted the group over $3 million dollars. Since that time, they have purportedly amassed over a billion dollars from institutions globally in the ensuing years, evolving their TTPs as they go.

More recently observed has been a tactic originally employed to pilfer payment cards from a host of North American retail victims. It has been repurposed to focus on more sophisticated spearphishing attacks targeting banking institutions and their employees.

During this evolution, analysts at HYAS have continued to use Comox’s proprietary data to monitor domain activity, successfully identifying and monitoring new C2 infrastructure as it is created. This infrastructure includes dropper domains used by their malware and additional domains employed in their spearphishing activities.

HYAS analysts also identified a unique naming convention used with a select group of email service providers that Carbanak members have historically implemented in their registration records. In the fall of 2018, while reviewing a host of magecart C2 domains, this same combination of unique naming convention and choice of service providers was identified in over 150 domains linked to magecart attacks.

There has been a tremendous amount of important work done in recent months to identify a number of groups tied to magecart activities. This proprietary and previously undisclosed email convention brings into question whether Carbanak actors may have returned to their roots, and joined the fold in pursuing this avenue of attack in stealing payment card data.