🔒Cynode Tips and Tricks (T&T) Friday
Good Friday Cynode Network!
This week's Tips & Tricks focuses on one of the most sophisticated and persistent cybercriminal groups, FIN7 (also known as Carbanak Group), and how to defend against it.
FIN7 has been behind numerous high-profile attacks targeting the financial, retail, and hospitality industries. Known for its advanced tactics, techniques, and procedures (TTPs), FIN7 has run large-scale ransomware, phishing, and malware campaigns to steal sensitive financial data.
✅ FIN7 Campaigns and Malware
FIN7 employs a range of malware in their campaigns, with Carbanak and BadRabbit being the main tools for execution.
• Carbanak Campaign: Carbanak RAT is used to infiltrate financial institutions, manipulate banking systems, and exfiltrate funds.
• BadRabbit Ransomware Campaign: Delivered via phishing emails and compromised websites, BadRabbit encrypts files and demands ransom payments.
• Phishing Campaigns: FIN7 uses spear-phishing emails to deliver Cobalt Strike or Carbanak RAT, which allow attackers to establish a persistent backdoor and gain unauthorized access.
✅ Detection Tips for FIN7 Activity
1. Suspicious Email Attachments
Watch for phishing emails with malicious Word or Excel attachments containing embedded macros or payloads like Cobalt Strike or Carbanak RAT.
IOCs:
• Carbanak: d5bfa104fdad9a60d1f6f12b7edaa4c5f1bde55faeeefcf5179709ef00ccf0de
• BadRabbit: e9bc3d4404f58f1ec3f3c1c2c3b3d35c9a3f50cdbaf1b1eb84233e62ed8004e4
2. Unusual Network Activity
Monitor outbound connections from internal systems to unknown external IP addresses, which can signal Cobalt Strike C2 communication or Carbanak exfiltration attempts.
IOCs:
• Cobalt Strike C2: 185.213.118.10
• ShellTea RDP Exploits: 178.213.211.58
• BadRabbit Malware Domain: adobeadobe.com
• Cobalt Strike C2: legitglobaldns.com
3. Lateral Movement Detection
Use EDR tools to detect signs of lateral movement within the network. EDR telemetry can pinpoint the intrusion when attackers exploit RDP weaknesses or use ShellTea to escalate privileges.
IOCs:
• Carbanak Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shell64
4. Ransomware Indicators
Watch for file changes or encryption attempts by monitoring for unusual file extensions or mass renaming, both of which indicate BadRabbit ransomware activity.
IOCs:
• BadRabbit Ransomware: C:\Windows\Temp\harshfile.exe
• Cobalt Strike: C:\Windows\Temp\beacon.dll
5. Privilege Escalation
Set alerts for unusual privilege escalation events or the creation of local administrator accounts. This could indicate an attacker’s attempt to escalate privileges to move laterally.
IOCs:
• Cobalt Strike Beacon: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\runonce
• Carbanak Persistence: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shell64
6. Abnormal User Logins
Track logins from suspicious locations or unusual times. Attackers using stolen credentials may trigger alerts for abnormal login activity.
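As an added example that is not part of the original post, the following Python script sweeps endpoint telemetry against the indicator types listed in tips 1 to 5 above (file hash, C2 IP or domain, Run-key persistence, dropped file path) and adds a behavioural rule for the mass-renaming pattern from tip 4. The indicator values are copied from this post; the event schema, host names, timestamps, the 50-renames-in-60-seconds threshold and the HKCU/HKLM alias handling are assumptions made for the example, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the post, grouped by the telemetry field they match.
IOCS = {
    "sha256": {
        "d5bfa104fdad9a60d1f6f12b7edaa4c5f1bde55faeeefcf5179709ef00ccf0de": "Carbanak",
        "e9bc3d4404f58f1ec3f3c1c2c3b3d35c9a3f50cdbaf1b1eb84233e62ed8004e4": "BadRabbit",
    },
    "dest": {  # C2 IPs and domains, checked against connection destinations
        "185.213.118.10": "Cobalt Strike C2", "178.213.211.58": "ShellTea RDP",
        "adobeadobe.com": "BadRabbit domain", "legitglobaldns.com": "Cobalt Strike C2",
    },
    "regkey": {  # Run-key persistence
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\shell64": "Carbanak persistence",
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\runonce": "Cobalt Strike Beacon",
    },
    "path": {  # dropped files
        r"C:\Windows\Temp\harshfile.exe": "BadRabbit", r"C:\Windows\Temp\beacon.dll": "Cobalt Strike",
    },
}
# Event type -> (field holding the value, IOC bucket to look it up in). Assumed schema.
EVENT_FIELDS = {"process": ("sha256", "sha256"), "network": ("dest", "dest"),
                "registry": ("key", "regkey"), "file_create": ("path", "path")}
HIVE_ALIASES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}
RENAME_THRESHOLD = 50                   # renames by one process ...
RENAME_WINDOW = timedelta(seconds=60)   # ... inside this sliding window (assumed tuning)


def normalize(kind, value):
    """Hashes, FQDNs, Windows paths and registry keys are case-insensitive, and
    sensors write the hive as HKCU/HKLM or in long form: fold both sides."""
    value = value.strip()
    if kind == "regkey":
        hive, sep, rest = value.partition("\\")
        value = HIVE_ALIASES.get(hive.upper(), hive) + sep + rest
    return value.lower()


NORMALIZED = {k: {normalize(k, i): lbl for i, lbl in t.items()} for k, t in IOCS.items()}


def match_iocs(events):
    """One alert per event whose relevant field equals a known indicator."""
    alerts = []
    for ev in events:
        field, kind = EVENT_FIELDS.get(ev["type"], (None, None))
        if field is None or ev.get(field) is None:
            continue
        label = NORMALIZED[kind].get(normalize(kind, ev[field]))
        if label:
            alerts.append({"host": ev["host"], "time": ev["time"], "rule": f"ioc:{kind}",
                           "indicator": ev[field], "label": label})
    return alerts


def rename_bursts(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Flag a process that renames >= threshold files within `window` (the
    mass-renaming pattern of tip 4); at most one alert per process."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["type"] == "file_rename":
            per_proc[(ev["host"], ev["pid"])].append(ev["time"])
    alerts = []
    for (host, pid), times in per_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "time": t, "rule": "behaviour:mass_rename",
                               "indicator": f"pid {pid}",
                               "label": f"{end - start + 1} renames in {window.seconds}s"})
                break
    return alerts


def sweep(events):
    return match_iocs(events) + rename_bursts(events)


# Constructed telemetry: one infected workstation and one file server.
T0 = datetime(2024, 1, 5, 3, 12, 0)
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-17", "time": T0,               # upper-case hash from sensor
     "sha256": "D5BFA104FDAD9A60D1F6F12B7EDAA4C5F1BDE55FAEEEFCF5179709EF00CCF0DE"},
    {"type": "network", "host": "ws-17", "time": T0 + timedelta(seconds=5), "dest": "185.213.118.10"},
    {"type": "network", "host": "ws-17", "time": T0 + timedelta(seconds=6), "dest": "update.microsoft.com"},
    {"type": "registry", "host": "ws-17", "time": T0 + timedelta(seconds=9),
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\shell64"},
    {"type": "file_create", "host": "srv-fs01", "time": T0 + timedelta(seconds=20),
     "path": r"c:\windows\temp\BEACON.dll"},
]
# 60 renames in 24 s by one process (ransomware-like), 3 by an ordinary user session.
SAMPLE_EVENTS += [{"type": "file_rename", "host": "srv-fs01", "pid": 4120,
                   "time": T0 + timedelta(seconds=30, milliseconds=400 * i)} for i in range(60)]
SAMPLE_EVENTS += [{"type": "file_rename", "host": "srv-fs01", "pid": 880,
                   "time": T0 + timedelta(minutes=2, seconds=i)} for i in range(3)]

if __name__ == "__main__":
    for a in sweep(SAMPLE_EVENTS):
        print(f"{a['time']:%H:%M:%S} {a['host']:<9} {a['rule']:<22} {a['label']} ({a['indicator']})")
```

Run as-is it reports four indicator hits on the workstation and file server plus one mass-rename alert for the process that renamed 60 files in 24 seconds; the benign connection and the three renames from the second process produce nothing. The normalization step matters in practice: a hash emitted in upper case, a path with different casing, or a Run key logged as `HKCU\...` instead of `HKEY_CURRENT_USER\...` would otherwise slip past an exact string comparison. A hash, IP, domain, path or registry match against this list is a high-confidence signal on its own, while the rename-burst threshold is a starting point that should be tuned against the normal behaviour of backup, sync and indexing software on each file server.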
✅ Why This Matters:
Understanding FIN7's campaigns, malware, TTPs, and IOCs helps organizations defend against these sophisticated threats. This post outlines key indicators across their known infrastructure.
By matching detection tips with indicators of compromise, teams can quickly identify and stop FIN7 attacks. Regular monitoring of network traffic, email activity, and file integrity is essential for early detection.
Want to learn more? Contact us here: https://cynode.com/get-in-touch