FIN7 IOCs – Mandiant Identifies New POWERPLANT Samples

0

Mandiant Threat researchers have compiled a report on FIN7 activities from late 2021 to mid-2022, adversary continues to be very active, evolving, and trying new monetization methods. FIN7 continued to leverage PowerShell throughout their intrusions, including in a new backdoor called POWERPLANT, which FIN7 has continually developed over the last two years. Another new development is the evolution of the Birdwatch downloader, which has two variants now, named Crowview and Fowlgaze.


Evolution of Toolset Over Time

The PowerShell backdoor known as PowerPlant, which has been associated with FIN7 for years now, is still being developed into new variants, as Mandiant has identified version numbers ranging from 0.012 to 0.028.

In some intrusions, FIN7 was observed tweaking the functionality and adding new features to PowerPlant, and deploying the new version in the middle of the operation.

According to Mandiant, PowerPlant has replaced Loadout and Griffon in 2022 operations, while the Carbanak and Diceloader malware have also taken a back seat. During deployment, PowerPlant fetches different modules from the C2 server, so the resulting set of capabilities varies. Two of the most commonly deployed modules are named Easylook and Boatlaunch.

Easyloook is a reconnaissance utility that FIN7 has used for at least two years to capture network and system information details like hardware, usernames, registration keys, operating system versions, domain data, etc.

AMSI (antimalware scan interface) is a built-in Microsoft tool that helps detect malicious PowerShell execution, so Boatlaunch is there to help prevent that. Mandiant has spotted both 32-bit and 64-bit module versions.

Another new development is the evolution of the Birdwatch downloader, which has two variants now, named Crowview and Fowlgaze. Both variants are .NET-based, but contrary to Birdwatch, they feature self-deletion capabilities, come with embedded payloads, and support additional arguments.

Like Birdwatch, these new variants support retrieving payloads over HTTP and continue to offer basic reconnaissance operations that tell FIN7 what processes run on the system, what the network configuration is, and what web browser is used.

FIN7 and Ransomware

In at least two incident response engagements in 2020, FIN7 intrusion activities were recognized before ransomware encryption, including the utilization of MAZE and RYUK. Comparatively, in 2021, Mandiant ascribed dynamic FIN7 interruption action during an occurrence reaction commitment including ALPHV ransomware. In this large number of cases, the ransomware organization is presently credited with independently followed danger bunches because of variables of the examination and our visibility.

“In addition to evidence produced from intrusion data, secondary artifacts suggest FIN7 played a role in at least some DARKSIDE operations,” says Mandiant

“A low global prevalence code signing certificate used by FIN7 in 2021 to sign BEACON and BEAKDROP samples were also used to sign multiple unattributed DARKSIDE samples recovered in the wild.”

The specifically mentioned code signing certificate used by FIN7 contained the SSL subject common name of “OASIS COURT LIMITED

Indicators of Compromise (IOCs)

IndicatorNotes
0c6b41d25214f04abf9770a7bdfcee5dBOATLAUNCH 32bit
21f153810b82852074f0f0f19c0b3208BOATLAUNCH 64bit
02699f95f8568f52a00c6d0551be2de5POWERPLANT
0291df4f7303775225c4044c8f054360POWERPLANT
0fde02d159c4cd5bf721410ea9e72ee2POWERPLANT
2cbb015d4c579e464d157faa16994f86POWERPLANT
3803c82c1b2e28e3e6cca3ca73e6cce7POWERPLANT
5a6bbcc1e44d3a612222df5238f5e7a8POWERPLANT
833ae560a2347d5daf05d1f670a40c54POWERPLANT
b637d33dbb951e7ad7fa198cbc9f78bcPOWERPLANT
bce9b919fa97e2429d14f255acfb18b4POWERPLANT
d1d8902b499b5938404f8cece2918d3dPOWERPLANT
edb1f62230123abf88231fc1a7190b60POWERPLANT
findoutcredit[.]comPOWERPLANT C2
againcome[.]comPOWERPLANT C2
modestoobgyn[.]comPOWERPLANT C2
myshortbio[.]comPOWERPLANT C2
estetictrance[.]comPOWERPLANT C2
internethabit[.]comPOWERPLANT C2
bestsecure2020[.]comPOWERPLANT C2
chyprediction[.]comPOWERPLANT C2
d405909fd2fd021372444b7b36a3b806POWERTRASH Cryptor & CARBANAK Payload
122cb55f1352b9a1aeafc83a85bfb165CROWVIEW (BIRDWATCH/JssLoader Variant)
domenuscdm[.]comCROWVIEW/LOADOUT C2
936b142d1045802c810e86553b332d2dLOADOUT
23e1725769e99341bc9af48a0df64151LOADOUT
4d56a1ca28d9427c440ec41b4969caa2LOADOUT
50260f97ac2365cf0071e7c798b9eddaLOADOUT
spontaneousance[.]comLOADOUT C2
fashionableeder[.]comLOADOUT C2
incongruousance[.]comLOADOUT C2
electroncador[.]comLOADOUT C2
6fba605c2a02fc62e6ff1fb8e932a935BEAKDROP
49ac220edf6d48680f763465c4c2771eBEACON
astara20[.]comBEACON C2
coincidencious[.]comBEACON C2
52f5fcaf4260cb70e8d8c6076dcd0157Trojanized installer containing Atera Agent
78c828b515e676cc0d021e229318aeb6WINGNIGHT
70bf088f2815a61ad2b1cc9d6e119a7fWINGNIGHT
4961aec62fac8beeafffa5bfc841fab8FLYHIGH

Source : Mandiant / bleeping Computer


LEAVE A REPLY

Please enter your comment!
Please enter your name here