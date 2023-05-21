The notorious cybercrime group known as FIN7 has been observed distributing Cl0p ransomware (also known as Clop), marking the group's first ransomware campaign since it went quiet towards the end of 2021.

Microsoft, which detected the activity in April 2023, is tracking the financially motivated actor under its new naming taxonomy as Sangria Tempest.

What do FIN7 experts say?

“In these recent attacks, Sangria Tempest uses the POWERTRASH PowerShell script to load the post-exploitation tool Lizar and gain a foothold in a target network,” said the Microsoft Threat Intelligence team, adding, “Then they use OpenSSH and Impacket to move laterally and distribute Clop ransomware.”
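The chain Microsoft describes (an obfuscated PowerShell loader, then Impacket for lateral movement) leaves artifacts in process-creation telemetry that a defender can hunt for. The following is an added example written for this article, not detection content from Microsoft, WithSecure or any named vendor: it runs three illustrative rules over constructed Sysmon-style process-creation events. The Impacket rules key on the well-known default artifacts of wmiexec.py (a cmd.exe child of WmiPrvSE.exe redirecting output to \\127.0.0.1\ADMIN$\__<timestamp>) and smbexec.py (a services.exe child writing \\127.0.0.1\C$\__output via %TEMP%\execute.bat). The PowerShell rule is a generic "long encoded command" heuristic and is not a signature for POWERTRASH; the hostnames, paths and thresholds are assumptions for the example.

```python
import re

# Constructed Sysmon Event ID 1-style process-creation events (not real telemetry).
# ws01/srv02/ws03 carry the artifacts the rules below look for; ws04 is benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1684650000.12 2>&1"},
    {"host": "srv02", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": (r"C:\Windows\System32\cmd.exe /Q /c echo dir ^> \\127.0.0.1\C$\__output 2^>^&1 "
                 r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat")},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # 600 characters of base64 alphabet stand in for an encoded loader blob.
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + "QQ" * 300},
    {"host": "ws04", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
]

# wmiexec.py default: output redirected to \\127.0.0.1\ADMIN$\__<time.time()>.
WMIEXEC_RE = re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d")
# smbexec.py default: \\127.0.0.1\C$\__output written through %TEMP%\execute.bat.
SMBEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output|%TEMP%\\execute\.bat", re.I)
# Generic heuristic (assumed threshold): -e/-ec/-enc/-encodedcommand followed by
# a base64 blob of 400+ characters. Not a POWERTRASH signature.
ENC_PS_RE = re.compile(r"(?i)\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{400,})")


def is_wmiexec(ev):
    """cmd.exe spawned by the WMI provider host with the wmiexec output redirect."""
    return (ev["parent"].lower().endswith("wmiprvse.exe")
            and WMIEXEC_RE.search(ev["cmdline"]) is not None)


def is_smbexec(ev):
    """Service-launched command line carrying the smbexec batch/output artifacts."""
    return (ev["parent"].lower().endswith("services.exe")
            and SMBEXEC_RE.search(ev["cmdline"]) is not None)


def is_encoded_powershell(ev):
    """powershell.exe launched with a long encoded command (loader-like)."""
    return (ev["image"].lower().endswith("powershell.exe")
            and ENC_PS_RE.search(ev["cmdline"]) is not None)


RULES = {
    "impacket_wmiexec": is_wmiexec,
    "impacket_smbexec": is_smbexec,
    "encoded_powershell_loader": is_encoded_powershell,
}


def detect(events):
    """Return (host, rule_name) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, predicate in RULES.items():
            if predicate(ev):
                hits.append((ev["host"], name))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

The Impacket rules are deliberately narrow: they match the tool defaults, which an operator can change by editing the script, so treat them as high-confidence but low-coverage and pair them with broader checks (unexpected cmd.exe children of WmiPrvSE.exe or services.exe regardless of command line). The encoded-PowerShell heuristic is the opposite, noisy in environments with legitimate encoded scripts, so it belongs in a hunt query rather than an alert.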

FIN7 (also known as Carbanak, ELBRUS and ITG14) has been linked to other ransomware families such as Black Basta, DarkSide, REvil and LockBit, and has also acted as a precursor for Maze and Ryuk ransomware attacks.

Active since at least 2012, the group has a track record of attacks against a wide range of organizations, spanning software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation and utilities.

Another notable tactic of the group is its pattern of setting up fake security companies, such as Combi Security and Bastion Secure, to recruit employees to carry out ransomware attacks and other operations.

Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang are using a new piece of malware called Domino that was developed by FIN7.

FIN7’s use of POWERTRASH to deliver Lizar (also known as DICELOADER or Tirion) was also documented by WithSecure a few weeks ago, in connection with attacks that exploited a high-severity flaw in Veeam Backup & Replication software (CVE-2023-27532) to gain initial access.

The latest development signals FIN7’s continued reliance on various ransomware families to target victims, part of a change in its monetization strategy from payment card data theft to extortion.