{ "type": "bundle", "id": "bundle--36b989bc-9e59-45d2-8998-64a5ba4da37f", "spec_version": "2.0", "objects": [ { "modified": "2023-03-22T03:51:04.185Z", "name": "FIN7", "description": "[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)", "aliases": [ "FIN7", "GOLD NIAGARA", "ITG14", "Carbon Spider" ], "x_mitre_deprecated": false, "x_mitre_version": "2.2", "x_mitre_contributors": [ "Edward Millington" ], "type": "intrusion-set", "id": "intrusion-set--3753cc21-2dae-4dfb-8481-d004e74502cc", "created": "2017-05-31T21:32:09.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0046", "external_id": "G0046" }, { "source_name": "Carbon Spider", "description": "(Citation: CrowdStrike Carbon Spider August 2021)" }, { "source_name": "FIN7", "description": "(Citation: FireEye FIN7 March 2017) (Citation: FireEye FIN7 April 2017) (Citation: Morphisec FIN7 June 2017) (Citation: FireEye FIN7 Shim Databases) (Citation: FireEye FIN7 Aug 2018)" }, { "source_name": "GOLD NIAGARA", "description": "(Citation: Secureworks GOLD NIAGARA Threat Profile)" }, { "source_name": "FireEye CARBANAK June 2017", "description": "Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" }, { "source_name": "FireEye FIN7 April 2017", "description": "Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" }, { "source_name": "FireEye FIN7 Aug 2018", "description": "Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" }, { "source_name": "Secureworks GOLD NIAGARA Threat Profile", "description": "CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.", "url": "https://www.secureworks.com/research/threat-profiles/gold-niagara" }, { "source_name": "FireEye FIN7 Shim Databases", "description": "Erickson, J., McWhirt, M., Palombo, D. (2017, May 3). To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. Retrieved July 18, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html" }, { "source_name": "Morphisec FIN7 June 2017", "description": "Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.", "url": "http://blog.morphisec.com/fin7-attacks-restaurant-industry" }, { "source_name": "ITG14", "description": "ITG14 shares campaign overlap with [FIN7](https://attack.mitre.org/groups/G0046).(Citation: IBM Ransomware Trends September 2020)" }, { "source_name": "CrowdStrike Carbon Spider August 2021", "description": "Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.", "url": "https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" }, { "source_name": "FireEye FIN7 March 2017", "description": "Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.", "url": "https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" }, { "source_name": "IBM Ransomware Trends September 2020", "description": "Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.", "url": "https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_domains": [ "enterprise-attack", "ics-attack" ], "x_mitre_attack_spec_version": "3.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }