4000+ Domains Used By FIN7 Actors Mimic Popular Brands

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


Russian-linked FIN7 (aka Sangria Tempest, ATK32, Carbon Spider, Coreid, ELBRUS, G0008, G0046, and GOLD NIAGARA) is a financially motivated cybercrime group that has been active since 2013 and specifically targets US industries.

To compromise its targets, it uses spear phishing, ransomware, malicious browser extensions, and drive-by compromises.

Even after repeated attempts to bring them down, they have managed to keep operating, mainly through the theft of data and credit card information.

Cybersecurity researchers at Silent Push recently identified that more than 4000 domains used by FIN7 actors have been mimicking popular brands.


FIN7 Actors Mimic Popular Brands

FIN7 is a group of hackers largely based in Russia, made up of more than 70 individuals working in various departments.

They have been involved in elaborate cyber attacks before and continue to pose a major risk to global security.

Despite that history of disruption, the group remains active, as shown by current observations from both Microsoft Threat Intelligence and Silent Push.

The group has kept the same TTPs: spear-phishing campaigns that use shell domains to impersonate various legitimate companies.

The new domain cybercloudsec[.]com shares similarities with one of FIN7's previous front businesses, Combi Security, which indicates that the group is still operational despite some of its members having been arrested.

To target famous brands, FIN7 employs a complex strategy of turning shell domains into phishing sites.

These domains serve morphing content aimed at particular users and are often linked to other, similar domains.

RMS Cloud portal phishing page (Source – Silent Push)

The group deploys redirects and multistage phishing campaigns, and sometimes impersonates legitimate-looking open directories that may host potentially harmful files.

Open directory (Source – Silent Push)

FIN7 does this elusively by targeting a range of brands, such as tech firms, financial industry players, and property management systems.

It relies on bulletproof hosts like Stark Industries with dedicated IPs. In some cases, the MSIX malware is spread via Google ads with a pop-up that says "Requires Browser Extension".

For example, their tactics include abusing technology platforms such as SAP Concur and Microsoft SharePoint, as well as developer tools.

Investigation of a sample, LexisNexis.msix, revealed that the malware is designed to target domain-joined machines in order to gain administrative rights or access to Active Directory accounts.

This includes opening the real website as a diversion and checking Active Directory membership. After the phishing stage has run, a NetSupport RAT is deployed for remote administration.

The researchers created two dedicated IOFA feeds listing all the FIN7 domains and IPs.

This data can be exported in different formats or accessed through an API.

Apart from that, a TLP:AMBER report is being developed for enterprise customers.

The report contains the queries, lookups, and scans used to identify FIN7 infrastructure, including private parameters omitted from public disclosure for security reasons.

IOFAs

  • 103.113.70[.]142
  • 103.35.191[.]28
  • 89.105.198[.]190
  • 2024sharepoint[.]lat
  • accountverify.business-helpcase718372649[.]click/
  • affinitycloudenergy[.]com
  • americangiftsexpress[.]com
  • androiddeveloperconsole[.]com
  • app.rmscloud[.]pro
  • app-trello[.]com
  • ariba[.]one
  • autodesk[.]pm
  • bloomberg-t[.]com
  • book.louvre-ticketing[.]com
  • concur[.]cfd
  • concur[.]pm
  • concur[.]re
  • concuur[.]com
  • costsco1[.]com
  • cybercloudsec[.]com
  • cybercloudsecure[.]com
  • dr1ve[.]xyz
  • driv3[.]net
  • driv7[.]com
  • escueladeletrados[.]com
  • ggooleauth[.]xyz
  • go-ia[.]info
  • go-ia[.]site
  • harvardyardcollection[.]com
  • hcm-paycor[.]org
  • https-twitter[.]com
  • hotnotepad[.]com
  • identity-wpengine[.]com/session_id/login/
  • kun-quang-api.lordofscan[.]pro/LoginProcess/api/login_submit
  • lexisnexis[.]day
  • ln[.]run/supportcenterbusiness
  • louvre-event[.]com
  • louvrebil[.]click
  • miidjourney[.]net
  • multyimap[.]com
  • netepadtee[.]com
  • netfiix-abofrance[.]com
  • onepassreglons[.]com
  • paris-journey[.]com
  • paybx[.]world
  • quicken-install[.]com
  • redfinneat[.]com
  • restproxy[.]com
  • rupaynews[.]com
  • techevolveproservice[.]com
  • themetasupporrtbusiness.nexuslink[.]click
  • themetasupporrtbusiness.nexuslink[.]click/
  • thomsonreuter[.]info
  • tredildlngviw[.]shop
  • tredildlngviw[.]xyz
  • treidingviw-web[.]lol
  • treidingviw-web[.]shop
  • treidingviw-web[.]xyz
  • trezor-web[.]io
  • trydropbox[.]com
  • wal-streetjournal[.]com
  • webex-install[.]com
  • westlaw[.]top
  • womansvitamin[.]com
  • wpenglneweb[.]com
  • www.tivi2[.]com
  • www.wpenglneweb[.]com
  • xn--manulfe-kza[.]com
  • xn--bitwardn-h1a[.]com
  • zoomms-info[.]com
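The list above is defanged (`[.]`), mixes IPs, domains and full URLs, and includes two punycode (`xn--`) domains whose real glyphs only appear after decoding. The following script is an added example for this article, not Silent Push code or part of their feeds: it refangs each indicator, classifies it, decodes IDNA labels, and scores every host against a brand watchlist so a defender can see which brand a lookalike shell domain is mimicking (the concern raised in the "shell domains into phishing sites" passage above). The watchlist, the digit-to-letter fold, the similarity threshold and the small indicator subset are all constructed assumptions for illustration; a real deployment would use the organisation's own vendor list and the full feed.

```python
"""Refang, classify and brand-match defanged FIN7 indicators.

Added example for this article, not Silent Push code. The brand watchlist,
the fold table, the threshold and SAMPLE_IOFAS are constructed for illustration.
"""
import ipaddress
import unicodedata
from difflib import SequenceMatcher

# Constructed subset of the indicators listed in the article (defanged form).
SAMPLE_IOFAS = [
    "103.113.70[.]142",
    "app.rmscloud[.]pro",
    "concuur[.]com",
    "identity-wpengine[.]com/session_id/login/",
    "xn--manulfe-kza[.]com",
    "xn--bitwardn-h1a[.]com",
    "wpenglneweb[.]com",
]

# Brands named in the article; a real watchlist would be the org's own vendors.
BRAND_WATCHLIST = ["concur", "wpengine", "manulife", "bitwarden", "rmscloud", "sharepoint"]

# Constructed fold: digits commonly used as letter look-alikes in lookalike domains.
_LOOKALIKE_FOLD = str.maketrans("013457", "oieast")


def refang(indicator):
    """Turn 'example[.]com' back into 'example.com' (also restores hxxp)."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def classify(indicator):
    """Return (kind, host) where kind is 'ip', 'url' or 'domain'."""
    value = refang(indicator)
    host = value.split("/", 1)[0]
    try:
        ipaddress.ip_address(host)
        return "ip", host
    except ValueError:
        pass
    return ("url" if "/" in value else "domain"), host


def decode_labels(host):
    """Decode IDNA (xn--) labels so homoglyph domains show their real glyphs."""
    out = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        out.append(label)
    return ".".join(out)


def fold(label):
    """Strip diacritics and map digit look-alikes to letters for comparison only."""
    ascii_form = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_form.lower().translate(_LOOKALIKE_FOLD)


def nearest_brand(host, watchlist=BRAND_WATCHLIST):
    """Score the host's non-TLD labels (and hyphen tokens) against the watchlist.

    Returns (brand, score); a substring hit scores 1.0, otherwise a difflib ratio.
    """
    best = ("", 0.0)
    candidates = set()
    for label in decode_labels(host).lower().split(".")[:-1]:
        folded = fold(label)
        candidates.add(folded)
        candidates.update(folded.split("-"))
    for brand in watchlist:
        for cand in candidates:
            if not cand:
                continue
            score = 1.0 if brand in cand else SequenceMatcher(None, brand, cand).ratio()
            if score > best[1]:
                best = (brand, score)
    return best


def triage(indicators=SAMPLE_IOFAS, threshold=0.7):
    """Refang each indicator, classify it and, for hosts, name the brand it mimics."""
    report = []
    for raw in indicators:
        kind, host = classify(raw)
        entry = {"indicator": refang(raw), "kind": kind, "host": host}
        if kind != "ip":
            brand, score = nearest_brand(host)
            entry["decoded"] = decode_labels(host)
            entry["mimics"] = brand if score >= threshold else None
            entry["score"] = round(score, 3)
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in triage():
        print(entry)
```

The `mimics` field is a triage aid, not a verdict: the digit fold and a 0.7 ratio will produce false positives on legitimate names, so treat a hit as a reason to pivot into the feed and your own DNS/proxy logs rather than as an automatic block. Decoding the punycode labels matters because `xn--manulfe-kza[.]com` renders as `manulîfe.com` and `xn--bitwardn-h1a[.]com` as `bitwardén.com`, which is what a user sees in the address bar.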
