
COOPERATION BETWEEN FIN7 AND RYUK GROUP

Executive Summary

This summer, Truesec observed an attacker using FIN7 tools and techniques (including the CARBANAK RAT) to take over a corporate network. In a follow-up attack approximately six weeks later, this foothold was used to deploy RYUK ransomware on the victim's network.

This attack marks the first time Truesec has observed FIN7 tools combined with RYUK ransomware, indicating that FIN7's attack pattern has changed. Until now, FIN7 has not been associated with ransomware attacks. It also shows that the cooperation between FIN7 and the RYUK group (also known as WIZARD SPIDER or FIN6) is closer than Truesec previously knew.

FIN7 may simply be selling access to the RYUK group, but FIN7 and WIZARD SPIDER may have a closer connection and may belong to the same organized network.

Introduction 

Threat actors continue to evolve and change their methods. FIN7 is a financially motivated threat group that, since mid-2015, has targeted the retail, restaurant and hospitality industries. It is known for using the CARBANAK RAT in phishing and point-of-sale attacks.

This summer, Truesec observed an attacker using FIN7 tools and techniques (including the CARBANAK RAT) to take over a corporate network. Later, this foothold was used to deploy RYUK ransomware on the victim's network.

This attack marks the first time Truesec has observed FIN7 tools combined with RYUK ransomware, indicating that FIN7's attack pattern has changed. Until now, FIN7 has not been associated with ransomware attacks.

Given that ransomware has become the preferred technique for financially motivated attacks, it is not surprising that FIN7 has also turned to ransomware. The attack also shows that FIN7 is now cooperating with the RYUK group (also known as WIZARD SPIDER or FIN6) in financially motivated attacks.

The first two stages of the attack, up to the point where the attacker had taken control of the network, bore the clear hallmarks of the criminal threat actor FIN7. The JavaScript backdoor, its installation method and the CARBANAK RAT are all tools attributed to FIN7. Once in control of the network, the attacker did not, at this stage, attempt to identify assets in the network.

Approximately six weeks after the initial breach, the next phase began: data was stolen and ransomware was deployed. This part of the attack was carried out using tools and techniques attributed to the RYUK ransomware group (also known as WIZARD SPIDER or FIN6), and from infrastructure entirely separate from that used in the initial FIN7 stage.

The progression of the attack clearly showed that the different stages were carried out by different teams. FIN7 may now be focusing on gaining access and then handing over to the RYUK team, which deploys the ransomware.

This shows that the cooperation between FIN7 and the RYUK group is closer than Truesec previously knew. FIN7 may simply be selling access to the RYUK group, but the connection between the two groups may be stronger than that. The RYUK group is known to use affiliates to gain footholds for its ransomware attacks.

It therefore now appears that FIN7 and WIZARD SPIDER may both be part of the same large organized network.

IOCs

dmnadmin[.]com
sendbits.m2stor4ge[.]xyz
myrric-uses.singlejets[.]com
besaintegration[.]com
sephardimension[.]com

45.11.180.14
45.11.180.76
45.11.180.83
45.91.93.89
46.166.161.104
46.166.161.159
170.130.55.85
185.163.45.185
185.212.44.231
185.212.47.100
193.178.169.203
194.76.225.76
194.76.225.77
194.76.225.78
194.76.225.79
194.76.226.202
195.2.93.17

MD5
166686d538ec9a0e0550347149aac4cc
bded054d3176eefeedb4470df9ee4716
9836248a42ff7fa89ae8d6d849d361f7
0c392bc26565bdd41b7a663efd60bf0c
1643b85e7f459c6ffe1e5ab9ebb53f93

SHA1
e50b973d43a77d7a2c1bf56e22d64d168ee8c170
27588165c1235dc41214195030d5620091d41261
5d75b53aedf4111959106ed73ea6488ce2edbe8e
fbf16fab3ca49ea2562a8eefcb90e8249380fcb5
3e42d07d89ef8d66b9a60664a53cbe7ae423c11c

SHA256
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7
53430abd76a5cfcfada4962cd8925b2e32620c44a8863b445ba145f42dbfea64
d9a6dd7216faafc65d419d09b6b7b5ddf24991a1f65f23113dde40d4936eea55
363775ec196dc5f5c435068b4237c42c2038bd15ef40fd453fa1f49c827bdaf2
8141f47a1ee8453ac01daacb16cab2d18b37a9045edc5f20c9019d4327576704
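The indicators above are published defanged (`[.]` in place of `.`) and with inconsistent hash casing, so they cannot be pasted straight into a matcher. The following is an added example, not Truesec's own tooling: it refangs the indicators, buckets them by type (IP, domain, MD5/SHA1/SHA256 by length), and scans log lines for hits, matching a queried FQDN against any parent domain on the list so that a subdomain of a listed domain is still caught. The indicator subset is copied from the IOC section; the log lines are constructed for illustration and are not from the incident.

```python
"""Match the FIN7/RYUK IOCs above against log lines.

Added example (not Truesec's code). Indicators below are a subset copied from
the IOC section; the sample log lines are constructed, not real telemetry.
"""
import re
from typing import Dict, List, Tuple

# Subset of the published indicators, kept in their defanged form on purpose
# so that refang() is exercised.
IOC_TEXT = """
dmnadmin[.]com
sendbits.m2stor4ge[.]xyz
myrric-uses.singlejets[.]com
45.11.180.14
185.212.44.231
166686d538ec9a0e0550347149aac4cc
E50b973d43a77d7a2c1bf56e22d64d168ee8c170
1bbe96a888c6e3a52cdb0676f38a8a379a72e6f4ade58f101a0559c7ad6f99c7
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Tokens that can carry an IP, a hostname or a hash: alphanumerics, dots, dashes.
TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real, lower-cased form."""
    return indicator.strip().lower().replace("[.]", ".")


def classify(indicator: str) -> str:
    """Bucket an indicator as ip, md5/sha1/sha256 (by hex length) or domain."""
    if IPV4_RE.match(indicator):
        return "ip"
    if HEX_RE.match(indicator) and len(indicator) in HASH_LENGTHS:
        return HASH_LENGTHS[len(indicator)]
    return "domain"


def load_iocs(text: str) -> Dict[str, set]:
    iocs: Dict[str, set] = {k: set() for k in ("ip", "domain", "md5", "sha1", "sha256")}
    for line in text.splitlines():
        if line.strip():
            value = refang(line)
            iocs[classify(value)].add(value)
    return iocs


def scan_line(line: str, iocs: Dict[str, set]) -> List[Tuple[str, str]]:
    """Return (type, indicator) hits for one log line.

    IPs and hashes match exactly (case-insensitively). Domains match when the
    token equals a listed domain or is a subdomain of one, so
    evil.dmnadmin.com hits dmnadmin.com.
    """
    hits: List[Tuple[str, str]] = []
    for token in TOKEN_RE.findall(line):
        t = token.lower().rstrip(".")  # drop the trailing dot of a DNS FQDN
        if t in iocs["ip"]:
            hits.append(("ip", t))
            continue
        kind = HASH_LENGTHS.get(len(t))
        if kind and HEX_RE.match(t) and t in iocs[kind]:
            hits.append((kind, t))
            continue
        labels = t.split(".")
        # Walk up the label chain: a.b.c.com -> b.c.com -> c.com (2+ labels).
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in iocs["domain"]:
                hits.append(("domain", parent))
                break
    return hits


def scan_logs(lines: List[str], iocs: Dict[str, set]) -> List[Tuple[int, str, str]]:
    """Scan every line; return (line_number, type, indicator) per hit."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line, iocs)]


# Constructed sample telemetry: DNS, proxy and EDR lines in a made-up format.
SAMPLE_LOGS = [
    "2020-08-14T09:12:03Z dns client=10.0.0.23 query=sendbits.m2stor4ge.xyz type=A",
    "2020-08-14T09:12:04Z proxy client=10.0.0.23 dst=45.11.180.14:443 action=allow",
    "2020-08-14T09:13:10Z edr host=WS-042 file=C:\\Users\\a\\AppData\\Roaming\\x.js md5=166686D538EC9A0E0550347149AAC4CC",
    "2020-08-14T09:20:00Z dns client=10.0.0.51 query=www.example.com type=A",
]

if __name__ == "__main__":
    for n, kind, ioc in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {n}: {kind} match on {ioc}")
```

Exact-match IP and hash hits are high confidence; the parent-domain walk is deliberately broader and will also flag legitimate traffic if an indicator happens to be a shared hosting domain, so review domain hits before acting on them.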