The notorious cybercrime group known as FIN7 has been observed deploying the Cl0p (aka Clop) ransomware, marking the threat actor’s first ransomware campaign since late 2021.
Microsoft, which detected the activity in April 2023, tracks the financially motivated actor as Sangria Tempest under its new naming taxonomy.
“In the recent attack, Sangria Tempest used the POWERTRASH PowerShell script to load the Lizar post-exploit tool and gain a foothold into the target network,” the company’s threat intelligence team said. “They then used OpenSSH and Impacket to move laterally and spread the Clop ransomware.”
FIN7 (aka Carbanak, ELBRUS, and ITG14) has been associated with other ransomware families such as Black Basta, DarkSide, REvil, and LockBit, and the group has acted as a precursor to Maze and Ryuk ransomware attacks.
Active since at least 2012, the group has a track record of targeting a broad spectrum of organizations spanning software, consulting, financial services, medical devices, cloud services, media, food and beverage, transportation, and utilities.
Another notable tactic in its playbook is setting up fake security companies – Combi Security and Bastion Secure – to recruit employees who unknowingly carry out ransomware attacks and other operations.
Last month, IBM Security X-Force revealed that members of the now-defunct Conti ransomware gang were using a new malware called Domino developed by the cybercrime cartel.
FIN7’s use of POWERTRASH to deliver Lizar (aka DICELOADER or Tirion) was also highlighted by WithSecure a few weeks ago in connection with an attack that exploited a high-severity flaw in Veeam’s Backup & Replication software (CVE-2023-27532) to obtain initial access.
The latest developments indicate that FIN7 continues to rely on various ransomware families to target victims as part of a shift in its monetization strategy, moving from payment card data theft to extortion.