FIN7 gang leveraged Powerplant backdoor in more complex operations

April 7, 2022

The notorious financially motivated hacking group tracked as FIN7 (also known as Carbanak) has returned to the cybercrime scene with a campaign that uses the Powerplant backdoor alongside other new malicious payloads.

The threat group specialises in Business Email Compromise (BEC) operations and point-of-sale (PoS) system intrusions against its victims.

Active against financial institutions worldwide since 2015, the group aims to steal payment card data and keeps evolving its intrusion methods so that it can compromise more targets with less effort.

FIN7 relies on a wide range of custom malware, including info-stealers, backdoors and the SQLRat script dropper, and has also mailed malware-laden USB drives to targeted companies. Security researchers have further tied the group to ransomware operations such as DarkSide, REvil and ALPHV/BlackCat.

Several FIN7 members have been arrested over the years; however, recent observations show that the group is still actively running campaigns with novel malware, new initial access vectors and shifting strategies.

The group has moved beyond BEC and phishing as its only initial intrusion methods. Alongside the new backdoor dubbed Powerplant, it has been seen gaining network access through supply chain compromises, exposed Remote Desktop Protocol (RDP) services and stolen credentials.

The Powerplant backdoor is deployed through the Griffon JavaScript implant, which the group uses to maintain persistence while it accesses a victim's servers to steal data. Powerplant in turn installs further payloads, such as the Birdwatch downloader and the Easylook reconnaissance tool.

The backdoor also retrieves additional packages from, and sends reconnaissance data to, its command-and-control (C2) server, including web browser usage and network configuration details, while the Beacon backdoor is kept as a backup means of access.

As of now, eight separate uncategorised (UNC) threat clusters have been attributed to FIN7, and seven more are suspected of being linked to the gang. Researchers expect the group to keep growing as it increases its operational tempo, widens its target scope and builds stronger ties with other ransomware criminals.
