Russia-linked FIN7 hackers sell their security evasion tool to other groups on darknet

Avatar

A notorious cybercriminal group known as FIN7 advertises its custom tool for security evasion on darknet forums and sells it to other criminal gangs, researchers have found.

The tool, known as AvNeutralizer, is used by criminal hackers to bypass threat detection systems on victims’ devices. Researchers have previously discovered that the tool was used exclusively for six months by another hacker group, Black Basta.

In a new report, the cybersecurity firm SentinelOne said that it observed multiple ransomware groups using updated versions of AvNeutralizer, suggesting that the customer list  was no longer limited to Black Basta.

“We hypothesize that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early buyers and adopters,” researchers added.

SentinelOne identified multiple advertisements across various underground forums, likely promoting the sale of AvNeutralizer. To mask its identity, FIN7 used various pseudonyms, including “goodsoft,” “lefroggy,” “killerAV,” and “Stupor.”

The price for the tool, set by users with these pseudonyms, ranged from $4,000 to $15,000. SentinelOne assesses “with high confidence” that these accounts belong to the FIN7 cluster.

“These threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network,” researchers said.

FIN7 started developing AvNeutralizer in April 2022. This tool is customized for each buyer to target specific security systems they choose.

Since early 2023, AvNeutralizer has been used in numerous intrusions, including with the subsequent deployment of well-known ransomware strains such as AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.

AvNeutralizer has been updated several times. The latest version discovered by SentinelOne includes a new method for bypassing security previously unseen in the wild. 

In particular, the new version uses a built-in Windows driver called “ProcLaunchMon.sys” along with the Process Explorer driver to interfere with security systems and avoid being detected.

FIN7 has been active since 2013 and is purportedly based in Russia. The group caused substantial financial losses in industries such as hospitality, energy, finance, high-tech and retail. Earlier in April, it allegedly targeted a large automotive manufacturer based in the U.S. late last year.

SentinelOne said that FIN7’s development and commercialization of specialized tools like AvNeutralizer within criminal underground forums “significantly enhance the group’s impact.”

“The group’s use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies,” researchers said.

CybercrimeNewsMalware
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Interpol operation nabs 300 with links to West African cyber fraud

Next Post

Attacks on Israeli orgs ‘more than doubled’ since October 7, cyber researcher says

Related Posts

Researchers Discover Command Injection Flaw in Wi-Fi Alliance’s Test Suite

A security flaw impacting the Wi-Fi Test Suite could enable unauthenticated local attackers to execute arbitrary code with elevated privileges. The CERT Coordination Center (CERT/CC) said the vulnerability, tracked as CVE-2024-41992, said the susceptible code from the Wi-Fi Alliance has been found deployed on Arcadyan FMIMG51AX000J routers. "This flaw allows an unauthenticated local attacker to
Avatar
Read More