forked from splunk/security_content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
fin7.yml
31 lines (31 loc) · 1.41 KB
/
fin7.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
name: FIN7
id: df2b00d3-06ba-49f1-b253-b19cef19b569
version: 1
date: '2021-09-14'
author: Teoderick Contreras, Splunk
type: batch
description: Leverage searches that allow you to detect and investigate unusual activities
that might relate to the FIN7 JS Implant and JSSLoader, including looking for Image
Loading of ldap and wmi modules, associated with its payload, data collection and
script execution.
narrative: FIN7 is a Russian criminal advanced persistent threat group that has primarily
targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. A
portion of FIN7 is run out of the front company Combi Security. It has been called
one of the most successful criminal hacking groups in the world. this passed few
day FIN7 tools and implant are seen in the wild where its code is updated. the FIN&
is known to use the spear phishing attack as a entry to targetted network or host
that will drop its staging payload like the JS and JSSloader. Now this artifacts
and implants seen downloading other malware like cobaltstrike and event ransomware
to encrypt host.
references:
- https://en.wikipedia.org/wiki/FIN7
- https://threatpost.com/fin7-windows-11-release/169206/
- https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded
tags:
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection