That PowerShell script was POWERTRASH, an obfuscated malware loader that's been attributed to FIN7 in the past. ![]() However, FIN7 also expanded into ransomware, being associated with the Darkside and BlackMatter ransomware families, and more recently BlackCat/ALPHV.Ī forensic analysis on the compromised Veeam servers showed that the SQL Server process “sqlservr.exe” that's related to the Veeam Backup instance was used to execute a batch shell script, which in turn downloaded and executed a PowerShell script directly in memory. ![]() The group was known in its early years for launching malware attacks against organizations from the retail, restaurant, and hospitality sectors with the goal of stealing credit card information. Tools and techniques used consistent with past FIN7 activityįIN7 or Carbon Spider is a cybercrime group that has been in operation since at least 2013 and has been associated with the Carbanak malware family. The post-exploitation activity included setting up persistence, system and network reconnaissance, credential extraction and lateral movement. Researchers from cybersecurity firm WithSecure investigated two such compromises so far, dating from late March, but they believe are likely part of a larger campaign. ![]() It's not yet clear how attackers are breaking into the servers, but a possibility is that they're taking advantage of a vulnerability patched in the popular enterprise data replication solution last month. Researchers warn that a financially motivated cybercrime group known as FIN7 is compromising Veeam Backup & Replication servers and deploying malware on them.
0 Comments
Leave a Reply. |