July 26, 2021
* You have to be a Flashpoint’s customer to view Flashpoint’s curated intelligence reports. Please feel free to reach out
to programs@flashpoint-intel.com if you have any questions.
Summary: Financial cybercrime gang FIN7 has rebounded after the jailing of
some key members, launching a campaign that uses as a lure a legal complaint
involving the liquor company that owns Jack Daniels whiskey. The gambit
successfully compromised at least one law firm, giving them a shot of the
JSSLoader remote-access trojan (RAT), researchers said. “One of the victims of the
malicious legal complaint campaign was a law firm,” researchers said in a posting
this week. “The lure successfully bypassed the law firm’s email filters, and it was
not detected as suspicious by any of the firm’s employees.” The ultimate purpose
of installing the backdoor is unclear. FIN7 usually carries out targeted attacks on
point-of-sale systems at casual-dining restaurants, casinos and hotels; or, it
infiltrates systems to steal bank-card data and sell it. “It is plausible that
proficient financial cybercrime groups, such as FIN7, are providing initial access
to seasoned ransomware groups, such as REvil (aka Sodinokibi), Ryuk, etc. as a
way to monetize their access,” according to eSentire’s Threat Response Unit.
Analyst comment: Organized cybercriminal groups are increasingly
resilient, showing advanced capabilities to maintain operations despite
arrests of key group members. This report on FIN7 also demonstrates that
threat actor groups may be pivoting from operations involving financial
information to initial access or ransomware because of higher payouts.
See also:
Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake
Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. (eSentire)
*Actor Profile: "FIN7" (Flashpoint)
*Arrests and Takedowns: January-June 2021 (Flashpoint)
Summary: Dutch police have arrested two people for their alleged involvement
in a phishing fraud-as-a-service scheme, one of them a 15-year-old suspect and
the other a 24-year-old due to appear in court on Friday. The unnamed
24-year-old is accused of developing the phishing service kits, while the
15-year-old allegedly sold them. The younger suspect was released pending
further investigation. Dutch police also said they searched a third 18-year-old
suspect. Group-IB said the Fraud Family operation, which has mainly hit victims
in the Netherlands and Belgium since at least 2020 but perhaps as far back as
2018, is focused on stealing banking credentials. The criminals advertised their
service to less-skilled cyber crooks on the encrypted messaging app Telegram,
where Fraud Family’s eight channels have nearly 2,000 subscribers.
Analyst comment: Information theft continues to be a profitable line of
business for many threat actors. As this arrest indicates, threat actors are
increasingly shifting from cybercrime forums to Telegram to advertise their
illicit services. Phishing kits and phishing panels continue to create risk for
organizations and contribute to a large volume of global cybercrime.
See also:
Additional stories are included below, as they are of interest to threat intelligence
teams: