Despite FIN7 arrests, malicious activity continues

Although the suspected leader of the FIN7 cybergang was arrested, malicious activity somehow persists.

Last year, Europol and the US Department of Justice arrested several cybercriminals suspected to be leaders of the FIN7 and Carbanak cybercriminal groups. News outlets announced the demise of those cybergangs, but our experts are still detecting signs of their activity. Furthermore, the number of interconnected groups using similar toolkits and the same infrastructure is growing. Here is a list of their main instruments and tricks with some advice on how to keep your business safe.

FIN7 specializes in attacking businesses to get access to financial data or PoS infrastructure. The group works through spear-phishing campaigns with sophisticated social engineering. For example, before sending malicious documents they might exchange dozens of normal messages with their victims to lull vigilance.

In most cases, the attacks used malicious documents with macros to install malware on the victim’s computer, with scheduled tasks providing persistence. The malware then downloaded modules and executed them in system memory. In particular, we have seen modules for gathering information, downloading additional malware, taking screenshots, and storing another instance of the same malware inside the registry (in case the first one is detected). Naturally, the cybercriminals might create additional modules at any time.
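The macro-to-scheduled-task chain described above maps onto a couple of simple telemetry checks. The following is an added example, not code from the article or from any Kaspersky product; the Sysmon-like event shape, the field names and the sample events are constructed for illustration.

```python
import ntpath

# Constructed sample telemetry (not from the article), in a Sysmon-like shape.
# Events 2 and 3 mirror the chain described in the post: an Office document
# spawns a shell, which registers a scheduled task that runs a script host
# against a file in a user-writable directory.
SAMPLE_EVENTS = [
    {"event": "process_create", "parent": "OUTLOOK.EXE", "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"event": "process_create", "parent": "WINWORD.EXE", "image": "cmd.exe",
     "cmdline": 'cmd /c schtasks /create /sc minute /mo 5 /tn Updater /tr "wscript C:\\Users\\Public\\u.js"'},
    {"event": "task_create", "task_name": "Updater", "user": "corp\\jdoe",
     "command": "wscript.exe", "arguments": "C:\\Users\\Public\\u.js"},
    {"event": "process_create", "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
    {"event": "task_create", "task_name": "Backup", "user": "corp\\svc-backup",
     "command": "C:\\Program Files\\Backup\\backup.exe", "arguments": "/nightly"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS_AND_SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                           "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

def _base(path):
    """Lower-cased file name of a Windows path, so comparisons ignore directory and case."""
    return ntpath.basename(path).lower()

def office_spawned_shell(ev):
    """A macro firing typically shows up as an Office process spawning a shell or script host."""
    return (ev["event"] == "process_create"
            and _base(ev["parent"]) in OFFICE_APPS
            and _base(ev["image"]) in SHELLS_AND_SCRIPT_HOSTS)

def task_runs_script_from_user_path(ev):
    """Persistence via a scheduled task whose action is a script host reading a user-writable path."""
    if ev["event"] != "task_create":
        return False
    action = (ev["command"] + " " + ev["arguments"]).lower()
    return (_base(ev["command"]) in SHELLS_AND_SCRIPT_HOSTS
            and any(p in action for p in USER_WRITABLE))

RULES = [("office_spawned_shell", office_spawned_shell),
         ("task_runs_script_from_user_path", task_runs_script_from_user_path)]

def detect(events):
    """Return (rule_name, event) for every event that matches a rule, in input order."""
    return [(name, ev) for ev in events for name, rule in RULES if rule(ev)]

if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev}")
```

Tune the path and process lists to your environment; the value of the second rule is that it catches the task regardless of how the task name or script file is disguised.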

CobaltGoblin/Carbanak/EmpireMonkey group

Other cybercriminals use similar tools and techniques, differing only in their targets — banks and developers of banking and money-processing software, in this case. The Carbanak (or CobaltGoblin, or EmpireMonkey) group’s main strategy is to gain a foothold in the victims’ networks and then find interesting endpoints with information they can monetize.

AveMaria botnet

AveMaria is a new botnet used to steal information. When a machine is infected, it starts collecting all possible credentials from various software: browsers, e-mail clients, messengers, and so forth. It also acts as a keylogger.

To deliver the payload, malefactors use spear phishing, social engineering, and malicious attachments. Our experts suspect a connection to FIN7 because of similarities in methods and command-and-control (C&C) infrastructure. Another indicator of the connection is target distribution: 30% of the targets were small and midsize companies that are suppliers or service providers for bigger players, and 21% were various types of manufacturing companies.

Our experts discovered a cluster of activity codenamed CopyPaste that targeted financial entities and companies in an African country. The actors used several methods and tools similar to those FIN7 employs. However, it is possible that these cybercriminals simply drew on open-source publications and have no real ties to FIN7.

You can get technical details, including indicators of compromise, on

How to stay safe

  • Use security solutions with dedicated functionality aimed at detecting and blocking phishing attempts. Businesses can protect their on-premises e-mail systems with targeted applications inside the Kaspersky Endpoint Security for Business suite.
  • Introduce security awareness training and teach practical skills. Programs such as Kaspersky Automated Security Awareness Platform will help to reinforce skills and conduct simulated phishing attacks.
  • All of the aforementioned groups greatly benefit from unpatched systems in corporate environments. To limit their abilities, use a solid patching strategy and a security solution such as Kaspersky Endpoint Security for Business that can automatically patch critical software.