Report · Severity: Medium · 2024-07-17

SentinelLabs ties AvNeutralizer EDR-killer to FIN7 and multiple RaaS gangs

published by SentinelOne
Actor

FIN7 · Unknown · eCrime

Long-running financially-motivated crew historically tied to the Carbanak intrusion set. Initially targeted point-of-sale systems in the U.S. hospitality and retail sectors (300+ companies, 1,000+ lo…

Summary

SentinelLabs reported that FIN7 had been developing and marketing the 'AvNeutralizer' (a.k.a. AuKill) EDR-tampering tool on Russian-language criminal forums since at least April 2022, abusing the Windows ProcLaunchMon.sys driver to disable endpoint protection. The tool was observed in intrusions deploying AvosLocker, MedusaLocker, BlackCat, and LockBit ransomware, underlining FIN7's shift from operating its own POS-fraud crews toward enabling other ransomware affiliates.

Tags

edr-bypass · tooling · ransomware-affiliate

Primary source

sentinelone.com
