Report · Severity: High · 2023-12-28

Microsoft links Sangria Tempest (FIN7) to Clop ransomware deployment via App Installer abuse

published by Microsoft Security Response Center
Actor
FIN7 · Unknown · eCrime

Long-running, financially motivated crew historically tied to the Carbanak intrusion set. Initially targeted point-of-sale systems in the U.S. hospitality and retail sectors (300+ companies, 1,000+ lo…

Summary

Microsoft Threat Intelligence reported that Sangria Tempest (also tracked as ELBRUS, Carbon Spider and FIN7) was abusing the ms-appinstaller URI scheme to distribute the EugenLoader downloader, which in turn delivered the Carbanak backdoor and Gracewire malware as precursors to human-operated ransomware. Microsoft tied the activity to Sangria Tempest's April 2023 Clop ransomware campaign, the group's first ransomware operation since late 2021.

Tags

ransomware-affiliate · clop · loader

Primary source

microsoft.com
