Largest FIN7 Malware Campaign Targets Global Companies Across 4000 Domains

Russian hacker group FIN7 launches a massive cyber attack utilizing over 4,000 domains to target global corporations such as Microsoft, Meta, CNN, and more.

By Marco Rizal - Editor, Journalist


Cybersecurity company Silent Push has recently discovered more than 4,000 new domains and IP addresses that are associated with the well-known hacking group FIN7.

Despite previous claims of shutting down FIN7, the group has resurfaced and is now carrying out extensive phishing and malware attacks on a global scale.

Some notable targets of these attacks include the Louvre Museum, Meta (the company behind Facebook), and Reuters news agency. FIN7 employs deceptive websites that closely resemble legitimate ones, luring individuals into divulging their personal information or unwittingly installing malicious software.

It was found that almost half of the 4,000 domains and subdomains were active in the past week.

Many of these fraudulent websites are built specifically to deceive users, either to steal their login credentials or to deliver malware.

FIN7 uses several methods to carry out their attacks, including:

  • Spearphishing: Sending carefully crafted emails with the intention of tricking individuals into revealing personal information and credit card details.
  • Ransomware: A type of malicious software that locks up your data and then demands payment in order to unlock it.
  • Malicious Browser Extensions: Using deceptive browser add-ons to gain unauthorized access to computers.
  • Web Portal Capture: Unauthorized collection of sensitive data through deceptive login pages.
  • Malvertising: A method that involves the use of harmful advertisements to distribute malware.
  • Hiding Infrastructure: Employing methods to evade detection.

FIN7 frequently establishes fraudulent companies to create the illusion of legitimacy and deceive individuals into engaging with their malicious content.

As an example, they utilized a website called cybercloudsec[.]com, masquerading as a legitimate cybersecurity company.

[Image: Homepage of cybercloudsec[.]com]

The group also creates numerous counterfeit websites that closely resemble those of reputable brands, with the intention of obtaining sensitive information or spreading malicious software.

FIN7's fraudulent websites lure in software users with enticing offers to download popular programs such as Python, Sublime Text, and Node.js.

Users should be aware that such downloads can carry malware that compromises the computer. Take hotnotepad[.]com as an example: it claimed to provide a Python download, but in reality it was a phishing scam.

[Image: Hotnotepad[.]com website (Credits: Silent Push)]

Despite the Department of Justice's ongoing efforts, which have included successfully arresting and convicting key members, FIN7 remains operational.

According to Silent Push's findings, it appears that either the group has resurfaced or other hackers are utilizing their methods to carry out fresh attacks.

Silent Push has identified numerous active domains and IPs that are being used for phishing, spoofing, shell, and malware delivery purposes.

These malicious activities are specifically targeting organizations and brands including:

  • Louvre Museum
  • Meta (Facebook)
  • Reuters
  • Microsoft 365
  • Wall Street Journal
  • CNN
  • QuickBooks
  • Alliant Credit Union
  • Grammarly
  • Airtable
  • Webex
  • Bloomberg
  • Quicken
  • Cisco
  • Zoom
  • SAP Concur
  • Google
  • Asana
  • Workable
  • Microsoft SharePoint
  • Redfin
  • Manulife Insurance
  • American Express
  • Twitter
  • Costco
  • Dropbox
  • Netflix
  • Paycor
  • Harvard University
  • Affinity Energy
  • RuPay
  • Bitwarden
  • Trezor

One example is the domain dr1ve[.]xyz, which includes a deceptive prompt stating “The file could not be opened,” tricking users into clicking a download button.

[Image: Fake "The file could not be opened" alert (Credits: Silent Push)]

Although no instance of malware being delivered through this domain has been observed, there remains a possibility that it could occur.

While the download appeared benign during testing, users in other regions may be served a harmful payload instead.

Other domains, such as netepadtee[.]com and multyimap[.]com, offer downloads of Sublime Text and Node.js; these downloads may also carry malware.
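The brand-lookalike download sites described above (and the counterfeit brand sites earlier in the article) are the kind of thing a defender can screen for in DNS or proxy logs before a user ever reaches the download button. The script below is an added example written for this page; it is not code from the article or from Silent Push. It refangs the `[.]`-style indicators the article uses, slides a small edit-distance window over the registrable label of each queried domain, and flags labels that contain or nearly contain a watched brand token. The `WATCHLIST`, `ALLOWLIST`, the sample log lines, and the assumption that dr1ve[.]xyz imitates "drive" and hotnotepad[.]com imitates "notepad" are all mine; the domains in the sample log are the ones quoted in the article plus two benign entries for contrast.

```python
import re
from typing import List, Optional, Tuple

# Brand/product tokens to watch for inside domain labels. Which brand a given
# lookalike imitates ("drive" for dr1ve, "notepad" for hotnotepad) is an assumption.
WATCHLIST = ["python", "notepad", "sublime", "nodejs", "drive", "dropbox", "netflix", "zoom"]

# Legitimate domains for those brands; never flagged (assumed list).
ALLOWLIST = {"python.org", "google.com", "nodejs.org", "sublimetext.com"}

# Constructed sample DNS log: "<timestamp> <client> <queried name>" per line.
# The suspicious names are the defanged indicators quoted in the article.
SAMPLE_LOG = """\
2024-05-20T10:01:02Z 10.0.0.15 www.python.org
2024-05-20T10:01:09Z 10.0.0.15 hotnotepad[.]com
2024-05-20T10:02:11Z 10.0.0.22 dr1ve[.]xyz
2024-05-20T10:03:40Z 10.0.0.22 netepadtee[.]com
2024-05-20T10:04:05Z 10.0.0.31 multyimap[.]com
2024-05-20T10:05:00Z 10.0.0.31 cybercloudsec[.]com
2024-05-20T10:06:13Z 10.0.0.40 mail.google.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into 'example.com'."""
    return indicator.replace("[.]", ".").replace("(.)", ".")


def registrable_label(domain: str) -> str:
    """Label left of the TLD (naive second-to-last label; a real deployment
    would consult the Public Suffix List for names like example.co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the two-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_window(label: str, term: str) -> int:
    """Smallest edit distance between `term` and any substring of `label`
    whose length is within one of len(term). 0 means the term appears verbatim."""
    best = len(term) + 1
    for width in (len(term), len(term) - 1, len(term) + 1):
        if width <= 0 or width > len(label):
            continue
        for start in range(len(label) - width + 1):
            best = min(best, edit_distance(label[start:start + width], term))
            if best == 0:
                return 0
    return best


def lookalike_reason(domain: str, max_edits: int = 1) -> Optional[str]:
    """Explain why `domain` resembles a watched brand, or return None."""
    domain = refang(domain).lower().strip(".")
    if any(domain == a or domain.endswith("." + a) for a in ALLOWLIST):
        return None
    label = registrable_label(domain)
    for term in WATCHLIST:
        d = closest_window(label, term)
        if d <= max_edits:
            return f"contains '{term}'" if d == 0 else f"{d}-edit variant of '{term}'"
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, refanged domain, reason) for each flagged query."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than aborting the scan
        reason = lookalike_reason(m["query"])
        if reason:
            hits.append((m["ts"], m["client"], refang(m["query"]), reason))
    return hits


if __name__ == "__main__":
    for ts, client, domain, reason in scan_dns_log(SAMPLE_LOG):
        print(f"{ts} {client} {domain}: {reason}")
```

Running it flags hotnotepad[.]com (contains "notepad"), dr1ve[.]xyz (one edit from "drive") and netepadtee[.]com (one edit from "notepad"), while www.python.org and mail.google.com pass through the allowlist. cybercloudsec[.]com and multyimap[.]com are not flagged: the first is a fabricated company rather than a brand lookalike, and the second does not sit within one edit of any watched token, which is exactly why lexical matching is a first-pass filter to be paired with domain-age, reputation and threat-intelligence data rather than a substitute for them. Short tokens such as "zoom" will produce false positives on ordinary words, so tune `WATCHLIST` and `max_edits` against your own traffic before alerting on it.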
