Cyber Threat Actor: FIN7
| Actor Type | Location | Known Incidents |
Crime Syndicate
|
Russia
|
1 incident |
|---|
Profile
FIN7 is a financially motivated threat actor also known as the Cobalt Group and Carbanak. The group has been active since at least late 2016 and is widely believed to be based in Russia. Its primary objective is monetary gain through the theft of payment card data and the compromise of banking systems.
The actor targets financial institutions, banks, automated teller machine manufacturers, point‑of‑sale networks, retail companies and hospitality businesses. Geographically, its campaigns have focused on organizations in Eastern Europe and Russia as well as United States retail chains such as Burgerville, Chipotle, Chili’s, Saks Fifth Avenue and Lord & Taylor. The group’s activities are described as financially motivated, with suspected involvement in theft exceeding one billion dollars from banks, retailers and hospitality firms.
Typical tactics include spear‑phishing emails that masquerade as trusted financial partners or vendors, delivering weaponized Word documents with obfuscated VBA scripts or binary files with a jpg extension. These payloads often deploy JavaScript backdoors that achieve persistence via registry keys and are launched using regsvr32.exe, with command‑and‑control traffic encrypted using RC4. Reconnaissance tools such as CobInt/COOLPANTS connect to C2 servers like rietumu[.]me to gather information. The group also employs the Carbanak backdoor, the in‑memory loader BOOSTWRITE that uses DLL search order hijacking to execute malicious DLLs without touching the filesystem, and the RDFSNIFFER module that hooks into NCR Aloha Command Center Client to act as a remote access tool.
Attribution links FIN7 to a Russian organized cybercrime syndicate, with the Carbanak malware family frequently associated with the group. Public reporting notes that some members have been arrested in Spain, yet the organization remains active and continues to develop new malware strains such as BOOSTWRITE and RDFSNIFFER after those arrests.
Notable operations include a 2018 campaign against a Russian bank and a Romanian financial institution that used spear phishing to install ATM‑oriented malware and resulted in significant financial losses, the 2018 breach of Burgerville where customer credit‑card data was scraped from point‑of‑sale systems, the 2018 theft of more than five million payment cards from Saks Fifth Avenue and Lord & Taylor, and the 2016 compromise of Oracle’s MICROS point‑of‑sale support portal which facilitated credential theft and potential deployment of card‑stealing malware to customer devices.
