Security-Bypassing Tool Advertised by FIN7 on Dark Web

The financially motivated FIN7 group has been seen using various aliases across underground forums to promote a security-evasion tool used by ransomware groups such as AvosLocker, Black Basta, BlackCat, LockBit, and Trigona.

The tool, named AvNeutralizer (also known as AuKill), was developed by FIN7 to disable security solutions. This tool has been marketed in the criminal underground and utilized by several ransomware groups.

FIN7, a cybercrime group originating from Russia and Ukraine, has been active since at least 2012. Initially targeting point-of-sale (PoS) terminals, they have since shifted to working as a ransomware affiliate for now-defunct groups like REvil and Conti, and have launched their own ransomware-as-a-service (RaaS) programs, DarkSide and BlackMatter.

Also known as Carbanak, Carbon Spider, Gold Niagara, and Sangria Tempest, FIN7 has a history of setting up front companies like Combi Security and Bastion Secure to recruit software engineers under the guise of penetration testing. Despite the arrests of some members, FIN7 has shown adaptability and technical skill by constantly updating their malware, including tools like POWERTRASH, DICELOADER (IceBot, Lizar, or Tirion), and the Core Impact penetration testing tool.

FIN7 has been involved in large-scale phishing campaigns, deploying thousands of “shell” domains mimicking legitimate media and technology businesses to deliver ransomware and other malware. These domains sometimes redirect users to spoofed login pages, tricking them into downloading malware-laced versions of popular software such as 7-Zip, PuTTY, and Notepad++.

FIN7’s malvertising tactics led to the deployment of NetSupport RAT. According to Silent Push, FIN7 rents dedicated IPs on various hosts, primarily Stark Industries, a bulletproof hosting provider linked to DDoS attacks in Ukraine and Europe.

FIN7 has been using multiple personas on cybercrime forums to promote AvNeutralizer and has enhanced the tool with new features. Since January 2023, several ransomware groups have adopted updated versions of this EDR impairment program, previously used exclusively by the Black Basta group.

Selling tools to other cybercriminals could be seen as a natural evolution of FIN7’s methods to diversify and generate additional revenue. Historically, FIN7 has used underground marketplaces to sell stolen data, and the advertisement of AvNeutralizer could signal a shift in their strategy due to the increasing effectiveness of modern EDR solutions.

The updated AvNeutralizer employs anti-analysis techniques and leverages a Windows built-in driver, “ProcLaunchMon.sys,” along with the Process Explorer driver to tamper with security solutions. The tool has been in development since April 2022. A similar approach has been used by the Lazarus Group; it is especially dangerous because the tool weaponizes a vulnerable driver that already ships with Windows, so the attacker does not need to drop a third-party driver onto the machine.

Additionally, FIN7’s Checkmarks platform has been modified to include an automated SQL injection attack module for exploiting public-facing applications. FIN7 has adopted automated attack methods, targeting public-facing servers with SQL injection attacks and enhancing their impact by commercializing specialized tools like AvNeutralizer on criminal underground forums.

To defend against threats like this security-bypassing tool, organizations should implement comprehensive security measures. This includes using advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating sophisticated attacks. Organizations should also apply the principle of least privilege to limit access to sensitive systems and data, and continuously monitor for unusual network and endpoint activity.
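The article describes AvNeutralizer loading the Windows ProcLaunchMon.sys driver together with the Process Explorer driver, and recommends continuous monitoring. The following added example (not code from the article, and not anything from FIN7's tooling) shows one way a defender might turn that description into detection logic over driver-load telemetry: it flags each load of either watched driver and raises a higher-severity finding when both load on the same host within a short window. Everything beyond the two driver names is an assumption: the Process Explorer driver file name (PROCEXP152.sys), the expected driver directory, the 300-second correlation window, and the Sysmon-like pipe-delimited log format, whose sample lines are constructed for this example.

```python
"""Detect the driver-load pattern the article attributes to AvNeutralizer.

Added defensive example, not code from the article or from FIN7's tooling.
Assumptions (not stated on the page): the Process Explorer driver is named
PROCEXP152.sys; legitimate Windows drivers live under
C:\\Windows\\System32\\drivers; both watched drivers loading on one host within
300 seconds is treated as a correlated event; the input is a constructed,
Sysmon-like DriverLoad export in the form
    timestamp|host|DriverLoad|image_path|signature_status
"""
from datetime import datetime, timedelta

# Driver names from the article; the second file name is an assumption.
WATCHED = {"proclaunchmon.sys", "procexp152.sys"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"   # assumed normal location
WINDOW = timedelta(seconds=300)                           # assumed correlation window


def parse_line(line):
    """Parse one constructed log line; return None for non-DriverLoad records."""
    ts, host, kind, path, sig = line.strip().split("|")
    if kind != "DriverLoad":
        return None
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "path": path,
        "name": path.rsplit("\\", 1)[-1].lower(),
        "sig": sig,
    }


def analyze(lines):
    """Return a list of findings (dicts) for watched-driver loads and correlations."""
    events = [e for e in map(parse_line, lines) if e]
    findings, per_host = [], {}

    # Per-event findings: any load of a watched driver is worth a look.
    for e in events:
        if e["name"] not in WATCHED:
            continue
        severity, reasons = "medium", ["watched driver loaded"]
        if not e["path"].lower().startswith(SYSTEM_DRIVER_DIR):
            severity, reasons = "high", reasons + ["loaded from outside the system driver directory"]
        if e["sig"].lower() != "valid":
            severity, reasons = "high", reasons + ["signature status not valid"]
        findings.append({"host": e["host"], "ts": e["ts"], "driver": e["name"],
                         "severity": severity, "reasons": reasons})
        per_host.setdefault(e["host"], []).append(e)

    # Correlation: both watched drivers on the same host inside WINDOW.
    # Signature checks alone will not catch this, because both drivers can be
    # legitimately signed; the pairing in time is the signal.
    for host, evs in per_host.items():
        evs.sort(key=lambda x: x["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > WINDOW:
                    break
                if a["name"] != b["name"]:
                    findings.append({"host": host, "ts": b["ts"], "driver": f"{a['name']}+{b['name']}",
                                     "severity": "critical",
                                     "reasons": ["ProcLaunchMon.sys and Process Explorer driver loaded "
                                                 f"within {int(WINDOW.total_seconds())}s"]})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_LOG = [
    "2024-07-17T10:00:00Z|WS01|DriverLoad|C:\\Windows\\System32\\drivers\\ndis.sys|Valid",
    "2024-07-17T10:00:03Z|WS01|DriverLoad|C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys|Valid",
    "2024-07-17T10:00:09Z|WS01|DriverLoad|C:\\Users\\Public\\PROCEXP152.sys|Valid",
    "2024-07-17T09:15:00Z|WS02|DriverLoad|C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys|Valid",
    "2024-07-17T09:15:01Z|WS02|ProcessCreate|C:\\Windows\\System32\\svchost.exe|Valid",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["host"], f["driver"], "; ".join(f["reasons"]))
```

On the constructed sample this yields a medium finding for the ProcLaunchMon.sys load on WS01, a high finding for the Process Explorer driver loaded from a user-writable path, a critical correlation for the pair on WS01, and only a medium finding on WS02, where the built-in driver loaded alone. In a real deployment the baseline would be tuned per host class, since administrators do run Process Explorer interactively.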