Tracking FIN7 malware honeypots, new AI deepfake lures - Zach Edwards (Silent Push)

Presented at the VB2024 conference in Dublin, 2 - 4 October 2024.

Slides: https://www.virusbulletin.com/uploads/pdf/conference/vb2024/slides/Slides-Tracking-FIN7-malware-honeypots-new-AI-deepfake-lures.pdf
Paper: N/A
Details: https://www.virusbulletin.com/conference/vb2024/abstracts/tracking-fin7-malware-honeypots-new-ai-deepfake-lures/

PRESENTED BY
• Zach Edwards (Silent Push)

ABSTRACT
FIN7 (also known as Sangria Tempest) is a financially motivated threat group with links to Russia that has been operating since at least 2013 and was previously thought to have been eliminated by the DOJ. From a single origin point, Silent Push threat analysts uncovered an extensive series of ongoing FIN7 campaigns, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting numerous enterprise organizations and products. We found thousands of parked FIN7 domains, and by monitoring these daily for changes, we have been able to find malicious infrastructure as soon as it launches.

One of the most recent FIN7 malware delivery lures is being used across several domains and promotes 'AI Deepfake Nude Generating Software', which leads to D3F@ck Loader and at least one additional payload. Other software being targeted with fake websites and malicious payloads includes 7-zip, PuTTY, ProtectedPDFViewer, AIMP, Notepad++, Advanced IP Scanner, AnyDesk, pgAdmin, AutoDesk, Bitwarden, Rest Proxy, Python, Sublime Text, and Node.js.

Our presentation will highlight the current methods FIN7 is using to target enterprise organizations with ransomware payloads, and details about the malware we have seen across the group's infrastructure in 2024.