FIN7 Cybercrime Group | AuKiller sale
New Security Bypass Methods and Ransomware Deployments
Intro
The threat actor known as FIN7, also referred to as Carbanak & Carbon Spider is a financially motivated cybercriminal group of Russian and Ukrainian origin that has been active since at least 2012.
Initially focused on financial fraud, FIN7 later expanded its activities to include ransomware operations, affiliating with groups such as DarkSide, BlackMatter, and BlackCat.The group has developed an arsenal of tools including Powertrash, Diceloader, Core Impact loader, an SSH-based backdoor, and AvNeutralizer (also known as AuKill).
AvNeutralizer | AuKiller
In July, SentinelOne discovered the latest version of AvNeutralizer, which includes a new method for bypassing security that has not been seen in the wild before. This development underscores the ongoing evolution of FIN7's tactics and their commitment to staying ahead of cybersecurity defenses.
Black Basta Group: Early Adopters and Special Relationship
The Black Basta Group has been identified as early adopters of the EDR bypass technology provided by AvNeutralizer. Evidence suggests that multiple custom tools used exclusively by Black Basta have been developed by one or more FIN7 developers. This link could indicate a special relationship between the two groups or that some individuals might be affiliated with both.
Wider Distribution & Sales
SentinelOne has also identified multiple advertisements across various underground forums promoting the sale of AvNeutralizer to additional threat groups. The tool is priced between 4.000 and 15.000 USD, making it accessible to more cybercriminal groups.
Since early 2023, AvNeutralizer has been utilized in numerous intrusions. It has facilitated the deployment of several well-known ransomware strains, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.
Sources