Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs

Major vendors' products scuppered by novel techniques


Prolific Russian cybercrime syndicate FIN7 is using a string of pseudonyms to sell its custom endpoint-security-disabling malware to a range of ransomware gangs.

The AvNeutralizer malware was previously thought to be linked solely to the Black Basta group, but fresh research has uncovered multiple underground forum listings for the software, which is now believed to be the work of FIN7 operatives.


Prices range between $4,000 and $15,000, and evidence suggests that AvNeutralizer has been marketed since at least 2022, with engagements involving the tool surging in early 2023.

SentinelOne's researchers said the malware is effective at disabling endpoint security products from SentinelOne's own portfolio and Windows Defender, as well as those from Sophos, Panda Security, Elastic, and Symantec.

Black Basta was spotted using AvNeutralizer a couple of years ago, but various other ransomware campaigns which started in 2023 began using the malware to evade detection too. 

Criminals using well-known ransomware-as-a-service (RaaS) variants such as LockBit, ALPHV/BlackCat, Trigona, AvosLocker, and Medusa all showed they found value in AvNeutralizer, although concrete links between FIN7 and these RaaS operations haven't been firmly established.

When purchasing the tool from what SentinelOne now believes to be pseudonyms adopted by FIN7, cybercriminals would specify which endpoint detection and response (EDR) products they wanted to bypass, and a custom builder would then be provided for them.

"Considering the available evidence and prior intelligence, we assess with high confidence that 'goodsoft,' 'lefroggy,' 'killerAV' and 'Stupor' [personas] belong to the FIN7 cluster," said Antonio Cocomazzi, staff offensive security researcher at SentinelOne, in a blog this week. 

"Furthermore, these threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network."

AvNeutralizer is also under continuous development and has proven to be a mainstay of FIN7's arsenal of tools, which include backdoors, PowerShell scripts, and pentesting kits.

The most recent version, first sighted in April 2023, introduced a novel tampering technique that uses ProcLaunchMon.sys, the Time Travel Debugging (TTD) monitor driver that ships with Windows, to create a denial-of-service condition in specific processes.

SentinelOne's blog has the full write-up of how the tool crashes EDR software, but in essence it suspends the child processes spawned by a targeted protected process; the protected process then fails because it can no longer communicate with its children.

It should also be said that this isn't a catch-all method for killing EDR processes – more than ten other user-mode and kernel-mode techniques are used to knock out top security products. Those are all well documented already, though.
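A defender reading the above will want a concrete hunting check. The following is an added example written for this article, not SentinelOne's tooling and not anything from the AvNeutralizer research itself: a triage heuristic that runs over driver-load and service-install telemetry and flags ProcLaunchMon.sys turning up where Time Travel Debugging has no business being. Field names follow Sysmon Event ID 6 (DriverLoad) and the System log's Event ID 7045 (service installed); the sample records, the debugging-host allowlist, and the assumption that the genuine driver only loads from under Windows\System32 with a valid Microsoft signature are mine, not the article's.

```python
"""Hunting heuristic for abuse of the Windows TTD driver ProcLaunchMon.sys.

Added example; not SentinelOne's code and not AvNeutralizer code. Consumes two
kinds of Windows telemetry flattened into dicts:
  * Sysmon Event ID 6 (DriverLoad): ImageLoaded, Signed, Signature, SignatureStatus
  * System log Event ID 7045 (service installed): ServiceName, ImagePath, ServiceType
Assumptions (not from the article): the genuine driver lives under
Windows\\System32, carries a valid Microsoft signature, and is only expected on
hosts that really run Time Travel Debugging. All sample records are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

TTD_DRIVER = "proclaunchmon.sys"
# Assumption: the only hosts where analysts or developers legitimately use TTD.
DEBUG_HOSTS = {"DEV-LAB-01"}


@dataclass
class Finding:
    host: str
    event_id: int
    reasons: List[str] = field(default_factory=list)


def basename(path: str) -> str:
    """Last path component, case-folded, tolerant of either slash style."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def under_system32(path: str) -> bool:
    """True when the image sits anywhere below Windows\\System32."""
    return "\\windows\\system32\\" in path.replace("/", "\\").lower()


def triage_driver_load(rec: dict) -> Optional[Finding]:
    """Sysmon EID 6: flag ProcLaunchMon.sys loading on an unexpected host, from an
    unexpected path, or as a copy that does not carry a valid Microsoft signature."""
    if basename(rec.get("ImageLoaded", "")) != TTD_DRIVER:
        return None
    f = Finding(rec["Computer"], 6)
    if rec["Computer"] not in DEBUG_HOSTS:
        f.reasons.append("TTD driver loaded on a host not expected to run TTD")
    if not under_system32(rec["ImageLoaded"]):
        f.reasons.append(f"driver loaded from unexpected path {rec['ImageLoaded']}")
    if rec.get("SignatureStatus") != "Valid" or "Microsoft" not in rec.get("Signature", ""):
        f.reasons.append("driver image is not validly Microsoft-signed")
    return f if f.reasons else None


def triage_service_install(rec: dict) -> Optional[Finding]:
    """System EID 7045: a new kernel-driver service pointing at ProcLaunchMon.sys on a
    non-debugging host is how an attacker-controlled loader would get it running."""
    if basename(rec.get("ImagePath", "")) != TTD_DRIVER:
        return None
    f = Finding(rec["Computer"], 7045)
    if rec["Computer"] not in DEBUG_HOSTS:
        f.reasons.append(f"service {rec.get('ServiceName')!r} installs the TTD driver on a non-debugging host")
    if rec.get("ServiceType", "").lower() != "kernel mode driver":
        f.reasons.append(f"unexpected ServiceType {rec.get('ServiceType')!r} for a driver")
    return f if f.reasons else None


HANDLERS: Dict[int, Callable[[dict], Optional[Finding]]] = {
    6: triage_driver_load,
    7045: triage_service_install,
}


def hunt(records: List[dict]) -> List[Finding]:
    """Run every record through the handler for its event ID; keep the hits."""
    findings: List[Finding] = []
    for rec in records:
        handler = HANDLERS.get(rec.get("EventID"))
        if handler is None:
            continue
        finding = handler(rec)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry, not real logs: one benign TTD load on the lab box,
# then a Microsoft-signed copy of the driver dropped and installed on a file server.
SAMPLE = [
    {"EventID": 6, "Computer": "DEV-LAB-01",
     "ImageLoaded": r"C:\Windows\System32\drivers\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7045, "Computer": "FS-02", "ServiceName": "ProcLaunchMon",
     "ImagePath": r"C:\Users\Public\ProcLaunchMon.sys", "ServiceType": "kernel mode driver"},
    {"EventID": 6, "Computer": "FS-02",
     "ImageLoaded": r"C:\Users\Public\ProcLaunchMon.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "FS-02",
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE):
        print(f"{f.host} EID {f.event_id}: " + "; ".join(f.reasons))
```

Note that the dropped copy in the sample is still validly Microsoft-signed, which is exactly why a signature check on its own is not enough here: the driver is a legitimate Windows component, so the signals worth acting on are where it loads from and on which host, not whether it is signed.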

The importance of attribution

SentinelOne said that now it has a clearer understanding of AvNeutralizer, how it is marketed and who is using it, the team is able to track malicious activity more accurately and carry out better-informed retrospective analyses.

FIN7 has been in play since 2012 and over the past 12 years has continually evolved its tactics, from the early days of deploying point-of-sale (PoS) card-stealing malware to becoming a fully fledged ransomware gang in 2020.

At times it has been affiliated with the likes of REvil and Conti, but also went on to form its own RaaS operation in the form of Darkside, which later rebranded to BlackMatter after it hit Colonial Pipeline.

When its members weren't hiding behind an array of pseudonyms, they were creating fake companies, such as Combi Security and Bastion Secure, to disguise their activities and hire unwitting IT professionals to help them set up ransomware attacks. It didn't work out too well for some of them.

Despite the numerous arrests of FIN7 members over the years, the group strides on to this day and continues to evolve, making the task of attribution all the more important.

"FIN7's continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise," said Cocomazzi. 

"The group's use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies. We hope this research will inspire further efforts to understand and mitigate FIN7's evolving tactics." ®
