Russian-speaking threat group FIN7, also known as Carbanak, has remained active despite the indictment of some of its members in 2018 and the sentencing of one of its managers last year, with the group found to have continuously developed its toolset, reports BleepingComputer.
A report from Mandiant revealed that FIN7 has continued to develop its PowerPlant backdoor into new variants, which are deployed while intrusions are underway. The PowerPlant backdoor has become the group's main malware this year, replacing Griffon and Loadout; it retrieves various modules from the command-and-control server.
EasyLook, which has been used by FIN7 for network and system information collection for at least two years, and Boatlaunch, which patches PowerShell processes to evade Microsoft's antimalware scan interface, have been the most commonly launched modules, according to the report.
Moreover, FIN7 has been increasing its involvement with different ransomware groups.
"In addition to evidence produced from intrusion data, secondary artifacts suggest FIN7 played a role in at least some DARKSIDE operations. A low global prevalence code signing certificate used by FIN7 in 2021 to sign BEACON and BEAKDROP samples was also used to sign multiple unattributed DARKSIDE samples recovered in the wild," researchers wrote.