Ransomware, Threat Management

FIN7 cybergang tied to April PaperCut attacks

FIN7 bursts back into ransomware, teaming up with Clop affiliate DEV-0950

The infamous hacking group FIN7 is back in business after a two-year hiatus. Researchers say the cybergang is likely teaming up with another prolific ransomware group called DEV-0950, according to Microsoft Security team researchers.

The two groups appear to have joined forces to push the prolific Clop (aka. Cl0p) strain of ransomware, which was used in a string of recent attacks, including a February campaign targeting of Fortra GoAnywhere MFT secure file transfer tool.

Microsoft said FIN7, which it tracks as Sangria Tempest, likely worked with competing Clop and its affiliate DEV-0950, which it calls Lace Tempest. FIN7 used DEV-0950 tools to exploit the critical server vulnerability PaperCut (CVE-2023-27350), impacting millions of computers worldwide last month.

In a SC Media exclusive, Microsoft Security warned customers of its Defender Threat Intelligence platform customers it documented DEV-0950/Lace Tempest tools being used as a tactic in initial exploitation of the PaperCut bug. It reported “Lace Tempest delivers Sangria Tempest tooling beginning in April 2023.”

“Microsoft… observed the PaperCut exploitation from Lace Tempest leading to a handoff to Sangria Tempest hands-on[1]keyboard activity. The recent incorporation of unique Sangria Tempest tooling in Lace Tempest attacks may suggest collaboration between the two groups,” Microsoft said.  

It said it had not seen these two groups collaborating before.

Microsoft first posted to its Twitter thread last week that it believed the two criminal groups were working together in a ransomware campaign.

“Clop is the latest ransomware strain that Sangria Tempest has been observed deploying over the years. The group previously deployed REvil and Maze before managing the now-retired DarkSide and BlackMatter ransomware operations,” Microsoft tweeted.

In a report prepared for paying customers of its Defender Threat Intelligence platform, Microsoft said it had not identified an initial access vector pattern related to Sangria Tempest’s recent Clop ransomware deployment. However, it did say once the group gains access to a system, it begins its activity with a custom, highly obfuscated PowerShell script (POWERTRASH), ia64.ps1. The script is used to reflectively load additional payloads into the system, in this case an embedded Lizar (or Diceloader) dynamic-link library (DLL).

“Reflective loading conceals the launch of the payload by designating and then launching a payload within the process memory rather than on disk,” the Defender TI report said. “Lizar is a post-exploitation kit, also originating from the group, which allowed them to gain a foothold into the compromised environment.”

Highlighting the links between FIN7/Sangria Tempest and DEV-0950/Lace Tempest, Microsoft noted that like Sangria Tempest, Lace Tempest incorporated POWERTRASH into their campaign targeting PaperCut servers. And in one identified Lace Tempest attack, the group used POWERTRASH to deliver Lizar.

Microsoft said once Sangria Tempest had established a foothold in a compromised system, it used commodity tools such as OpenSSH, to achieve persistence, and Impacket for lateral movement, Windows credential dumping, and remote launching.

Sangria Tempest installed OpenSSH, a tunneling tool, in C:\Windows\OpenSSH instead of the standard OpenSSH path in System32.

The group used Impacket’s Windows Management Instrumentation (WMI) modules to remotely launch a PowerShell script out of C:\windows\temp\ to deploy the Clop ransomware payload from the same folder.

Sangria Tempest renamed the payload as win.exe and then deleted the PowerShell scripts and text files after launch.

Microsoft said Sangria Tempest dropped a ransom note claiming to have exfiltrated data from the compromised systems.

“Although the group historically exfiltrated data for double extortion, in this recent activity, Microsoft was unable to identify any data exfiltration tools. A notable detail is that the ransomware note found had extensive details about the stolen data, with a custom set of threats for the victim.”

As well as re-emerging on the ransomware scene with these new campaigns, FIN7 has also been observed carrying out other types of attacks in recent months.

Since February, the group, along with former members of the now-defunct Conti ransomware operation, have been targeting corporate networks with a novel Domino malware.

And since March, FIN7 has been facilitating Lizar/Diceloader to attack Veeam Backup and Replication instances that have not been patched to remediate the CVE-2023-27532 vulnerability.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.