Cybercrime , Fraud Management & Cybercrime , Ransomware

FIN7 Targeted US Automotive Giant In Failed Attack

Spear Phishing Messages Sent to Emplpyees With Admin Rights
FIN7 Targeted US Automotive Giant In Failed Attack
FIN7 targeted a major U.S. automaker. (Image: Shutterstock)

A Russia-based cybercriminal group targeted a large American auto manufacturer, more evidence of its shift to deep-pocketed victims the gang hopes will deliver a major payday.

See Also: Webinar | Everything You Can Do to Fight Social Engineering and Phishing

Threat analysis from BlackBerry tracked a spearphishing campaign in late 2023 from the FIN7 threat group aimed at the car maker.

FIN7 - also known as Carbon Spider, Elbrus and Sangria Tempest - targeted employees with “high levels of administrative rights." BlackBerry said the cyber defenders detected the campaign early on, locating an infected system and isolating it before hackers had a chance to penetrate deeper into the network through lateral movement.

BlackBerry with high confidence attributed the attack to FIN7 due to the group's signature obfuscation techniques and the use of known malware loading tools like PowerTrash, which Microsoft has linked to FIN7 actors.

FIN7 has been active since 2013. Threat analysts say that around 2020, it shifted to "big game hunting" - targeted, low-volume criminal activity conducted with the expectaitons of high returns from moneyed victims. It's used a number of techniques to gain illicit entry to corporate networks, incuding mailing decorative gift boxes containing infected thum drives (see: FIN7 Targets US Enterprises Via BadUSB).

FIN7 is affiliated with other cybercriminal groups including Gold Niagara, Alphv/BlackCat. Recent reports also indicate FIN7's involvement in deploying ransomware such as REvil and DarkSide, as part of their attacks, signaling a shift towards more aggressive tactics. Microsoft said last year the group has ties to the Clop ransomware gang.

In this campaign, the group used spear-phishing emails tailored to the intended victim containing links to a malicious URL, "," designed to mimic a legitimate IP scanning website." That IP address redirected victims to an attacker-owned Dropbox account, causing them to unknowingly downloaded a malicious executable, WsTaskLoad.exe.

The initial payload initiated a multi-stage execution process to deploy the final payload, a backdoor known as Anunak or Carbanak. As part of its execution flow, WsTaskLoad.exe read and decrypted an .wav file that acts as a loader. It extracted the encoded payload embedded within the seemingly benign audio file.

BlackBerry's analysis of the attacker's network infrastructure revealed a interconnected network of domains and proxy servers that FIN7 used to facilitate delivery and maintain access to compromised systems.

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.