FIN7 Advanced Persistent Threat Group – Indicators of Compromise
FIN7 is an Advanced Persistent Threat group that has attacked over one hundred organisations in the United States and Europe, including government bodies. Several individuals from the group have been prosecuted, but it is believed that there are others who continue to engage in cyber crime.
The group is highly proficient at using social engineering to gain a foothold. FIN7’s incursion methods include malicious macros in fake documents and spear phishing campaigns. FIN7 is known to impersonate government bodies and make telephone contact with pre-determined employees to gain trust. Once infection has been achieved, the group usually deploys the Carbanak backdoor to maintain access to affected devices. FIN7 is therefore sometimes known as the Carbanak group.
FIN7 uses digital certificates on its phishing documents and backdoors, which has allowed it to defeat a range of security controls that would have otherwise limited the execution of malicious code. It has also used the native string substitution methods in the Windows command prompt to obfuscate their payloads. The group has gone to the lengths of creating a front company called Combi Security to disguise its activities.
FIN7 usually attempts to obtain payment card details from affected organisations, but when this has not been obtainable then it has switched to targeting finance departments.
Fin7 is known by many names. The FIN7 name itself is often associated with retail and hospitality credit card number heists, while another group—perhaps another division of the same entity, or a pre-existing gang that Fin7 spun off from—focuses on targeting financial organizations to directly steal and launder money. This bank heist operation has been called Carbanak or Cobalt (after a tool called Cobalt Strike), or some variation; Fin7 is sometimes called by these names as well.
The following IP addresses and domains sould be blocked :-
IP Addresses
| 107[.]161[.]159[.]17 |
| 107[.]181[.]160[.]12 |
| 107[.]181[.]160[.]75 |
| 162[.]244[.]32[.]168 |
| 162[.]244[.]32[.]175 |
| 179[.]43[.]140[.]82 |
| 179[.]43[.]140[.]85 |
| 179[.]43[.]160[.]162 |
| 179[.]43[.]160[.]215 |
| 185[.]104[.]8[.]173 |
| 198[.]100[.]119[.]28 |
| 204[.]155[.]30[.]100 |
| 204[.]155[.]30[.]100 |
| 23[.]249[.]162[.]161 |
| 5[.]8[.]88[.]64 |
| 94[.]140[.]120[.]132 |
| 95[.]215[.]45[.]95 |
| 95[.]215[.]46[.]70 |
| 95[.]215[.]46[.]76 |
| 185[.]66[.]15[.]50 |
| 194[.]165[.]16[.]113 |
| 46[.]161[.]3[.]23 |
| 85[.]93[.]2[.]148 |
| 85[.]93[.]2[.]149 |
| 81[.]177[.]27[.]41 |
| 95[.]46[.]45[.]128 |
| 185[.]17[.]121[.]200 |
| 185[.]20[.]184[.]109 |
| 185[.]220[.]35[.]20 |
| 185[.]5[.]248[.]167 |
| 194[.]165[.]16[.]134 |
| 195[.]133[.]48[.]65 |
| 195[.]133[.]49[.]73 |
| 217[.]23[.]155[.]19 |
| 31[.]184[.]234[.]66 |
| 31[.]184[.]234[.]71 |
| 5[.]188[.]10[.]102 |
| 5[.]188[.]10[.]102 |
| 5[.]188[.]10[.]248 |
| 85[.]93[.]2[.]111 |
| 85[.]93[.]2[.]148 |
| 85[.]93[.]2[.]56 |
| 85[.]93[.]2[.]73 |
| 85[.]93[.]2[.]92 |
| 89[.]223[.]30[.]99 |
| 104[.]193[.]252[.]167 |
| 104[.]232[.]34[.]166 |
| 104[.]232[.]34[.]36 |
| 107[.]181[.]160[.]76 |
| 119[.]81[.]178[.]100 |
| 119[.]81[.]178[.]101 |
| 138[.]201[.]44[.]3 |
| 138[.]201[.]44[.]4 |
| 179[.]43[.]147[.]71 |
| 185[.]180[.]197[.]20 |
| 185[.]180[.]197[.]34 |
| 185[.]86[.]151[.]175 |
| 191[.]101[.]242[.]162 |
| 195[.]54[.]162[.]237 |
| 195[.]54[.]162[.]245 |
| 195[.]54[.]162[.]79 |
| 198[.]100[.]119[.]6 |
| 198[.]100[.]119[.]7 |
| 204[.]155[.]31[.]167 |
| 204[.]155[.]31[.]174 |
| 217[.]12[.]208[.]80 |
| 31[.]148[.]219[.]141 |
| 31[.]148[.]219[.]18 |
| 31[.]148[.]219[.]44 |
| 31[.]148[.]220[.]107 |
| 31[.]148[.]220[.]215 |
| 5[.]149[.]250[.]235 |
| 5[.]149[.]250[.]241 |
| 5[.]149[.]252[.]144 |
| 5[.]149[.]253[.]126 |
| 8[.]28[.]175[.]68 |
| 81[.]17[.]28[.]118 |
| 91[.]235[.]129[.]251 |
| 94[.]140[.]120[.]122 |
| 94[.]140[.]120[.]134 |
| 95[.]215[.]46[.]229 |
| 95[.]215[.]47[.]105 |
| 5[.]135[.]73[.]113 |
| 5[.]8[.]88[.]64 |
Domain Names
| bigred-tours[.]com |
| clients12-google[.]com |
| clients2-google[.]com |
| p3-marketing[.]com |
| cdn-googleapi[.]com |
| cdn-googleservice[.]com |
| acity-lawfirm[.]com |
| algew[.]me |
| aloqd[.]pw |
| amhs[.]club |
| anselbakery[.]com |
| apvo[.]club |
| arctic-west[.]com |
| auyk[.]club |
| b-bconsult[.]com |
| bcleaningservice[.]com |
| bigrussianbss[.]com |
| bipismol[.]com |
| bipovnerlvd[.]com |
| blopsadmvdrl[.]com |
| blopsdmvdrl[.]com |
| bnrnboerxce[.]com |
| bpee[.]pw |
| bureauofinspections[.]com |
| bvyv[.]club |
| bwuk[.]club |
| bwwrvada[.]com |
| cgqy[.]us |
| chatterbuzz-media[.]com |
| chenstravelconsulting[.]com |
| cihr[.]site |
| citizentravel[.]biz |
| cjsanandreas[.]com |
| ckwl[.]pw |
| cloo[.]com |
| cnkmoh[.]pw |
| cnlu[.]net |
| cnmah[.]pw |
| coec[.]club |
| coffee-joy-usa[.]com |
| cspg[.]pw |
| ctxdns[.]org |
| ctxdns[.]pw |
| cuuo[.]us |
| daskd[.]me |
| dbxa[.]pw |
| ddmd[.]pw |
| deliciouswingsny[.]com |
| dlex[.]pw |
| dlox[.]pw |
| dnstxt[.]net |
| dnstxt[.]org |
| doof[.]pw |
| dosdkd[.]mo |
| dpoo[.]pw |
| dsud[.]com |
| dtxf[.]pw |
| duglas-manufacturing[.]com |
| dvso[.]pw |
| dyiud[.]com |
| eady[.]club |
| enuv[.]club |
| eter[.]pw |
| extmachine[.]biz |
| facs[.]pw |
| fbjz[.]pw |
| fhyi[.]club |
| firsthotelgroup[.]com |
| firstprolvdrec[.]com |
| fkij[.]net |
| flowerprosv[.]com |
| fredbanan[.]com |
| futh[.]pw |
| gcan[.]site |
| ge-stion[.]com |
| gjcu[.]pw |
| gjuc[.]pw |
| glavpojdfde[.]com |
| gnoa[.]pw |
| gnsn[.]us |
| goldman-travel[.]com |
| goproders[.]com |
| gprw[.]site |
| grand-mars[.]ru |
| grij[.]us |
| gsdg[.]site |
| guopksl[.]com |
| gxhp[.]top |
| hijrnataj[.]com |
| hilertonv[.]com |
| hilopser[.]com |
| hippsjnv[.]com |
| hldu[.]site |
| hoplessinple[.]com |
| hoplessinples[.]com |
| hopsl3[.]com |
| hvzr[.]info |
| idjb[.]us |
| ihrs[.]pw |
| imyo[.]site |
| itstravel-ekb[.]ru |
| ivcm[.]club |
| jblz[.]net |
| jersetl[.]com |
| jimw[.]club |
| jipdfonte[.]com |
| jiposlve[.]com |
| jjee[.]site |
| johsimsoft[.]org |
| jomp[.]site |
| josephevinchi[.]com |
| just-easy-travel[.]com |
| juste-travel[.]com |
| jxhv[.]site |
| kalavadar[.]com |
| kashtanspb[.]ru |
| kbep[.]pw |
| kiposerd[.]com |
| kiprovol[.]com |
| kiprovolswe[.]com |
| kjke[.]pw |
| kjko[.]pw |
| koldsdes[.]com |
| kshv[.]site |
| kuyarr[.]com |
| kwoe[.]us |
| ldzp[.]pw |
| lgdr[.]com |
| lhlv[.]club |
| lnoy[.]site |
| luckystartwith[.]com |
| lvrm[.]pw |
| lvxf[.]pw |
| manchedevs[.]org |
| maofmdfd5[.]com |
| meli-travel[.]com |
| melitravel[.]ru |
| mewt[.]us |
| mfka[.]pw |
| michigan-construction[.]com |
| mjet[.]pw |
| mjot[.]pw |
| mjut[.]pw |
| mkwl[.]pw |
| molos-2[.]com |
| mtgk[.]site |
| mtxf[.]com |
| muedandubai[.]com |
| muhh[.]us |
| mut[.]pw |
| mvze[.]pw |
| mvzo[.]pw |
| mxfg[.]pw |
| mxtxt[.]net |
| myspoernv[.]com |
| navigators-travel[.]com |
| neartsay[.]com |
| nevaudio[.]com |
| neverfaii[.]com |
| nroq[.]pw |
| ns0[.]site |
| ns0[.]space |
| ns0[.]website |
| ns1[.]press |
| ns1[.]website |
| ns2[.]press |
| ns3[.]site |
| ns3[.]space |
| ns4[.]site |
| ns4[.]space |
| ns5[.]biz |
| ns5[.]online |
| ns5[.]pw |
| ntlw[.]net |
| nwrr[.]pw |
| nxpu[.]site |
| oaax[.]site |
| odwf[.]pw |
| odyr[.]us |
| okiq[.]pw |
| oknz[.]club |
| olckwses[.]com |
| olgw[.]my |
| oloqd[.]pw |
| oneliveforcopser[.]com |
| onokder[.]com |
| ooep[.]pw |
| oof[.]pw |
| ooyh[.]us |
| orfn[.]com |
| otzd[.]pw |
| oxrp[.]info |
| oyaw[.]club |
| p3marketing[.]org |
| pafk[.]us |
| palj[.]us |
| park-travels[.]com |
| parktravel-mx[.]ru |
| partnersind[.]biz |
| pbbk[.]us |
| pbsk[.]site |
| pdoklbr[.]com |
| pdokls3[.]com |
| pgnb[.]net |
| pinewood-financial[.]com |
| pjpi[.]com |
| plusmarketingagency[.]com |
| ppdx[.]pw |
| prideofhume[.]com |
| pronvowdecee[.]com |
| proslr3[.]com |
| prostelap3[.]com |
| proverslokv4[.]com |
| provnkfexxw[.]com |
| pvze[.]club |
| qdtn[.]us |
| qefg[.]info |
| qlpa[.]club |
| qsez[.]club |
| qznm[.]pw |
| rdnautomotiv[.]biz |
| redtoursuk[.]org |
| reld[.]info |
| rescsovwe[.]com |
| revital-travel[.]com |
| revitaltravel[.]com |
| rmbs[.]club |
| rnkj[.]pw |
| rtopsmve[.]com |
| rzzc[.]pw |
| sgvt[.]pw |
| shield-checker[.]com |
| simpelkocsn[.]com |
| simplewovmde[.]com |
| soru[.]pw |
| sprngwaterman[.]com |
| strideindastry[.]biz |
| strideindustrial[.]com |
| strideindustrialusa[.]com |
| strikes-withlucky[.]com |
| swio[.]pw |
| tijm[.]pw |
| tnt-media[.]net |
| true-deals[.]com |
| trustbankinc[.]com |
| tsrs[.]pw |
| turp[.]pw |
| twfl[.]us |
| ueox[.]club |
| ufyb[.]club |
| utca[.]site |
| uwqs[.]club |
| vdfe[.]site |
| viebsdsccscw[.]com |
| viebvbiiwcw[.]com |
| vikppsod[.]com |
| vjro[.]club |
| vkpo[.]us |
| voievnenibrinw[.]com |
| vpua[.]pw |
| vpuo[.]pw |
| vqba[.]info |
| vwcq[.]us |
| vxqt[.]us |
| vxwy[.]pw |
| wein[.]net |
| wfsv[.]us |
| whily[.]pw |
| wider-machinery-usa[.]com |
| widermachinery[.]biz |
| widermachinery[.]com |
| wnzg[.]us |
| wqiy[.]info |
| wruj[.]club |
| wuc[.]pw |
| wvzu[.]pw |
| xhqd[.]pw |
| xnlz[.]club |
| xnmy[.]com |
| yamd[.]pw |
| ybnz[.]site |
| ydvd[.]net |
| yedq[.]pw |
| yodq[.]pw |
| yomd[.]pw |
| yqox[.]pw |
| ysxy[.]pw |
| zcnt[.]pw |
| zdqp[.]pw |
| zjav[.]us |
| zjvz[.]pw |
| zmyo[.]club |
| zody[.]pw |
| zrst[.]com |
| zugh[.]us |
| clients14-google[.]com |
| clients18-google[.]com |
| clients19-google[.]com |
| clients23-google[.]com |
| clients31-google[.]com |
| clients33-google[.]com |
| clients39-google[.]com |
| clients46-google[.]com |
| clients47-google[.]com |
| clients51-google[.]com |
| clients52-google[.]com |
| clients55-google[.]com |
| clients56-google[.]com |
| clients57-google[.]com |
| clients58-google[.]com |
| clients6-google[.]com |
| clients62-google[.]com |
| clients7-google[.]com |
| fda-gov[.]com |
| dropbox-security[.]com |
| google-sll1[.]com |
| google-ssls[.]com |
| google-stel[.]com |
| google3-ssl[.]com |
| google4-ssl[.]com |
| google5-ssl[.]com |
| ssl-googles4[.]com |
| ssl-googlesr5[.]com |
| stats10-google[.]com |
| stats25-google[.]com |
| treasury-government[.]com |
| usdepartmentofrevenue[.]com |
| bols-googls[.]com |
| moopisndvdvr[.]com |
| dewifal[.]com |
| essentialetimes[.]com |
| fisrdteditionps[.]com |
| fisrteditionps[.]com |
| micro-earth[.]com |
| moneyma-r[.]com |
| newuniquesolutions[.]com |
| wedogreatpurchases[.]com |
We have checked and some of the above domains show as malicious, and some show as no longer registered.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.