Despite the arrest of alleged group leaders, the advanced persistent threat (APT) group known as Fin7/Carbanak has reportedly been using GRIFFON malware to target approximately 130 companies, according to Kaspersky Lab.
According to a recent investigation by Kaspersky experts, the cyber gang ran spear-phishing campaigns throughout 2018 that successfully delivered the malware by email: operators exchanged messages with their unsuspecting victims over the course of weeks and, once that trusted connection was established, sent malicious documents as attachments.
“The emails were efficient social-engineering attempts that appealed to a vast number of human emotions (fear, stress, anger, etc.) to elicit a response from their victims. One of the domains used by the attackers in their 2018 campaign of spear phishing contained more than 130 email aliases, leading us to think that more than 130 companies had been targeted by the end of 2018,” researchers wrote.
Researchers observed evidence of collaboration with the AveMaria botnet and other groups known as either CobaltGoblin or EmpireMonkey. In addition, experts reported that the malicious actors created a fake company disguised as a legitimate cybersecurity vendor. The website of this fake organization, though, is apparently registered to the same server that the hacking group uses as a command and control center.
The groups are reportedly using the fraudulent company to recruit unsuspecting freelance vulnerability researchers, program developers and interpreters through online job sites. Researchers suspect that some of those hired by this fake company did not realize the organization was conducting illicit activity, since the employees listed the business on their résumés.
“Modern cyberthreats can be compared to the mythical creature Hydra of Lerna – you cut off one of its heads and it grows two new ones,” said Yury Namestnikov, security researcher at Kaspersky Lab, in the May 8 press release.
“Therefore, the best way to protect yourself from such actors is to implement advanced, multi-layered protection: install all software patches as soon as they are released and do regular security analysis across all networks, systems and devices.”