
Russia’s FIN7 is peddling its EDR-nerfing malware to ransomware gangs
2024-07-18 13:40

Prolific Russian cybercrime syndicate FIN7 is using various pseudonyms to sell its custom malware for disabling security solutions to different ransomware gangs.

AvNeutralizer malware was previously thought to be solely linked to the Black Basta group, but fresh research has uncovered various underground forum listings of the malicious software now believed to be created by FIN7 operatives.

Criminals using well-known ransomware-as-a-service variants such as LockBit, ALPHV/BlackCat, Trigona, AvosLocker, and Medusa were all found to be making use of AvNeutralizer, although concrete links between FIN7 and these RaaS operations haven't been firmly established.

"Considering the available evidence and prior intelligence, we assess with high confidence that 'goodsoft,' 'lefroggy,' 'killerAV' and 'Stupor' [personas] belong to the FIN7 cluster," said Antonio Cocomazzi, staff offensive security researcher at SentinelOne, in a blog this week.

The full details of how FIN7 crashes EDR solutions are laid out in SentinelOne's blog, but in essence, the tool suspends the child processes of the targeted protected processes.

FIN7 has been in play since 2012 and over the past 12 years it has continually evolved tactics from the early days of deploying point-of-sale card-stealing malware to becoming a fully fledged ransomware gang in 2020.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/18/russias_fin7_is_peddling_its/