FIN7 Fronts as Legitimate Company

The infamous financially motivated threat group FIN7 has been discovered posing as a legitimate company in order to hire penetration testers and other cybersecurity professionals to do the heavy lifting of the preliminary steps of a typical ransomware attack. FIN7, also tracked as Carbanak, is perhaps best known for attacks on Saks Fifth Avenue and Lord & Taylor stores. Those attacks resulted in the subsequent sale of over 5 million payment cards on the dark web.

According to the US Department of Justice, subsequent card fraud campaigns, including attacks on the hospitality industry, have cost the victims in excess of a billion USD and resulted in approximately 20 million bank card details being compromised.

Now, according to a recently published report by Gemini Advisory, FIN7 is portraying itself as a legitimate company in order to hire cybersecurity professionals who, without knowing it, make FIN7’s life much easier. This is not the first time the threat group has done this. Previously, the group pretended to be “Combi Security” and sought to hire unaware IT specialists for its carding campaigns.


Public focus on Combi Security shut down that operation. Now, similar tactics are being used to front “Bastion Secure” as a legitimate company providing cybersecurity services. The discovery was made when a source of Gemini Advisory was offered a position at the company and was given access to the company’s penetration testing tools, which turned out to be previously leaked FIN7 tools. Further, researchers noted that,

“A Gemini source was offered a position as an IT specialist at “Bastion Secure Ltd”, a cybersecurity “company” seeking C++, Python, and PHP programmers, system administrators, and reverse engineers. A basic search for this company returns a legitimate-appearing website (www[.]bastionsecure[.]com), but analysis revealed that it is a fictitious cybersecurity company run by a cybercriminal group. During the interview process, the source was given several tools for test assignments that the source would use if employed.”

Up until 2020, FIN7 was predominantly focused on stealing and compromising victim bank card information. This was done either by compromising Point of Sale software and machines or by installing card information-stealing malware. However, since 2020, the group has been seen deploying ransomware strains, including Ryuk and Sodinokibi, on compromised networks.

The exact working relationship between FIN7 and the developers of either ransomware remains unclear, but ransomware has become incredibly profitable, with other threat groups looking to pivot away from their traditional income sources. BlackMatter is an excellent example of this.

The tasks assigned to the source reflect FIN7’s change in tactics, pivoting from card-related malware attacks to ransomware, since they mirrored the attack chain of a typical ransomware attack. Researchers further stated,

“More broadly, FIN7’s decision to use a fake cybersecurity company to recruit IT specialists for its criminal activity is driven by FIN7’s desire for comparatively cheap, skilled labor. Bastion Secure’s job offers for IT specialist positions ranged between $800 and $1,200 USD a month, which is a viable starting salary for this type of position in post-Soviet states. However, this “salary” would be a small fraction of a cybercriminal’s portion of the criminal profits from a successful ransomware extortion or large-scale payment card-stealing operation. In effect, FIN7’s fake company scheme enables the operators of FIN7 to obtain the talent that the group needs to carry out its criminal activities, while simultaneously retaining a larger share of the profits...FIN7’s use of Bastion Secure—even after the discovery of Combi Security, the group’s previous fake cybersecurity company—indicates that FIN7 continues to believe that hiring unwitting IT specialists is the group’s best method for balancing the need for a technically skilled team against the operators’ desire for maximum profits.”

The “Hiring” Process

From the experiences of Gemini Advisory’s source, the interview process closely mimics a typical interview and hiring process. It can be separated into three stages, starting with an interview. The second stage requires the potential “hire” to complete a series of practice assignments.

At this point no mention of the company’s criminality is made; however, this soon changes. In the practice assignment stage, the potential hire is given several tools. Researchers found this strange, as a company is unlikely to hand out its custom tools, but the supposed HR staff explained that the tools are handed out to teach hires how to both manage and secure a client’s system.

The third stage is where things take an interesting turn. Here the potential hire is given a real-world task. It became clear to the source that Bastion Secure was involved in the complete opposite of what it claimed, and was hiring individuals to conduct the initial stages of a ransomware attack. Researchers noted,

“In the third stage, Bastion Secure gave the source their first “real” assignment, and it became immediately clear that the company was involved in criminal activity. The fact that the Bastion Secure representatives were particularly interested in file systems and backups signals that FIN7 was more interested in conducting ransomware attacks than POS infections. For the first assignment, Bastion Secure provided the Gemini source with a “client company” to work on. The task would have been to use a script to collect information on domain administrators, domain trust relationships, file shares, backups, and hypervisors (the software responsible for creating and running virtual machines).”

As mentioned above, it was the tools provided to the source, and the reasoning given for their use, that led Gemini Advisory to attribute to FIN7 both the formation of Bastion Secure and its hiring of individuals to effectively compromise target networks.

The tools themselves are made up of tools previously leaked and known to form part of FIN7’s arsenal. The tools were given names like “Command Manager”, but to the source and researchers it was clear they were versions of Carbanak and Lizar/Tirion, which had previously been attributed to the group.

It is clear that FIN7 still believes it can fool prospective IT professionals into doing much of its heavy lifting. To go along with the job postings, the group even developed a professional-looking website to lend credence to its claims. Researchers concluded,

“FIN7’s decision to hire unwitting accomplices, as opposed to finding willing accomplices on the dark web, is likely due to greed. With willing accomplices, FIN7 would be forced to share a percentage of ransom payments totaling millions of dollars, whereas unwitting “employees” would work for monthly salaries in the low thousands, which are commensurate with the labor markets in post-Soviet states. However, FIN7’s greed also afforded Gemini a view into the proprietary tools of this prolific threat team, as well as the exposure of another fake FIN7 company.”


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.
