FIN7, lands malware in law firm using fake legal complaint

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp
Share on email
Share on print

Despite multiple arrests and the conviction of several members of the notorious cybercrime gang, FIN7 (a.k.a. Carbanak Group), the group continues to develop its business model and toolset throughout 2021. During the first week of June 2021, eSentire’s Threat Response Unit (TRU) witnessed an opportunistic malspam campaign that was conducted by the FIN7 group. The criminal group used a fake legal complaint centering around Brown-Forman Inc. Brown-Forman is a large, US-based wine and spirits company and the maker of the popular Jack Daniels whisky. On June 10, external researchers observed a USPS mail delivery notification lure. It was associated with the same infrastructure set as the legal complaint lure. Toward the end of June, a ProofPoint researcher documented a Windows 11 lure used to deliver JSSLoader.

One of the victims of the malicious legal complaint campaign was a law firm. The lure successfully bypassed the law firm’s email filters, and it was not detected as suspicious by any of the firm’s employees. eSentire’s TRU team identified the malicious document through threat hunting activities.

The initial stage of the malware arrives as an Excel attachment, which downloads and executes a variant of the JSSLoader Remote Access Trojan (RAT). The variant has been reported as being used by the FIN7 group. The malicious Excel document leverages Windows Management Instrumentation (WMI) to install the RAT. Once installed, JSSLoader provides the threat group with a backdoor to the victim’s computer and the organization.

FIN7 objectives
FIN7 is a financially motivated cybercrime group which gained notoriety for stealing millions of credit card numbers from businesses around the world. One security research team reported that the crime group stole more than a billion dollars between 2015 and 2018 from companies globally. US federal law officials filed court documents on June 17, 2021 stating that FIN7 had more than 70 members, all assigned to various departments under the larger organization. The court documents went on to say that the FIN7 leaders would organize their personnel into different teams. These teams are tasked with creating malware, crafting phishing documents and collecting money from compromised victims. As for the US victims, court officials stated that the group went after hundreds of US companies infecting organizations ranging from the burrito chain Chipotle and the department store Saks Fifth Avenue. FIN7 is one of many cyber gangs observed participating in Magecart attacks. Magecart is a consortium of malicious hacker groups who target online shopping cart systems, such as the Magento system, to steal customer payment card information.

FIN7 has also been associated with the Ryuk ransomware group. In December 2020, security researchers at Trusec observed an attacker use the tools and techniques of FIN7 to gain a foothold into an enterprise. In a second attack against the company, almost six weeks later, that same foothold was used to launch Ryuk ransomware into the victim’s environment. The Truesec researchers stated that this was the first instance where they had observed a combination of FIN7 tools and the RYUK ransomware. Until this incident, they said they had never seen FIN7 associated with ransomware attacks. The TRU has also never observed a connection between FIN7 and the Ryuk ransomware group. Truesec theorized “it was possible FIN7 simply sold the access to the Ryuk group, but it is probable that FIN7 and the Ryuk gang are more closely affiliated and may be part of the same organized crime network.” No matter which theory is correct, this implies that few criminal organizations are out of scope for FIN7, since ransomware can often monetize intrusions regardless of the industry.

Similar conclusions can be drawn from the recent analysis on the victimology of the Avaddon ransomware group, which demonstrates a diverse set of victim targets, across business sectors and revenue volumes. These observations are part of a trend of modern, financially motivated attacks which implement a threat model that is effective, regardless of an organization’s industry. If FIN7 cannot make use of an organization they have compromised, they are likely to participate in the “initial access market,” selling or trading access to the victim entity with another threat actor or threat group. Those threat actors are likely to be a ransomware group or its affiliates to monetize the access.

FIN7’s malicious spam campaign using a legal lure involving Brown-Forman Inc.
During this attack, the initial email arrives alleging a legal complaint for wine and spirits company, Brown-Forman, as observed by the TRU team, as well as other researchers. Brown-Forman is one of the largest American-owned spirits and wine companies and among the top 10 largest global spirits companies.

Several researchers reported this lure, indicating that this was not a single incident, but most likely an opportunistic spam campaign. Corporate users might immediately suspect a random legal complaint, that arrives via email, from a large spirits and wine company. However, law firms deal with legal complaints across industry verticals regularly so the content would not be considered out of the ordinary. Thus, law firms may be more susceptible to this topic.

FIN7’s shifting lures
On June 10, external researchers observed FIN7 using a USPS-themed email attachment. The USPS lure is more generic and thus, more opportunistic in nature. And as mentioned previously, during the last week of June, a Proofpoint researcher saw a Windows 11 lure which led to the JSSLoader.

Whatever the specific intentions of FIN7, they appear to be actively adjusting their lures to maximize campaign success. For example, the legal complaint lure hit Internet users’ email inboxes the first week of June, just one month before settlement claims were due for a class action suit against Brown-Forman regarding a ransomware breach the company suffered in August 2020. The infamous REvil (Sodin) gang took credit for the ransomware attack. Although the company said they were able to disrupt the attack before their data could be encrypted, the REvil gang broadcasted on their blog/leak site that they had access to Brown-Forman’s systems for over a month and stole a terabyte of their company data.

The fact that the TRU spotted FIN7 launching a malicious email campaign in June 2021, using the Brown-Forman legal complaint as a lure, and it was approximately one month before claim forms were due from victims is coincidental. Whether FIN7 is connected to the REvil (Sodinokibi) attack against Brown-Forman or whether they are simply capitalizing on public news regarding the case remains to be seen. In further examining potential connections between FIN7 and REvil, in August 2020 a Swiss security company promised to demonstrate connections between the two threat groups in a series of blog posts but never provided sufficient evidence. It appears that they were left waiting for confirmation from the ransomware victims. Regardless, what we do know for sure is that cybercriminals use well-timed lures and try to predict the susceptibility of a theme for their threat campaigns, and they will use lures built around social trends , global crises and routine events.


To stay up to date on the latest, trends, innovations, people news and company updates within the global security market please register to receive our newsletter here.

Media contact

Rebecca Morpeth Spayne,
Editor, Security Portfolio

Tel: +44 (0) 1622 823 922



Subscribe to our newsletter

Don't miss new updates on your email