In May 2023, the U.S. attorney for Washington state declared “Fin7 is an entity no more.”
Evidence of Fin7’s revival came in April 2024, when Blackberry published a report on an intrusion at a large automotive firm. The intrusion began with malware served by a typosquatting attack that targeted people searching for a popular free network scanning tool.
https://blogs.blackberry.com/en/2024/04/fin7-targets-the-united-states-automotive-industry
Now, researchers at security firm Silent Push say they have devised a way to map out Fin7’s rapidly regrowing cybercrime infrastructure, which includes more than 4,000 hosts that employ a range of exploits.
https://www.silentpush.com/blog/fin7/
Among those hosts are Fin7 domains targeting or spoofing brands including American Express, Affinity Energy, Airtable, Alliant, Android Developer, Asana, Bitwarden, Bloomberg, and Cisco (Webex).
In its typosquatting attacks, Fin7 registers domains that closely resemble those of popular free software tools. The look-alike domains are then advertised on Google so that sponsored links to them appear prominently in search results, usually above the legitimate source of the software in question.
[Image: a malicious site spoofing FreeCAD, shown as a sponsored result on Google]
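The detection side of the typosquatting technique described above, as an added example that is not code from the article, from Silent Push, or from any tool named on the page: given a list of protected brand names and their real registrable domains, it flags observed domains that are a small edit away from a brand, that hide a digit-for-letter swap, or that glue the brand name onto extra words. The brand list, the allowlisted domains and the "observed" domains are all constructed sample input for the example, not real Fin7 indicators.

```python
"""Flag look-alike (typosquat) domains against a list of protected brands.

Added example; not code from the article, Silent Push, or any tool it names.
Every domain and brand below is constructed sample input, not a real indicator.
"""

# Constructed allowlist of each brand's real registrable domain(s). In a real
# deployment this would come from an asset inventory (assumption for the example).
PROTECTED = {
    "freecad": {"freecad.org"},
    "bitwarden": {"bitwarden.com"},
    "asana": {"asana.com"},
}

# Common digit-for-letter swaps seen in look-alike registrations, reversed so
# that "b1twarden" is compared as "bltwarden" (one edit from "bitwarden").
HOMOGLYPH_UNDO = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'freecad' for 'www.freecad.org'.

    Deliberately crude: it ignores the public-suffix list, so 'x.co.uk' yields
    'co'. Use a PSL library before running this on real telemetry.
    """
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, protected=PROTECTED, max_distance: int = 1):
    """Return (verdict, brand, reasons).

    verdict is 'legitimate' (an allowlisted domain or a subdomain of one),
    'lookalike' (close to a protected brand but not allowlisted), or 'unrelated'.
    """
    dom = domain.lower().strip(".")
    for brand, legit in protected.items():
        if dom in legit or any(dom.endswith("." + real) for real in legit):
            return ("legitimate", brand, [])

    label = registrable_label(dom)
    tokens = label.split("-")
    squashed = label.replace("-", "")
    for brand in protected:
        reasons = []
        # "freecad-download.com" or "freecaddownload.com": brand plus extra words.
        extra_tokens = (brand in tokens and label != brand) or (
            squashed != brand
            and (squashed.startswith(brand) or squashed.endswith(brand)))
        if extra_tokens:
            reasons.append("brand name combined with extra tokens")
        dist = min(levenshtein(squashed, brand),
                   levenshtein(squashed.translate(HOMOGLYPH_UNDO), brand))
        if dist == 0:
            reasons.append("brand name (ignoring hyphens/digit swaps) on a "
                           "non-allowlisted domain")
        elif dist <= max_distance:
            reasons.append(f"edit distance {dist} from brand")
        if reasons:
            return ("lookalike", brand, reasons)
    return ("unrelated", None, [])


# Constructed sample of "newly observed" domains, as one might pull from
# passive DNS or ad-landing-page telemetry. None of these are real indicators.
OBSERVED = [
    "docs.freecad.org",       # subdomain of the real site -> legitimate
    "frecad.com",             # one character dropped
    "free-cad.net",           # hyphen inserted, different TLD
    "freecad-download.com",   # brand name plus a lure word
    "b1twarden.com",          # digit-for-letter swap
    "example.com",            # unrelated
]


def scan(domains=OBSERVED, protected=PROTECTED):
    """Return only the look-alikes: (domain, matched brand, reasons)."""
    hits = []
    for d in domains:
        verdict, brand, reasons = classify(d, protected)
        if verdict == "lookalike":
            hits.append((d, brand, reasons))
    return hits


if __name__ == "__main__":
    for d, brand, reasons in scan():
        print(f"{d:24} -> {brand}: {'; '.join(reasons)}")
```

The allowlist check runs first so the brand's own subdomains never trip the distance test; everything else is compared on the registrable label with hyphens removed and common digit swaps undone. The edit-distance threshold of 1 is deliberately tight to keep false positives down on short brand names; raise it only for long brand names, and feed the output into a review queue rather than an automatic block.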
In April, Malwarebytes blogged about a similar campaign.
https://www.threatdown.com/blog/corporate-users-targeted-via-malicious-ads-and-modals/
FIN7 rents a large amount of dedicated IP space on Stark Industries; analysts have discovered numerous Stark Industries IPs that are solely dedicated to hosting FIN7 infrastructure.