Summary
Team Cymru, Silent Push, and Stark Industries Solutions have released a report detailing a joint investigation by the three organizations into the financially motivated threat group FIN7. Despite past disruptions, FIN7 remains active and uses a range of tactics to evade detection. Silent Push’s research identified a significant number of domains linked to FIN7, a portion of which were hosted on Stark’s infrastructure. This discovery prompted a deeper investigation with Stark’s security team, the results of which have been released publicly.
Community Impact
The investigation highlights the importance of proactive measures in identifying and mitigating malicious activity. By working closely with hosting providers like Stark, the security community can collectively reduce the abuse of online infrastructure. The report concludes with recommendations for blocking, hunting, and remediating the identified indicators of compromise (IOCs), and for reporting malicious activity to the relevant authorities and hosting providers. RH-ISAC members are also encouraged to review the FIN7 MISP Profile for the RH-ISAC Threat Actor Galaxy.
Background
The investigation focused on two clusters of potential FIN7 activity, traced back to infrastructure associated with Post Ltd in Russia and SmartApe in Estonia. These entities were found to be communicating with multiple Stark-assigned hosts exhibiting FIN7-related characteristics. The nature of these communications suggested potential management or research activity related to FIN7 infrastructure.
The report emphasizes that it is not an exhaustive analysis of FIN7’s infrastructure but a snapshot of the activity hosted on Stark’s platform. Its primary objectives were to demonstrate the value of collaboration in combating cyber threats and to encourage direct communication with hosting providers.
Indicators of Compromise
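As an added example (not code from the report or from Team Cymru, Silent Push or Stark), the following Python ingests an IOC table in the defanged, pipe-delimited layout this report uses (IP | Domain | Cluster), refangs the values, drops rows whose address is malformed, and groups the domains by attributed cluster so they can be handed to blocking or hunting tooling. The rows embedded in it are constructed placeholders (RFC 5737 addresses, reserved TLDs), not indicators from the report.

```python
"""Ingest a defanged, pipe-delimited IOC table ("IP | Domain | Cluster |") in the
layout of the FIN7 report summary.  Added example, not code from the report or its
authors; the sample rows are constructed (RFC 5737 addresses, reserved TLDs)."""
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed rows in the report's layout: "–" = no domain for that IP; an empty
# third column = the pair was not attributed to either cluster.
SAMPLE_TABLE = """\
IP Address | Domain Name | Cluster (if applicable) |
192[.]0[.]2[.]10 | invoice-portal[.]test | Post Ltd |
192[.]0[.]2[.]10 | invoice-portal[.]example | Both |
198[.]51[.]100[.]7 | – | |
203[.]0[.]113[.]99 | hr-benefits[.]test | SmartApe |
999[.]1[.]1[.]1 | broken[.]test | Both |
"""
DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)

class Indicator(NamedTuple):
    ip: str
    domain: Optional[str]   # None when the row lists only an address
    cluster: Optional[str]  # "Post Ltd", "SmartApe", "Both" or None

def refang(value: str) -> str:
    """Undo common defanging so the value can be used in a blocklist."""
    return DEFANG.sub(".", value.strip())

def parse_ioc_table(text: str) -> list:
    """Parse every row after the header, dropping rows with an invalid IP."""
    out = []
    for line in text.splitlines()[1:]:
        cells = [c.strip() for c in line.strip().rstrip("|").split("|")]
        if len(cells) < 2:
            continue
        ip, domain = refang(cells[0]), refang(cells[1])
        cluster = cells[2] if len(cells) > 2 and cells[2] else None
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # never push a malformed address into a blocklist
        out.append(Indicator(ip, domain if domain not in ("", "–", "-") else None, cluster))
    return out

def block_lists(indicators: list):
    """Unique IPs, unique domains, and domains grouped by attributed cluster."""
    ips = sorted({i.ip for i in indicators})
    domains = sorted({i.domain for i in indicators if i.domain})
    by_cluster: dict = {}
    for i in indicators:
        if i.domain:
            by_cluster.setdefault(i.cluster or "unattributed", set()).add(i.domain)
    return ips, domains, {k: sorted(v) for k, v in by_cluster.items()}
```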