{
	"id": "a053a8e8-ba39-46ad-93dc-e8e9054f1aea",
	"created_at": "2026-04-06T00:11:46.237625Z",
	"updated_at": "2026-04-10T03:35:52.810914Z",
	"deleted_at": null,
	"sha1_hash": "26c5f04f3e4ff48ffca259637b7473a2b93ee213",
	"title": "FIN7 Not Finished – Morphisec Spots New Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1701923,
	"plain_text": "FIN7 Not Finished – Morphisec Spots New Campaign\r\nBy Michael Gorelik\r\nArchived: 2026-04-05 16:39:40 UTC\r\nThis blog was co-authored by Alon Groisman.\r\nIt seems the rumors of FIN7’s decline have been hasty. Just a few months after the well-publicized indictment of three high-ranking members in August, Morphisec has identified a new FIN7 campaign that appears to be targeting the restaurant industry.\r\nFIN7, also known as Carbanak, is one of the major threat groups tracked by Morphisec and numerous other security entities, and is among the top three criminal computer intrusion cases the FBI is currently working. FIN7 is composed of a very sophisticated network of developers and hackers and brings in an estimated $50 million a month. They target very specific industries, hospitality (hotels and restaurants) being one of them, and are behind a string of high-profile breaches including Red Robin, Chili’s, Arby’s, Burgerville, Omni Hotels and Saks Fifth Avenue, among many others.\r\nFIN7 is known for its stealth techniques and its ability to continuously evade security systems. In the case of Burgerville, malware sat on the company’s network collecting payment data for nearly a year before it was discovered, and then only because of an FBI investigation.\r\nIn this blog post, we present our findings on two campaigns, which occurred in the first and second weeks of November. These campaigns follow patterns similar to those presented by FireEye in August, but with just enough variation to bypass many security vendors.\r\nTechnical Description\r\nThe initial document was probably sent within the Baltic region (or tested there): it was submitted to VirusTotal from Latvia. The name of the document, translated from Russian, is “new questionnaire”. It is password-protected with the password “goodmorning”.\r\nOprosnik_new.doc (6e1230088a34678726102353c622445e1f8b8b8c9ce1f025d11bfffd5017ca82)\r\nhttps://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign\r\nPage 1 of 10\r\nIt uses social engineering to convince the recipient to enable macros, borrowing the images, logo and tagline of InvinciBull, a newly launched, legitimate VPN tool from the cybersecurity company Finjan.\r\nIf the “enable macro” button is activated, the following obfuscated macro runs and the next-stage obfuscated JavaScript is extracted from a form caption, as in the last several FIN7 campaigns.\r\nExamining the metadata of the document shows that it was created on 11.02.2018.\r\nFollowing deobfuscation of the macro, we notice the known FIN7 pattern of executing JavaScript from VBScript, with the slight modification of copying the wscript.exe file and renaming it to mses.exe. This may allow it to bypass some EDR solutions that trace WScript by process name.\r\nBelow is the obfuscated JavaScript, which is written to the temp directory as error.txt. The obfuscation pattern is similar to previously seen FIN7 patterns and is most probably a derivation of the same obfuscation toolkit.\r\nDeobfuscated JavaScript\r\nThe deobfuscated JavaScript is actually a backdoor component that communicates directly with the C2 server (in this case hxxps://bing-cdn[.]com). It executes the response, which is yet another JavaScript command, by passing it to eval. 
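The renamed script host and the error.txt drop described above lend themselves to a process-creation check that does not key on the image name, which is exactly what the copy-and-rename trick defeats. The following is an added example, not code from the Morphisec post: it triages Sysmon-style process-creation events by the OriginalFileName recorded from the PE version resource, the parent process, and the extension and location of the file handed to the script host. The event records, the WINWORD.EXE parent, the //e:jscript and //b switches and the temp-directory paths are all constructed for illustration; the post does not show the exact command line the macro uses.

```python
"""Process-creation triage for the renamed script host described above.

Added example (not code from the Morphisec post).  It scans Sysmon-style
process-creation events (Event ID 1) and flags the chain the post describes:
an Office process spawning a Windows Script Host whose on-disk name has been
changed (mses.exe) and which is fed a payload with a non-script extension
(error.txt) out of the user's temp directory.  The events at the bottom are
constructed for the example; field names follow Sysmon's EventData schema.
"""
import ntpath
from dataclasses import dataclass

# OriginalFileName comes from the PE version resource, which Sysmon records
# for every process it sees, so it survives the copy-and-rename trick.
SCRIPT_HOST_ORIGINALS = {"wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


@dataclass
class Finding:
    process_id: int
    rule: str
    detail: str


def basename_lower(path):
    return ntpath.basename(path).lower()


def is_temp_path(path):
    p = path.lower().replace("/", "\\")
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def payload_args(command_line):
    """Tokens after the program name that look like file paths; WSH switches
    such as //e:jscript or //b start with a slash and are dropped."""
    tokens = command_line.replace('"', "").split()
    return [t for t in tokens[1:] if not t.startswith("/")]


def triage(events):
    """Return one Finding per rule hit, in event order."""
    findings = []
    for ev in events:
        original = ev.get("OriginalFileName", "").lower()
        if original not in SCRIPT_HOST_ORIGINALS:
            continue  # not a script host, whatever it is named on disk
        pid = ev["ProcessId"]
        image = basename_lower(ev["Image"])
        parent = basename_lower(ev.get("ParentImage", ""))
        if image != original:
            findings.append(Finding(pid, "renamed_script_host",
                                    f"{image} is really {original}"))
        if parent in OFFICE_PARENTS:
            findings.append(Finding(pid, "office_spawned_script_host",
                                    f"parent {parent}"))
        for arg in payload_args(ev["CommandLine"]):
            ext = ntpath.splitext(arg)[1].lower()
            if ext and ext not in SCRIPT_EXTENSIONS and is_temp_path(arg):
                findings.append(Finding(pid, "non_script_payload_from_temp", arg))
    return findings


# Constructed sample events (assumed paths and switches, not from the post).
SAMPLE_EVENTS = [
    {   # benign: the real script host running a logon script
        "ProcessId": 4100,
        "Image": r"C:\Windows\System32\wscript.exe",
        "OriginalFileName": "wscript.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\wscript.exe" \\corp\netlogon\logon.vbs',
    },
    {   # the chain from the post: Word macro -> renamed wscript -> error.txt
        "ProcessId": 5280,
        "Image": r"C:\Users\jdoe\AppData\Local\Temp\mses.exe",
        "OriginalFileName": "wscript.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
        "CommandLine": r"mses.exe //e:jscript //b C:\Users\jdoe\AppData\Local\Temp\error.txt",
    },
    {   # unrelated process touching the same file name: ignored
        "ProcessId": 6012,
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\jdoe\AppData\Local\Temp\error.txt",
    },
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"pid {f.process_id}: {f.rule} ({f.detail})")
```

Run as-is it prints three findings, all for the constructed mses.exe process, and nothing for the genuine wscript.exe or for notepad. The point is that the match is on OriginalFileName rather than on the on-disk name, so renaming the copied host does not hide it; pairing that with an Office parent and a payload whose extension is not a script extension narrows the hit to the chain in this campaign. In production the executable's file hash is the second name-independent key worth adding, since OriginalFileName can itself be patched out of a copied binary.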
Although there have been slight modifications to the macro delivery in the last couple of campaigns, the JavaScript backdoor stays the same, including its communication protocol.\r\nDuring the first request, the MAC address and the computer domain are also delivered to the C2. We believe that the next stage is only delivered to specific targets, selected by domain, since the data delivered in the first request is very limited.\r\nYara Rules\r\nSome additional observations that can be used to create Yara rules for this campaign are the locations of the loaded VBControl files, which are written in clear text as part of the document files:\r\nAdditional Samples\r\nSearching on these observations, we identified more samples that were created just a couple of days ago and point to a known C2 registered to the same entity (hxxps://googleapi-cdn[.]com).\r\nBelow is a summary of information for one of those documents:\r\nThe document was submitted from Ukraine (another former Soviet Union country) with the name “dinners.doc” (f5f8ab9863dc12d04731b1932fc3609742de68252c706952f31894fc21746bb8).\r\nThe document again uses the social engineering technique of spoofing a known and trusted entity to convince the victim to enable macros.\r\nBased on the submission date and creation time, the document was sent to the target within 2-3 days of being created.\r\nThe macro is nearly identical to the one described above, except that the names have changed (wscript -\u003e script, errors -\u003e settings) and it uses multiple captions instead of a single one.\r\nThe JavaScript backdoor decodes to a similar backdoor:\r\nConclusion\r\nLike the Hydra, cutting off one, or even three, heads of FIN7 barely slows it down. With the holiday rush nearly upon us, we expect the threat group to step up its activities to take advantage of increased email traffic and seasonal staff who may be less security conscious. Workers in any industry should stay vigilant against social engineering methods, although with today’s highly targeted campaigns this can sometimes be tough to spot. And never enable macros unless you are 100 percent certain that the file is safe.\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and in leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign"
	],
	"report_names": [
		"fin7-not-finished-morphisec-spots-new-campaign"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26c5f04f3e4ff48ffca259637b7473a2b93ee213.pdf",
		"text": "https://archive.orkl.eu/26c5f04f3e4ff48ffca259637b7473a2b93ee213.txt",
		"img": "https://archive.orkl.eu/26c5f04f3e4ff48ffca259637b7473a2b93ee213.jpg"
	}
}