{
	"id": "2b63b77e-6fe2-41c9-83d0-98eb1f460770",
	"created_at": "2026-04-06T00:08:07.040681Z",
	"updated_at": "2026-04-10T03:35:52.893452Z",
	"deleted_at": null,
	"sha1_hash": "a2d505adba04334a4d8f4af8ee02394dd3b63734",
	"title": "FIN7 Takes Another Bite at the Restaurant Industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3207577,
	"plain_text": "FIN7 Takes Another Bite at the Restaurant Industry\r\nBy Michael Gorelik\r\nArchived: 2026-04-02 12:35:28 UTC\r\nOn June 7, 2017, Morphisec Lab identified a new, highly sophisticated fileless attack targeting restaurants across the US. The ongoing campaign lets the attackers seize control of the system and install a backdoor to steal financial information at will. It incorporates evasive techniques not seen before that allow it to bypass most security solutions, signature-based and behavior-based alike.\r\nIntroduction\r\nAside from these updated techniques, Morphisec’s investigation revealed an almost perfect match to FIN7 attack methods. Past highly successful and damaging attacks on banks, SEC personnel, large restaurant chains and hospitality organizations have all been attributed to the financially motivated FIN7 group. FIN7, which is also associated with the Carbanak gang, must be seen as one of the leading threat actor groups operating today.\r\nLike past attacks, the initial infection vector is a malicious Word document attached to a phishing email that is well tailored to the targeted business and its day-to-day operations. The Word document executes a fileless attack that uses DNS queries to deliver the next shellcode stage (Meterpreter). In this new variant, however, all of the DNS activity is initiated and executed solely from memory, unlike previous attacks, which issued the DNS queries through PowerShell commands.\r\nOpenDNS Investigate data, shared in coordination with the Cisco Advanced Threat Research \u0026 Efficacy Team, shows that this is a large-scale, currently active attack with peaks of more than 10K DNS requests per hour.\r\nAlarmingly, the detection score on VirusTotal for all of the documents has remained 0/56 from the time the first documents were uploaded (1.6.2017) up until the date of this publication. 
This means the attackers successfully bypass static analysis by most security solutions.\r\nBy contrast, Morphisec’s Moving Target Defense-based technology prevents the attack in its early stages, before any channel to the attacker is opened.\r\nhttps://blog.morphisec.com/fin7-attack-modifications-revealed\r\nPage 1 of 12\n\nTechnical Analysis\r\nBelow we describe the full technical details, beginning with the initial email through the final Meterpreter session used to hijack the computer.\r\nPhishing Email:\r\nAs seen in the email below, FIN7’s attack campaign targets restaurants. The content of the email is well crafted to avoid suspicion. Some of the email attachments are called menu.rtf, others Olive Garden.rtf or Chick Fil A Order.rtf (all the identified hashes are listed at the end).\r\nWord Delivery:\r\nThe attached .rtf file uses OLE and has many similarities to previous FIN7 attacks. But this attack, instead of launching HTA files (via mshta.exe) from within the link, executes obfuscated JavaScript code. All the victim needs to do is double-click the envelope icon and press OK.\r\nJavaScript Code Snippets:\r\nThe first stage JavaScript copies additional JavaScript code snippets, stored as .txt files, from the RTF document into a random directory “C:\\Users\\\u003cUser Name\u003e\\\u003cRandom guid\u003e”. The same code snippets are combined into a second stage JavaScript file in “C:\\Users\\\u003cUser Name\u003e”. Additionally, the first stage JavaScript creates a scheduled task that executes the second stage code within a minute. This delayed execution helps to bypass behavior analysis: the second stage is launched by the Task Scheduler rather than by the first stage, which breaks the parent-child process chain that behavioral engines correlate.\r\nPersistence:\r\nIn some cases, an additional scheduled task “AdobeFlashSync” is created for persistence. 
This task is executed every 25 minutes and repeats the actions described above, recreating the JavaScript code, which later creates and executes a PowerShell script (described below).\r\nSecond Stage JavaScript into PowerShell:\r\nThe second stage JavaScript creates a PowerShell file with the same name in the same directory. Afterwards, it deletes its own JavaScript code traces.\r\nThe PowerShell script executes a compressed first stage PowerShell child process, which then launches a second stage PowerShell process. The latter PowerShell process injects shellcode into its own process using the well-known VirtualAlloc and CreateThread technique (allocate executable memory, copy the shellcode into it, start a thread on it).\r\nShellcode:\r\nThe shellcode phase of this attack is unique and demonstrates the constantly advancing abilities of the attackers. The shellcode is the primary differentiating technique between this campaign and past attacks by FIN7 and other threat actors.\r\nThe shellcode walks the Process Environment Block (PEB) module list looking for dnsapi.dll, matching the module name in XOR 13 obfuscated form rather than as a plain string, and resolves its DnsQueryA function. In other words, FIN7 implemented a shellcode that fetches the next stage shellcode over DNS directly from memory, with no PowerShell or script interpreter issuing the lookups. This way they can successfully evade many of the behavior based solutions, which would otherwise flag PowerShell performing the DNS queries as the earlier variant did.\r\nThe DNS query pattern clearly shows the leftmost subdomain label being incremented alphabetically from one query to the next.\r\nEach such DNS query results in an additional snippet of shellcode being appended to a reallocated buffer. When, finally, the first stage shellcode receives a special “FF” signal, it executes the accumulated shellcode. (It takes a few minutes for the DNS queries to finish. 
The last query is to the subdomain ihc[.]stage[.]12019683[.]ns2[.]true-deals[.]com.)\r\nThe delivered second stage shellcode is encrypted.\r\nMeterpreter:\r\nAfter decrypting the second stage shellcode, the shellcode removes the ‘MZ’ prefix from the start of the embedded DLL. That two-byte DOS header signature is what marks a memory region as a PE image, so wiping it helps the payload evade memory scanning solutions that look for it.\r\nJust before this step executed, we extracted the DLL from memory and uploaded it to VirusTotal. If this DLL were saved on disk, many security solutions would immediately identify it as a Cobalt Strike / Meterpreter payload, which is used by many attackers and pen testers. A Meterpreter session on a compromised computer allows full control of the computer and exfiltration of any data, and in some cases lateral movement inside the organization.\r\nConclusion\r\nFIN7 constantly upgrades their attacks and evasion techniques, thus becoming even more dangerous and unpredictable. The analysis of this attack shows how easy it is for them to bypass static, dynamic and behavior based solutions. These attacks pose a severe risk to enterprises.\r\nFileless attacks are on the rise: Carbon Black reports that researchers found a 33% rise in severe non-malware attacks in Q4 2016 compared to Q1. Defenders will see more attacks on their businesses by hacker groups utilizing memory for evasion while keeping executable artifacts far away from disk.\r\nIn this continuously evolving threat landscape, enterprises need to look for new defenses that are resilient to such changes and are able to prevent fileless attacks. 
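For defenders who want to hunt the DNS staging pattern described in the Technical Analysis above (one stable stage domain, the leftmost label advancing alphabetically on every query, thousands of queries per hour), here is an added example that is not code from the original post or from Morphisec. It flags any client that issues a run of queries whose leftmost label advances like a base-26 counter under an otherwise constant name. The resolver log format and the sample lines are constructed for the example, and the counter encoding (aaa, aab, aac, ...) is an assumption inferred from the alphabetically increasing prefixes and the final label ihc, not something the post documents.

```python
from collections import defaultdict

# Constructed sample of resolver log records: (epoch seconds, client IP, queried name).
# The stage name mirrors the naming scheme in the post; the counter labels (aaa, aab, ...)
# are an ASSUMPTION about how the prefix advances, not a documented encoding.
STAGE = 'stage.12019683.ns2.true-deals.com'
SAMPLE_LOG = [
    (1496880000 + i, '10.0.0.7', label + '.' + STAGE)
    for i, label in enumerate(['aaa', 'aab', 'aac', 'aad', 'aae', 'aaf', 'aag', 'aah'])
] + [
    # benign noise from the same and another client
    (1496880001, '10.0.0.7', 'www.example.com'),
    (1496880002, '10.0.0.9', 'mail.example.com'),
    (1496880003, '10.0.0.9', 'abc.cdn.example.net'),
    (1496880004, '10.0.0.9', 'xyz.cdn.example.net'),
]


def label_value(label):
    # Interpret an all-letter label as a base-26 number (a=0 ... z=25); None if not all letters.
    value = 0
    for ch in label.lower():
        if not ('a' <= ch <= 'z'):
            return None
        value = value * 26 + (ord(ch) - ord('a'))
    return value


def find_dns_staging(records, min_queries=6, min_step_ratio=0.8):
    # records: iterable of (timestamp, client, qname). Returns one alert per
    # (client, name-minus-first-label) group whose first labels count upward.
    groups = defaultdict(list)
    for ts, client, qname in sorted(records):
        first, sep, rest = qname.partition('.')
        if sep == '':
            continue  # bare label, nothing to group under
        groups[(client, rest)].append((ts, first))

    alerts = []
    for (client, suffix), hits in groups.items():
        if len(hits) < min_queries:
            continue
        labels = [label for _, label in hits]
        if len(set(len(l) for l in labels)) != 1:
            continue  # a counter keeps a fixed width; mixed widths are ordinary traffic
        values = [label_value(l) for l in labels]
        if any(v is None for v in values):
            continue  # digits or hyphens: not the pure alphabetical pattern
        steps = [b - a for a, b in zip(values, values[1:])]
        if not steps:
            continue
        ratio = sum(1 for s in steps if s == 1) / len(steps)
        if ratio >= min_step_ratio:
            alerts.append({
                'client': client,
                'suffix': suffix,
                'queries': len(hits),
                'first_label': labels[0],
                'last_label': labels[-1],
                'seconds': hits[-1][0] - hits[0][0],
            })
    return alerts


if __name__ == '__main__':
    for alert in find_dns_staging(SAMPLE_LOG):
        print(alert)
```

The ratio threshold tolerates a few dropped or retried queries in the log, and the fixed-width check discards the hostname churn of CDNs, which rarely count in lexical order. On real resolver data the min_queries threshold should be raised well above the sample value: the post reports peaks above 10K requests per hour for this campaign, so a genuine stager stands out by volume as well as by pattern.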
Morphisec specializes in preventing in-memory attacks, using Moving Target Defense to make the target itself unpredictable.\r\nArtifacts\r\nDocuments (SHA-256):\r\n2781526f6b302da00661b9a6a625a5a6ecf4ffccafa61202e9b0e9b61b657867\r\nc357396ca82fdcd6b6f46b748f2b6941051dbc81be5326cf9548e6e95507af7c\r\nffebcc4d2e851baecd89bf11103e3c9de86f428fdeaf0f8b33d9ea6f5ef56685\r\nDomains:\r\ntrue-deals[.]com; strikes-withlucky[.]com\r\nDomain registration email: isvarawski@yahoo.com\r\nAttacker email account: adrian.1987clark@yahoo.com\r\nAbout the author\r\nMichael Gorelik\r\nChief Technology Officer\r\nMorphisec CTO Michael Gorelik leads the malware research operation and sets technology strategy. He has extensive experience in the software industry and leading diverse cybersecurity software development projects. Prior to Morphisec, Michael was VP of R\u0026D at MotionLogic GmbH, and previously served in senior leadership positions at Deutsche Telekom Labs. Michael has extensive experience as a red teamer, reverse engineer, and contributor to the MITRE CVE database. He has worked extensively with the FBI and US Department of Homeland Security on countering global cybercrime. Michael is a noted speaker, having presented at multiple industry conferences, such as SANS, BSides, and RSA. Michael holds BSc and MSc degrees from the Computer Science department at Ben-Gurion University, focusing on synchronization in different OS architectures. He also jointly holds seven patents in the IT space.\r\nSource: https://blog.morphisec.com/fin7-attack-modifications-revealed",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/fin7-attack-modifications-revealed"
	],
	"report_names": [
		"fin7-attack-modifications-revealed"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434087,
	"ts_updated_at": 1775792152,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2d505adba04334a4d8f4af8ee02394dd3b63734.pdf",
		"text": "https://archive.orkl.eu/a2d505adba04334a4d8f4af8ee02394dd3b63734.txt",
		"img": "https://archive.orkl.eu/a2d505adba04334a4d8f4af8ee02394dd3b63734.jpg"
	}
}