Domino Effect

Tags: FIN7, Conti, Trickbot, Domino Loader, Carbanak, Cobalt Strike

Former members of the Conti ransomware group have been using malware developed by FIN7 in financially motivated intrusions, compromising systems and then staging follow-on payloads through it; FIN7 itself has used the "Domino" tooling in its attacks since at least October 2022.

Indicators of Compromise

jurisdictionient.com
advantagendum.com
bungalowphotographyblog.com
mainstreamology.com
enpfereschemry.tk
bloodshedize.com
embarrassmentozoa.com
startmakingsenseofself.com
capermission.com
paralyzedoary.com
uncertaintology.com
ceremonal.com
corpily.com
treatmenthuse.com
refrigeratoraholic.com
revokeodoe.com
fgfotr.com
healingwithclarity.com
implicationious.com
fidespair.com
colorpickerdesk.com
hypothesizery.com
neighborhoodlumish.com
hong-security.com
badibebiro.tk
bypassociation.com
nonremittalable.com
civilizationidium.com
injuryless.com
listlypdilaho.tk
migrationable.com
spectrummel.com
spontaneousable.com
tnskvggujjqfcskwk.com
overwhelmance.com
disciplineaged.com
hilariousology.com
legislationient.com
daresponsibility.com
wisecrackism.com
participatist.com
prescriptionosphere.com
vmware-cdn.com
spoolopedia.com
moviedvdpower.com
trainthecatch.com
unitious.com
alexisdanger.com
dppnmjep33rf6ct3.onion
domestickum.com
jurisdictionious.com
unfortunatenism.com
firefighterology.com
deprivationant.com
civilizationogen.com
headquartersance.com
curriculumance.com
huskerblackshirts.com
shareholderma.com
paralyzedious.com
conglomeratology.com
hyphenatedance.com
podestablished.com
xft6kit4fj5mnzsdt75ejf2spriszgaqpujclwimvfz7gtangi72suad.onion
diametermes.com
magnetichodroma.com
digitalsoundmaker99.com
spherdoorgfinversbrookin.tk
consolidatology.com
representativance.com
rungestance.com
vmwarize.com
agriculturedema.com
red6djrs7fbkchy3.onion
selldunlop.site
hidrofilms.com
engagementance.com
dempoloka.com
ba2xy52xrtagkrh3.onion
gradientada.com
gemmiparalyzed.com
feedsterbomiditsign.tk
bank4america.com
baradical.com
comforthodox.com
dullism.com
disturbancology.com
preoccupationology.com
realmlet.com
eyebrowaholic.com
mekanuum.com
cannstattraction.com
blowoffaholic.com
dyrepopo.gq
jaglamorous.com
tioblutrockbarneyprec.tk
indulgology.com
fairedale.com
opposedent.com
nonremittalology.com
petshopbook.com
battlefieldant.com
computerraba.com
salespersonance.com
uoplotr.com
keywordsance.com
hemispherious.com
225ppqutwykx2or3.onion
inspirationizable.com
expressdesign9.com
associationable.com
sdidrichsen.com
appointmentology.com
monstrousance.com
bravenging.com
offspringance.com
4r7hlqzkxl5xtjxn.onion
hypothesizious.com
passiondiamond.site
complicational.com
browm-forman.com
colormiagi.com
bgumuduxnkkecg3b.onion
culturehiphopcafe.com
thiecorbeluno.tk
thresholdback.com
richesk.com
primeautorecon.com
develupdate.com
tableofcolorize.com
cooperativology.com
wastermedrent.com
callnogrenisso.tk
compliancestress.com
pigeonious.com
astonishingism.com
maundertake.com
heronoid.com
executivance.com
2cedhihsepjtcpwuwes77cle5wb6ml7e5ys6ivsb4a4ivlrw2vc4wwad.onion
fndqgtdkj4v6g4aq.onion
peresist.com
zabirman.com
conglomeratoid.com
landscapesboxdesign9.com
updateabases.com
massacreisland.com
observationogen.com
4ktbtv54flfhs6ea.onion
acquisitionism.com
caribbeanthreatin.tel
cnc.pinklander.com
theelitevailcollection.com
postification.com
attractivology.com
halfious.com
monusorge.com
weapondage.com
satisfactionance.com
freshenvironmentaldesigns.com
consciousance.com
myofibrilliance.com
unfortunatance.com
upperdunk.com
allegramorristown.com
declarationogenic.com
yumanufacture.com
softowii.com
skedoilltd.com
horoscopelatae.com
vincentolife.com
shareholderery.com
spacemetic.com
illustratance.com
closaholic.com
help.online-ncr.com
hawrickday.com
negotiationogen.com
downloadlinkle.com
untypicaldesign9.com
legislationable.com
amusient.com
discriminatoid.com
milkmovemoney.com
undertakism.com
brown-formam.com
countrysidable.com
mathematicsable.com
es-megadom.com
medinamarina.com
temptationone.com
nattplot.com
unsplitigation.com
mozillaupdate.com
findoutcredit.com
myshortbio.com
incongruousance.com
purestealconstruction.com
astara20.com
estetictrance.com
trkhaus.ru
domenuscdm.com
dnsservicekl2.ru
modestoobgyn.com
againcome.com
internethabit.com
bestsecure2020.com
widisusez.com
courtlincolnglave.com
electroncador.com
dns22dns22.ru
jardinoks.com
fashionableeder.com
groundworkseasy.com
spontaneousance.com
altocloudzone.live
coincidencious.com
chyprediction.com
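The domain list above is only useful once it is run against telemetry. The following is an added example (not code from the page or from any vendor report) that loads a subset of the page's IOC domains and checks constructed DNS-style log lines against them. It matches on label boundaries, so a lookalike hostname that merely contains an IOC as a substring is not flagged, while subdomains of an IOC are. The log format (`<timestamp> <client> query=<name> type=<rr>`) and the sample records are assumptions made for the example; swap in a parser for your own resolver or proxy logs.

```python
"""Check DNS/proxy log lines against the domain IOCs listed on this page.

Added example for this page; the IOC subset is taken from the list above,
the log lines are constructed and the log format is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Subset of the IOC domains from this page. In practice, load the full list from a file.
IOC_TEXT = """
jurisdictionient.com
advantagendum.com
vmware-cdn.com
bank4america.com
mozillaupdate.com
cnc.pinklander.com
help.online-ncr.com
dppnmjep33rf6ct3.onion
browm-forman.com
"""

# Constructed sample records (not real telemetry) in an assumed
# "<timestamp> <client> query=<name> type=<rr>" format.
SAMPLE_LOGS = [
    "2023-04-18T09:14:02Z 10.0.5.21 query=cdn.bank4america.com. type=A",
    "2023-04-18T09:14:05Z 10.0.5.21 query=www.bankofamerica.com type=A",
    "2023-04-18T09:15:11Z 10.0.7.3 query=notbank4america.com type=A",
    "2023-04-18T09:16:40Z 10.0.7.3 query=pinklander.com type=A",
    "2023-04-18T09:16:41Z 10.0.7.3 query=CNC.PINKLANDER.COM type=TXT",
    "2023-04-18T09:20:00Z 10.0.9.8 query=updates.vmware-cdn.com type=AAAA",
    "2023-04-18T09:21:13Z 10.0.9.8 query=dppnmjep33rf6ct3.onion type=A",
]

# Conservative hostname syntax: dot-separated LDH labels, at least two labels.
HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$"
)
QUERY_RE = re.compile(r"\bquery=(\S+)")


def normalize_host(name: str) -> str:
    """Lowercase, strip surrounding punctuation and the trailing root dot."""
    return name.strip().strip("\"'<>,;()[]").lower().rstrip(".")


def load_iocs(text: str) -> Set[str]:
    """Parse one-IOC-per-line text into normalized hostnames, skipping non-hostnames."""
    iocs: Set[str] = set()
    for line in text.splitlines():
        host = normalize_host(line)
        if host and HOST_RE.match(host):
            iocs.add(host)
    return iocs


def match_host(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Candidates are built on label boundaries, so 'notbank4america.com' does not
    match 'bank4america.com', and a bare parent ('pinklander.com') does not match
    an IOC that is itself a subdomain ('cnc.pinklander.com'). The bare TLD is
    never tried, so 'com' or 'onion' alone can never be an IOC hit.
    """
    labels = normalize_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    ioc: str


def scan_logs(lines: Iterable[str], iocs: Set[str]) -> List[Hit]:
    """Scan log lines in the assumed format and return one Hit per IOC match."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, start=1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = normalize_host(m.group(1))
        ioc = match_host(host, iocs)
        if ioc:
            fields = line.split()
            client = fields[1] if len(fields) > 1 else "?"
            hits.append(Hit(n, client, host, ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, load_iocs(IOC_TEXT)):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} (IOC {hit.ioc})")
```

Two caveats the matching logic encodes: an IOC that is itself a subdomain (cnc.pinklander.com) should not raise alerts on every lookup of its parent zone, and a .onion name appearing in recursive DNS logs is an anomaly in its own right, since Tor clients normally do not resolve .onion names through the system resolver, so such a hit is worth triage regardless of the campaign.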

APT Groups (1)

FIN7

Description (MISP): Groups targeting financial organizations or people with significant financial assets.

Description (MITRE): Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1] [2]

Description (ETDA): FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. FIN7 is sometimes referred to as Carbanak or Anunak, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. The reported arrests concerned the mastermind of Carbanak rather than FIN7; however, security research teams have kept referring to this arrest for all FIN7 activities since.

Aliases: Gold Niagara, Carbanak, Calcium, Carbon Spider, Anunak, Navigator, TAG-CR1, ITG14, APT-C-11, ELBRUS, Gold Waterfall, FIN7, Sangria Tempest, ATK 32

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations
If your organization has been a victim of ransomware, we recommend seeking a solution where data can be restored and reputational loss mitigated, rather than paying the attackers. Ransom payments encourage attackers to continue their activity, validate their business model and incentivize additional cybercriminals to participate in this type of attack. Even in these difficult situations, there are actions companies can take to mitigate risk and minimize damage.

Establish and maintain offline backups. Ensure backup files are stored out of reach of attackers, with read-only access. Availability of backups is a significant differentiator for organizations that recover from a ransomware attack.
Implement a strategy to prevent unauthorized data theft, especially as it applies to uploading large amounts of data to legitimate cloud storage platforms that attackers can abuse.
Employ user behavior analytics to identify potential security incidents. When an alert triggers, assume a breach has taken place. Audit, monitor and quickly act on suspected abuse related to privileged accounts and groups.
Employ multifactor authentication on all remote access points into the enterprise network, with particular care given to securing or disabling Remote Desktop Protocol (RDP) access. Multiple ransomware attacks have been known to exploit weak RDP access to gain initial entry into a network.
Use penetration testing to identify weak points in enterprise networks and vulnerabilities that should be prioritized for patching. In particular, we recommend implementing mitigations for CVE-2019-19781 (Citrix ADC and Gateway), which multiple threat actors used to gain initial entry into enterprises in 2020, including for ransomware attacks. In addition, consider prioritizing the immediate remediation, as applicable, of the following frequently exploited software vulnerabilities:

CVE-2019-2725 (Oracle WebLogic Server deserialization, remote code execution)
CVE-2020-2021 (Palo Alto Networks PAN-OS SAML authentication bypass)
CVE-2020-5902 (F5 BIG-IP TMUI remote code execution)
CVE-2018-8453 (Windows Win32k elevation of privilege)
VPN-related CVEs:
CVE-2019-11510 (Pulse Connect Secure arbitrary file read)
CVE-2019-11539 (Pulse Connect Secure admin command injection)
CVE-2018-13379 (Fortinet FortiOS SSL VPN path traversal)
CVE-2019-18935 (Telerik UI for ASP.NET AJAX deserialization, remote code execution)

Observed Countries (250)