The notorious FIN7 hacking group has been identified selling a custom tool called "AvNeutralizer," designed to bypass detection by disabling enterprise endpoint protection software on corporate networks.

Believed to be a Russian hacking group active since 2013, FIN7 initially focused on financial fraud, hacking organizations, and stealing debit and credit card information. 

Subsequently, the group ventured into the ransomware domain and became linked with the DarkSide and BlackMatter ransomware platforms. The same threat actors are also suspected of being associated with the BlackCat ransomware operation, which recently conducted an exit scam after pilfering a ransom payment from UnitedHealth.

FIN7 is notorious for its sophisticated phishing and social engineering attacks, which they use to gain initial access to corporate networks. Their methods have included impersonating BestBuy to distribute malicious USB drives and developing custom malware and tools.

The group also created a fake security company called Bastion Secure to recruit pentesters and developers for ransomware attacks without the applicants realizing the true nature of their work.

FIN7 is tracked under various aliases, including Sangria Tempest, Carbon Spider, and the Carbanak Group.

According to a new report by SentinelOne, one of the custom tools developed by FIN7 is "AvNeutralizer" (also known as AuKill), which was first seen in attacks by the BlackBasta ransomware operation in 2022. At that time, BlackBasta was the only ransomware operation using the tool, leading researchers to believe there was a connection between the groups.

However, SentinelOne's historical data showed that the tool had been used in attacks by five other ransomware operations, indicating widespread distribution.

"Since early 2023, our telemetry data reveals numerous intrusions involving various versions of AvNeutralizer," explains SentinelOne researcher Antonio Cocomazzi. "About 10 of these are attributed to human-operated ransomware intrusions deploying well-known RaaS payloads, including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit."

Further investigation revealed that threat actors using the aliases "goodsoft," "lefroggy," "killerAV," and "Stupor" had been selling an "AV Killer" on Russian-speaking hacking forums since 2022, with prices ranging from $4,000 to $15,000. A 2023 report from Sophos detailed how AvNeutralizer/AuKill exploited the legitimate SysInternals Process Explorer driver to terminate antivirus processes on a device.

The threat actors claimed that this tool could disable any antivirus/EDR software, including Windows Defender and products from Sophos, SentinelOne, Panda, Elastic, and Symantec.

SentinelOne recently found that FIN7 had updated AvNeutralizer to use the Windows ProcLaunchMon.sys driver to hang processes, rendering them non-functional. "AvNeutralizer employs a combination of drivers and operations to create a failure in certain implementations of protected processes, ultimately causing a denial of service condition," explains SentinelOne.

"It uses the TTD monitor driver ProcLaunchMon.sys, available on default system installations, in conjunction with updated versions of the process explorer driver version 17.02 (17d9200843fe0eb224644a61f0d1982fac54d844), which has been fortified for cross-process operations abuse and is not currently blocked by Microsoft's WDAC list."

SentinelOne discovered additional custom tools and malware used by FIN7 that are not known to be sold to other threat actors, including Powertrash (a PowerShell backdoor), Diceloader (a lightweight C2-controlled backdoor), Core Impact (a penetration testing toolkit), and an SSH-based backdoor.

Researchers warn that FIN7's continuous evolution and innovation in tools and techniques, coupled with selling its software, make it a significant threat to enterprises worldwide. "FIN7's continuous innovation, particularly in its sophisticated techniques for evading security measures, showcases its technical expertise," concludes SentinelOne researcher Antonio Cocomazzi. "The group's use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies."