Numerous intrusions in the banking, hospitality, retail, and other industry verticals have been attributed to the Carbanak/Fin7 syndicate, whose goal is to collect financial information of all types. The syndicate is recognized for using APT-style tactics to compromise their targets and escalate their privileges before searching for systems or individuals with access to financial data. While they may use APT-style tactics to penetrate these target networks and achieve persistence, RSA Research does not consider them to be an APT, as they are not particularly advanced in their malware, tools, and techniques. The highly effective syndicate employs commodity or leaked tools to thwart network defenders’ abilities to identify Carbanak/Fin7 intrusions.
RSA Research, through both open research and several Incident Response (IR) engagements, recently completed a summary review of the Carbanak/Fin7 group's tactics, techniques, and procedures (TTPs), including a focus on stage 2 malware and the associated timeline of activity. The full report details many of those findings in order to help defenders better understand the group's capabilities.
UPDATE [Nov 30]: Walk through a unique Carbanak/Fin7 intrusion with RSA's Incident Response team.
Learn more about the Carbanak/Fin7 syndicate and how you can defend against them
Author: RSA Research
Category: Research and Innovation, Blog Post, Securing the Digital World
Keywords: APT, APTs, Trojans, Tools, Targeted Attack, RSA Research, Cybercrime, Carberp