Russia-linked FIN7 hackers sell their security evasion tool to other groups on darknet

A notorious cybercriminal group known as FIN7 advertises its custom tool for security evasion on darknet forums and sells it to other criminal gangs, researchers have found.

The tool, known as AvNeutralizer, is used by criminal hackers to bypass threat detection systems on victims' devices. Researchers have previously discovered that the tool was used exclusively for six months by another hacker group, Black Basta.

In a new report, the cybersecurity firm SentinelOne said that it observed multiple ransomware groups using updated versions of AvNeutralizer, suggesting that the customer list  was no longer limited to Black Basta.

“We hypothesize that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early buyers and adopters,” researchers added.

SentinelOne identified multiple advertisements across various underground forums, likely promoting the sale of AvNeutralizer. To mask its identity, FIN7 used various pseudonyms, including “goodsoft,” “lefroggy,” “killerAV,” and “Stupor.”

The price for the tool, set by users with these pseudonyms, ranged from $4,000 to $15,000. SentinelOne assesses “with high confidence” that these accounts belong to the FIN7 cluster.

“These threat actors are likely employing multiple pseudonyms on various forums to mask their true identity and sustain their illicit operations within this network,” researchers said.

FIN7 started developing AvNeutralizer in April 2022. This tool is customized for each buyer to target specific security systems they choose.

Since early 2023, AvNeutralizer has been used in numerous intrusions, including with the subsequent deployment of well-known ransomware strains such as AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.

AvNeutralizer has been updated several times. The latest version discovered by SentinelOne includes a new method for bypassing security previously unseen in the wild. 

In particular, the new version uses a built-in Windows driver called "ProcLaunchMon.sys" along with the Process Explorer driver to interfere with security systems and avoid being detected.

FIN7 has been active since 2013 and is purportedly based in Russia. The group caused substantial financial losses in industries such as hospitality, energy, finance, high-tech and retail. Earlier in April, it allegedly targeted a large automotive manufacturer based in the U.S. late last year.

SentinelOne said that FIN7's development and commercialization of specialized tools like AvNeutralizer within criminal underground forums “significantly enhance the group’s impact.”

“The group’s use of multiple pseudonyms and collaboration with other cybercriminal entities makes attribution more challenging and demonstrates its advanced operational strategies,” researchers said.