216.73.217.22

FIN7: Silent Push unearths 4000+ phishing and shell domains

· Published 11/07/2024 11:51 · Modified 11/07/2024 12:06

Export JSON

Essential information

Published
11/07/2024 11:51
Modified
11/07/2024 12:06
Tags
2024-07-11 anunak carbanak eugenloader gracewire phishing spoofing
Related entities
94 observables, 1 intrusion sets (apt), 6 techniques (mitre), 4 malware, 9 others

Description

Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active , , shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, with nearly half active in the past week. Prominent global brands like Louvre Museum, Meta, Reuters, Microsoft, and others have been targeted. The group employs tactics like spearphishing, malware distribution, and renting infrastructure from bulletproof hosting providers.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (94)

  • 103.35.191.28
  • 89.105.198.190
  • 103.113.70.142
  • 166.88.159.37
  • www.wpenglneweb.com
  • www.tivi2.com
  • http://themetasupporrtbusiness.nexuslink.click/
  • http://kun-quang-api.lordofscan.pro/LoginProcess/api/login_submit
  • http://identity-wpengine.com/session_id/login/
  • http://app.rmscloud.pro/login/
  • http://accountverify.business-helpcase718372649.click/
  • themetasupporrtbusiness.nexuslink.click
  • kun-quang-api.lordofscan.pro
  • book.louvre-ticketing.com
  • accountverify.business-helpcase718372649.click
  • zoomms-info.com
  • xn--manulfe-kza.com
  • xn--bitwardn-h1a.com
  • wpenglneweb.com
  • womansvitamin.com
  • westlaw.top
  • webex-install.com
  • wal-streetjournal.com
  • trydropbox.com
  • trezor-web.io
  • treidingviw-web.xyz
  • treidingviw-web.shop
  • treidingviw-web.lol
  • tredildlngviw.xyz
  • tredildlngviw.shop
  • thomsonreuter.pro
  • thomsonreuter.info
  • techevolveproservice.com
  • rupaynews.com
  • restproxy.com
  • redfinneat.com
  • quicken-install.com
  • paybx.world
  • paris-journey.com
  • onepassreglons.com
  • netfiix-abofrance.com
  • netepadtee.com
  • multyimap.com
  • miidjourney.net
  • louvrebill.click
  • louvrebil.click
  • louvre-event.com
  • lexisnexis.day
  • identity-wpengine.com
  • https-twitter.com
  • hotnotepad.com
  • hcm-paycor.org
  • harvardyardcollection.com
  • go-ia.site
  • go-ia.info
  • ggooleauth.xyz
  • escueladeletrados.com
  • emeraldblockestates.com
  • driv7.com
  • driv3.net
  • dr1ve.xyz
  • ddcccuuu.online
  • cybercloudsecure.com
  • cybercloudsec.com
  • costsco1.com
  • concuur.com
  • concur.re
  • concur.pm
  • concur.cfd
  • autodesk.pm
  • bloomberg-t.com
  • ariba.one
  • app-trello.com
  • androiddeveloperconsole.com
  • americangiftsexpress.com
  • 2024sharepoint.lat
  • affinitycloudenergy.com
  • fdfd96f00e9e713cf86e2d32fb0c653b66fccc0e4969eac9f26d5cdcca98ff7d
  • fbec6e79b663d4c5e660a7aff23e392a4f1311382923669548945e8346edbffb
  • e8c6831d6e238df5a1f20fc00867b333474a659734ac46a9902fbbadaaf0b51e
  • d73af3bd70f0f68846920d61fab8836cf8906a2876489801f6e130f4d92aa50d
  • 9953bbe13394bc6cd88fd0d13ceff771553e3a63ff84dc20960b67b4b9c9e48e
  • 8a24b6f83761561d8b71429f586248f264139aee2d8349f375ccbba702e4ecb2
  • 63750019f4a8498edc008a343be90aac8fbb3307ba7eb519fc5df16258dff19c
  • 50b102938d29cc7f61c67da6981545c69f70c7178d009ec1999ee0ddfe81ebba
  • 448559c22bf09e6526b67defddcace275d7a0c580a38b0961165bc1efdb3367e
  • 43f4d0ae8f84c36d635423719562cdb0f5d9647b79a758a33fdf4aa7540f5622
  • 41c671332b58f92187e32771ed1ba86c1ed256e36f036f74c91cf1aa7db07bc2
  • 3869340562136d1d8f11c304f207120f9b497e0a430ca1a04c0964eb5b70f277
  • 1e54b2e6558e2c92df73da65cd90b462dcafa1e6dcc311336b1543c68d3e82bc
  • 1d17937f2141570de62b437ff6bf09b1b58cfdb13ff02ed6592e077e2d368252
  • 184a400fe334027ff287ad0cf83c165fdf4605507c83ec054fb2b544f877163c
  • 03c84ae3bdd28341bdb9ef24918c3cad6c9ed27c768d351f23e6d37bf048f7a4
  • 032d68449a93200aa257943b7e22e619e5ab383f61c7466f7872eeba5ea5b838

Intrusion sets (APT) (1)

  • FIN7 GOLD NIAGARAITG14
    The MITRE Corporation Confidence 100

    [FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, …

    First seen 01/01/1970 · Last seen 16/11/5138 Published 16/12/2025 19:39 · Modified 27/03/2026 01:13

Techniques (MITRE) (6)

Malware (4)

  • Gracewire
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • EugenLoader
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Anunak
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51
  • Carbanak - S0030
    Family
    Published 11/07/2024 11:51 · Modified 11/07/2024 11:51

Others (9)

  • Utilities
  • Consulting
  • Retail
  • Hospitality
  • Technology
  • Healthcare
  • Media
  • Transportation
  • Finance

External references