GRIFFON

GRIFFON Description

There is a notorious hacking group called FIN7, which is believed to have been operating ever since 2015. For these four years, FIN7 has managed to cause a lot of trouble. They have launched campaigns against businesses all around the globe. This, of course, got the attention of law enforcement and finally, in August 2018 the US Department of Justice managed to track down three individuals of Ukrainian origin located in Spain, Germany and Poland. Once located, the cybercriminals were arrested. Since they are believed to be of high-ranking within FIN7 many believed that this was the end of the infamous hacking group. They were wrong. FIN7 never ceased its operations and mere months after the arrests were made, they launched attacks against 130 companies.

The way FIN7 operates is rather interesting and unusual. They create fraudulent companies, which pose as legitimate entities and then hire staff such as software developers, translators and penetration testers. These employees are lead to believe that they are just doing an ordinary job, while FIN7 is using their knowledge and skills to fuel their threatening operations behind closed doors.

Recently, FIN7 employed a rather complex hacking tool from their arsenal called GRIFFON. It serves the purpose of paving the way for other malware by providing the attackers with the ability to use four modules that work as second-stage payloads. It has been confirmed that GRIFFON has four modules within itself:

  1. Tinymet – a downloader that is one of the classic tools of FIN7.
  2. Screenshot Module – allows FIN7 to take screenshots of the user's desktop which are saved in the %TEMP% folder and later transferred to the server's of the attackers while wiping the screenshots from the victim's system, ensuring to cover the tracks.
  3. Info-Gathering Module – collects data about the system that GRIFFON has landed on and passes it on to FIN7.
  4. Persistence Module – it is likely that GRIFFON will infect many computers thus FIN7 have added a persistence module, which operates via the Windows Registry and only will be activated if the compromised system is detected to be of high-value, thus minimizing the risk of being spotted.

Just like many of FIN7's products, the GRIFFON Trojan also has a Command & Control server infrastructure to work with. It appears that the authors use the names of legitimate companies to disguise their unsafe domains – Servicebing-cdn.com and Logitech-cdn.com.

Businesses all around the world need to start taking cybersecurity more seriously because as we can see in this case, sometimes even arrests do not stop cybercriminals. Companies with weak security practices online become easy targets for the sharks lurking on the Internet. It is crucial that employees are taught what are the best practices for staying safe online. Most importantly, companies, as well as individuals, need to have a legitimate anti-malware suite and update it regularly.