Pulse Detail — Threat Intelligence

PULSE NAME

FIN7: Silent Push unearths 4000+ phishing and shell domains

WHITE FIN7 AlienVault 2024-07-11 Modified: 2024-08-10

IOCs

HIGH VOLUME

Silent Push threat analysts have uncovered an extensive series of campaigns linked to the FIN7 cybercrime group, including several hundred active phishing, spoofing, shell and malware delivery domains and IPs targeting various organizations. The campaigns utilize over 4000 domains and subdomains, with nearly half active in the past week. Prominent global brands like Louvre Museum, Meta, Reuters, Microsoft, and others have been targeted. The group employs tactics like spearphishing, malware distribution, and renting infrastructure from bulletproof hosting providers.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1189 T1056.003 T1486 T1176 T1583 T1566

MALWARE FAMILIES

Carbanak - S0030 Anunak Gracewire EugenLoader

Indicators of Compromise (91)

All FileHash-MD5 FileHash-SHA256 URL domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	ff25441b7631d64afefdb818cfcceec7	—	2024-07-11
FileHash-SHA256	032d68449a93200aa257943b7e22e619e5ab383f61c7466f7872eeba5ea5b838	—	2024-07-11
FileHash-SHA256	03c84ae3bdd28341bdb9ef24918c3cad6c9ed27c768d351f23e6d37bf048f7a4	—	2024-07-11
FileHash-SHA256	184a400fe334027ff287ad0cf83c165fdf4605507c83ec054fb2b544f877163c	—	2024-07-11
FileHash-SHA256	1d17937f2141570de62b437ff6bf09b1b58cfdb13ff02ed6592e077e2d368252	—	2024-07-11
FileHash-SHA256	1e54b2e6558e2c92df73da65cd90b462dcafa1e6dcc311336b1543c68d3e82bc	—	2024-07-11
FileHash-SHA256	3869340562136d1d8f11c304f207120f9b497e0a430ca1a04c0964eb5b70f277	—	2024-07-11
FileHash-SHA256	41c671332b58f92187e32771ed1ba86c1ed256e36f036f74c91cf1aa7db07bc2	—	2024-07-11
FileHash-SHA256	43f4d0ae8f84c36d635423719562cdb0f5d9647b79a758a33fdf4aa7540f5622	—	2024-07-11
FileHash-SHA256	448559c22bf09e6526b67defddcace275d7a0c580a38b0961165bc1efdb3367e	—	2024-07-11
FileHash-SHA256	50b102938d29cc7f61c67da6981545c69f70c7178d009ec1999ee0ddfe81ebba	—	2024-07-11
FileHash-SHA256	63750019f4a8498edc008a343be90aac8fbb3307ba7eb519fc5df16258dff19c	—	2024-07-11
FileHash-SHA256	8a24b6f83761561d8b71429f586248f264139aee2d8349f375ccbba702e4ecb2	—	2024-07-11
FileHash-SHA256	9953bbe13394bc6cd88fd0d13ceff771553e3a63ff84dc20960b67b4b9c9e48e	—	2024-07-11
FileHash-SHA256	d73af3bd70f0f68846920d61fab8836cf8906a2876489801f6e130f4d92aa50d	—	2024-07-11
FileHash-SHA256	e8c6831d6e238df5a1f20fc00867b333474a659734ac46a9902fbbadaaf0b51e	—	2024-07-11
FileHash-SHA256	fbec6e79b663d4c5e660a7aff23e392a4f1311382923669548945e8346edbffb	—	2024-07-11
FileHash-SHA256	fdfd96f00e9e713cf86e2d32fb0c653b66fccc0e4969eac9f26d5cdcca98ff7d	—	2024-07-11
URL	http://accountverify.business-helpcase718372649.click/	—	2024-07-11
URL	http://app.rmscloud.pro/login/	—	2024-07-11
URL	http://identity-wpengine.com/session_id/login/	—	2024-07-11
URL	http://kun-quang-api.lordofscan.pro/LoginProcess/api/login_submit	—	2024-07-11
URL	http://themetasupporrtbusiness.nexuslink.click/	—	2024-07-11
domain	2024sharepoint.lat	—	2024-07-11
domain	affinitycloudenergy.com	—	2024-07-11
domain	americangiftsexpress.com	—	2024-07-11
domain	androiddeveloperconsole.com	—	2024-07-11
domain	app-trello.com	—	2024-07-11
domain	ariba.one	—	2024-07-11
domain	autodesk.pm	—	2024-07-11
domain	bloomberg-t.com	—	2024-07-11
domain	concur.cfd	—	2024-07-11
domain	concur.pm	—	2024-07-11
domain	concur.re	—	2024-07-11
domain	concuur.com	—	2024-07-11
domain	costsco1.com	—	2024-07-11
domain	cybercloudsec.com	—	2024-07-11
domain	cybercloudsecure.com	—	2024-07-11
domain	ddcccuuu.online	—	2024-07-11
domain	dr1ve.xyz	—	2024-07-11
domain	driv3.net	—	2024-07-11
domain	driv7.com	—	2024-07-11
domain	emeraldblockestates.com	—	2024-07-11
domain	escueladeletrados.com	—	2024-07-11
domain	ggooleauth.xyz	—	2024-07-11
domain	go-ia.info	—	2024-07-11
domain	go-ia.site	—	2024-07-11
domain	harvardyardcollection.com	—	2024-07-11
domain	hcm-paycor.org	—	2024-07-11
domain	hotnotepad.com	—	2024-07-11
domain	https-twitter.com	—	2024-07-11
domain	identity-wpengine.com	—	2024-07-11
domain	lexisnexis.day	—	2024-07-11
domain	louvre-event.com	—	2024-07-11
domain	louvrebil.click	—	2024-07-11
domain	louvrebill.click	—	2024-07-11
domain	miidjourney.net	—	2024-07-11
domain	multyimap.com	—	2024-07-11
domain	netepadtee.com	—	2024-07-11
domain	netfiix-abofrance.com	—	2024-07-11
domain	onepassreglons.com	—	2024-07-11
domain	paris-journey.com	—	2024-07-11
domain	paybx.world	—	2024-07-11
domain	quicken-install.com	—	2024-07-11
domain	redfinneat.com	—	2024-07-11
domain	restproxy.com	—	2024-07-11
domain	rupaynews.com	—	2024-07-11
domain	techevolveproservice.com	—	2024-07-11
domain	thomsonreuter.info	—	2024-07-11
domain	thomsonreuter.pro	—	2024-07-11
domain	tredildlngviw.shop	—	2024-07-11
domain	tredildlngviw.xyz	—	2024-07-11
domain	treidingviw-web.lol	—	2024-07-11
domain	treidingviw-web.shop	—	2024-07-11
domain	treidingviw-web.xyz	—	2024-07-11
domain	trezor-web.io	—	2024-07-11
domain	trydropbox.com	—	2024-07-11
domain	wal-streetjournal.com	—	2024-07-11
domain	webex-install.com	—	2024-07-11
domain	westlaw.top	—	2024-07-11
domain	womansvitamin.com	—	2024-07-11
domain	wpenglneweb.com	—	2024-07-11
domain	xn--bitwardn-h1a.com	—	2024-07-11
domain	xn--manulfe-kza.com	—	2024-07-11
domain	zoomms-info.com	—	2024-07-11
hostname	accountverify.business-helpcase718372649.click	—	2024-07-11
hostname	book.louvre-ticketing.com	—	2024-07-11
hostname	kun-quang-api.lordofscan.pro	—	2024-07-11
hostname	themetasupporrtbusiness.nexuslink.click	—	2024-07-11
hostname	www.tivi2.com	—	2024-07-11
hostname	www.wpenglneweb.com	—	2024-07-11

References (1)

↗ https://www.silentpush.com/blog/fin7/