17 July 2024

FIN7 cybercrime gang offers new EDR bypass tool on dark web

The Russia-linked FIN7 cybercrime group has been enhancing its operations with new tactics, techniques, and procedures (TTPs), including advanced Endpoint Detection and Response (EDR) bypasses and automated attacks, according to a new report from SentinelLabs.

Active since 2012, FIN7 is an elusive, persistent and financially motivated cybercrime group that has spent more than a decade consistently evolving its tactics to target a wide range of industry sectors.

Initially, the group specialized in using Point of Sale (POS) malware for financial fraud. However, since 2020, FIN7 has shifted its focus to ransomware operations, affiliating with notorious Ransomware-as-a-Service (RaaS) groups such as REvil and Conti. The group also launched its own RaaS programs under the names Darkside and subsequently BlackMatter.

One of the most notable tools associated with these operations is AvNeutralizer, also known as AuKill. This highly specialized tool is designed to tamper with security solutions and has been marketed in the criminal underground, where it has been adopted by multiple ransomware groups.

A new version of AvNeutralizer has been observed employing a previously unseen technique to tamper with security solutions: it leverages the Windows built-in driver ProcLaunchMon.sys (the TTD Monitor Driver), a legitimate signed Microsoft component, rather than a third-party vulnerable driver.
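Because the driver named above ships with Windows and is signed, the defensive question is not whether it exists on a host but whether its loading is expected there. The following is an added detection-triage example written for this article, not code from SentinelLabs or from the report it summarises. It assumes driver-load telemetry in the shape of Sysmon Event ID 6 (DriverLoad) records flattened to one key=value line each; the sample records, the watchlist, and the expected driver directory are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample Sysmon Event ID 6 (DriverLoad) records, flattened to one
# line each for this example. Real records come from the Sysmon event log.
SAMPLE_EVENTS = """\
UtcTime=2024-07-17 09:12:01.112 ImageLoaded=C:\\Windows\\System32\\drivers\\ProcLaunchMon.sys Signed=true Signature=Microsoft Windows
UtcTime=2024-07-17 09:12:03.540 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows
UtcTime=2024-07-17 09:15:44.003 ImageLoaded=C:\\Users\\Public\\ProcLaunchMon.sys Signed=true Signature=Microsoft Windows
UtcTime=2024-07-17 09:16:10.770 ImageLoaded=C:\\Windows\\Temp\\svc.sys Signed=false Signature=-
"""

# Where legitimately installed drivers are expected to live (assumption for
# this example; adjust to the environment's baseline).
DRIVER_DIR = r"c:\windows\system32\drivers"

# Built-in drivers whose loading deserves a second look on hosts where no
# debugging session is expected. ProcLaunchMon.sys is the TTD Monitor Driver
# the article says the new AvNeutralizer version leverages.
WATCHLIST = {"proclaunchmon.sys"}


@dataclass
class Finding:
    time: str
    image: str
    reasons: list[str] = field(default_factory=list)


def parse_event(line: str) -> dict[str, str]:
    """Split a flattened 'Key=Value Key=Value' record into a dict.

    Values may contain spaces (e.g. the timestamp), so the value pattern is
    lazy and stops only in front of the next 'Key=' token or at end of line.
    """
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))


def triage_driver_loads(events_text: str) -> list[Finding]:
    """Return one Finding per driver-load record that merits analyst review."""
    findings: list[Finding] = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image = ev.get("ImageLoaded", "")
        name = image.rsplit("\\", 1)[-1].lower()
        directory = image.rsplit("\\", 1)[0].lower() if "\\" in image else ""

        reasons: list[str] = []
        if name in WATCHLIST:
            reasons.append(
                "watchlisted built-in driver loaded; confirm a TTD debugging "
                "session is expected on this host"
            )
        if directory != DRIVER_DIR:
            reasons.append(f"driver loaded from outside {DRIVER_DIR}")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned driver")

        if reasons:
            findings.append(Finding(ev.get("UtcTime", "?"), image, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_driver_loads(SAMPLE_EVENTS):
        print(f.time, f.image)
        for r in f.reasons:
            print("   -", r)
```

On the sample data the first record is flagged only because the watchlisted driver was loaded, which is exactly the case a baseline of "which hosts legitimately run TTD" resolves; the third and fourth records also trip the path and signature checks, which is the stronger signal. The point of keeping the watchlist match as a separate reason is that a signed, in-place Microsoft driver cannot simply be blocked, so the detection produces a triage item rather than a verdict.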

Initially, AvNeutralizer was used exclusively by FIN7 for six months, targeting multiple endpoint security solutions. The researchers believe that the group had been collaborating with the Black Basta ransomware operation at the time.

However, beginning in January 2023, the researchers observed a significant increase in the use of updated AvNeutralizer versions by various ransomware groups. This indicates that the tool was no longer exclusive to Black Basta, which by then had shifted several of its TTPs and dropped AvNeutralizer from its arsenal.

Further investigation suggests that AvNeutralizer was likely sold on criminal underground forums, with Black Basta being one of the early adopters. The tool is now being advertised for prices ranging between $4,000 and $15,000 on various cybercrime forums.
