Posted: May 21, 2019

GRIFFON Description

The activities of the FIN7 hacking group were first detected and researched back in 2015, and since then this criminal group has been tied to hundreds of attacks against companies around the world. It seemed the group's activities might cease in 2018, when the US Department of Justice announced the arrest of individuals linked to FIN7's intrusions.

Unfortunately, this was not the last we heard from FIN7. Some of its members appear to be still active, and only a few months after the arrests they launched a series of attacks against more than 130 companies. FIN7's operations are unusual in that the group sets up fake companies and uses them to hire unwitting translators, penetration testers and software developers, people who may have no idea that their professional skills are being used for criminal purposes.

One of the malware pieces used in this recent campaign carries the name GRIFFON. It serves as a multi-functional backdoor whose main job is to fetch and run second-stage payloads on the compromised system. So far, malware researchers have observed four separate modules being delivered through GRIFFON:

  • A reconnaissance module that gathers information about the compromised host, letting the attackers profile the system they are dealing with and decide what information can be extracted from it.
  • A downloader called Tinymet, which has been used in previous FIN7 campaigns.
  • A screenshot module that takes periodic screenshots of the victim's desktop and saves them to the %TEMP% folder. GRIFFON then transmits each file to the attackers' server and deletes the local copy.
  • A persistence module that is deployed only when the attackers decide they have a high-value target. It lets GRIFFON survive reboots by modifying the Windows Registry.

The GRIFFON Trojan reaches its Command & Control servers through fraudulent domains chosen to sound like legitimate companies or content-delivery networks: Logitech-cdn(dot)com and Servicebing-cdn(dot)com (written here in defanged form; the real domains use a normal dot).
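The two C2 domains above are the most directly actionable indicators on this page. Below is an added example, not code from the original write-up or from any vendor, of a small hunting script that refangs the defanged indicators and sweeps DNS query logs for them. It matches the exact domain and any subdomain of it, but deliberately does not match look-alike strings such as a different registered domain that merely contains the indicator as a suffix. The two log line formats and every sample line are constructed for this example; the hostnames, timestamps and client addresses in them are placeholders, not observed data.

```python
import re
from typing import Iterable, List, Tuple

# C2 domains named in the write-up, in the defanged form the page uses.
GRIFFON_C2_DEFANGED = ["Logitech-cdn(dot)com", "Servicebing-cdn(dot)com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a(dot)b', 'a[.]b') into a real lower-case domain."""
    return indicator.strip().lower().replace("(dot)", ".").replace("[.]", ".").rstrip(".")


# Normalised set used for matching.
GRIFFON_C2_DOMAINS = {refang(d) for d in GRIFFON_C2_DEFANGED}


def domain_matches(queried: str, ioc: str) -> bool:
    """True if 'queried' is the IOC domain itself or a subdomain of it.

    'update.logitech-cdn.com' matches 'logitech-cdn.com';
    'notlogitech-cdn.com' does not (a plain substring test would wrongly flag it).
    """
    q = queried.strip().lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


# Assumed log shapes (constructed for this example):
#   Sysmon Event ID 22 exported as text:  "... QueryName: <domain> ..."
#   BIND-style query log:                 "... query: <domain> IN A ..."
QUERY_RE = re.compile(r"(?:QueryName:\s*|query:\s+)(?P<q>[A-Za-z0-9.\-]+)")


def extract_query(line: str) -> str:
    """Return the queried domain from a log line, or '' if the line carries none."""
    m = QUERY_RE.search(line)
    return m.group("q") if m else ""


def hunt(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, queried_domain, matched_ioc) for every hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        queried = extract_query(line)
        if not queried:
            continue
        for ioc in GRIFFON_C2_DOMAINS:
            if domain_matches(queried, ioc):
                hits.append((n, queried.lower().rstrip("."), ioc))
                break
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2019-05-20T10:01:02Z ws-0417 Sysmon EventID=22 QueryName: update.logitech-cdn.com QueryStatus: 0",
    "20-May-2019 10:02:15.101 client 10.0.0.7#53211: query: www.logitech.com IN A +",
    "20-May-2019 10:02:44.880 client 10.0.0.9#50190: query: servicebing-cdn.com IN A +",
    "2019-05-20T10:03:10Z ws-0417 Sysmon EventID=22 QueryName: notlogitech-cdn.com QueryStatus: 0",
    "2019-05-20T10:03:55Z ws-0421 Sysmon EventID=22 QueryName: LOGITECH-CDN.COM. QueryStatus: 0",
    "2019-05-20T10:04:00Z ws-0421 Sysmon EventID=1 Image: C:\\Windows\\System32\\notepad.exe",
]


if __name__ == "__main__":
    for line_no, queried, ioc in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {queried} -> GRIFFON C2 indicator {ioc}")
```

Run against the constructed sample the script reports three hits (lines 1, 3 and 5) and correctly ignores the legitimate logitech.com query, the look-alike notlogitech-cdn.com, and the non-DNS event. In a real sweep, feed it exported Sysmon DNS events or resolver logs and treat any hit as a reason to pull the querying host for forensic review, including a check of %TEMP% for leftover screenshots and of Registry autorun locations for the persistence module.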

A few arrests are clearly not enough to halt a group like FIN7. Its tooling keeps evolving, so the defences companies rely on must evolve too: employees should be trained to recognise and avoid potentially harmful files, outbound traffic should be monitored for connections to known C2 domains such as the ones above, and the network must be protected by a properly configured firewall and a trustworthy anti-virus suite.
