November 30, 2023

Researchers have spotted the FIN7 hacking group is likely teaming up with another prolific ransomware group called DEV-0950 to exploit the famous Fortra GoAnywhere MFT Zeroday bug achieving it through Cl0p ransomware.

Microsoft which tracks the vulnerability as Sangria Tempest, likely worked with competing Clop and its affiliate DEV-0950, which it calls Lace Tempest. FIN7 used DEV-0950 tools to exploit the critical server vulnerability PaperCut.

Microsoft Security warned customers of its Defender Threat Intelligence platform  documented DEV-0950/Lace Tempest tools being used as a tactic in initial exploitation of the PaperCut bug. It said it had not seen these two groups collaborating before.


Microsoft in the report said it had not identified an initial access vector pattern related to Sangria Tempest’s recent Clop ransomware deployment. However, it did say once the group gains access to a system, it begins its activity with a custom, highly obfuscated PowerShell script (POWERTRASH), ia64.ps1. The script is used to reflectively load additional payloads into the system, in this case an embedded Lizar DLL.

Highlighting the links between FIN7/Sangria Tempest and DEV-0950/Lace Tempest, Microsoft noted that like Sangria Tempest, Lace Tempest incorporated POWERTRASH into their campaign targeting PaperCut servers. And in one identified Lace Tempest attack, the group used POWERTRASH to deliver Lizar.

Once after the initial foothold is obtained in a compromised system, Sangria Tempest it used commodity tools such as OpenSSH, to achieve persistence, and Impacket for lateral movement, Windows credential dumping, and remote launching.

Sangria Tempest installed OpenSSH, in C:\Windows\OpenSSH instead of the standard OpenSSH path in System32.  The group used Impacket’s WMI modules to remotely launch a PowerShell script out of C:\windows\temp\ to deploy the Clop ransomware payload from the same folder.


Sangria Tempest renamed the payload as win.exe and then deleted the PowerShell scripts and text files after launch. It also dropped a ransom note claiming to have exfiltrated data from the compromised systems.

As well as re-emerging on the ransomware scene with these new campaigns, FIN7 has also been observed carrying out other types of attacks in recent months. Since February, the group, along with former members of the now-defunct Conti ransomware operation, have been targeting corporate networks with a novel Domino malware.

And since March, FIN7 has been facilitating Lizar/Diceloader to attack Veeam Backup and Replication instances that have not been patched to remediate the CVE-2023-27532 vulnerabilities

Leave a Reply

%d bloggers like this: