GRIFFON

Malware Profile Updated 24 days ago
Griffon is a malware family: malicious software designed to infiltrate computers or devices without the user's knowledge. It can be spread through dubious downloads, emails, or websites, and once inside a system it can steal personal information, disrupt operations, or hold data for ransom.

In 2020, Griffon was heavily used by the cybercriminal group FIN7 during their spring and summer phishing campaigns, alongside another malware family named LOADOUT. The malware was also found on USB drives containing an Arduino ATMEGA32U4 microcontroller, indicating a potential physical distribution method.

In August 2020, researchers observed a significant shift in FIN7's tactics. Following a successful Griffon infection, the group began deploying POWERPLANT, also known as "KillACK", a PowerShell-based backdoor with extensive capabilities. This marked a departure from their previous strategy of using LOADOUT and/or GRIFFON as first-stage malware in their intrusions.

The attackers developed a PowerLinks-style method to achieve persistence and execute the Griffon implant at each user logon, and a further copy of the implant was stored in the registry to maintain its presence. The Griffon implant could also take screenshots, save them to "%TMP%/image.png", send them back to the attackers, and then delete them, giving it comprehensive surveillance capability.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the GRIFFON malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
MITRE | 6 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU | a year ago | US Military Personnel Targeted by Unsolicited Smartwatches Linked to Data Breaches