Griffon is a malware family: malicious software designed to infiltrate and damage computers or devices without the user's knowledge. It can be spread through dubious downloads, emails, or websites, and once inside a system it can steal personal information, disrupt operations, or hold data for ransom. In 2020, the cybercriminal group FIN7 used Griffon heavily in its spring and summer phishing campaigns, alongside another malware named LOADOUT. Griffon was also found on USB drives containing an Arduino ATMEGA32U4 microcontroller, indicating a potential physical distribution method.
In August 2020, researchers observed a significant shift in FIN7's tactics. Following a successful Griffon infection, FIN7 began deploying POWERPLANT, also known as "KillACK", a PowerShell-based backdoor with extensive capabilities. This marked a departure from the group's previous strategy of using LOADOUT and/or GRIFFON as the first-stage malware in its intrusions.
The attackers developed a PowerLinks-style method to achieve persistence and execute the Griffon implant at each user logon. Another instance of the Griffon implant was stored in the registry to maintain its presence. The implant could also take screenshots, save them to "%TMP%/image.png", send them back to the attackers, and then delete them, giving the operators a comprehensive surveillance capability.
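Because the screenshot is deleted after it is sent, a defender rarely finds "%TMP%/image.png" on disk; what remains is endpoint telemetry about the file's short life and about the registry writes that keep the implant running. The following Python is an added detection sketch, not code from this page or from any FIN7 reporting. It runs over a constructed stream of Sysmon-style events and flags three behaviours described above: a logon Run value that launches a script host, an unusually large registry value that could hold a stored implant, and a screenshot file under a Temp directory that is deleted shortly after creation. The event schema, field names, thresholds, process names and sample records are all assumptions chosen for the illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumed script hosts a registry-resident implant is commonly launched through.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Autostart locations executed at every user logon (HKCU or HKU\<SID>).
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# %TMP%/image.png after environment expansion on a typical Windows profile.
TEMP_IMAGE_RE = re.compile(r"\\temp\\image\.png$", re.I)
LARGE_VALUE_BYTES = 512        # assumed threshold for "value holds script content"
DELETE_WINDOW_SECONDS = 60     # assumed max lifetime of a transient screenshot


@dataclass
class Event:
    ts: float      # seconds on the constructed timeline
    kind: str      # "RegistryValueSet", "FileCreate" or "FileDelete"
    image: str     # full path of the process that generated the event
    data: dict     # Sysmon-style fields: TargetObject/Details or TargetFilename


def _proc(image: str) -> str:
    # ntpath handles Windows separators even when this runs on Linux.
    return ntpath.basename(image).lower()


def flag_registry_persistence(events):
    """Flag Run values that launch a script host and oversized values that may store code."""
    alerts = []
    for e in events:
        if e.kind != "RegistryValueSet":
            continue
        target = e.data.get("TargetObject", "")
        details = e.data.get("Details", "")
        if RUN_KEY_RE.search(target) and any(h in details.lower() for h in SCRIPT_HOSTS):
            alerts.append({"rule": "run_key_launches_script_host",
                           "target": target, "process": _proc(e.image)})
        if len(details) >= LARGE_VALUE_BYTES:
            alerts.append({"rule": "large_registry_value_possible_script_store",
                           "target": target, "size": len(details)})
    return alerts


def flag_screenshot_exfil_pattern(events):
    """Flag a Temp\\image.png that is created and then deleted within the window."""
    created = {}   # normalised path -> (create time, creating process)
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):
        path = e.data.get("TargetFilename", "")
        if not TEMP_IMAGE_RE.search(path):
            continue
        if e.kind == "FileCreate":
            created[path.lower()] = (e.ts, _proc(e.image))
        elif e.kind == "FileDelete":
            hit = created.pop(path.lower(), None)
            if hit and e.ts - hit[0] <= DELETE_WINDOW_SECONDS:
                alerts.append({"rule": "transient_temp_screenshot", "path": path,
                               "process": hit[1], "lifetime_s": e.ts - hit[0],
                               "confidence": "high" if hit[1] in SCRIPT_HOSTS else "medium"})
    return alerts


# Constructed sample telemetry (not real FIN7 data); paths and SID are placeholders.
EVENTS = [
    Event(0.0, "RegistryValueSet", r"C:\Windows\System32\wscript.exe",
          {"TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
           "Details": r'wscript.exe "C:\Users\alice\AppData\Roaming\update.js"'}),
    Event(1.0, "RegistryValueSet", r"C:\Windows\System32\wscript.exe",
          {"TargetObject": r"HKU\S-1-5-21-1000\Software\Classes\CLSID\{placeholder}\Stage",
           "Details": "(constructed placeholder for stored script content) " + "x" * 600}),
    Event(100.0, "FileCreate", r"C:\Windows\System32\wscript.exe",
          {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\image.png"}),
    Event(112.0, "FileDelete", r"C:\Windows\System32\wscript.exe",
          {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\image.png"}),
    # Benign noise: a normal autostart entry and a graphics app writing a file it keeps.
    Event(200.0, "RegistryValueSet", r"C:\Windows\explorer.exe",
          {"TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
           "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"}),
    Event(300.0, "FileCreate", r"C:\Windows\System32\mspaint.exe",
          {"TargetFilename": r"C:\Users\alice\AppData\Local\Temp\image.png"}),
]


def run_detections(events):
    return {"registry": flag_registry_persistence(events),
            "screenshot": flag_screenshot_exfil_pattern(events)}


if __name__ == "__main__":
    for family, hits in run_detections(EVENTS).items():
        for hit in hits:
            print(family, hit)
```

The screenshot rule deliberately keys on the create/delete pair rather than on the file's presence, since the implant removes the file itself; the registry rule treats value size as a weak signal and pairs it with the autostart check so that ordinary Run entries such as the OneDrive one above do not fire.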
Description last updated: 2024-05-04T23:26:05.940Z