GRIFFON

Malware Profile Updated 3 months ago
Griffon is a malware family: malicious software designed to infiltrate and damage computers or devices without the user's knowledge. It can be spread through dubious downloads, emails, or websites, and once inside a system it can steal personal information, disrupt operations, or even hold data for ransom. In 2020, Griffon was heavily used by the cybercriminal group FIN7 during its spring and summer phishing campaigns, alongside another malware family named LOADOUT. The malware was also found on USB drives containing an Arduino ATMEGA32U4 microcontroller, indicating a potential physical distribution method. In August 2020, researchers observed a significant shift in FIN7's tactics: following a successful Griffon infection, the group began deploying POWERPLANT, also known as "KillACK", a PowerShell-based backdoor with extensive capabilities. This marked a departure from its previous strategy of using LOADOUT and/or GRIFFON as first-stage malware in its intrusions. The attackers developed a PowerLinks-style method to achieve persistence and execute the Griffon implant at each user logon, and a second copy of the Griffon implant was stored inside the registry to maintain its presence. The Griffon implant could also take screenshots, save them to "%TMP%/image.png", send them back to the attackers, and then delete them, demonstrating its potential for comprehensive surveillance.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other contextual elements that may help in judging relevance
Malware
Backdoor
Implant
Payload
Windows
T1059.005
T1070.004
T1090
Proxy
T1033
T1082
T1087.002
T1518
T1555.003
Spearphishing
Decoy
Phishing
Beacon
T1059
T1059.001
T1059.003
T1059.007
T1204.001
T1204.002
T1569.002
T1195.002
T1199
T1566.001
T1566.002
T1491.002
T1588.003
T1588.004
T1608.003
T1608.005
T1027
T1027.005
T1036
T1036.003
T1055
T1140
T1218.010
T1218.011
T1497.001
T1553.002
T1564.003
T1620
T1113
T1213
T1560
Lateral Move...
T1021.001
T1021.004
T1071.001
T1095
T1105
T1132.001
T1573.002
T1012
T1057
T1069
T1069.002
T1087
T1110.002
T1558.003
PowerShell
T1583.003
T1083
Mandiant
T1482
Associated Malware
ID | Type | Votes | Profile Description
Carbanak | Unspecified | 1 | Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt
Diceloader | Unspecified | 1 | Diceloader is a type of malware, short for malicious software, that is designed to infiltrate and damage computer systems. It can infect systems through various means such as suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, it can steal personal in
Associated Threat Actors
ID | Type | Votes | Profile Description
FIN7 | Unspecified | 1 | FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Cobalt/meterpreter | Unspecified | 1 | None
Birdwatch/jssloader | Unspecified | 1 | None
Source Document References
Information about the GRIFFON malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU | a year ago | US Military Personnel Targeted by Unsolicited Smartwatches Linked to Data Breaches
MITRE | a year ago | FIN7.5: the infamous cybercrime rig "FIN7" continues its activities