
Sangria Tempest Overview

Sangria Tempest (also known as FIN7) is a sophisticated, financially motivated threat actor group that targets organisations in the banking, retail and hospitality sectors.

The group was initially identified in 2016. There is, however, disagreement over whether it should be classified as an advanced persistent threat (APT) group or, more generally, as a cybercriminal group. The disagreement appears to stem from Sangria Tempest being attributed to a cluster of operations that overlaps with other groups such as Cobalt Gang. It is possible that Sangria Tempest is in fact the same as the Carbanak group, given the similarities in their tactics; it also remains possible that the two groups simply collaborate closely with one another.

Sangria Tempest is motivated by securing financial credentials and related data. Their intrusion methods have developed since the group's inception and include specially crafted phishing emails and documents, LNK shortcut files hidden as embedded objects inside DOCX and RTF documents, abuse of PowerShell commands and of Microsoft Dynamic Data Exchange (DDE) fields, and the compromise of point-of-sale (POS) systems in retail stores. Whatever the technique, financial gain is almost certainly the constant factor across their campaigns.
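
The two document-based delivery tricks mentioned above, DDE fields and LNK shortcuts embedded as OLE objects, can both be checked for statically because a .docx is a ZIP archive and an RTF is plain text. The scanner below is an added example written for this profile, not code from the original page or from any vendor report: it looks for DDE/DDEAUTO field instructions, for the generic OLE Packager (ProgID "Package", the route by which an arbitrary file such as a .lnk is embedded) and for the ShellLink header inside embedded streams. The sample documents are constructed in memory and are not real lures.

```python
import io
import re
import zipfile

# Word stores a field instruction either as <w:instrText> runs (usually split
# over several runs) or as the w:instr attribute of <w:fldSimple>.
INSTR_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLDSIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"', re.S)
PROGID_RE = re.compile(r'ProgID="([^"]*)"')
# DDE and DDEAUTO are the field types that make Word start an external program.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
# ShellLink header: HeaderSize 0x0000004C then the LNK CLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_HEADER = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")


def scan_docx(data: bytes) -> dict:
    """Return DDE fields, Packager objects and embedded LNK streams found in a .docx."""
    f = {"dde_fields": [], "package_objects": [], "embedded_objects": [], "lnk_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            # Body, headers, footers and footnotes can all carry fields and objects.
            if name.startswith("word/") and name.endswith(".xml"):
                xml = z.read(name).decode("utf-8", "replace")
                for instr in INSTR_RE.findall(xml) + FLDSIMPLE_RE.findall(xml):
                    if DDE_RE.search(instr):
                        f["dde_fields"].append((name, " ".join(instr.split())))
                # ProgID "Package" is the generic OLE Packager, the route by which an
                # arbitrary file such as a .lnk is embedded in a document.
                f["package_objects"] += [name for p in PROGID_RE.findall(xml) if p == "Package"]
            elif name.startswith("word/embeddings/"):
                f["embedded_objects"].append(name)
                # OLE compound files store streams in 512-byte sectors, so an embedded
                # shortcut's header survives contiguously somewhere in the blob.
                if LNK_HEADER in z.read(name):
                    f["lnk_objects"].append(name)
    f["suspicious"] = bool(f["dde_fields"] or f["lnk_objects"])
    return f


def scan_rtf(data: bytes) -> dict:
    """The same checks for RTF: DDE in \\fldinst, Packager objects, hex-encoded LNK in \\objdata."""
    dde = [" ".join(m.group(0).decode("latin-1").split())
           for m in re.finditer(rb"\\fldinst[^}]*", data)
           if DDE_RE.search(m.group(0).decode("latin-1"))]
    package = len(re.findall(rb"\\objclass\s+Package\b", data))
    hexdata = b"".join(re.findall(rb"\\objdata\s*([0-9a-fA-F\s]+)", data))
    lnk = LNK_HEADER.hex().encode() in re.sub(rb"\s+", b"", hexdata).lower()
    return {"dde_fields": dde, "package_objects": package, "lnk_objects": lnk,
            "suspicious": bool(dde or lnk)}


def build_sample_docx(with_dde: bool, with_lnk: bool) -> bytes:
    """Construct a minimal .docx in memory (test data for this example, not a real lure)."""
    runs = ""
    if with_dde:
        # A field is begin/instruction/end runs; the instruction is split across runs here.
        runs = ('<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
                '<w:r><w:instrText xml:space="preserve">c:\\windows\\system32\\cmd.exe "/k powershell"</w:instrText></w:r>'
                '<w:r><w:fldChar w:fldCharType="end"/></w:r>')
    obj = '<w:object><o:OLEObject Type="Embed" ProgID="Package" r:id="rId5"/></w:object>' if with_lnk else ""
    document_xml = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                    'xmlns:o="urn:schemas-microsoft-com:office:office" '
                    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                    '<w:body><w:p>' + runs + obj + '<w:r><w:t>Invoice attached</w:t></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
        if with_lnk:
            # OLE compound-file signature, one sector of filler, then the shortcut stream.
            z.writestr("word/embeddings/oleObject1.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 504 + LNK_HEADER + b"\x00" * 56)
    return buf.getvalue()


# Constructed RTF lure with a DDEAUTO field and a Packager object carrying a shortcut.
SAMPLE_RTF = (rb'{\rtf1{\field{\*\fldinst{ DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc" }}{\fldrslt x}}'
              rb'{\object\objemb{\*\objclass Package}{\*\objdata 01050000020000000800000050616b61676500 '
              + LNK_HEADER.hex().encode() + rb' 00}}}')

if __name__ == "__main__":
    print(scan_docx(build_sample_docx(True, True)))
    print(scan_rtf(SAMPLE_RTF))
```

A "Package" object or a DDE field is not malicious by itself, but neither has a place in an invoice or résumé arriving from outside, so either is enough to quarantine the attachment for analysis; the LNK header check is the stronger signal.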

Targeted Sectors

Sangria Tempest targets organisations in the banking, retail, and hospitality sectors.

Threat Actor Motivations

The motives of Sangria Tempest can be inferred from the strategies applied in their campaigns. Given their target set and the intrusion methods they use, it is almost certainly the case that Sangria Tempest operations are motivated purely by financial gain.

Threat Actor Activity Timeline

  • 2020: Sangria Tempest ran a phishing campaign against various organisations that deployed the LOADOUT and GRIFFON malware.
  • 2021: Sangria Tempest was reported to have set up a fraudulent security firm named "Bastion Secure", masquerading as a legitimate organisation in order to hire researchers and manipulate them into carrying out work that supported ransomware deployment.
  • April 2021: Sangria Tempest pivoted from its typical initial access tooling of LOADOUT and GRIFFON to POWERPLANT and BEACON.
  • November 2022: Sangria Tempest threat actors were reported to have deployed Black Basta ransomware within their attack chain.
  • April 2023: Sangria Tempest was observed compromising systems with the Domino malware.
  • April 2023: Sangria Tempest compromised Veeam Backup servers and deployed malware to them by exploiting the vulnerability tracked as CVE-2023-27532.

Associated Malware

BIOLOAD: A newly crafted loader, developed in C++, that Sangria Tempest used to deliver new builds of the Carbanak backdoor; it is closely similar to BOOSTWRITE. The malware applies the binary planting technique, which abuses the order in which Windows searches for the dynamic-link libraries (DLLs) a program needs to load.

BOOSTWRITE: A malicious loader that runs on Windows and is launched by abusing the DLL search order of legitimate applications on the victim host that load dwrite.dll. BOOSTWRITE masquerades as that library and exports the DWriteCreateFactory function; when the host application calls it, the loader decrypts and loads its embedded payloads.

GRIFFON: A JavaScript-based implant with no persistence mechanism of its own, used to establish command-and-control (C2) communications.
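
Both BIOLOAD and BOOSTWRITE rely on a fake dwrite.dll being picked up ahead of the genuine one, and that is visible in image-load telemetry. The detector below is an added example written for this profile, not code from the page or from any vendor: it takes records shaped like Sysmon Event ID 7 (ImageLoad) fields and flags a watched library loaded from outside the Windows system directories, with extra weight when the DLL sits beside the loading executable or carries a non-Microsoft signature. The records are constructed, not real telemetry, and the field names follow Sysmon's schema.

```python
import ntpath

# Legitimate locations for the DirectWrite library (compared lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Libraries these loaders impersonate; extend with other commonly side-loaded names.
WATCHED_DLLS = {"dwrite.dll"}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def check_image_load(event: dict) -> list[str]:
    """Return reasons this Sysmon EID 7 record looks like DLL side-loading (empty = benign)."""
    loaded = event["ImageLoaded"]
    if ntpath.basename(loaded).lower() not in WATCHED_DLLS:
        return []
    if _dir(loaded) in SYSTEM_DIRS:
        return []  # loaded from the Windows directory: expected
    reasons = [f"{ntpath.basename(loaded)} loaded from outside the system directory: {loaded}"]
    # The classic search-order hijack: the fake DLL sits next to the executable.
    if _dir(loaded) == _dir(event["Image"]):
        reasons.append(f"co-located with loading process {event['Image']}")
    # FIN7 has signed payloads with valid certificates (T1553.002), so "Signed: true"
    # on its own proves nothing; the genuine library carries a Microsoft signature.
    if event.get("Signed", "false").lower() != "true" or not event.get("Signature", "").startswith("Microsoft"):
        reasons.append(f"signature is {event.get('Signature') or 'absent'}, not Microsoft")
    return reasons


def scan_image_loads(events: list[dict]) -> list[dict]:
    """Run the check over a batch of records and return the alerts."""
    alerts = []
    for e in events:
        reasons = check_image_load(e)
        if reasons:
            alerts.append({"host": e.get("Computer"), "process": e["Image"],
                           "dll": e["ImageLoaded"], "reasons": reasons})
    return alerts


# Constructed records in the shape of Sysmon Event ID 7 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "POS-TILL-04", "Image": r"C:\Program Files\Vendor\Till.exe",
     "ImageLoaded": r"C:\Windows\System32\dwrite.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Computer": "POS-TILL-04", "Image": r"C:\Program Files\Vendor\Till.exe",
     "ImageLoaded": r"C:\Windows\System32\gdiplus.dll", "Signed": "true", "Signature": "Microsoft Windows"},
    {"Computer": "WS-FIN-112", "Image": r"C:\Users\jdoe\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\dwrite.dll", "Signed": "true",
     "Signature": "Example Software LLC"},
    {"Computer": "WS-FIN-112", "Image": r"C:\Users\jdoe\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\winmm.dll", "Signed": "false", "Signature": ""},
]

if __name__ == "__main__":
    for alert in scan_image_loads(SAMPLE_EVENTS):
        print(alert)
```

Sysmon does not record ImageLoad events unless the configuration asks for them, so a rule such as `<ImageLoad onmatch="include"><ImageLoaded condition="end with">dwrite.dll</ImageLoaded></ImageLoad>` (or an equivalent "loaded from outside System32" filter) has to be in place before this telemetry exists; the fourth sample record shows that a DLL not on the watch list is ignored, so widen WATCHED_DLLS to the libraries your estate actually sees side-loaded.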

Indicators of Compromise

Sangria Tempest Associated IP Addresses:

  • 198[.]100[.]119[.]6
  • 91[.]194[.]254[.]93
  • 204[.]155[.]31[.]174
  • 91[.]194[.]254[.]38
  • 31[.]148[.]219[.]141
  • 91[.]194[.]254[.]246
  • 198[.]100[.]119[.]7
  • 91[.]194[.]254[.]92
  • 91[.]194[.]254[.]37
  • 91[.]194[.]254[.]94
  • 204[.]155[.]31[.]167
  • 91[.]194[.]254[.]39
  • 91[.]194[.]254[.]90

Sangria Tempest Associated File Hashes (SHA256):

  • 01bdcbda0ac780f3c04cb8a0ed6ef3af11976dd30e69677a17089d47e9fbefd6

Sangria Tempest Associated Domains:

  • road-to-dominikana[.]biz
  • critical-damage333[.]org
  • nikaka-ost[.]xyz
  • pasteronixus[.]com
  • levetas-marin[.]com
  • coral-trevel[.]com
  • androidn[.]net
  • travel-maps[.]info
  • my-amateur-gals[.]com
  • di-led[.]com
  • zaydo[.]website
  • ass-pussy-fucking[.]net
  • datsun-auto[.]com
  • skaoow-loyal[.]net
  • narko-cartel[.]com
  • dragonn-force[.]com
  • baltazar-btc[.]com
  • cameron-archibald[.]com
  • akkso-dob[.]in
  • castello-casta[.]com
  • comixed[.]org
  • akkso-dob[.]xyz
  • publics-dns[.]com
  • ihave5kbtc[.]org
  • brazilian-love[.]org
  • ihave5kbtc[.]biz
  • skaoow-loyal[.]xyz
  • vincenzo-bardelli[.]com
  • chugumshimusona[.]com
  • nikaka-ost[.]in
  • pasteronixca[.]com
  • zaydo[.]co
  • casas-curckos[.]com
  • adventureseller[.]com
  • maorkkk-grot[.]xyz
  • zaydo[.]space
  • casting-cortell[.]com
  • glonass-map[.]com
  • akamai-technologies[.]org
  • ppc-club[.]org
  • wascodogamel[.]com
  • gooip-kumar[.]com
  • namorushinoshi[.]com
  • marcello-bascioni[.]com

Sangria Tempest Associated URLs:

  • hxxp[://]31[.]148[.]219[.]141:80/cd
  • hxxp[://]204[.]155[.]31[.]174:8080/cd
  • hxxp[://]31[.]148[.]219[.]141:443/cd
  • hxxp[://]204[.]155[.]31[.]174:443/cd
  • hxxp[://]198[.]100[.]119[.]7:8080/cd
  • hxxp[://]204[.]155[.]31[.]167:443/cd
  • hxxp[://]31[.]148[.]219[.]141:8080/cd
  • hxxp[://]204[.]155[.]31[.]167:80/cd
  • hxxp[://]204[.]155[.]31[.]167:8080/cd
  • hxxp[://]204[.]155[.]31[.]174:80/cd
  • hxxp[://]198[.]100[.]119[.]7:443/cd
  • hxxp[://]198[.]100[.]119[.]7:80/cd
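
Indicator lists like the one above are published defanged and are only useful once refanged and compared against logs in a normalised form. The matcher below is an added example written for this profile, not code from the page: it carries a subset of the indicators exactly as listed, refangs them, and matches them against constructed proxy log lines by IP, by domain (including subdomains) and by full URL. Because every listed URL is an IP literal serving the path /cd on port 80, 443 or 8080, it also flags that shape on its own, which catches the same infrastructure after the addresses rotate. The log format is an assumption made for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A subset of the indicators listed above, exactly as published (defanged).
DEFANGED_IPS = ["198[.]100[.]119[.]6", "91[.]194[.]254[.]93", "204[.]155[.]31[.]174",
                "31[.]148[.]219[.]141", "198[.]100[.]119[.]7", "204[.]155[.]31[.]167"]
DEFANGED_DOMAINS = ["road-to-dominikana[.]biz", "akamai-technologies[.]org",
                    "publics-dns[.]com", "travel-maps[.]info"]
DEFANGED_URLS = ["hxxp[://]31[.]148[.]219[.]141:80/cd", "hxxp[://]204[.]155[.]31[.]174:8080/cd",
                 "hxxp[://]198[.]100[.]119[.]7:443/cd"]
DEFAULT_PORTS = {"http": 80, "https": 443}


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its real form."""
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.I)
    for broken, fixed in (("[://]", "://"), ("[.]", "."), ("(.)", "."), ("{.}", ".")):
        s = s.replace(broken, fixed)
    return s.lower()


def normalise_url(url: str) -> tuple[str, str, int, str]:
    """Scheme, host, explicit port and path, so http://h/cd and http://h:80/cd compare equal."""
    parts = urlsplit(url.lower())
    port = parts.port or DEFAULT_PORTS.get(parts.scheme, 0)
    return parts.scheme, parts.hostname or "", port, parts.path or "/"


IOC_IPS = {refang(i) for i in DEFANGED_IPS}
IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IOC_URLS = {normalise_url(refang(u)) for u in DEFANGED_URLS}


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_url(url: str) -> set[str]:
    """Return the kinds of indicator a requested URL matches."""
    scheme, host, port, path = normalise_url(url)
    hits = set()
    if host in IOC_IPS:
        hits.add("ip")
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        hits.add("domain")  # subdomains of a listed domain count too
    if (scheme, host, port, path) in IOC_URLS:
        hits.add("url")
    # Every listed URL is an IP literal serving /cd on 80, 443 or 8080; flag that
    # shape even for IPs not on the list, since C2 hosts rotate faster than lists.
    if is_ip(host) and path == "/cd" and port in (80, 443, 8080):
        hits.add("pattern")
    return hits


def scan_proxy_log(lines: list[str]) -> list[tuple[str, set[str]]]:
    """Assumed log format: timestamp client method url status. Returns the lines with hits."""
    results = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        hits = match_url(fields[3])
        if hits:
            results.append((line, hits))
    return results


# Constructed proxy log lines (not real traffic; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    "2023-04-12T10:14:03Z 10.0.0.5 GET http://204.155.31.174:8080/cd 200",
    "2023-04-12T10:15:11Z 10.0.0.7 GET https://www.example.com/ 200",
    "2023-04-12T10:16:40Z 10.0.0.9 GET http://cdn.akamai-technologies.org/update.js 200",
    "2023-04-12T10:18:02Z 10.0.0.5 GET http://203.0.113.44:443/cd 200",
    "2023-04-12T10:20:00Z 10.0.0.2 GET http://198.100.119.6/ 404",
]

if __name__ == "__main__":
    for line, hits in scan_proxy_log(SAMPLE_LOG):
        print(sorted(hits), line)
```

The pattern match is deliberately looser than the list and will need tuning: any host that genuinely serves a /cd path on a bare IP will trip it, so treat it as a triage signal next to the exact hits rather than a blocking rule.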

Exploited Vulnerabilities

  • CVE-2016-5195 (CVSSv3 Score: 7.0 – High Severity) (Dirty COW) – A race condition in mm/gup.c in the Linux kernel that allows local users to gain privileges by leveraging incorrect handling of the copy-on-write (COW) feature to write to a read-only memory mapping.
  • CVE-2023-27532 (CVSSv3 Score: 7.5 – High Severity) – A vulnerability in the Veeam Backup & Replication backup service component (Veeam.Backup.Service.exe, TCP port 9401) that allows an unauthenticated user within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database.
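
Checking an estate for CVE-2023-27532 is not quite a plain version comparison: Veeam shipped the fix as a cumulative patch ("P" level) that keeps the branch's build number, so a host reporting only "12.0.0.1420" cannot be called patched. The check below is an added example written for this profile, not vendor code. The fixed build and patch levels it uses (12.0.0.1420 P20230223 and 11.0.1.1261 P20230227) are taken from Veeam's KB4424 advisory and should be re-verified against that page before the script is relied on; the inventory, hostnames and reachability flags are constructed.

```python
import re

# Fixed builds and patch levels named in Veeam's advisory KB4424 for CVE-2023-27532
# (assumption: re-verify against the vendor page). Both fixes kept the branch's
# build number, so the P-level has to be compared as well as the build.
FIXED = {11: ((11, 0, 1, 1261), 20230227), 12: ((12, 0, 0, 1420), 20230223)}
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P(\d{8}))?\s*$")


def parse_version(text: str) -> tuple[tuple[int, int, int, int], int]:
    """'12.0.0.1420 P20230223' -> ((12, 0, 0, 1420), 20230223); missing P-level -> 0."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Veeam version string: {text!r}")
    build = tuple(int(x) for x in m.group(1, 2, 3, 4))
    return build, int(m.group(5) or 0)


def is_vulnerable(text: str) -> bool:
    build, patch = parse_version(text)
    branch = build[0]
    if branch < 11:
        return True   # unsupported branches received no fix: treat as vulnerable
    if branch > 12:
        return False  # released after the fix
    fixed_build, fixed_patch = FIXED[branch]
    if build != fixed_build:
        return build < fixed_build
    # Same build number as the fix: only the cumulative patch level decides,
    # and an unknown patch level is treated as unpatched.
    return patch < fixed_patch


def assess(inventory: list[dict]) -> list[dict]:
    """Rank hosts: vulnerable and reachable on TCP 9401 from outside the backup network first."""
    out = []
    for host in inventory:
        vuln = is_vulnerable(host["version"])
        exposed = bool(host.get("port_9401_reachable_externally"))
        out.append({"host": host["host"], "vulnerable": vuln, "exposed": exposed,
                    "priority": 1 if vuln and exposed else 2 if vuln else 3})
    return sorted(out, key=lambda r: r["priority"])


# Constructed inventory (hostnames, versions and reachability flags are illustrative).
INVENTORY = [
    {"host": "vbr-dc1", "version": "12.0.0.1420 P20230223", "port_9401_reachable_externally": False},
    {"host": "vbr-dc2", "version": "11.0.1.1261 P20220302", "port_9401_reachable_externally": True},
    {"host": "vbr-lab", "version": "12.0.0.1420", "port_9401_reachable_externally": False},
    {"host": "vbr-old", "version": "10.0.1.4854", "port_9401_reachable_externally": False},
]

if __name__ == "__main__":
    for row in assess(INVENTORY):
        print(row)
```

Even on a patched server, TCP/9401 should only be reachable from the backup infrastructure itself; the exposure flag exists so that a vulnerable host that is also reachable from user or internet-facing networks is remediated first.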

Mitre Methodologies

Resource Development
T1588.002 – Obtain Capabilities: Tool

Initial Access
T1078 – Valid Accounts
T1566 – Phishing
T1190 – Exploit Public-Facing Application
T1195.002 – Supply Chain Compromise: Compromise Software Supply Chain
T1566.001 – Phishing: Spearphishing Attachment

Execution
T1204.002 – User Execution: Malicious File
T1059.001 – Command and Scripting Interpreter: PowerShell
T1047 – Windows Management Instrumentation
T1059.005 – Command and Scripting Interpreter: Visual Basic
T1059.007 – Command and Scripting Interpreter: JavaScript
T1569.002 – System Services: Service Execution

Persistence
T1078 – Valid Accounts
T1574.002 – Hijack Execution Flow: DLL Side-Loading

Privilege Escalation
T1055.012 – Process Injection: Process Hollowing
T1574.002 – Hijack Execution Flow: DLL Side-Loading

Defense Evasion
T1140 – Deobfuscate/Decode Files or Information
T1497.001 – Virtualization/Sandbox Evasion: System Checks
T1027.002 – Obfuscated Files or Information: Software Packing
T1036 – Masquerading
T1055.012 – Process Injection: Process Hollowing
T1218 – System Binary Proxy Execution
T1553.002 – Subvert Trust Controls: Code Signing
T1562.001 – Impair Defenses: Disable or Modify Tools
T1622 – Debugger Evasion
T1070 – Indicator Removal
T1562.009 – Impair Defenses: Safe Mode Boot
T1574.002 – Hijack Execution Flow: DLL Side-Loading

Credential Access
T1552.001 – Unsecured Credentials: Credentials In Files
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1187 – Forced Authentication

Discovery
T1082 – System Information Discovery
T1057 – Process Discovery
T1083 – File and Directory Discovery
T1497.001 – Virtualization/Sandbox Evasion: System Checks
T1033 – System Owner/User Discovery
T1087.002 – Account Discovery: Domain Account
T1622 – Debugger Evasion
T1615 – Group Policy Discovery

Lateral Movement
T1091 – Replication Through Removable Media
T1021 – Remote Services

Collection
T1005 – Data from Local System
T1113 – Screen Capture
T1115 – Clipboard Data

Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1071.002 – Application Layer Protocol: File Transfer Protocols

Impact
T1495 – Firmware Corruption
T1496 – Resource Hijacking
T1486 – Data Encrypted for Impact

Cyber Kill Chain

  • Reconnaissance: Sangria Tempest harvests email addresses and other victim data to support its initial access technique of spear phishing.
  • Weaponisation: Sangria Tempest engineers the malware components in its arsenal (such as BIOLOAD and GRIFFON) and embeds exploits in attachments for delivery via its spear phishing attacks.
  • Delivery: Sangria Tempest delivers the malicious attachments and links via spear phishing emails.
  • Exploitation: Sangria Tempest uses a variety of techniques, such as PowerShell and Windows Management Instrumentation (WMI), to execute its attack.
  • Installation: Sangria Tempest deploys malware such as BIOLOAD to install the Carbanak backdoor. To maintain persistence, the group uses application compatibility shim databases (SDBs) to modify the behaviour of programs on the target system. At this stage the group has also been observed injecting code into processes and hijacking DLLs to evade detection within the target environment.
  • Command & Control (C2): To set up a channel of communication with the target system, the group uses a variety of C2 mechanisms, such as standard application layer protocols, and disguises its traffic with a standard cryptographic protocol.
  • Actions on Objectives: The established C2 channels give the group a means to exfiltrate data in encrypted form.
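
The shim-database persistence mentioned under Installation leaves a compact footprint in the registry: sdbinst registers each custom database under AppCompatFlags\InstalledSDB and records which executable it applies to under AppCompatFlags\Custom. The audit below is an added example written for this profile, not code from the page or from any vendor: it parses a .reg export of that hive branch and reports every custom shim, flagging those aimed at privileged system processes, those whose description poses as a Microsoft fix, and Custom entries with no matching InstalledSDB registration. The export text, GUIDs and descriptions are constructed.

```python
import re

# Registry keys sdbinst writes when a custom shim database is installed.
APPCOMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags"
CUSTOM_KEY = APPCOMPAT + "\\Custom\\"
INSTALLED_KEY = APPCOMPAT + "\\InstalledSDB\\"
# Shimming these is how shim-based persistence gets code into a privileged process;
# no ordinary compatibility fix for a line-of-business application targets them.
PRIVILEGED_TARGETS = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "explorer.exe"}


def parse_reg_export(text: str) -> dict:
    """Parse a .reg export into {key: {value_name: value}} (strings, dwords, raw hex)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"'):
                # .reg files escape backslashes in string data as "\\".
                keys[current][name] = value.strip('"').replace("\\\\", "\\")
            elif value.startswith("dword:"):
                keys[current][name] = int(value[6:], 16)
            else:
                keys[current][name] = value  # hex:/hex(b): kept in raw form
    return keys


def audit_shims(reg_text: str) -> list[dict]:
    """List every custom shim database with its target process and why it looks suspicious."""
    keys = parse_reg_export(reg_text)
    installed = {k[len(INSTALLED_KEY):].lower(): v for k, v in keys.items() if k.startswith(INSTALLED_KEY)}
    findings = []
    for key, values in keys.items():
        if not key.startswith(CUSTOM_KEY):
            continue
        target = key[len(CUSTOM_KEY):].lower()
        for sdb_name in values:  # value names under Custom\<exe> are "{GUID}.sdb"
            guid = sdb_name.lower().removesuffix(".sdb")
            meta = installed.get(guid, {})
            reasons = []
            if target in PRIVILEGED_TARGETS:
                reasons.append(f"custom shim applied to privileged process {target}")
            if not meta:
                reasons.append("no matching InstalledSDB entry (orphaned or tampered registration)")
            if "microsoft" in str(meta.get("DatabaseDescription", "")).lower():
                reasons.append("description poses as a Microsoft fix; Microsoft's own fixes live in sysmain.sdb, not Custom")
            findings.append({"target": target, "sdb": guid, "path": meta.get("DatabasePath"),
                             "description": meta.get("DatabaseDescription"), "reasons": reasons})
    return findings


# Constructed .reg export: one shim aimed at services.exe, one benign fix for a legacy app.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\services.exe]
"{9b3c1a2e-4d5f-4a6b-8c7d-0e1f2a3b4c5d}.sdb"=hex(b):00,80,3e,d5,de,b1,d9,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\LegacyReport.exe]
"{1f0e2d3c-4b5a-4c6d-9e8f-7a6b5c4d3e2f}.sdb"=hex(b):00,80,3e,d5,de,b1,d9,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{9b3c1a2e-4d5f-4a6b-8c7d-0e1f2a3b4c5d}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{9b3c1a2e-4d5f-4a6b-8c7d-0e1f2a3b4c5d}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="Microsoft Windows compatibility update"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{1f0e2d3c-4b5a-4c6d-9e8f-7a6b5c4d3e2f}]
"DatabasePath"="C:\\Windows\\AppPatch\\Custom\\{1f0e2d3c-4b5a-4c6d-9e8f-7a6b5c4d3e2f}.sdb"
"DatabaseType"=dword:00010000
"DatabaseDescription"="LegacyReport 2.1 compatibility fix"
"""

if __name__ == "__main__":
    for finding in audit_shims(SAMPLE_REG):
        print(finding)
```

On a live host the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags" appcompat.reg`; pair the audit with process-creation logging for sdbinst.exe (Windows event 4688 or Sysmon event 1), since the installation itself is a one-off event that is easy to miss once the registry entries look settled.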

Additional information

An intelligence terminology yardstick showing the likelihood of events; the probabilistic language used in this profile ("almost certainly") follows it.