Irish Information Security Forum

FIN7 Spearphishes with GRIFFON, but Exposes Access to C2

Source: Recorded Future




At the end of July 2022, Recorded Future identified a campaign by the cybercriminal threat group FIN7 that was spreading GRIFFON malware via a spearphishing attack, and obtained malicious samples of the malware.


Recorded Future leveraged the samples to gain one-time access to a command-and-control (C2) server and interface used by FIN7 for GRIFFON-based attacks. The threat actors obfuscated the script using a custom string-encoding algorithm.


GRIFFON malware is a JScript-based JSloader backdoor that connects with a C2 server to receive and execute additional modules. The malware uses Windows Management Instrumentation (WMI) functions to collect system and network configuration data from its victims.  


GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows cybercriminals to understand the context of the infected workstation.


Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer. This is how it works: An email arrives, apparently from a trustworthy source, but instead it leads the unknowing recipient to a bogus website full of malware. These emails often use clever tactics to get victims' attention. For example, the FBI has warned of spear phishing scams where the emails appeared to be from the National Center for Missing and Exploited Children.




Read the full Report

FIN7 Spearphishes with GRIFFON Malware


