FIN7 Exploits Vulnerabilities in Veeam Backup Software

A Veeam Backup process was seen executing a shell command to download and run a PowerShell script, abusing the Veeam Backup & Replication vulnerability CVE-2023-27532. Further analysis revealed that the script was the Powertrash in-memory dropper, a tool previously used by FIN7. Subsequently, the group deployed Diceloader, a backdoor also known as Lizar.

