Even after several alleged members were arrested last year, FIN7 continues to show signs of life, as evidenced by the recent discovery of an administration panel tool called “Astra” and two new malware samples used in campaigns by the cybercriminal group in 2018.
Researchers from Flashpoint who uncovered the threat observed Astra-related activity from May through July 2018. However, Astra campaigns may date as far back as January of that year, and could still be active today, albeit invisible to the security community.
It was last August that the U.S. Department of Justice announced the arrests of three Ukrainian men who allegedly are all key players in FIN7, aka the Carbanak gang. Two of these arrests came in January 2018, while the third took place in June. Officials say the men allegedly disguised their illegal actions through a front company called Combi Security.
The fact that researchers detected Astra threat activity following these arrests suggests that FIN7 remains steadfast in its quest to steal payment card and financial data from hacked businesses around the world, despite interference from law enforcement authorities.
“Since the arrests, multiple IP addresses and domains supporting FIN7 campaigns have been observed in campaigns. FIN7 activity does not appear to have been impacted much by the arrests,” said Flashpoint Principal Threat Researchers Joshua Platt and Jason Reaves in a joint email interview with SC Media.
A March 20 blog post authored by the two researchers describes Astra as a script management system, written in PHP, used to push attack scripts to infected computers. The PHP code made multiple references to Combi Security, helping Flashpoint connect the tool to FIN7.
Flashpoint identified the two previously unseen malware families associated with the Astra campaign activity as SQLRat and DNSbot.
SQLRat drops files and executes SQL scripts on infected host systems. “The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does,” the blog post states. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7.”
DNSbot, meanwhile, is a multi-protocol backdoor through which attackers can push data between compromised machines via either DNS traffic or encrypted channels like HTTPS or SSL.
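The article does not describe how DNSbot encodes data into DNS, so the following is a generic triage script added here as an illustration, not code from Flashpoint's report or the malware itself: it scans a small, constructed DNS query log for the traits any DNS-tunnelling backdoor tends to leave (unusually long, high-entropy, digit-heavy subdomains and data-carrying record types such as TXT). The log format, the thresholds and the "last two labels are the registered domain" rule are all assumptions chosen for the example.

```python
"""Heuristic DNS-tunnelling triage over a constructed DNS query log (added example)."""
import math
from collections import Counter

# Constructed sample log for this example; the "cdn-updates" names are made up to
# look tunnelled and are not real FIN7/DNSbot traffic.
# Format per line: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 10.1.2.3 www.example.com A
2018-06-01T10:00:02Z 10.1.2.3 mail.example.com MX
2018-06-01T10:00:03Z 10.1.2.4 a9f3k2m1q8z7x4c6v5b2n1m3l0k9j8h7g6f5d4s3a2.cdn-updates.example.net TXT
2018-06-01T10:00:04Z 10.1.2.4 zq8x1c4v7b0n3m6k9j2h5g8f1d4s7a0p3o6i9u2y5t8r1e4w7.cdn-updates.example.net TXT
2018-06-01T10:00:05Z 10.1.2.3 static.example.org A
2018-06-01T10:00:06Z 10.1.2.4 x7v2c9b4n1m6k3j0h5g8f2d7s4a1p9o6i3u0y5t2r8e1w4q7z.cdn-updates.example.net TXT
"""

# Thresholds are assumptions for illustration; tune them against your own baseline.
MAX_BENIGN_SUBDOMAIN_LEN = 40   # total characters left of the registered domain
MIN_SUSPICIOUS_ENTROPY = 3.5    # bits per character of the subdomain part
MAX_BENIGN_DIGIT_RATIO = 0.2    # fraction of digits in the subdomain part
DATA_CARRYING_QTYPES = {"TXT", "NULL", "CNAME"}  # record types that carry free-form payloads
FLAG_THRESHOLD = 3              # number of heuristics that must fire to flag a query


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_part(qname: str) -> str:
    """Everything left of the last two labels.

    Treating the last two labels as the registered domain is a simplification
    (assumption); a production detector would consult the Public Suffix List.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2])


def score_query(qname: str, qtype: str) -> int:
    """Count how many tunnelling heuristics a single query trips (0..4)."""
    sub = subdomain_part(qname)
    score = 0
    if len(sub) > MAX_BENIGN_SUBDOMAIN_LEN:
        score += 1
    if shannon_entropy(sub) > MIN_SUSPICIOUS_ENTROPY:
        score += 1
    if sub and sum(ch.isdigit() for ch in sub) / len(sub) > MAX_BENIGN_DIGIT_RATIO:
        score += 1
    if qtype.upper() in DATA_CARRYING_QTYPES:
        score += 1
    return score


def flag_suspicious(log_text: str):
    """Return [(client_ip, qname, qtype, score)] for records scoring at or above FLAG_THRESHOLD."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, qtype = parts
        score = score_query(qname, qtype)
        if score >= FLAG_THRESHOLD:
            flagged.append((client, qname, qtype, score))
    return flagged


def clients_by_hit_count(flagged):
    """Aggregate flagged records per client; a host that keeps doing this matters more than one odd query."""
    return Counter(rec[0] for rec in flagged)


if __name__ == "__main__":
    hits = flag_suspicious(SAMPLE_LOG)
    for client, qname, qtype, score in hits:
        print(f"{client} {qtype:5} score={score} {qname}")
    print("per-client:", dict(clients_by_hit_count(hits)))
```

Run against the sample, the three long TXT lookups under cdn-updates.example.net trip all four heuristics while the ordinary A and MX lookups score zero, and the per-client roll-up points at 10.1.2.4. Per-query scoring like this is only a first pass: real tunnelling detection also needs per-client query volume over time and an allowlist for legitimate services that generate long, random-looking labels (CDNs, anti-spam lookups, some telemetry agents).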
“Given [its] rather covert usage and unique methods, it is likely the Astra tool was of greater importance and only utilized in sensitive situations,” Platt and Reaves told SC. “This could explain the lack of exposure. Additionally, it is likely multiple instances were utilized at the same time and this was only one instance we identified.”