The notoriously well-known threat group Fin7, also known as Carbanak, is back with a new set of administrator tools and never-before-seen forms of malware.
Fin7 has been active since at least 2015 and since the group’s inception has been connected to attacks against hundreds of companies worldwide.
Over 100 companies have been impacted in the United States alone, with many victims in the catering, gaming, and hospitality industries. The hackers are believed to have stolen at least 15 million US credit card records from over 6,500 point-of-sale (PoS) terminals in thousands of locations to date.
Organizations in the UK, France, and Australia are also commonly targeted.
In August, the US Department of Justice (DoJ) arrested three Ukrainian nationals suspected to be high-ranking members of Fin7, which operated behind a seemingly-legitimate front company called Combi Security. The suspects were tracked down and arrested in Germany, Poland, and Spain.
Despite the arrests, it seems the group remains active and dedicated to their criminal cause, now highlighted by the evolution of the tools Fin7 use to compromise their victims.
On Wednesday, researchers from Flashpoint published new research relating to the recent activities of Fin7.
Fin7 often uses a very common attack vector, phishing, in attempts to dupe would-be victims into downloading and executing malware. Phishing emails are sent which are loaded with malicious attachments, and one, in particular, has revealed the existence of a new form of malware.
Flashpoint calls the new sample SQLRat. The malware is capable of dropping and executing SQL scripts on a compromised system, which the cybersecurity firm calls “ingenious” as “they don’t leave artifacts behind the way traditional malware does.” This, in turn, makes hacker tracking, forensics, and reverse-engineering extremely difficult.
The script forges a connection to a Microsoft database controlled by Fin7 and then executes various tables, including the write to disk of a custom version of TinyMe, an open-source Meterpreter stager — but the threat actors are not limited in what they can choose to download or execute onto a compromised machine.
SQLRat is spread through an image overlaid with a vb Form Trigger which asks recipients of a phishing email to “Unlock Protected Contents.” If double-clicked, the form executes a VB script to begin the infection process and also creates two task scheduled entries to maintain persistence.
This technique has not been seen before in Fin7 tactics.
Another new malware sample, dubbed DNSbot, is a multiprotocol backdoor which operates over DNS traffic to exchange commands and push data to and from infected systems. The malware is also capable of switching to encrypted channels including HTTPS and SSL.
Also of particular note is a new attack panel called Astra. Written in PHP, Astra functions as a script management system which pushes attack scripts down to compromised PCs.
Cobalt Strike, a legitimate penetration testing tool which has also, unfortunately, become a favorite of hacking groups including Fin7, contained a vulnerability — patched as of this year — which unwittingly revealed not only genuine Cobalt Strike instances, but also a plethora of command-and-control (C2) servers belonging to hackers making use of the tool.