Fin7 Ramps Up Campaigns With Two Fresh Malware Samples

spear phishing

Despite the 2018 crackdown on Fin7, the cybercrime group has been ramping up its efforts with two new malware samples and an attack panel.

Despite the arrest of several Fin7 members in 2018, the cybercrime group has ramped up its efforts in a series of widespread campaigns hitting businesses with two never-before-seen malware samples.

Researchers with Flashpoint said Wednesday that they have discovered a new administrative panel and two previously unseen malware samples, dubbed SQLRat and DNSBot, in a series of Fin7 campaigns. The campaigns, which may have started as early as January 2018, are hitting businesses with malware embedded in documents and sent via phishing emails, in hopes of stealing payment cards.

“Despite the arrests of three prominent members of the ​Fin7 cybercrime gang​ beginning in January 2018, attacks targeting businesses and customer payment-card information did not cease,” Flashpoint Principal Threat Researchers Joshua Platt and Jason Reaves said in a Wednesday analysis.

Since 2015, Fin7 has targeted point-of-sale systems at casual-dining restaurants, casinos and hotels. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it.

Fin7 phishing campaign

Click to Expand

Fin7 has also used a backdoor linked to Carbanak (another prolific cybercrime outfit responsible for billions in losses in the financial services industry) and has stolen more than 15 million payment-card records from American businesses by infiltrating more than 6,500 individual point-of-sale terminals at more than 3,600 business locations, according to the Department of Justice (DoJ).

In August 2018, the DoJ announced it had arrested three Fin7 members, who were identified as Ukrainian nationals and charged with 26 felony counts of alleged conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

However, the group’s new malware samples and an attack panel indicate that Fin7 doesn’t appear to be going anywhere.

“This suggests there are plenty of surviving members with sufficient knowledge to continue the operation with ease,” Platt and Reaves told Threatpost.

The group is using a new attack panel, called Astra, which has its back end installed on a Windows server with Microsoft SQL. The panel was written in PHP and it manages the content in the tables. The attack panel essentially  functions as a script-management system, allowing Fin7 to quickly push attack scripts down to compromised computers, researchers said.

The attack panel was found being used in a series of campaigns, which typically initially infects machines through phishing emails containing malicious attachments. The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document, researchers said. Within these documents researchers discovered the two new malware samples.

One of these is called SQLRat. Campaigns using this malware typically involve a lure document which once opened displays an image overlaid by a Visual Basic (VB) Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script, which executes an obfuscated JavaScript file.

Fin7 phishing emails

The malware then drops files and executes SQL scripts on the host’s system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables, researchers said.

“The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does,” researchers said. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered.”

The other malware sample was a multiprotocol backdoor, called DNSBot, used to exchange commands and transmit data to and from victim machines. The malware was embedded in documents sent via emails. While the embedded JavaScript-based backdoor operates over DNS traffic, it can also switch to encrypted channels such as HTTPS or SSL, researchers said.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries,” researchers said. “The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

To protect against both malware samples, Flashpoint recommends that businesses watch out for newly added Windows tasks, specifically those with a JScript switch.

“Flashpoint also recommends implementing host-based detections for new files in %appdata%\Roaming\Microsoft\Templates\ with a dot extension, as well as implementing host-based detections for files in %appdata%\local\Storage\,” researchers said.

Suggested articles