Pierluigi Paganini March 22, 2019

The financially-motivated hacking group FIN7 is back and used a new piece of malware in a recent hacking campaign.

Security experts at Flashpoint revealed that the financially-motivated cybercrime group FIN7 (aka Anunak and Carbanak) used new malware in a recent hacking campaign.

The group that has been active since late 2015 targeted businesses worldwide to steal payment card information. Fin7 is suspected to have hit more than 100 US companies, most of them in the restaurant, hospitality, and industries.

On August 2018, three members of the notorious cybercrime gang have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

Despite law enforcement activity against the group, Flashpoint experts have discovered a new administrative panel associated previously undetected malware samples. The new malicious code was used in a hacking campaign tracked as Astra that was carried out from May to July 2018, but experts did not exclude the attack may have started on January 2018.

“Flashpoint analysts recently uncovered a new attack panel used by this group in campaigns they have called Astra. The panel, written in PHP, functions as a script-management system, pushing attack scripts down to compromised computers.” reads the analysis published by Flashpoint.

“Analysts discovered references to the FIN7 front company Combi Security in the Astra panel’s backend PHP code, connecting the group to these campaigns.”

The administrative panel discovered by the researchers is written in PHP and is used by attackers to send attack scripts to compromised computers.

Experts discovered references to the FIN7 front company Combi Security in the Astra panel’s backend PHP code.

According to the US DoJ, the security services company Combi Security was based in Russia and Israel and was used by FIN7 to recruit other hackers.

The attack chain starts with spear-phishing messages containing malicious attachments, the messages are specially crafted to trick victims into opening the message and execute the attached document.

The messages would deliver a previously unseen malware tracked as SQLRat that drops files and executes SQL scripts on the host. The emails would also drop the backdoor DNSbot that primarily operates over DNS traffic.

“One of the documents spreads what analysts are calling SQLRat, previously unseen malware that drops files and executes SQL scripts on the host system. The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does.” continues the analysis. “Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7.”

The SQLRat directly connects a Microsoft database under the control of the attackers and execute the contents of various tables.

The script retrieves a version of TinyMet (an open source Meterpreter stager), the attackers can also deliver other binaries loaded into the tables.

“The Astra backend was installed on a Windows server with Microsoft SQL. The panel was written in PHP and managed the content in the tables. It functioned as a script management system,” Flashpoint said. 

Pierluigi Paganini

(SecurityAffairs – FIN7, Astra)

[adrotate banner=”5″]

[adrotate banner=”13″]