FIN7 Still Active Despite Arrests

Researchers have discovered the advanced persistent threat group (APT) FIN7 is using a new attack panel in campaigns that Flashpoint analysts have called Astra.

Despite alleged members of the group being charged with 26 felony counts in August 2018, analysts have found previously unseen malware samples, which are reportedly written in PHP and function as a script-management system. In addition, the new administrative panel, believed to be linked to the group, also has ties to Carbanak.

The group's activity dates back to at least 2015, when FIN7 targeted over 100 companies across the US, Europe and Australia, predominantly those within the hospitality, restaurant, and gaming industries. According to the US Department of Justice (DoJ), suspected members of FIN7 were arrested between January and August 2018.

According to today’s blog post, attackers access targeted machines using phishing emails with malicious attachments. “The emails are often industry-specific and crafted to entice a victim to open the message and execute the attached document,” wrote Joshua Platt and Jason Reaves.

The previously unseen malware, which drops files and executes SQL scripts on the host system, has been named SQLRat; unlike traditional malware, it leaves no evidence behind, analysts said. The SQLRat campaign is, however, similar to traditional phishing campaigns in that it typically involves a lure document. In the cases analyzed, the documents requested that the user “Unlock Protected Content.”

“Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with Fin7. The second new malware sample discovered is a multi-protocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines.

“The campaigns maintain persistence on machines by creating two daily scheduled task entries. The code, meanwhile, is still controlled by the Fin7 actors and may be leveraged in future attacks by the group.”

In addition to sharing the indicators of compromise (IoCs) and recommending that security teams look for newly added Windows scheduled tasks, Flashpoint also advised monitoring for attempts to delete the Microsoft update service.
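As an added example (not from the article or from Flashpoint), the following PowerShell script implements the two checks just described on a Windows host: it lists scheduled tasks registered within the last seven days that carry a daily trigger, pulls Security log 4698 task-creation events for the same window, and confirms that the Windows Update service (wuauserv) still exists. The seven-day window and the use of the built-in ScheduledTasks module are assumptions.

```powershell
# Added hunting script (assumption: run elevated on Windows with PowerShell 5.1+).
param([int]$Days = 7)   # look-back window; 7 days is an assumed default

$cutoff = (Get-Date).AddDays(-$Days)

# 1. Tasks still registered, created recently, with a daily trigger
#    (Fin7 persistence was described as two daily scheduled task entries).
Write-Host "== Recently registered tasks with daily triggers (since $cutoff) =="
Get-ScheduledTask | Where-Object {
    $_.Date -and ([datetime]$_.Date) -ge $cutoff
} | ForEach-Object {
    $task  = $_
    $daily = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }
    if ($daily) {
        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            Registered = $task.Date
            Author     = $task.Author
            Actions    = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    }
} | Format-Table -AutoSize

# 2. Security event 4698 ("A scheduled task was created") also catches tasks
#    that were registered and later removed. Requires "Other Object Access"
#    auditing to be enabled; otherwise the query returns nothing.
Write-Host "== Security 4698 task-creation events (since $cutoff) =="
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $cutoff } -ErrorAction Stop |
        Select-Object TimeCreated, @{ n = 'TaskName'; e = {
            ([xml]$_.ToXml()).Event.EventData.Data |
                Where-Object Name -eq 'TaskName' | Select-Object -ExpandProperty '#text'
        } } | Format-Table -AutoSize
} catch {
    Write-Host "No 4698 events found or Security log not readable: $($_.Exception.Message)"
}

# 3. Windows Update service: a deleted service simply no longer exists.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu) {
    Write-Warning 'wuauserv (Windows Update) service is missing - investigate for tampering.'
} else {
    Write-Host "wuauserv present: status=$($wu.Status) starttype=$($wu.StartType)"
}
```

Run it periodically (or from a scheduled job of your own) and diff the task list against a known-good baseline; the 4698 query is the only part that survives an attacker cleaning up after themselves.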
