Use of Astra tools signals FIN7 still active despite arrests

News by Bradley Barth

Despite several arrests last year, FIN7 continues to show signs of life, as evidenced by the recent discovery of an administration panel tool called "Astra" and two new malware samples used in 2018.

Even after several alleged members were arrested last year, FIN7 continues to show signs of life, as evidenced by the recent discovery of an administration panel tool called "Astra" and two new malware samples used in campaigns by the cybercriminal group in 2018.

Researchers from Flashpoint who uncovered the threat observed Astra-related activity from May through July 2018. However, Astra campaigns may date as far back as January of that year, and could still be active today, albeit invisible to the security community.

It was last August that the US Department of Justice announced the arrests of three Ukrainian men who allegedly are all key players in FIN7, aka the Carbanak gang. Two of these arrests came in January 2018, while the third took place in June. Officials say the men allegedly disguised their illegal actions through a front company called Combi Security.

The fact that researchers detected Astra threat activity following these arrests suggests that FIN7 remains steadfast in its quest to steal payment card and financial data from hacked businesses around the world, despite interference from law enforcement authorities.

"Since the arrests, multiple IP addresses and domains supporting FIN7 campaigns have been observed in campaigns. FIN7 activity does not appear to have been impacted much by the arrests," said Flashpoint Principal Threat Researchers Joshua Platt and Jason Reaves in a joint email interview with SC Media.

A March 20 blog post authored by the two researchers describes Astra as a script management system, written in PHP, used to push attack scripts to infected computers. The PHP code made multiple references to Combi Security, helping Flashpoint connect the tool to FIN7.

Flashpoint identified the two previously unseen malware families associated with the Astra campaign activity as SQLRat and DNSbot.

SQLRat drops files and executes SQL scripts on infected host systems. "The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does," the blog post states. "Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7."

DNSbot, meanwhile, is a multi-protocol backdoor through which attackers can push data between compromised machines via either DNS traffic or encrypted channels like HTTPS or SSL.

"Given [its] rather covert usage and unique methods, it is likely the Astra tool was of greater importance and only utilised in sensitive situations," Platt and Reaves told SC. "This could explain the lack of exposure. Additionally, it is likely multiple instances were utilised at the same time and this was only one instance we identified."

This article was originally published on SC Media US.
