FIN7 Revisited: Inside Astra Panel and SQLRat Malware (Mar 20, 2019)
The financially motivated threat group "FIN7" has added new malicious tools to its arsenal since three reported leaders of the group were indicted in August 2018, according to Flashpoint researchers. The group has been attributed to activity that is believed to have begun in January 2018. FIN7 has added a new attack panel called "Astra" that is written in PHP and includes a script-management system that can distribute malicious scripts to compromised machines. The group has also incorporated two new malware families. One, dubbed "SQLRat," is distributed via malicious documents, likely through phishing, and is capable of dropping files and executing SQL scripts on an infected host. The second, called "DNSbot," is used to "exchange commands and push data to and from compromised machines." In addition, the group was also found to use a customized version of "TinyMet" called "TiniMet," a variant of the open-source DLL injection stager "Meterpreter." The threat group uses daily scheduled tasks to maintain persistence, with the overall objective of stealing financial data.
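The daily scheduled-task persistence noted above is something a defender can hunt for on a Windows host. The following PowerShell check is an added example, not code from the Flashpoint report or from FIN7's tooling; the list of script hosts and interpreters it flags is an assumption, and it assumes the built-in ScheduledTasks module is available.

```powershell
# Added hunting check (not from the report): enumerate scheduled tasks that have a
# daily trigger and whose action launches a script host or interpreter. The list of
# interpreters below is an assumption and can be tuned to the environment.
$interpreters = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                  'mshta.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe')

function Get-DailyScriptTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # MSFT_TaskDailyTrigger is the CIM class a daily trigger is exposed as
        $daily = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }
        if (-not $daily) { return }

        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }
            # Normalise the executable name so quoted and full-path values compare equally
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"')).ToLowerInvariant()
            if ($interpreters -contains $exe) {
                $info = $task | Get-ScheduledTaskInfo
                [PSCustomObject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $action.Arguments   # review for encoded or remote content
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                }
            }
        }
    }
}

# Print the candidates for triage; an empty result means no daily task matched
Get-DailyScriptTasks | Format-Table -AutoSize
```

Matches are not automatically malicious; compare each task's author, creation path and arguments against the organisation's known maintenance jobs before acting on them.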
Recommendation: FIN7 is known to target anything that stores or uses financial information, particularly Point-of-Sale (POS) terminals. POS systems need to be carefully maintained and kept up to date with the newest software patches because they are frequent targets of threat actors, especially in the U.S., where chip-and-PIN technology has taken longer to become mainstream than in other countries and regions. In the case of a POS infection, all systems that process financial data should be taken offline and reformatted to ensure the malware has been properly removed before they are reconnected to the network.