March 21, 2019

Researchers find evidence of Fin7 operation despite cybercriminal arrests

By Luke Christou

Despite the arrests of three of its members last year, a cybercrime group by the name of Fin7 continues to target businesses with its highly-effective malware campaign.

Researchers with cyber threat intelligence company Flashpoint have discovered a new attack panel that seemingly points back to the group. The panel’s code references Combi Security, a company previously used as a legitimate front by the cybercriminals behind Fin7.

The panel, named Astra by the researchers, acts as a script-management system, which sends malicious scripts to computers compromised by the group.

According to Flashpoint, the group used highly-targeted spear phishing emails to trick victims into opening malicious attachments. This would infect the victim’s device with a previously unseen strain of malware called SQLRat, which was used to install files and execute malicious scripts on the victim’s system.

The researchers also found a second new malware sample, named DNSbot, which allowed data to be pushed to and from the compromised system.

Despite the arrests of three Ukrainian citizens, suspected of being high-ranking members of the prolific hacking group, in January last year, Flashpoint discovered activity from the campaign as recently as July 2018, showing that the Fin7 group has continued to operate.

In August, US attorney Annette Hayes admitted that “we are under no illusion that we have taken this group down altogether”, but insisted that the arrests had “made a significant impact”.

However, the newly discovered activity showed signs of more sophistication than previous Fin7 campaigns, such as the use of SQL scripts. As these scripts don’t leave behind artefacts the way traditional malware would, no traces of malicious activity are left behind on the system, making the malware more difficult to detect. This seems to suggest that enough members of the Fin7 group remain who possess the know-how to continue running the operation.

Fin7: A billion dollar operation

Fin7’s criminal activities can be traced back to 2015, when the group began targeting point-of-sale systems belonging to major US businesses. Infecting these systems with specially-designed malware, the criminal group was able to steal payment information belonging to those that had completed purchases through an infected company’s system.

According to the United States Department of Justice, the group is alleged to have stolen more than 15 million credit card numbers from over 3,600 businesses in the US alone. Businesses based in the UK, France and Australia also claim to have been targeted by the group.

The group is found to have used four malware strains to infect systems and steal data from businesses. These are Carbanak, a remote backdoor used for accessing systems remotely and extracting data; HALFBAKED, used to establish persistence on a system; POWERSOURCE, used for accessing systems remotely; and TEXTMATE, which performs a similar function.

In the case of the three men arrested, US prosecutors claim that it took just two weeks for the group to obtain username and password combinations for almost 800 Red Robin restaurants around the US, which were used to infect the burger chain’s PoS systems.

The sensitive information obtained, as well as information from Fin7’s other breaches, was put up for sale on the dark web. According to one cybersecurity expert, the group was making at least $50m each month, having likely generated more than $1bn through their hacking campaigns.
