Fin7 threat actor group makes a come back with SQLRat and DNSbot

• In the new campaigns, researchers observed two new malware samples ‘SQLRat’ and ‘DNSbot’.
• Researchers from Flashpoint also observed the threat group’s new attack administrative panel ‘Astra’.

Despite the arrest of the members of the Fin7 threat actor group, the group continues to attack targets. Now, researchers observed the come back of Fin7 threat group with a new administrative panel and previously unseen malware samples.

What’s new - In the new campaigns, researchers observed two new malware samples ‘SQLRat’ and ‘DNSbot’.

Researchers from Flashpoint also observed the threat group’s new attack administrative panel ‘Astra’. Astra which is written in PHP, acts as a script management system, pushing malicious scripts to compromised computers.

How is SQLRat delivered?

• Attackers use phishing emails as a common attack vector.
• The phishing emails disguised as industry-specific emails include malicious file attachments.
• The malicious documents include a image that urges victims to ‘Unlock Protected Contents’.
• Once the victims double-click the image to unlock document service, the doc executes a VB setup script.
• The script deobfuscates and executes the main JavaScript file.
• This file drops the SQLRat malware onto victims’ systems. The malware then executes the SQL scripts on the host system.
• SQL scripts are responsible for making a direct connection to the Microsoft database controlled by the threat group.

“The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does. Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7,” Researchers described in a blog.

How is DNSbot delivered?

• Attackers send phishing emails that include malicious documents to targets.
• The malicious documents include a MsgBox display that asks targets to update Microsoft service.
• Once the victims have double-clicked the image in order to unlock document service, the obfuscated JS file gets dropped on to the victims’ systems.
• This file executes the JavaScript-based DNSbot.

DNSbot is a multiprotocol backdoor which is used to exchange commands and push data to and from the compromised system.

“Primarily, it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL,” researchers said.