Despite the arrest of members of the FIN7 threat group, the group continues to attack targets. Researchers have now observed the return of FIN7 with a new administrative panel and previously unseen malware samples.
What’s new - In the new campaigns, researchers observed two new malware samples, ‘SQLRat’ and ‘DNSbot’.
Researchers from Flashpoint also observed the group’s new administrative attack panel, ‘Astra’. Astra, which is written in PHP, acts as a script management system that pushes malicious scripts to compromised computers.
How is SQLRat delivered?
“The use of SQL scripts is ingenious in that they don’t leave artifacts behind the way traditional malware does. Once they are deleted by the attackers’ code, there is nothing left to be forensically recovered. This technique has not been observed in previous campaigns associated with FIN7,” the researchers wrote in a blog post.
How is DNSbot delivered?
DNSbot is a multiprotocol backdoor used to exchange commands with the compromised system and to push data to and from it.
“Primarily, it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL,” researchers said.
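A backdoor that carries its command channel over DNS has to encode commands and exfiltrated data into query names, which tends to produce many distinct, high-entropy subdomains under one domain from a single client. The following is an added detection example, not code from the article or from Flashpoint, and it is not based on any actual DNSbot indicator: it scores a constructed, hypothetical DNS query log by the number of unique subdomains and the mean Shannon entropy of the leftmost label per (client, registered domain) pair. The log format, the domain names, the thresholds, and the naive "last two labels" registered-domain rule are all assumptions for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (hypothetical; not real DNSbot traffic).
# Assumed format per line: "<timestamp> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2019-03-20T10:00:01Z 10.0.0.5 A www.example.com
2019-03-20T10:00:02Z 10.0.0.5 A cdn.example.com
2019-03-20T10:00:03Z 10.0.0.7 TXT 7a9f3c2e1b0d4e5f6a7b8c9d0e1f2a3b.c2-example.test
2019-03-20T10:00:04Z 10.0.0.7 TXT 4d2c9e8f1a0b3c5d7e9f1a2b4c6d8e0f.c2-example.test
2019-03-20T10:00:05Z 10.0.0.7 A www.example.com
2019-03-20T10:00:06Z 10.0.0.7 TXT c0ffee1234abcd5678ef90ab12cd34ef.c2-example.test
2019-03-20T10:00:07Z 10.0.0.7 TXT 9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b.c2-example.test
2019-03-20T10:00:08Z 10.0.0.5 A mail.example.com
2019-03-20T10:00:09Z 10.0.0.7 TXT 1f2e3d4c5b6a79880a1b2c3d4e5f6071.c2-example.test
2019-03-20T10:00:10Z 10.0.0.7 A ab12cd34ef56ab78cd90ef12ab34cd56.c2-example.test
2019-03-20T10:00:11Z 10.0.0.5 A api.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_qname(qname: str):
    """Return (subdomain, registered_domain).

    Assumption for this example: the registered domain is the last two labels.
    Production code should use a public-suffix list instead (e.g. co.uk).
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str, min_unique: int = 5, min_mean_entropy: float = 3.0,
            tunnel_qtypes=("TXT", "NULL", "CNAME", "MX")):
    """Group queries by (client, registered domain) and flag tunnelling-like pairs.

    A pair is flagged when the client asked for at least `min_unique` distinct
    subdomains whose leftmost label has a mean entropy of `min_mean_entropy`
    bits or more. Thresholds are assumptions; tune them per environment.
    """
    groups = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                  "qtype_hits": 0, "total": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, reg = split_qname(rec["qname"])
        g = groups[(rec["client"], reg)]
        g["total"] += 1
        if sub:
            g["subdomains"].add(sub)
            # The leftmost label is where an encoded payload usually sits.
            g["entropies"].append(shannon_entropy(sub.split(".")[0]))
        if rec["qtype"] in tunnel_qtypes:
            g["qtype_hits"] += 1

    flagged = {}
    for key, g in groups.items():
        n_unique = len(g["subdomains"])
        mean_ent = (sum(g["entropies"]) / len(g["entropies"])) if g["entropies"] else 0.0
        if n_unique >= min_unique and mean_ent >= min_mean_entropy:
            flagged[key] = {
                "unique_subdomains": n_unique,
                "mean_entropy": round(mean_ent, 2),
                # Share of record types commonly abused for larger responses.
                "tunnel_qtype_ratio": round(g["qtype_hits"] / g["total"], 2),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), stats in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {stats}")
```

Entropy alone is not a verdict: CDN hostnames, anti-virus cloud lookups and some mail filters also generate random-looking labels, so the domain in a hit should be checked against known-good lists before it is escalated. Because the article notes that the backdoor can fall back to HTTPS or SSL, a DNS-only detection should be paired with monitoring of the same host's encrypted outbound connections.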