A notorious hacking group known as FIN7 is still targeting individuals and businesses, despite the recent arrest of three of its members.
As is common with most organized hackers, the group collects payment card information belonging to customers before they can swindle the unsuspecting victims of their hard-earned money.
Analysts from Flashpoint, a cyber threat intelligence company, discovered that the notorious group has developed a new administrative panel.
From further investigations, they discovered malware samples that had not been known to the company.
Most of FIN7’s latest campaigns largely took place between May and July of 2018 even though the group has been active since at least 2015.
At inception, the group not only targeted companies in the United States but also businesses in Australia and Europe.
According to the U.S. Department of Justice, FIN7’s activities are closely associated with the restaurant, gaming and hospitality industries.
In August 2018, the Justice Department revealed that the three suspects were of Ukrainian descent, albeit Russian-speaking.
Two of them were captured in Poland and Germany in January 2018 while the last suspect—who is claimed to be one of the group’s leaders—was arrested five months later in Spain.
Effects of the Arrests
Even though still notorious, the indictment announcement of the three criminals served a blow to dark web platforms, especially Joker’s Stash—an online card shop that trades payment card information.
Known to others as Cobalt Strike or Carbanak, FIN7 is a key contributor to Joker’s Stash.
Customers of the dark and deep web card shop have consequently expressed fears of business slowing due to the arrests.
Regardless, however, business seems to go on as usual. The output of payment cards in Joker’s Stash is still stable, and the indictment of FIN7 members did very little to curtail the group’s activities.
The looming challenge lies in the fact that the rest of the group’s members know how to run the SQL scripts.
FIN7’s victim list includes Red Robin, Hudson’s Bay Company affiliate stores, Omni Hotels and Resorts, Jason’s Deli, Trump Hotels, Chipotle and Whole Foods.
Disguising as a Legal Entity
In its report, Flashpoint states that damages attributed to Carbanak amount to more than $1 billion.
The hacking group is alleged to have stolen at least 15 million debit and credit cards from U.S. businesses.
Hiding under the disguise of a front company called Combi Security, FIN7 managed to compromise more than 6,500 individual point-of-sale terminals from at least 3,600 business locations.
According to the Department of Justice’s indictment [PDF], the group used the front name to masquerade as a security service and penetration-testing company from Israel and Russia.
The main reason for using this approach is to recruit more hackers into their campaigns by appearing as a legitimate business.
Written in PHP, the new administrative panel used by FIN7 is called “Astra,” according to Flashpoint’s report.
It operates as a script-management system that pushes scripts onto breached user devices.
Investigators made the connection between Combi Security and FIN7 after examining the backend PHP code in Astra.
The initial contact with a victim’s computer is made via phishing emails that contain malicious files.
To appeal more to the unsuspecting users, the emails are crafted in a professional manner, prompting the targets to view attached files.
Once opened, the malware from the attachments spreads into the host’s system without leaving behind any traces.
No artifacts are traceable because the code is deleted automatically.
Flashpoint analysts are calling the new malware SQLRat and have reiterated that it cannot be forensically recovered.
DNSbot is another newly discovered malware that the group is using. DNSbot exchanges commands and sends information to and from breached devices.
HALFBAKED, POWERSOURCE and TEXTMATE are other programs used by the hackers.
These three strains of malware establish persistence and create remote access points to a system.
FIN7 Appears Well-Funded, Disciplined & Organized
Flashpoint notes that the group is exceptional in its organization.
Unlike most hacking groups that are in it solely for the money, FIN7 is markedly disciplined and professional.
The group’s schedule is formulated very much like a normal business that runs during the weekdays and breaks for the weekend.
Its advanced malware and unique hacking techniques point to well-funded research and testing divisions.
For instance, in last year’s Saks Fifth Avenue breach, the gang used a “point of sale” program that undetectably embedded itself into the cash register transaction systems to obtain financial information.
Gemini Advisory, a threat intelligence company that has produced research on FIN7’s campaigns, reported that the method used in the Saks breach was the group’s signature move.
Dmitry Chorine, Gemini’s CTO, further stated to Wired that FIN7 is a well-organized group that features a mastermind, software developers and testers, money launderers and managers.
It’s likely, he added, that they have more than $1 billion in liquidity.
The nature of their operations hints at substantial financial resources.
If reports that they make at least $50 million per month are true, their self-sustaining financial command comes hardly as a surprise.
Ticking Time Bomb
FIN7’s success is attributable to its rigorous and professional approach to cybercrime campaigns.
Whatever alias it uses, the group has over time demonstrated its ability to invent new tools and strategies and to adapt accordingly.
Reports by network technology firm Gigamon further suggest that the group is very resilient.
According to the company, FIN7 thrives on its ability to circumvent antivirus scans.
Several tests are conducted to ensure that the malware programs are completely undetectable.
However, even though they have managed to stay under the radar of law enforcement thus far, it may just be a matter of time before FIN7 is brought down.
Further, going by their large-scale campaigns, it will be interesting to see how much longer they can avoid detection.