More than six months after U.S. prosecutors announced the arrests of three accused hackers affiliated with a sophisticated criminal hacking group, researchers say they have new evidence the billion-dollar crime ring is still active.
The Department of Justice last year said police had apprehended three Ukrainian men involved in the FIN7 hacking group. The financially motivated group may have stolen as much as one billion dollars, according to one estimate, as well as 15 million credit card numbers from U.S. businesses. Now there is some evidence to suggest the group’s infrastructure is starting to reappear after months of quiet, according to research published Wednesday by Flashpoint.
Researchers uncovered a new strain of malicious software called SQLRat, which is spread via phishing emails. The strain is especially difficult for investigators to detect because it doesn’t leave behind much evidence.
“The use of SQL scripts is ingenious in that [attackers] don’t leave artifacts behind the way traditional malware does,” Flashpoint researchers Joshua Platt and Jason Reaves wrote in a blog post. “Once [artifacts] are deleted by the attackers’ code, there is nothing left to be forensically recovered.”
DNSbot, a second piece of malware detected by Flashpoint analysts, is a “multiprotocol backdoor” that hackers use to send data to compromised computers over the Domain Name System (DNS). DNSbot can also transmit data over encrypted HTTPS or SSL channels, researchers said.
“The campaigns maintain persistence on machines by creating two daily scheduled task entries,” the blog post states. “The code, meanwhile, is still controlled by the FIN7 actors and may be leveraged in future attacks by the group.”
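A backdoor that carries data over DNS, as DNSbot is described as doing, typically hides that data in the hostnames it queries, so one defensive starting point is to look for long, high-entropy labels queried repeatedly under a single domain. The script below is an added illustration of that heuristic, not code from the article or from Flashpoint; it assumes a simple log format of `<timestamp> <client_ip> <qtype> <qname>`, and every log line, domain name and threshold in it is constructed for the example.

```python
"""Heuristic detection of DNS-tunnelling style beacons in DNS query logs.

Added example (not from the CyberScoop article or the Flashpoint report).
Assumes a log format of "<timestamp> <client_ip> <qtype> <qname>"; all
sample lines below are constructed for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log. Lines 3-6 imitate a beacon that encodes data in long,
# high-entropy hostname labels under one domain (a placeholder name, not a real
# command-and-control domain).
SAMPLE_LOG = """\
2019-03-20T10:00:01 192.0.2.10 A www.example.com
2019-03-20T10:00:02 192.0.2.10 A cdn.example.com
2019-03-20T10:00:03 192.0.2.10 TXT f3a9c1e7b5d20846c7e1a3f9b5d02468ace13579.beacon-placeholder.test
2019-03-20T10:00:04 192.0.2.10 TXT 0b2d4f6a8c1e3579bdf024683c5a7e91d0b2c4e6.beacon-placeholder.test
2019-03-20T10:00:05 192.0.2.10 TXT 9e7c5a3f1d0b2468ace13579bdf02468f1e2d3c4.beacon-placeholder.test
2019-03-20T10:00:06 192.0.2.10 TXT 48c0e2a6f1b3d57902468acebdf135793f5a7c9e.beacon-placeholder.test
2019-03-20T10:00:07 192.0.2.10 A mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character of the string (0.0 for an empty or single-symbol string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one log line into (client_ip, qtype, qname); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")


def base_domain(qname: str) -> str:
    """Crude registered-domain approximation: the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def is_suspicious_query(qtype: str, qname: str,
                        min_label_len: int = 30, min_entropy: float = 3.0) -> bool:
    """Flag a query whose leftmost label looks like encoded payload.

    Thresholds are assumptions for this example and need tuning per network.
    """
    label = qname.split(".")[0]
    if len(label) < min_label_len:
        return False
    # TXT/NULL answers can carry arbitrary data back to the client, so a long
    # label on those types is enough on its own.
    if qtype in ("TXT", "NULL"):
        return True
    return shannon_entropy(label) >= min_entropy


def find_beacon_domains(log_text: str, min_hits: int = 3) -> dict:
    """Return {base_domain: {"hits": n, "clients": set()}} for domains that
    received at least min_hits suspicious queries."""
    stats = defaultdict(lambda: {"hits": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, qtype, qname = rec
        if is_suspicious_query(qtype, qname):
            entry = stats[base_domain(qname)]
            entry["hits"] += 1
            entry["clients"].add(client)
    return {d: s for d, s in stats.items() if s["hits"] >= min_hits}


if __name__ == "__main__":
    for domain, s in find_beacon_domains(SAMPLE_LOG).items():
        print(f"{domain}: {s['hits']} suspicious queries from {sorted(s['clients'])}")
```

Run against the constructed log, only `beacon-placeholder.test` is reported, with four hits from one client. The aggregation per base domain is what makes the heuristic useful: a single long label is common (CDNs, antivirus telemetry and some e-mail security products generate them legitimately), but many of them queried in a steady rhythm toward one otherwise unknown domain is worth an analyst's attention. The script covers only the DNS channel described in the article; the HTTPS/SSL channel and the two daily scheduled tasks used for persistence need separate checks of proxy logs and of the host's task scheduler.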
FIN7 also has used tools linked to Carbanak, another cybercriminal gang known for its use of malware of the same name. That group is also starting to resurface. Carbanak operated in part through a front company called Combi Security, which breached more than 6,500 point-of-sale systems in 3,600 business locations, Flashpoint said.
“FIN7 had previously been quiet during late summer and early fall 2018, but they noticeably returned to campaigns again and their infrastructure started to reappear,” Flashpoint said in a statement to CyberScoop. “The combisecurity[.]net domain was a clear indicator associated with FIN7.”