FIN7 activity still found via Astra tools even after arrests
A recent discovery by researchers has shown that FIN7, despite several arrests last year, continues to show signs of life.
Those signs were found in a new attack panel, used in campaigns that Flashpoint analysts have called Astra, and in two new malware samples that were used in 2018.
The members of the group behind FIN7 (the Carbanak gang) were arrested last year, in January and August 2018. Their attacks began in 2015 and targeted over 100 companies across the US, Europe, and Australia. Most of the victims were in the hospitality, restaurant, and gaming industries.
The researchers' detection of Astra suggests that FIN7 is resilient in its quest to steal payment card and financial data from hacked devices around the world. Researchers describe Astra as a script management system, written in PHP, used to push attack scripts to infected computers.
Flashpoint identified the two previously unseen malware families associated with the Astra campaign activity as SQLRat and DNSbot. SQLRat drops files and executes SQL scripts on infected host systems without leaving behind the artifacts that malware usually does, a trait that was not observed in previous FIN7 attacks. DNSbot, on the other hand, is a multi-protocol backdoor through which attackers can push data between compromised machines via either DNS traffic or encrypted channels like HTTPS or SSL.
Astra was found to be used in sensitive situations, which kept it from being exposed in the previous months.