Carbanak Is Alive and Well

Delaware, USA – March 21, 2019 – The Carbanak group has returned to attacking financial organizations with new tools. The Carbanak group (also known as FIN7) has been active for 4 years already; last year the U.S. Department of Justice announced the arrest of three group members, who hid their illegal activities under the flag of the Combi Security company, but this did not lead to the collapse of the group: the cybercriminals created new tools and went back on the attack. Researchers at Proofpoint analyzed the group's recent campaigns and documented the use of the SQLRat trojan, the DNSbot backdoor, and a new campaign administration panel, which is used to send scripts to infected machines. The researchers discovered clues indicating a connection between the panel and Combi Security. SQLRat is a trojan that executes SQL scripts and installs additional tools on infected systems, downloading them from the command and control server. The trojan leaves almost no traces, and standard security solutions have difficulty detecting its activity. DNSbot is used to receive commands and exfiltrate sensitive data. One of the backdoor's features is the ability to switch from DNS traffic to SSL or HTTPS.

The cybercriminals still rely on phishing emails with malicious attachments, but, unlike in past campaigns, they use a VB script to achieve persistence on an infected system by creating two scheduled tasks. Despite its losses, Carbanak is ready for new operations. To detect suspicious DNS-related activity, you can use the DNS Security Check rule pack, which helps your SIEM spot tunneling and data leaks: https://my.socprime.com/en/integrations/dns-security-check-kibana
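To illustrate the kind of DNS heuristic a SIEM can apply to spot tunneling and data leaks, here is an added example. It is not code from the rule pack or from the researchers: the log format, thresholds, function names and sample queries are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Illustrative thresholds (assumptions; tune against your own baseline).
MIN_UNIQUE = 5       # distinct subdomains per client and parent domain
MIN_MEAN_LEN = 24    # mean subdomain length in characters
MIN_ENTROPY = 3.0    # mean Shannon entropy, bits per character


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Split into (subdomain, parent). Naive last-two-labels rule (assumption);
    production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(log):
    """Return {(client, parent): stats} for pairs that exceed all thresholds."""
    seen = defaultdict(set)
    for client, qname in log:
        sub, parent = split_name(qname)
        if sub:
            seen[(client, parent)].add(sub)
    flagged = {}
    for key, subs in seen.items():
        mean_len = sum(map(len, subs)) / len(subs)
        mean_ent = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= MIN_UNIQUE and mean_len >= MIN_MEAN_LEN and mean_ent >= MIN_ENTROPY:
            flagged[key] = {"unique": len(subs), "mean_len": mean_len, "entropy": round(mean_ent, 2)}
    return flagged


# Constructed sample log of (client_ip, query_name); all names use reserved example domains.
SAMPLE_LOG = (
    [("10.0.0.5", n) for n in ("www.example.com", "mail.example.com", "www.example.com")]
    + [("10.0.0.7", f"host{i}.corp.example") for i in range(8)]  # many names, but short
    + [("10.0.0.9", hashlib.sha256(b"chunk%d" % i).hexdigest()[:32] + ".tunnel-test.example")
       for i in range(8)]  # stands in for hex-encoded data chunks
)

if __name__ == "__main__":
    for (client, parent), stats in find_tunnel_candidates(SAMPLE_LOG).items():
        print(client, parent, stats)
```

A heuristic like this only sees DNS queries, so it says nothing about a backdoor that has switched to SSL or HTTPS.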