Cybersecurity researchers have discovered new infrastructure associated with a financially motivated threat known as FIN7.
Two clusters of potential FIN7 activity “show traffic coming into the FIN7 infrastructure from IP addresses assigned respectively to Post Ltd (Russia) and SmartApe (Estonia),” Team Cymru said in a report released this week as part of a joint investigation with Silent Push and Stark Industries Solutions.
The conclusions build on a recent report from Silent Push, which found several Stark Industries IP addresses dedicated exclusively to hosting FIN7 infrastructure.
Recent analysis indicates that the hosts associated with the cybercriminal group were likely purchased from one of Stark’s resellers.
“Reseller programs are commonplace in the hosting industry; many of the largest VPS (virtual private server) providers offer such services,” the cybersecurity company said. “Customers purchasing infrastructure through resellers are generally required to adhere to the terms of service set forth by the ‘parent’ organization.”
Moreover, the Team Cymru researchers said they were able to identify additional infrastructure linked to FIN7’s activities, including four IP addresses assigned to Post Ltd, a broadband provider operating in southern Russia, and three IP addresses assigned to SmartApe, a cloud hosting provider operating from Estonia.
The first cluster was observed making outbound communications to at least 15 Stark-hosted addresses previously flagged by Silent Push (e.g., 86.104.72(.)16) over the past 30 days. Likewise, the second cluster, in Estonia, was found to communicate with no fewer than 16 Stark-hosted addresses.
“In addition, 12 hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster,” Team Cymru noted. Services have since been suspended by Stark following a responsible disclosure.
“A review of the metadata for these communications confirmed that they were established connections. This estimate is based on an estimate of observed TCP flags and sample data transfer rates.”
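The report’s method, matching flow records against a watchlist of known infrastructure and keeping only connections whose TCP flags and byte counts indicate a completed session, is the kind of check a network defender can reproduce against their own NetFlow or firewall logs. The following is an added illustration, not code from Team Cymru, Silent Push or the report; it assumes flow records carrying a TCP flag string (letters such as S, A, P, or nfdump-style `.AP.S.`) and byte counts, and its watchlist holds the one address the report names (defanged there as 86.104.72(.)16) plus constructed TEST-NET placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Watchlist of suspected infrastructure. 86.104.72.16 appears in the report;
# the other two are RFC 5737 TEST-NET placeholders constructed for this example.
WATCHLIST = {"86.104.72.16", "203.0.113.10", "198.51.100.7"}


@dataclass
class Flow:
    src: str        # internal or monitored source address
    dst: str        # destination address seen in the flow record
    dport: int
    flags: str      # cumulative TCP flags, e.g. "SPA" or nfdump-style ".AP.S."
    bytes_out: int  # bytes from src to dst
    bytes_in: int   # bytes from dst to src


def normalise_flags(flags):
    """Reduce "SPA", ".AP.S." or "sa" to a set of upper-case flag letters."""
    return {c for c in flags.upper() if c.isalpha()}


def is_established(flow, min_bytes=100):
    """Heuristic used for 'established': SYN and ACK both seen on the flow,
    and enough payload in either direction to rule out a bare handshake.
    A flow with only SYN is an unanswered probe, not a session."""
    seen = normalise_flags(flow.flags)
    handshake = {"S", "A"} <= seen
    return handshake and (flow.bytes_out + flow.bytes_in) >= min_bytes


def cluster_hits(flows, watchlist=WATCHLIST):
    """Map each source address to the watchlisted hosts it held an established
    connection with. Malformed addresses are skipped rather than trusted."""
    hits = {}
    for f in flows:
        try:
            ipaddress.ip_address(f.src)
            ipaddress.ip_address(f.dst)
        except ValueError:
            continue
        if f.dst in watchlist and is_established(f):
            hits.setdefault(f.src, set()).add(f.dst)
    return hits


def shared_hosts(hits, cluster_a, cluster_b):
    """Watchlisted hosts contacted by both clusters of sources, the same kind of
    overlap the report describes between the Post Ltd and SmartApe clusters."""
    reach_a = set().union(*(hits.get(s, set()) for s in cluster_a))
    reach_b = set().union(*(hits.get(s, set()) for s in cluster_b))
    return reach_a & reach_b


# Constructed sample flows (TEST-NET sources); not data from the report.
SAMPLE_FLOWS = [
    Flow("192.0.2.1", "86.104.72.16", 443, "SPA", 1200, 5400),   # full session
    Flow("192.0.2.1", "203.0.113.10", 443, "S", 60, 0),           # unanswered SYN
    Flow("192.0.2.2", "86.104.72.16", 443, ".AP.S.", 800, 3000),  # nfdump flag style
    Flow("192.0.2.2", "198.51.100.7", 80, "SPA", 500, 2500),      # full session
    Flow("192.0.2.3", "10.0.0.5", 22, "SPA", 4000, 4000),         # not watchlisted
    Flow("not-an-ip", "86.104.72.16", 443, "SPA", 900, 900),      # malformed, skipped
]


def demo():
    hits = cluster_hits(SAMPLE_FLOWS)
    overlap = shared_hosts(hits, ["192.0.2.1"], ["192.0.2.2"])
    return hits, overlap


if __name__ == "__main__":
    hits, overlap = demo()
    for src, dsts in sorted(hits.items()):
        print(f"{src} -> {sorted(dsts)}")
    print("shared:", sorted(overlap))
```

The SYN-plus-ACK test only approximates what the report calls established connections; flow exporters that aggregate both directions into one record make it reliable, while unidirectional exports may need the reverse flow joined in first.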