Researchers Discover New Infrastructure Linked to FIN7 Cybercrime Group

August 19, 2024 | Ravie Lakshmanan | Cybercrime / Network Security

Cybersecurity researchers have discovered a new infrastructure associated with a financially motivated threat actor known as FIN7.

The two clusters of possible FIN7 activity “indicate communications being routed to the FIN7 infrastructure from IP addresses assigned to Post Ltd (Russia) and SmartApe (Estonia) respectively,” Team Cymru said in a report published this week as part of a joint investigation with Silent Push and Stark Industries Solutions.

The findings are based on a recent report from Silent Push, which revealed that several Stark Industries IP addresses were dedicated solely to hosting FIN7 infrastructure.

The latest analysis shows that the hosts linked to the e-crime group likely came from one of Stark’s resellers.

“Reseller programs are common in the hosting industry, with many of the largest VPS (virtual private server) providers offering such services,” the cybersecurity firm said. “Customers who purchase infrastructure through resellers are typically subject to terms of service set forth by the ‘parent entity.’”

In addition, Team Cymru said it was able to identify additional infrastructure linked to FIN7 activities, including four IP addresses assigned to Post Ltd, a broadband provider operating in southern Russia, and three IP addresses assigned to SmartApe, a cloud hosting provider operating out of Estonia.

The first cluster was observed making outbound communications with at least 15 Stark-designated hosts previously discovered by Silent Push (e.g., 86.104.72(.)16) over the past 30 days. Similarly, the second cluster from Estonia was identified as communicating with no fewer than 16 Stark-designated hosts.

“In addition, 12 of the hosts identified in the Post Ltd cluster were also observed in the SmartApe cluster,” Team Cymru noted. The services have since been suspended by Stark following responsible disclosure.

“Reviewing metadata for these communications confirmed that they were established connections. This assessment is based on an evaluation of observed TCP flags and sampled data transfer volumes.”
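The kind of metadata check the quoted assessment describes, as an added example rather than code from Team Cymru, Silent Push or Stark: each flow record carries the cumulative TCP flags and byte counts seen, and those two fields separate sessions that were actually established from unanswered SYNs, refused connections and bare handshakes. The records and the RFC 5737 addresses below are constructed, and the 200-byte payload threshold is an assumed tuning knob.

```python
# Added example, not Team Cymru's tooling: judge from flow metadata (cumulative
# TCP flags plus bytes) whether a session was established, then count peers.
from dataclasses import dataclass

# TCP flag bit values as carried in NetFlow/IPFIX tcpControlBits.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class BiFlow:
    src: str
    dst: str
    dport: int
    flags: int    # OR of all flags seen in either direction of the flow
    bytes_: int   # total payload bytes in both directions

def classify(flow: BiFlow, min_bytes: int = 200) -> str:
    f = flow.flags
    if not f & SYN:
        return "mid-stream"      # handshake not captured; cannot judge
    if not f & ACK:
        return "unanswered"      # SYN with no reply at all
    if f & PSH or flow.bytes_ >= min_bytes:
        return "established"     # handshake completed and data moved
    if f & RST:
        return "reset"           # peer refused or tore it down at once
    return "handshake-only"      # e.g. a connect() probe that sent nothing

def established_peers(flows, watchlist):
    """Map each source to the watchlisted destinations it really talked to."""
    out = {}
    for fl in flows:
        if fl.dst in watchlist and classify(fl) == "established":
            out.setdefault(fl.src, set()).add(fl.dst)
    return out

# Constructed records; 203.0.113.0/24 stands in for the watched hosts.
WATCHLIST = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}
SAMPLE = [
    BiFlow("198.51.100.5", "203.0.113.10", 443, SYN | ACK | PSH | FIN, 9812),
    BiFlow("198.51.100.5", "203.0.113.11", 443, SYN | ACK | FIN, 0),    # probe
    BiFlow("198.51.100.5", "203.0.113.12", 8443, SYN, 0),               # no reply
    BiFlow("198.51.100.9", "203.0.113.12", 443, SYN | ACK | RST, 0),    # refused
    BiFlow("198.51.100.9", "203.0.113.10", 443, ACK | PSH, 4000),       # mid-stream
]

if __name__ == "__main__":
    for fl in SAMPLE:
        print(fl.src, "->", fl.dst, classify(fl))
    print(established_peers(SAMPLE, WATCHLIST))
```

Only the first record counts as an established session, so a "talked to N hosts" figure built this way excludes scans, refused attempts and flows whose handshake fell outside the capture window.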