A new malware campaign has been detected which is targeting point-of-sale (PoS) systems across the United States and Europe.
On Wednesday, researchers from IBM X-Force IRIS said the attacks have been attributed to the FIN6 cybercriminal group.
This is only the second documented campaign that appears to be the handiwork of FIN6. According to a FireEye report (PDF), the group first emerged in 2016, when it came to light that the threat actors had stolen millions of credit card numbers.
FIN6 used a credential-stealing backdoor called Grabnew to harvest account details, then used publicly available tools to map the compromised networks. The group would then locate and exploit PoS devices with the Trinity malware, also known as FrameworkPOS, which reads PoS device memory and exfiltrates the data it finds there.
This information was then compressed into a .ZIP archive, transferred to a command-and-control (C&C) server through an SSH tunnel and ended up for sale in the Web's underbelly.
The earlier campaign netted the group the details of over 10 million credit cards, each of which was sold for an average of $21, giving FIN6 millions of dollars in potential profit.
The latest campaign moves along similar tracks. X-Force IRIS researchers say that 90 percent of attacks currently taking place use the same tactics and attack tools identified in the original wave of attacks against PoS systems.
However, the group is no longer limited to Grabnew and Trinity, as FIN6 now also employs the Windows Management Instrumentation Command (WMIC) to "automate the remote execution of PowerShell commands and scripts," as well as the Metasploit framework.
Earlier this month, Symantec researchers explored how WMIC and little-known Windows file extensions were being abused by threat actors in data-stealing campaigns in the same manner.
FIN6's tools are generally simple and available online; the group's sophistication lies not in its toolkit but in its ability to slip past security systems through stealth.
IBM says that FIN6 obfuscates PowerShell commands with base64 encoding and gzip compression, generates random service names in Windows event logs to avoid suspicion, and also dynamically generates file names for binaries on disk.
In addition, the group uses specific PowerShell parameters to bypass antivirus protections, uses the file name winhlp.dat as cover for a malicious PowerShell script that injects FrameworkPOS into "lsass.exe," and excludes certain processes from Trinity's targeting to avoid causing system disruption -- which is especially important when a campaign is based on covert theft rather than damage.
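As an added example (not code from the IBM report or from this article), the following Python triage script turns the observations above into checks over constructed log records: it decodes PowerShell -EncodedCommand blobs, flags a gzip unpacking stage hidden inside them, notes PowerShell launched through WMIC, and scores 7045 service-install names for randomness. The flattened key=value record format, the service name, and the encoded stage are all assumptions made up for the example.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample records (not real FIN6 artefacts). STAGE is a typical
# base64-then-gzip unpacking stub; ENCODED is how it would appear after -EncodedCommand.
STAGE = ("IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
         "(New-Object IO.MemoryStream(,[Convert]::FromBase64String($b))),"
         "[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
ENCODED = base64.b64encode(STAGE.encode("utf-16le")).decode()
SAMPLE_LOGS = [
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\wbem\\WMIC.exe "
    f"CommandLine=wmic /node:HOST-1 process call create \"powershell -NoP -W Hidden -Enc {ENCODED}\"",
    "EventID=7045 ServiceName=aXk3Qz9fLm2v ImagePath=C:\\Windows\\TEMP\\ab12cd.exe",
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt",
]
# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
SERVICE_RE = re.compile(r"ServiceName=(\S+)")
GZIP_MARKERS = ("GzipStream", "Decompress", "FromBase64String")

def shannon_entropy(text):
    """Bits per character; generated names score higher than human-chosen ones."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def decode_encoded_command(blob):
    """-EncodedCommand carries UTF-16LE script text, base64 encoded."""
    return base64.b64decode(blob).decode("utf-16le", errors="replace")

def looks_random(name):
    # Heuristic: high entropy plus digits and mixed case; baseline it on your own hosts.
    return (shannon_entropy(name) > 3.0 and any(ch.isdigit() for ch in name)
            and name != name.lower() and name != name.upper())

def analyze(line):
    """Return the detection labels that fire on one log record."""
    findings = []
    enc = ENC_RE.search(line)
    if enc:
        findings.append("encoded-powershell")
        if any(m in decode_encoded_command(enc.group(1)) for m in GZIP_MARKERS):
            findings.append("gzip-stage")        # second obfuscation layer under the base64
        if "wmic" in line.lower() and "process call create" in line.lower():
            findings.append("wmic-remote-exec")  # PowerShell launched remotely via WMIC
    svc = SERVICE_RE.search(line)
    if "EventID=7045" in line and svc and looks_random(svc.group(1)):
        findings.append("random-service-name")   # service install with a generated name
    return findings
```

Run `analyze` over each record in `SAMPLE_LOGS`: only the WMIC/PowerShell record and the randomly named service record produce findings, while the Spooler and notepad records stay clean.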
"While some of these tactics, techniques, and procedures (TTPs) may be side-effects of tools FIN6 actors were using, or specific to the environment in which the actors were operating, we believe many represent new TTPs that could become characteristic of evolved FIN6 standard operating procedures," the researchers say.
It is not known how many businesses may have become victims in the latest campaign.
PoS terminals are a lucrative target, given the valuable financial data they collect. A number of serious vulnerabilities were recently found in popular mobile PoS systems offered by vendors including Square, SumUp, iZettle, and PayPal, which could allow unscrupulous merchants to steal credit card data from customers.