The hacking group FIN6, first observed in 2016 selling stolen credit cards, has been seen again carrying out attacks on Point of Sale (POS) systems across the US and Europe. Previously the group used a backdoor of its own, Grabnew, to harvest account details. The group then maps the compromised network using publicly available tools and deploys the malware Trinity or FrameworkPOS, which scrapes the memory of the POS machine and exfiltrates its data. The stolen information is compressed into a .zip file and transferred over an SSH tunnel to a command and control server, to be sold on the darknet.

The group's tactics this time are virtually the same, except that FIN6 has added the Windows Management Instrumentation Command (WMIC) to automate the remote execution of PowerShell commands and scripts. The group's strength lies in its ability to infiltrate systems without being caught, rather than in designing tools and malware. The group stole over 10 million credit cards during its first campaign in 2016 and sold each card for an average of $21. The changes in the techniques used by FIN6 indicate that the group is evolving its standard operating procedures.
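The new element in this campaign, remote PowerShell execution through WMIC, leaves a recognisable trace in process-creation telemetry: on the target host the PowerShell process is a child of the WMI provider host (WmiPrvSE.exe), and on the source host wmic.exe itself runs a `process call create` with a PowerShell command line. The script below is an added example (not code from the article or from Binary Defense) that applies both checks to a handful of constructed Sysmon-style records in a simplified pipe-separated format; the record layout, hostnames, paths and user names are all assumed for illustration.

```python
"""Flag PowerShell launched through WMI, the execution pattern attributed to FIN6 above.

Added example; the records below are constructed, not taken from the article.
Record format (constructed, simplified from Sysmon Event ID 1):
    ts|parent_image|image|user|command_line
command_line is last so that it may itself contain '|' characters.
"""
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events: two malicious-looking, two benign.
SAMPLE_EVENTS = """\
2019-04-02T10:14:03Z|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CORP\\svc_pos|powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\a.ps1
2019-04-02T10:14:05Z|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|CORP\\admin|wmic /node:POS-07 process call create "powershell.exe -NoProfile -File C:\\Users\\Public\\a.ps1"
2019-04-02T10:15:11Z|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CORP\\jdoe|powershell.exe
2019-04-02T10:16:40Z|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|NT AUTHORITY\\SYSTEM|powershell.exe -File C:\\ProgramData\\Scripts\\inventory.ps1
"""

FIELDS = ("ts", "parent_image", "image", "user", "command_line")
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# wmic's process-creation verb followed somewhere later by a PowerShell invocation.
WMIC_CREATE = re.compile(r"process\s+call\s+create\b.*powershell", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one record into named fields; maxsplit keeps pipes inside command_line intact."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"malformed record: {line!r}")
    return dict(zip(FIELDS, parts))


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive image matching."""
    return path.rsplit("\\", 1)[-1].lower()


def is_wmi_spawned_powershell(ev: Dict[str, str]) -> bool:
    """Rule 1 (target side): PowerShell whose parent is the WMI provider host.

    A process created through Win32_Process.Create, which is what
    'wmic process call create' uses, runs under WmiPrvSE.exe on the target.
    Interactive use of PowerShell never has that parent.
    """
    return basename(ev["parent_image"]) == "wmiprvse.exe" and basename(ev["image"]) in POWERSHELL


def is_wmic_remote_powershell(ev: Dict[str, str]) -> bool:
    """Rule 2 (source side): wmic.exe itself creating a PowerShell process, locally or via /node:."""
    return basename(ev["image"]) == "wmic.exe" and WMIC_CREATE.search(ev["command_line"]) is not None


RULES: List[Tuple[str, Callable[[Dict[str, str]], bool]]] = [
    ("powershell_child_of_wmiprvse", is_wmi_spawned_powershell),
    ("wmic_process_call_create_powershell", is_wmic_remote_powershell),
]


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every record and return one finding per rule hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append(
                    {"rule": name, "ts": ev["ts"], "user": ev["user"], "command_line": ev["command_line"]}
                )
    return findings


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS.splitlines()):
        print(f'{hit["ts"]} {hit["rule"]:<38} {hit["user"]:<22} {hit["command_line"]}')
```

Rule 1 is the more robust of the two because it fires on the victim host regardless of which tool issued the WMI call; rule 2 only catches the case where wmic.exe is the client. In a real deployment both would be baselined against legitimate management software that also drives WMI, since the benign `svchost.exe` and `explorer.exe` parents in the sample are the normal case and must not alert.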
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense