FIN8 Group Returns, Targeting POS Devices With MalwareResearchers Say Group Reappears After Two Years of Silence
After a two-year absence, the hacking group known as FIN8 has returned with a new campaign mainly targeting point-of-sale machines in the hotel industry in an effort to steal credit card and other payment data, according to new research.
As with previous hacking attempts, this new attack started with a spear-phishing campaign that would allow the FIN8 group to install the ShellTea malware backdoor into a victim's network in an effort to steal data from POS devices, according to security firm Morphisec.
In a blog post published Monday, Morphisec CTO Michael Gorelik writes that his firm was able to stop the March attack before any data was taken. An analysis of the incident at the unnamed hotel chain led Gorelik to conclude with "high probability" that it was the work of the FIN8 group.
While FIN8 used the same ShellTea backdoor as in previous campaigns, Gorelik notes that the group made several changes to the malware to help it avoid detection and other security protocols. Additionally, the use of the backdoor could mean that the hacking group planned to maintain their presence within the network for purposes beyond stealing credit card and other financial data.
"At least one of the machines wasn't POS at all, so it wasn't clear why the backdoor existed there beside going back to the assumption that this code may be reused to deliver something else," Gorelik tells Information Security Media Group.
"This backdoor implant is very effective in bypassing behavior solutions and whitelisting solutions so someone who has access to the code of this malware, I suppose, may reuse it for different purposes other then what was it used before, such as downloading POS malware."
Return After Absence
The activity detected in March is the first time security researchers have spotted a major campaign by FIN8 in at least two years.
FireEye and several other security firms offered detailed analysis of FIN8's techniques following a string of attacks in 2017. During that time, researchers first saw the group using the ShellTea, or PunchBuggy, backdoor to gain access to networks in the hospitality industry as well as the retail sector.
From there, the group installed another piece of malware called PunchTrack that could scrape credit card and other payment data from POS devices, researchers noted.
One reason why FIN8 is targeting the hotel industry is that many of the POS devices used by these companies run older, embedded versions of Microsoft Windows 7, which are not typically updated or patched, Gorelik notes in his analysis. In addition, POS machines don't typically run anti-virus or other security software, making them susceptible to attacks, Gorelik adds.
With its re-emergence, FIN8 made several improvements to its malware arsenal, fixing bugs and making the malicious tools harder to detect, Gorelik explains.
For instance, the PowerShell script used in part of the attack can now collect a significant amount of data from the network, including snapshots, computer and user names, emails from registry, tasks in task scheduler, system information, anti-virus registered in the system, privileges, domain and workgroup information, according to the Morphisec analysis.
The ShellTea backdoor also connects to a command-and-control server overseen by FIN8 that can write data or shellcode it receives from the server into the registry. It can also reflectively load the delivered executable into the process and then execute it, and it can also create a file and execute it as a process and then delete it after a restart.
Connections to Other Groups
Several security analysts, including Gorelik and the FireEye team, have noted similarities between various "FIN" groups, especially FIN7 and FIN8. Those two hacking gangs use similar techniques, including malicious tools used to bypass network filters and data loss prevention solutions. Other independent researchers have noticed these connections as well.
It’s an uncconfirmed hypothesis of mine (that maybe @ItsReallyNick would give some feedback on?) that some of the activity that has been publicly attributed to FIN7 over the last 12-18mos is actually FIN8. A “weak signal in the noise” of FIN7 doc activity?— PaulM (@pmelson) June 14, 2018
Another similar hacking group, called FIN6, has also increased its activity lately and has branched out from stealing and selling payment data to distributing ransomware, according to a separate analysis by FireEye (see: Report: FIN6 Shifts From Payment Card Theft to Ransomware).
While Gorelik's analysis notes that FIN7 and FIN8 share some similarities and techniques, it's nearly impossible to connect one group to other, especially in a cybercriminal underground where hackers can sell their tools to the highest bidder and some code is reused. Another possibility is that cybercriminals may move from group to group and bring their techniques with them.
"It's really hard to know exactly what is happening, but there is an assumption that there is some consolidation of group members from different teams - but this is hard to prove," Gorelik says.