Pierluigi Paganini March 04, 2019

Security experts at Morphisec observed a wave of attacks against point-of-sale (PoS) thin clients using card data scraping malware and the Cobalt Strike beacon.

Over the past 8-10 weeks, security experts at Morphisec observed multiple sophisticated attacks targeting PoS thin clients worldwide. 

Most of the indicators collected by the experts point to the FIN6 hacking group, even if some of them are also tied to the EmpireMonkey group. 

Threat actors used the FrameworkPOS scraping malware to exfiltrate payment card data, they also used PowerShell/WMI stages to download and load Cobalt Strike with PowerShell extensions directly into memory.

“Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory.” reads the analysis published by Morphisec.

“We found many indicators linking specifically to the FIN6 group (WMI/PowerShell, FrameworkPOS, lateral movement and privilege escalation), with the difference of moving from Metasploit to Cobalt-Strike). Some indicators are also tied to the EmpireMonkey group. At this point, we don’t have enough data for proper attribution.”

Some of the attacks expressly targeted PoS VMware Horizon thin clients.

Once infected a system, attackers leverage the Cobalt Strike beacon payload to control the system and make lateral movements. The malware was used to harvest user credentials, execute code and evade advanced EDR scanning techniques.

Hackers belong to finance, insurance and healthcare industries, victims of the attacks were identified in the United States, Japan, and India.

The experts are still investigating the attack vector, at the time of writing that discovered that some attacks involved HTA (HTML Application) files that execute PowerShell scripts as part of an embedded VBScript. Morphisec also identified other scripts leading to the same Cobalt Strike beacon.

“Morphisec observed 2 types of beacons during this campaign, the first one is a regular direct reflective loaded Cobalt Strike DLL beacon, usually XOR encoded.” continues the analysis.

“The second type is a shellcode backdoor beacon with PowerShell and Mimikatz functionality.”

Experts highlighted the level of sophistication for these attacks that leverage on fileless malware to evade detection, unfortunately, these techniques are adopted by several threat actors making it hard the attribution of the attacks.

“These types of advanced attacks that utilize memory to evade detection solutions either by reflectively loading libraries, hollowing process memory or injecting code into new processes, are harder and harder to attribute due to the simple fact that more and more criminals are taking advantage of the strength of these evasion techniques and the weakness of runtime detection technologies to cope with such evasion,” Morphisec concludes. 

Pierluigi Paganini

(SecurityAffairs – FIN6, PoS malware)

[adrotate banner=”5″]

[adrotate banner=”13″]