The group is using the More_eggs JScript backdoor to anchor its attack.
The financial cybergang known as the FIN6 group, known for going after brick-and-mortar point-of-sale (PoS) data in the U.S. and Europe, has changed up its tactics to target e-commerce sites.
According to researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 (a.k.a. ITG08) has been spotted injecting malicious card-skimming code into online checkout pages of compromised websites. The code steals payment-card data as it’s entered into shopping-cart forms.
However, that’s only part of the story. To inject the code, FIN6 first gains access to a target environment to install a backdoor – before pivoting and stealing additional information from throughout the victim network.
The backdoor code is the More_eggs JScript backdoor malware (a.k.a. Terra Loader or SpicyOmelette), according to IRIS. It’s sold on the Dark Web as a malware-as-a-service (MaaS) offering.
In a recently observed campaign, FIN6 opened with targeted emails.
“We believe ITG08 is actively attacking multinational organizations, targeting specific employees with spearphishing emails advertising fake job advertisements,” according to a Thursday writeup by IRIS.
In addition, FIN6 was seen using well-worn tactics familiar from earlier campaigns by the group, like using Windows Management Instrumentation (WMI) to automate the remote execution of PowerShell scripts, PowerShell commands with base64 encoding, and Metasploit and PowerShell to move laterally and deploy malware.
“Lastly, the attackers used Comodo code-signing certificates several times during the course of the campaign,” according to IRIS – another tactic known to be used by the group.
Anatomy of an Attack
To gain access to victim environments, FIN6 handpicked employees using LinkedIn messaging and email, advertising fake jobs.
“In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert,” according to the research. “Once clicked, the URL displayed the message, ‘Online preview is not available,’ then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description.”
That URL, in turn, downloaded a ZIP file containing a malicious Windows Script File (WSF) that initiated the infection routine of the More_eggs backdoor, which then established a reverse shell connection to the attacker’s command-and-control (C2) infrastructure.
The More_eggs malware can also download and execute other files and scripts, and can run commands using cmd.exe. In this case, it downloaded a signed binary shellcode loader and a signed Dynamic Link Library (DLL), to create a reverse shell and connect to a remote host. From there, FIN6 installed the card-skimmer; and, once the attackers established a foothold on the network, they employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment.
“The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems, subsequently spawning a Meterpreter session and Mimikatz,” according to IBM.
Meterpreter is a payload component in the Metasploit Framework that uses in-memory DLL injection, which can lead to a compromise by malware or any malicious code/commands. Mimikatz is a post-exploitation tool that allows attackers to extract credentials.
“Stolen credentials are usually leveraged to facilitate privilege-escalation and further lateral movement through the compromised environment,” IBM explained.
Once in the network, the attackers also infected several additional devices with the More_eggs backdoor, creating multiple ways to connect back into the network.
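The techniques described above (WMI-spawned PowerShell, base64-encoded PowerShell commands, and a WSF delivered in a ZIP) leave traces in process-creation telemetry. Below is added detection logic, not code from IBM or the article: it decodes `-EncodedCommand` payloads and flags the suspicious parent/child and script-host combinations over a few constructed events whose field names (Image, ParentImage, CommandLine) follow the Sysmon Event ID 1 layout and are assumed here.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...),
# so match loosely and let a successful base64 + UTF-16LE decode confirm the hit.
ENC_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{8,})", re.I)

# Constructed sample events (not real telemetry from the campaign).
# Event 0: PowerShell spawned by the WMI provider host with an encoded command
#          whose payload is "Get-Date" in UTF-16LE base64.
# Event 1: wscript.exe running a .wsf extracted from a ZIP, as in the lure.
# Event 2: benign scheduled script, should not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\job_description.wsf"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if none is present."""
    for m in ENC_RE.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue  # e.g. "-ExecutionPolicy Bypass" is not a valid payload
    return None

def classify(event: dict) -> list:
    """Return the list of detection labels that apply to one process event."""
    findings = []
    image, parent = event["Image"].lower(), event["ParentImage"].lower()
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        findings.append(f"encoded-powershell: {decoded}")
    if image.endswith("powershell.exe") and parent.endswith("wmiprvse.exe"):
        findings.append("wmi-spawned-powershell")
    if image.endswith(("wscript.exe", "cscript.exe")) and re.search(r"\.wsf\b", event["CommandLine"], re.I):
        findings.append("script-host-wsf")
    return findings

def scan(events: list) -> dict:
    """Map event index -> findings for every event that triggered at least one label."""
    return {i: f for i, e in enumerate(events) if (f := classify(e))}
```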
FIN6's evolution shows that it's adapting with the times, according to IRIS.
“[This group] has been around for over four years now. Its attacks are financially motivated, sophisticated and persistent,” the firm said.