Hacking group FIN6 changes tactics and aims at e-commerce websites

Card-skimming code injected into online checkout pages of retailers

Hackers have been discovered injecting malware into compromised e-commerce websites that steals payment card data from unsuspecting victims.

According to a blog post by security researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), FIN6 (a.k.a. ITG08) is better known for targeting point of sale (PoS) terminals in Europe and the US but lately has changed tactics.

In a new campaign, hackers have been found injecting malicious code into online checkout pages of compromised websites — a technique known as online skimming — thereby stealing payment card data transmitted to the vendor by unsuspecting customers.

Researchers said that the cyber criminal gang has been actively attacking multinational organisations, targeting specific employees with spear-phishing emails carrying fake job advertisements and repeatedly deploying the More_eggs JScript backdoor malware (aka Terra Loader, SpicyOmelette).

They added that this backdoor has been sold on the dark web by an underground malware as a service (MaaS) provider.

The gang has also used common tactics from earlier campaigns, such as Windows Management Instrumentation (WMI) to automate the remote execution of PowerShell scripts, PowerShell commands with base64 encoding, and Metasploit and PowerShell to move laterally and deploy malware.
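A defender's view of the WMI and base64-encoded PowerShell tactics mentioned above, as an added example that is not from the IBM research or the original article: it decodes `-EncodedCommand` arguments found in process-creation records and marks launches whose parent is `WmiPrvSE.exe`. The event field names and the sample records are constructed for illustration.

```python
import base64
import re

# A flag token ('-' or '/' prefix) followed by a base64-looking argument.
FLAG_ARG = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/]{8,}={0,2})(?=\s|$)")

def decode_encoded_command(cmdline):
    """Return the decoded script if cmdline carries -EncodedCommand, else None."""
    for flag, blob in FLAG_ARG.findall(cmdline):
        flag = flag.lower()
        # PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue
        try:
            # The argument is base64 over UTF-16LE text.
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # malformed base64 or not valid UTF-16LE
            continue
    return None

def triage(events):
    """Flag PowerShell launches with an encoded command; note WMI parentage."""
    findings = []
    for ev in events:
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        parent = ev["parent_image"].lower().rsplit("\\", 1)[-1]
        if image not in ("powershell.exe", "pwsh.exe"):
            continue
        script = decode_encoded_command(ev["command_line"])
        if script is not None:
            # WmiPrvSE.exe as parent means the process was started through WMI.
            findings.append({"host": ev["host"],
                             "via_wmi": parent == "wmiprvse.exe",
                             "script": script})
    return findings

# Constructed sample events with a benign payload, not data from the campaign.
_BLOB = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "image": _PS, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": _PS + " -NoProfile -WindowStyle Hidden -enc " + _BLOB},
    {"host": "ws02", "image": _PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": _PS + r" -ExecutionPolicy Unrestricted -File C:\scripts\backup.ps1"},
    {"host": "ws03", "image": _PS, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "powershell -e " + _BLOB},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Findings with `via_wmi` set are the ones to review first, since they combine both tactics named in the paragraph.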

They have also used Comodo code-signing certificates several times during the course of the campaign.

To gain entry into an organisation’s infrastructure, the gang targeted employees via LinkedIn messaging and email, advertising fake jobs.

“In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert,” researchers said.

“Once clicked, the URL displayed the message, ‘Online preview is not available,’ th ..
