FIN6 Now Deploying Ransomware

In the middle of March 2019, we covered the emergence of a new POS malware, DMSniff. The article further highlighted the threat posed SMBs and retailers posed by malware specifically designed to scrap card details from POS machines when a card is swiped. Central to this threat is one group FIN6 and their use of the Trinity to steal and later sell card details on hacker forums which roped them in millions upon millions of dollars. According to a report published by security firm FireEye, FIN6 are now deploying ransomware in where it cannot infect the target with its created POS malware.

FIN6 has been linked to numerous attacks netting in millions of dollars. Researchers at FireEye describes the group and its tactics as,

“FIN6 is a cybercriminal group intent on stealing payment card data for monetization. In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised point-of-sale (POS) systems, making off with millions of payment card numbers.”

The group is further regarded as one of the more technically advanced cyber threat groups on the current landscape. This is illustrated by their use of a legitimate penetration testing tool, subverted and changed to fulfill the needs of the cybercriminals. This led to the creation of Trinity, also called FrameworkPOS, an incredible example of POS malware. Such malware would be used in conjunction with other malware families hack into the networks of major retailers, move laterally across their systems, and deploy malware on computers or devices that handled POS data to extract payment card details that they would later upload on their own servers.

FIN6 Now Deploying Ransomware

It would now appear that the group is deploying ransomware on networks that don’t use point of sale systems. According to the research conducted by FireEye, the group is dropping the LockerGoga and Ryuk ransomware strains in an attempt to make even more money. Both of these strains have been used in some high profile ransomware attacks, with the LockerGoga strain suspected of being used in the Norsk Hydro attack which made international headlines. According to reports from major security firms including McAfee, IBM, and Cybereason FIN6 are operating out of Russia where they, not only infect targets with POS malware but they are suspected to rent out their infrastructure to other groups, like Emotet and TrickBot,  to search for large companies that it would later infect with Trinity, Ryuk, or LockerGoga.

Many of these findings are based on analysis done by FireEye to trace the flow of stolen funds. It was found that the group made a substantial amount of funds selling the stolen card details via their “card shop”. On average a card’s data would be sold for 21 USD, when this is combined with a recent FIN6 linked shop advertising that they had 20 million or so cards, the group could theoretically make approximately 400 million USD. The reality is somewhat different, it is estimated that the shop and others affiliated to the group could only make a fraction of that initial total. This is mainly due to laundering a stolen card is harder than the actual stealing of it and buyers want the newest data so that they can exploit that data before users and authorities can stop the data from been used fraudulently. While generating a significant return FIN6 would look to diversify their portfolio, so to speak, to generate more cash flow.

FIN6 Ransomware First?

The report published by FireEye does seem to illustrate a change in tactics but to state, the group is a ransomware first group may be premature. Researchers believe that another option exists in reality, that being that the deployment of ransomware is just a side-activity carried out by some group members “independently of the group's payment card breaches.” For security researchers these details are interesting and used to create a better picture of the threat group, this is not the case for companies and potential victims. What is of more use is understanding how the group goes about targeting potential victims.

To that extent, FireEye published an article detailing their attack methods so that companies can improve their detection techniques. The group will first look to gain access to a target by using stolen credentials to move laterally within the environment using the Windows’ Remote Desktop Protocol (RDP). Once this achieved the group then begins the reconnaissance stage and attempts to move laterally across the network. Once the attackers are convinced they have a presence on the network which can be maintained then they move to complete their mission. With regard to the new tactics of deploying either LockerGoga or Ryuk, FireEye concludes that,

“FIN6 also moved laterally to servers in the environment using RDP and configured them as malware “distribution” servers. The distribution servers were used to stage the LockerGoga ransomware, additional utilities, and deployment scripts to automate the installation of the ransomware. Mandiant identified a utility script named kill.bat that was run on systems in the environment. This script contained a series of anti-forensics and other commands intended to disable antivirus and destabilize the operating system. FIN6 automated the deployment of kill.bat and the LockerGoga ransomware using batch script files. FIN6 created a number of BAT files on the malware distribution servers with the naming convention xaa.bat, xab.bat, xac.bat, etc. These BAT files contained psexec commands to connect to remote systems and deploy kill.bat along with LockerGoga.”

The article also includes a number of indicators of compromise and should be required reading for all those responsible for the cybersecurity of an organization.