FIN6 was selling stolen credit card data on the Dark Web

Apr 21, 2016 08:39 GMT

Yesterday, security researchers from FireEye and iSIGHT Partners released a report detailing the previously unknown mode of operation of a criminal group named FIN6.

FireEye says the group surfaced in 2015 and focused only on the theft of financial information, mainly credit card data from organizations in the retail and hospitality sectors.

Researchers explain the group only targeted PoS (Point of Sale) systems and used two well-known malware families that aided their criminal efforts.

All FIN6 attacks started with email spam campaigns that distributed the Grabnew malware, also known as Vawtrak and Neverquest.

Grabnew is a credential-stealing backdoor with form-grabbing capabilities and the ability to inject code into specific Web pages. Grabnew collected login credentials from infected computers and PoS systems and then transmitted this information to the FIN6 group.

FIN6 used Grabnew and Trinity malware

The crooks then used these credentials, together with Grabnew's ability to download and install other malware, to deliver their second threat, called Trinity (also known as FrameworkPoS), a malware family for PoS terminals.

Trinity collected vast amounts of data from infected systems. At regular intervals, it would compress all collected data into a ZIP file and send it to an intermediary host, from where it was relayed to FIN6's C&C (command and control) servers.
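As an added defender's example (not code from the report or this article), the Python snippet below flags the exfiltration pattern just described: a host that repeatedly uploads compressed archives to the same external destination on a regular cadence. The log lines, host names and the 203.0.113.9 address are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress-proxy log lines (not real traffic):
# timestamp, source host, destination, bytes sent, MIME type.
LOG_LINES = """\
2016-04-20T00:00:05 pos-reg-07 203.0.113.9 41210 application/zip
2016-04-20T00:02:11 pos-reg-07 cdn.example.net 3120 text/html
2016-04-20T01:00:07 pos-reg-07 203.0.113.9 39870 application/zip
2016-04-20T02:00:04 pos-reg-07 203.0.113.9 42002 application/zip
2016-04-20T03:00:09 pos-reg-07 203.0.113.9 40511 application/zip
2016-04-20T00:10:00 pos-reg-12 203.0.113.9 5000 application/zip
2016-04-20T05:33:00 pos-reg-12 203.0.113.9 6000 application/zip
2016-04-20T09:41:00 backoffice-01 files.example.org 800000 application/zip
"""

# MIME types treated as compressed archives (assumed labels for this example).
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def archive_uploads(lines):
    """Group archive-upload timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes, mime = line.split()
        if mime in ARCHIVE_TYPES:
            events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def beaconing_uploads(lines, min_uploads=3, max_jitter=0.1):
    """Return (src, dst, mean_interval_seconds) for host/destination pairs whose
    archive uploads recur at a near-constant interval (relative jitter <= max_jitter)."""
    findings = []
    for (src, dst), stamps in archive_uploads(lines).items():
        if len(stamps) < min_uploads:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # A tight spread of inter-upload gaps is the scheduled-exfiltration signal.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((src, dst, round(avg)))
    return findings


if __name__ == "__main__":
    for src, dst, interval in beaconing_uploads(LOG_LINES):
        print(f"{src} -> {dst}: archive upload every ~{interval}s")
```

Only pos-reg-07 is flagged: its hourly ZIP uploads to one destination match the cadence, while the two irregular uploads from pos-reg-12 and the single back-office transfer do not.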

The group would then take all this information and upload it to "card shops" hosted on the Dark Web, where other criminal groups would buy the information and carry out financial fraud operations.

Security researchers added that, in a single card breach, FIN6 managed to steal data on over 20 million credit cards, which, when sold through its card shops, earned the group over $400 million (€355 million).

A visual presentation of FIN6's activities can be viewed in the YouTube video below, and for more details, Softpedia readers can download FireEye and iSIGHT Partners' report, Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6.