How far the FIN8 threat actor group has gone since its inception?

• FIN8 is a financially motivated threat group targeting retail, hospitality and entertainment industries.
• The group uses tailored spearphishing emails to launch attacks against companies in the US.

FIN8 is a financially motivated threat group targeting retail, hospitality and entertainment industries. Although the origin of the group is unknown, it is known to use tailored spearphishing emails to launch attacks against companies in the US.

Some well-known malware

According to ThaiCERT, “This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of an EoP exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication.”

The group has been observed using the downloader PUNCHBUGGY/ShellTea and POS malware PUNCHTRACK in most of its previous attack campaigns.

PUNCHTRACK, designed to scrape both Track 1 and Track 2 payment card data, is loaded and executed by a highly obfuscated launcher and is never saved to disk.

Flashback of the operations performed

• In March 2016, FIN8 was involved in launching several spear-phishing emails against retail, restaurant and hospitality industries. The emails contained variations of Microsoft Word documents with embedded macros, which if enabled, caused the download of a malicious downloader known as PUNCHBUGGY.
• In early 2017, FIN8 began using environment variable paired with PowerShell’s ability to use receive commands via StdIn to evade detection. One of the evasion techniques included a phishing document called “COMPLAINT Homer Glynn.doc”. The group had crafted the macro to use WMI to spawn the cmd.exe execution.
• After two years, FIN8 reemerged with an improved version of the ShellTea backdoor. The industries targeted in this campaign were from the hospitality and entertainment sectors.

In November 2019, the group made the headlines for shifting its target to PoS systems used at fuel pumps at gas stations. The first attack compromised the PoS system of a ‘North American fuel dispenser merchant’ using a phishing email sent to an employee that included a malicious link. The second attack also had a similar target but researchers were unsure of how attackers gained initial access to the merchant’s network environment.