Two years after the last report on the activities of the FIN8 hacking group, security researchers say they’ve spotted the elusive hackers attempting new attacks against companies in the hospitality sector.

FIN8, as its “FIN” codename indicates, is a group of hackers focused on attacks for their own financial benefit, as opposed to APT (advanced persistent threat) groups that are focused on intelligence gathering and cyber-espionage.

While some FIN groups focus on breaching bank networks or stealing money via mass ATM cashouts, FIN8 has a long history of targeting companies that run point-of-sale (POS) systems, infecting them with malware that harvests payment card data, which the group then sells on underground forums for a profit.

FIN8 HAS BEEN QUIET SINCE 2017

The last public reports on FIN8 activity date from 2016 and 2017, when FireEye and root9B documented a series of attacks aimed at POS systems in the retail sector.

Back then, the group used spear-phishing and a Windows zero-day to gain a foothold on the networks of US retailers and install the ShellTea (PunchBuggy) backdoor, which it later used to deploy the PoSlurp (PunchTrack) malware, a memory scraper designed to harvest payment card data from POS systems.
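The core trick of a POS memory scraper like the one described above is simple: read process memory on the POS terminal, pattern-match the magnetic-stripe Track 1 and Track 2 layouts, and keep only candidates whose card number passes the Luhn check so that random digit runs are discarded. The same logic is what defenders use when hunting memory dumps for exposed card data. The example below is added here to illustrate that technique; it is not PoSlurp's code, nor code from FireEye, root9B or Morphisec. `SAMPLE_MEMORY` is a constructed byte buffer standing in for a process memory image and uses the publicly known 4111… and 5555… test card numbers; the regexes, the masking helper and the returned field names are the example's own choices.

```python
import re

# Track 1 layout: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>[0-9]{13,19})\^(?P<name>[^^?]{2,26})\^"
    rb"(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[^?]{0,40}\?"
)
# Track 2 layout: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    rb";(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[0-9]{0,20}\?"
)

# Constructed stand-in for a POS process memory image (not real dump data):
# one valid Track 2 record, one Luhn-invalid decoy, one valid Track 1 record,
# surrounded by unrelated bytes.
SAMPLE_MEMORY = (
    b"\x00\x00POS_TXN_LOG\x00"
    b";4111111111111111=25122011234567890123?"          # valid Track 2
    b"\x90\x90garbage\xff\xfe"
    b";4111111111111112=2512201?"                       # fails Luhn, must be dropped
    b"%B5555555555554444^DOE/JANE^26012010000000000?"  # valid Track 1
    b"\x00some more process memory\x00"
)


def luhn_valid(pan: bytes) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30                     # iterating over bytes yields ints
        if i % 2 == 1:                    # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN (first 6) and last 4 so findings can be reported without exposing the PAN."""
    s = pan.decode()
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Scan a memory buffer for Track 1/Track 2 records whose PAN passes Luhn."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_valid(pan):       # random digit runs rarely pass this
                continue
            hits.append({
                "track": track,
                "offset": m.start(),
                "masked_pan": mask_pan(pan),
                "expiry_yymm": m.group("exp").decode(),
                "service_code": m.group("svc").decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Run against a real dump (for example a page-aligned read of a POS process via a debugger or a forensic memory image) the function reports only masked PANs, which is the form a finding should take in an incident report or a DLP alert. The Luhn filter is what separates a workable scraper or hunt rule from a flood of false positives: a 16-digit run from a timestamp or serial number has only a one-in-ten chance of passing it.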

Since then, FIN8 activity has died down, apart from sporadic detections of the group's malware on VirusTotal every few months.

NEW ATTACKS DISCOVERED IN 2019

But in a report published today, cyber-security firm Morphisec said it detected and stopped new FIN8 attacks aimed at companies in the hospitality industry.

The new attacks reuse the same malware families the group deployed in the past, but with considerably improved evasion and persistence features, which shows that the group remained active and kept developing its tools during the two years since it was last spotted.

“This is the first attack observed during 2019 that can be attributed to FIN8 with high probability, although there are a few indicators that overlap with known FIN7 attacks (URLs and infrastructure),” said Morphisec CTO Michael Gorelik.

His observations echo earlier remarks from other malware researchers, who have noted similar overlaps between the activities of FIN6, FIN7, and FIN8.

BarryV (@BarryV)

There has been a lot of cross-reporting on FIN6, FIN7 and FIN8 for various reasons, such as similar TTPs, targets, and venues for selling stolen card data. Really hard for outside observers to differentiate attacks, especially with the amount of poor reporting out there.

PaulM (@pmelson)

Replying to @curtw

It’s an unconfirmed hypothesis of mine (that maybe @ItsReallyNick would give some feedback on?) that some of the activity that has been publicly attributed to FIN7 over the last 12–18 months is actually FIN8. A “weak signal in the noise” of FIN7 doc activity?

Curt Wilson, human (@curtw)

Replying to @wendynather

What about persistent and skilled cybercrime actors? With some groups improving tradecraft and borrowing from espionage actor toolkits, perhaps they are worthy of mention. Groups like FIN7 and FIN8 come to mind.

Shared server infrastructure and TTPs (Tactics, Techniques, and Procedures) might lead some to conclude that the three groups are one and the same, but that is unlikely.

The cybercrime underground is littered with rentable services and hackers for hire. Overlapping resources are easily explained by three separate groups relying on a common supply chain (bulletproof hosting, malware developers, initial-access brokers, card shops) for different parts of their operations, so infrastructure overlap alone is weak evidence for attribution.

FIN8’s return coincides with a broader increase in attacks against POS systems around the globe.

“In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others,” Gorelik said in a report that analyzes FIN8’s updated malware in detail.