A cybercrime gang that FireEye has dubbed FIN5 has been causing headaches by obtaining valid user credentials to break into its targets. The group created its own malware, dubbed RawPOS, to target point-of-sale machines. Active since 2008, FIN5 has used target organizations' Remote Desktop Protocol, Virtual Private Network, Citrix, or VNC access to get into their environments. All of these are forms of remote network access. The interesting thing about this group is that it doesn't use spearphishing or remote exploits.
One tool they use is the GET2 Penetrator, which brute-forces credentials, whether hardcoded credentials or remote-access credentials. They also use EssentialNet, a free tool that scans networks to map their layout. As for the RawPOS malware, it contains several components: Duebrew keeps the malware installed on the machine, FiendCry scrapes memory to steal credit card data, and Driftwood hides the stolen data from analysis tools.
This software works on a multitude of POS systems and is coded to evolve with new systems. Something unusual about the RawPOS malware is that it is very well commented. It is written in an older Russian text. Authorities believe this is done to make the malware look like a legitimate program and to ease support. Using Windows Credential Editor and Active Directory, the group obtains legitimate user credentials. They also use sophisticated tools that erase their tracks.
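Because FIN5 logs in with valid credentials over RDP or similar remote access rather than exploiting anything, the successful logon itself looks legitimate; the tell is the burst of failed logons a brute-forcing tool leaves just before it. The following detection logic is an added example (not code from the article or from FireEye) and assumes constructed event records shaped like Windows Security events 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RDP):

```python
"""Flag sources whose burst of failed logons is followed by a successful
RDP logon within a short window. All sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, eid, src, user, ltype=10):
    # Minimal stand-in for a Windows Security event record (constructed).
    return {"time": ts, "id": eid, "src": src, "user": user, "type": ltype}


# Constructed sample log: one brute-force-then-success pattern, one benign
# typo-then-success, and one failure burst with no success.
SAMPLE_EVENTS = (
    [_ev(f"2015-10-01T02:00:{s:02d}", 4625, "203.0.113.7", "admin") for s in range(0, 60, 10)]
    + [_ev("2015-10-01T02:03:15", 4624, "203.0.113.7", "admin")]
    + [_ev("2015-10-01T08:15:00", 4625, "198.51.100.4", "jsmith"),
       _ev("2015-10-01T08:15:30", 4624, "198.51.100.4", "jsmith")]
    + [_ev(f"2015-10-01T09:00:{s:02d}", 4625, "192.0.2.9", "svc_pos") for s in range(0, 60, 10)]
)

FAIL_THRESHOLD = 5          # failures from one source before we care
WINDOW = timedelta(minutes=10)


def find_bruteforce_then_success(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (src, user, failure_count, success_time) for every successful
    RDP logon preceded by >= threshold failures from the same source inside
    the window. Only logon type 10 (RemoteInteractive) counts as success here."""
    failures = defaultdict(list)   # src -> timestamps of failed logons
    alerts = []
    for e in sorted(events, key=lambda r: r["time"]):   # ISO strings sort chronologically
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625:
            failures[e["src"]].append(t)
        elif e["id"] == 4624 and e["type"] == 10:
            recent = [f for f in failures[e["src"]] if t - f <= window]
            if len(recent) >= threshold:
                alerts.append((e["src"], e["user"], len(recent), e["time"]))
    return alerts


if __name__ == "__main__":
    for src, user, n, when in find_bruteforce_then_success(SAMPLE_EVENTS):
        print(f"ALERT: {n} failed logons from {src} then success as {user} at {when}")
```

The same pattern applies to VPN, Citrix or VNC gateways once their authentication logs are normalised into the same fields; the threshold and window are tuning knobs, not fixed values.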
Among those struck by the hacker group are Visa, Goodwill, and an unnamed casino in Las Vegas. FireEye is partnering with Visa to create a threat intelligence service that will combat this group and others like it.
To see the full article, visit: http://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645