The threat group Fin6 has been connected to a string of point-of-sale attacks against VMWare Horizon thin clients.
The security firm Morphisec Labs reported the attacks have been taking place for eight to 10 weeks with a particular spike on Feb. 6 that saw numerous attempted downloads of the Cobalt Strike backdoor.
Morphisec has tentatively connected the attacks to Fin6, although it noted there are some indicators the EmpireMonkey group could also be involved.
“Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory,” the report said.
Among the targets so far identified are those in the finance, health care and insurance sectors, located primarily in the United States, Japan and India.
Cobalt Strike is a particularly dangerous payload as it can give attackers full control over the targeted computer along with the ability to move laterally within the host system. The malware can harvest user credentials, execute code and evade EDR scanning techniques.
Morphisec has also identified several command-and-control servers connected with the campaign that are delivering the Cobalt Strike package. In an attempt to have the servers seized and shut down, law enforcement agencies in the regions where the servers are located have been notified.
Morphisec researchers are still not entirely sure of the infiltration method being used, but after retro-hunting the malware on VirusTotal and matching it to previously known telemetry events, the company does believe one attack vector is through HTA files that execute PowerShell scripts as part of an embedded VBScript.