Threat Actor FIN6 Targeting E-Commerce Using More_eggs Backdoor (Aug 29, 2019)

Researchers at IBM have attributed a series of attacks targeting e-commerce websites to the threat group dubbed “ITG08,” more commonly known as FIN6. The group has been observed injecting malicious code into the online checkout pages of compromised websites, thereby stealing the payment card data of customers attempting to make a purchase. This new FIN6 activity demonstrates many of the group's established tactics, techniques and procedures (TTPs), now applied to an e-commerce environment. FIN6 is targeting multinational organizations via spearphishing emails that present fake job advertisements to targeted employees. The emails contain a link that leads the targeted individual to download a ZIP file containing a malicious Windows Script File (WSF) that initiates the infection routine of the “More_eggs” JScript backdoor malware. Threat actors can then use the More_eggs backdoor to gain a foothold and infect additional devices.

Recommendation: Defense-in-depth (layering of security mechanisms, redundancy, fail-safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spearphishing and how to identify such attempts.
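As one concrete detection check for the delivery chain described above (a ZIP download carrying a WSF file), the following added example lists script-host files inside an archive, including archives nested inside it. It is not code from IBM's report or from this page; the extension set beyond `.wsf`, the size and depth limits, and the constructed sample archive are assumptions.

```python
import io
import zipfile

# Extensions handled by Windows Script Host or mshta when opened.
# The page names only .wsf; the rest of this set is an assumption.
SCRIPT_EXTS = {".wsf", ".wsh", ".js", ".jse", ".vbs", ".vbe", ".hta"}
MAX_DEPTH = 3              # stop descending into nested archives
MAX_NESTED = 20_000_000    # skip very large nested archives (zip-bomb guard)


def find_script_members(data, depth=0, prefix=""):
    """Return sorted paths of script-host files inside a ZIP given as bytes."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a ZIP, or corrupt: nothing to report
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Windows ignores trailing dots/spaces; the last extension decides
            # the handler, so "x.pdf.WSF" is a script, not a PDF.
            lower = name.lower().rstrip(". ")
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            if ext in SCRIPT_EXTS:
                hits.append(prefix + name)
            elif ext == ".zip" and depth < MAX_DEPTH and info.file_size < MAX_NESTED:
                try:
                    nested = archive.read(info)
                except RuntimeError:  # encrypted member: cannot be inspected
                    continue
                hits += find_script_members(nested, depth + 1, prefix + name + "!")
    return sorted(hits)


def build_sample():
    """Constructed sample: an inert ZIP shaped like the lure described above."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("Job_Description.pdf.WSF", "<job></job>")  # inert content
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", "constructed test data")
        z.writestr("docs/offer.zip", inner.getvalue())
        z.writestr("notes.js ", "// inert")
    return outer.getvalue()


if __name__ == "__main__":
    for path in find_script_members(build_sample()):
        print("script in archive:", path)
```

A hit from this check is a triage signal for a mail or web gateway, not a verdict: legitimate archives also contain scripts, so it is best combined with sender and download-source context.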

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.