
PoSlurp

Posted: July 25, 2019

FIN8 is a financially motivated threat group that has been linked to several high-profile intrusions at retail, hospitality and financial organizations. Its toolkit consists of Point-of-Sale (PoS) malware, backdoor Trojans, and reconnaissance tools that let the operators learn as much as possible about a target environment before monetizing the access. A recent attack campaign attributed to FIN8 involves the new BADHATCH backdoor Trojan, which appears to have been used in combination with PoSlurp, a new piece of PoS malware that scrapes the Random Access Memory (RAM) of payment processes in search of payment card data.

FIN8 Uses a Memory Scraper to Collect Credit Card Data

The attackers launch PoSlurp remotely and inject it into a legitimate Windows process (e.g. 'winlogon.exe'), so that no new, suspicious executable appears in the process list. Once running, the malware first scans the memory of the targeted processes for card data that was already present before the infection, and then keeps scanning in real time so that any newly swiped card is captured as well. Like other PoS memory scrapers, PoSlurp looks for the characteristic magnetic-stripe track formats and validates each candidate card number with the Luhn check, which filters out random digit sequences and leaves only plausible Primary Account Numbers (PANs) for exfiltration.
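To make the scraping-and-validation step concrete, the following is an added example (not PoSlurp's own code, and not derived from any FIN8 sample): it runs Track 1 / Track 2 pattern matching over a constructed byte buffer standing in for a process memory dump, applies the Luhn check to each candidate PAN, and reports the survivors. The regular expressions are an approximation of the ISO 7813 track layouts rather than the patterns used by the real malware, and the sample buffer, the test card numbers and the helper names are all assumptions made for this illustration. The same logic, run by a defender over a memory image, is a quick way to confirm whether a terminal really holds clear-text track data.

```python
import re

# Approximate ISO 7813 magnetic-stripe layouts (assumption: PoSlurp's exact
# patterns are not published; these are the shapes any RAM scraper looks for).
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^[A-Z /.'-]{2,26}\^\d{4}\d{3}[^?]{0,50}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=\d{4}\d{3}[^?]{0,30}\?")


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) check used by PoS malware to discard false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, as a log or alert should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return every track-shaped hit in buf, annotated with its Luhn result."""
    hits = []
    for track, regex in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode("ascii")
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": pan,
                "luhn_ok": luhn_valid(pan),
            })
    return hits


def exfil_candidates(buf: bytes) -> list:
    """What a scraper would keep: Luhn-valid PANs only, here masked for display."""
    return [mask_pan(h["pan"]) for h in scan_buffer(buf) if h["luhn_ok"]]


# Constructed sample "memory": two copies of a well-known test PAN
# (4111111111111111, Luhn-valid) in Track 1 and Track 2 form, one Track 2
# record with a corrupted check digit, and one too-short decoy.
SAMPLE_MEMORY = (
    b"\x00\x00EFTPOS session 42\x00"
    b"%B4111111111111111^DOE/JOHN^24121010000000000000?"
    b"\x00\x00garbage\x10\x20"
    b";4111111111111111=24121010000000000000?"
    b"\x00junk;4111111111111112=24121010000000000000?\x00"
    b";1234=5678?"
)

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_MEMORY):
        print(f"{hit['track']} @0x{hit['offset']:04x} "
              f"{mask_pan(hit['pan'])} luhn_ok={hit['luhn_ok']}")
    print("would be exfiltrated:", exfil_candidates(SAMPLE_MEMORY))
```

Running the script lists three track-shaped matches, of which only the two with a valid Luhn checksum survive into the exfiltration set; the short decoy never matches at all. On a real terminal the buffer would come from reading the payment application's memory, which is exactly why process-memory access to the card-handling process is the event worth alerting on.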

In addition to its RAM-scraping abilities, PoSlurp also enables its operators to access, modify, and delete log files on the compromised host, execute remote commands, and browse local files.

Applying Security Updates is One Way to Mitigate Such Attacks

FIN8's tooling and tradecraft are updated regularly, so organizations that handle card payments must keep up with current security practices and patches. Many PoS terminals still run outdated Windows builds, including Windows 7, for which security updates are ending, and such systems are particularly exposed. In addition to applying security updates, operators of PoS devices should run reputable anti-malware software on them, restrict which processes are allowed to execute on the terminal, and treat any process reading the memory of the payment application as an incident worth investigating.
