FIN6 Hackers Deployed Malware on Thousands of Retail and Hospitality Point-of-Sale Systems
Researchers have been monitoring the activities of a cybercriminal group that appears to have made a significant amount of money by stealing millions of payment card records and selling them on an underground marketplace.
The financial threat actor, dubbed “FIN6,” has been observed by FireEye since 2015, when it was spotted compromising the point-of-sale (PoS) systems of organizations in the retail and hospitality sectors. By combining its efforts with iSIGHT Partners, which it acquired in January, FireEye managed to track the group’s activities from the initial intrusion up to the point where they sold the stolen data.
Investigations conducted by FireEye-owned Mandiant revealed (PDF) that the attackers possessed valid credentials for each of the targeted companies’ networks. However, experts have not been able to determine the initial method of compromise due to the lack of forensic evidence.
In one attack, researchers found Grabnew malware (also known as Neverquest, Snifula and Vawtrak) on the victim’s systems. Experts assumed that a different threat group planted Grabnew and used it to capture credentials. Grabnew and the credentials it harvested were later used by the FIN6 group in its operations.
Grabnew has been known to be used to download other malware onto infected systems. In November 2015, Proofpoint reported seeing the AbaddonPOS malware on systems infected with Grabnew.
Once it gained access to the targeted organization’s systems using compromised credentials, FIN6 leveraged various Metasploit components to download and execute shellcode, and gain backdoor access to the victim’s network. Various tools and previously known exploits were used by the attackers to escalate their privileges and harvest credentials that would allow them to move laterally in the network.
The cybercriminals deployed a piece of malware dubbed FrameworkPOS (named TRINITY by FireEye) on PoS systems. The threat is designed to capture payment card data from the memory of running processes and save it to a file on the system. The stolen data is copied to an intermediary system, then to a staging system, and ultimately it’s sent to external servers via FTP and public file sharing services.
In one case, investigators determined that FIN6 actors deployed the PoS malware on roughly 2,000 systems, allowing them to compromise millions of cards.
iSIGHT Partners discovered that the data stolen by FIN6 has been offered for sale on an underground card shop. Experts found evidence that the cybercrime group had been selling payment card numbers on this website since as far back as 2014.
The card shop in question sold millions of payment cards, including ones stolen by other threat actors, but FIN6 appears to be an important supplier and some of the group’s members could even be running the underground website. Researchers identified cases where over 10 million cards associated with attacks conducted by FIN6 had been offered for sale.
The shop also advertised nearly 20 million cards associated with a FIN6-linked breach. The credit card records, mostly from the United States, were sold for an average of $21, which would result in a profit of up to $400 million. It’s unlikely that all the records were sold at full price, but even a fraction of $400 million means a significant profit for the cybercriminals.
“The story of FIN6 shows how real-world threat actors operate,” the report concludes, “providing a glimpse not only into the technical details of the compromise, but also into the human factor as well; namely, the interactions between different criminals or criminal groups, and how it is not just data being bartered or sold in the underground, but also tools, credentials and access.”
Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.