POS Malware Targets Finance, Insurance Companies

An ongoing point-of-sale (POS) malware campaign has been targeting finance and insurance organisations in the US, Japan and India since February 2019. The initial infection vector is unknown, but the attacks use HTA files with embedded VBScript that launches PowerShell commands through the Windows Management Instrumentation (WMI) interface, so the PowerShell process is spawned by the WMI provider host rather than by mshta.exe itself. When successful, the scripts install Cobalt Strike, a commercial penetration-testing framework whose leaked copies are widely abused by criminal groups; it gives the attackers lateral movement, credential harvesting and arbitrary code execution. The affected POS systems were hosted on the VMware Horizon platform and accessed through thin clients. Some of the indicators suggest that the threat actors may be connected to FIN6, a group that specialises in stealing payment card data for monetisation in underground marketplaces.
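The execution chain described above (an HTA run by mshta.exe, whose VBScript asks WMI to create a PowerShell process) leaves a recognisable shape in process-creation telemetry: powershell.exe whose parent is WmiPrvSE.exe, shortly after mshta.exe opened an .hta file on the same host. The detection below is an added example written for this page, not code or indicators from the article or from the researchers who reported the campaign. The event records are constructed to resemble Sysmon Event ID 1 fields (timestamp, host, pid, ppid, image, command line); the field names, host names and the encoded command fragment are assumptions, not real campaign data.

```python
"""Flag mshta -> WMI -> PowerShell execution chains in process-creation telemetry.

Added illustration, not from the original article. SAMPLE_EVENTS below is
constructed to mimic Sysmon Event ID 1 style records; the hosts, PIDs and
command lines are invented for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


# Constructed sample telemetry (assumed field layout, not real logs).
SAMPLE_EVENTS = [
    # suspicious chain on a POS virtual desktop: mshta opens an .hta ...
    ProcEvent(datetime(2019, 7, 1, 9, 0, 0), "pos-vdi-07", 4012, 3120,
              r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\clerk\AppData\Local\Temp\invoice.hta"),
    # ... the VBScript calls Win32_Process.Create, so WMI's provider host ...
    ProcEvent(datetime(2019, 7, 1, 9, 0, 2), "pos-vdi-07", 4102, 812,
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    # ... becomes the parent of a hidden, encoded PowerShell
    ProcEvent(datetime(2019, 7, 1, 9, 0, 3), "pos-vdi-07", 4188, 4102,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"),
    # benign: an admin runs PowerShell interactively (parent not in telemetry)
    ProcEvent(datetime(2019, 7, 1, 9, 5, 0), "admin-ws-01", 5200, 5100,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Service"),
    # benign-looking: management agent spawns a script via WMI, no HTA on host
    ProcEvent(datetime(2019, 7, 1, 9, 6, 0), "hr-ws-02", 6300, 6200,
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),
    ProcEvent(datetime(2019, 7, 1, 9, 6, 1), "hr-ws-02", 6310, 6300,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -File C:\\ProgramData\\inventory.ps1"),
]

# Generic launcher-style arguments (hidden window, encoded or download cradle).
SUSPICIOUS_PS_ARGS = re.compile(
    r"(-enc\w*\s|-e\s|downloadstring|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden)",
    re.I,
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_wmi_powershell_chains(events, window=timedelta(minutes=5), min_score=3):
    """Return (host, mshta_pid_or_None, powershell_pid, score) for each
    WMI-spawned PowerShell scoring at least min_score.

    Scoring: +1 powershell.exe parented by WmiPrvSE.exe, +1 launcher-style
    arguments, +2 an mshta.exe .hta execution on the same host within
    `window` before it. PID reuse is ignored here; a production rule should
    key on process GUIDs rather than raw PIDs.
    """
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)

    hits = []
    for host, evs in by_host.items():
        procs = {e.pid: e for e in evs}
        htas = [e for e in evs
                if basename(e.image) == "mshta.exe" and ".hta" in e.cmdline.lower()]
        for e in sorted(evs, key=lambda x: x.ts):
            if basename(e.image) != "powershell.exe":
                continue
            parent = procs.get(e.ppid)
            if parent is None or basename(parent.image) != "wmiprvse.exe":
                continue
            score = 1
            if SUSPICIOUS_PS_ARGS.search(e.cmdline):
                score += 1
            preceding = [h for h in htas if timedelta(0) <= (e.ts - h.ts) <= window]
            if preceding:
                score += 2
            if score >= min_score:
                hits.append((host, preceding[0].pid if preceding else None, e.pid, score))
    return hits


if __name__ == "__main__":
    for hit in find_wmi_powershell_chains(SAMPLE_EVENTS):
        print("host=%s mshta_pid=%s powershell_pid=%s score=%d" % hit)
```

With the default threshold only the POS host is reported (score 4); lowering `min_score` to 1 also surfaces the hr-ws-02 WMI-spawned script, which is the kind of management-agent activity a rule keyed on parent process alone would flag, so the HTA correlation and argument check are what keep the alert volume usable.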

