The threat group Fin6 has been connected to a string of point-of-sale attacks against VMWare Horizon thin clients.
The security firm
Morphisec Labs reported the attacks have been taking place for eight to 10 weeks with a particular spike on Feb. 6 that saw numerous attempted downloads of the Cobalt Strike backdoor.
Morphisec has tentatively connected the attacks to
Fin6, although it noted there are some indicators the EmpireMonkey group could also be involved.
“Based on the initial indicators, we identified FrameworkPOS scraping malware installed on some of the thin clients, after initializing PowerShell/WMI stages that downloaded and reflectively loaded Cobalt-Strike beacon with PowerShell extension directly into the memory,” the report said.
Among the targets so far identified are those in the finance, health care and insurance sectors, located primarily in the United States, Japan and India.
Cobalt Strike is a particularly dangerous payload as it can give attackers full control over the targeted computer along with the ability to move laterally within the host system. The malware can harvest user credentials, execute code and evade EDR scanning techniques.
