Security firm FireEye has released new research around a financially motivated threat group targeting credit card data by using sophisticated malware executed before an operating system boots.
First identified by Mandiant Consulting in September, the technique infects lower-level system components, making detection difficult, while the malware’s installation location also means it persists through the most common method for eradicating malware: reinstalling the operating system.
FireEye has pinpointed FIN1 as the financially motivated threat group. Suspected of having ties to Russia, FIN1 has been responsible for compromising and stealing data at organizations specializing in financial services such as banks, credit unions, ATM operations, financial transaction processing, and financial business services. This group compromises organizations with the purpose of quickly obtaining information that is easily monetized, including payment card numbers, track data, ATM PIN numbers, and cardholder names and addresses.
FireEye identified the group’s activity during a recent investigation at an organization in the financial industry. We identified the presence of a financially motivated threat group that we track as FIN1, whose activity at the organization dated back several years.
The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developers, and used this malware to access the victim environment and steal cardholder data.