Researchers from cybersecurity firm Anomali say with “moderate confidence” that the attacks were carried out by a threat actor known as FIN7, an Eastern European, financially motivated group.
FIN7, which has been active since 2015 and specializes in financial exploitation, has a history of targeting restaurant, gambling, and hospitality establishments in the US to steal and later sell sensitive information such as credit and debit card details.
FIN7 has also been associated with Carbanak, which is a group that mainly focuses on banking institutions.
Besides trying to evade detection by padding the code with junk data, the script terminates itself if it detects a virtualized environment. It also exits when it finds Russian, Ukrainian, or several other Eastern European languages configured on the system.
The attribution to FIN7 is based on overlaps in the attackers' techniques and victimology.
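The three evasion traits just described (junk padding, a virtual-machine check, and a system-language check) are also useful triage signals for a defender. The following Python script is an added example, not code from the researchers or from the sample they analysed: it scores a script file on those three traits using only generic, well-known API names and the real Windows language IDs for Russian (0x419 / 1049) and Ukrainian (0x422 / 1058). The two input scripts embedded at the bottom are constructed for illustration; the names, thresholds and the "two of three indicators" rule are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Added example: a static triage heuristic for scripts that show the three evasion
# traits described in the article (junk padding, VM checks, language/locale checks).
# The patterns are generic, well-known API names and Windows language IDs
# (0x419 / 1049 = Russian, 0x422 / 1058 = Ukrainian); nothing here is taken from
# the actual sample the researchers analysed.
LANGUAGE_CHECK_PATTERNS = [
    r"GetUserDefaultUILanguage", r"GetSystemDefaultLCID", r"GetUserDefaultLCID",
    r"Get-Culture", r"Get-WinSystemLocale", r"Get-WinUserLanguageList",
    r"\b0x0?419\b", r"\b0x0?422\b", r"\b1049\b", r"\b1058\b",
    r"\bru-RU\b", r"\buk-UA\b",
]
VM_CHECK_PATTERNS = [
    r"VMware", r"VirtualBox", r"\bVBOX\b", r"QEMU", r"Hyper-V",
    r"Win32_ComputerSystem", r"SystemBiosVersion",
]

# Assignment at the start of a line (JS / VBScript / PowerShell styles); `=(?!=)`
# keeps comparisons such as `x == 1` from being mistaken for assignments.
ASSIGN_RE = re.compile(
    r"^\s*(?:var|let|const|Dim)?\s*\$?([A-Za-z_]\w*)\s*=(?!=)", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*(//|#|'|REM\b|/\*)", re.IGNORECASE)


def junk_ratio(script: str) -> float:
    """Fraction of non-blank lines that are comments or assign a name never read again."""
    lines = [ln for ln in script.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    assigned: dict[str, list[int]] = {}
    junk: set[int] = set()
    for i, line in enumerate(lines):
        if COMMENT_RE.match(line):
            junk.add(i)
            continue
        m = ASSIGN_RE.match(line)
        if m:
            assigned.setdefault(m.group(1), []).append(i)
    for name, idxs in assigned.items():
        pattern = re.compile(r"\b" + re.escape(name) + r"\b")
        mentions = sum(len(pattern.findall(ln)) for ln in lines)
        # Mentioned only on its own assignment lines: dead padding.
        if mentions == len(idxs):
            junk.update(idxs)
    return len(junk) / len(lines)


def find_hits(patterns, script: str) -> list:
    """Distinct matched strings, sorted so results are stable for comparison."""
    return sorted({m.group(0) for p in patterns for m in re.finditer(p, script)})


@dataclass
class Verdict:
    language_hits: list
    vm_hits: list
    junk_ratio: float
    score: int          # how many of the three indicators fired (0..3)
    suspicious: bool    # assumption of this example: two or more indicators together


def assess(script: str, junk_threshold: float = 0.4) -> Verdict:
    lang = find_hits(LANGUAGE_CHECK_PATTERNS, script)
    vm = find_hits(VM_CHECK_PATTERNS, script)
    jr = junk_ratio(script)
    score = int(bool(lang)) + int(bool(vm)) + int(jr >= junk_threshold)
    return Verdict(lang, vm, jr, score, score >= 2)


# Constructed sample that mimics the traits described in the article; it is not
# the real script.
SUSPICIOUS_SAMPLE = """\
# constructed sample, not the real malware
$q1 = "kjh23kjh23kjh23"
$q2 = "oi3j4oi3j4oi3j"
$q3 = "zzzzzzzzzz"
$q4 = "aaaaaaaaaa"
$q5 = "pppppppppp"
$q6 = "mmmmmmmmmm"
$lcid = (Get-Culture).LCID
if ($lcid -eq 1049 -or $lcid -eq 1058) { exit }
$mfr = (Get-WmiObject Win32_ComputerSystem).Manufacturer
if ($mfr -match "VMware|VirtualBox") { exit }
Write-Output "payload would run here"
"""

# Constructed benign script for comparison.
BENIGN_SAMPLE = """\
$path = Join-Path $env:TEMP "report.txt"
Get-Process | Out-File $path
Write-Output $path
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        v = assess(sample)
        print(f"{label}: score={v.score} junk={v.junk_ratio:.2f} "
              f"lang={v.language_hits} vm={v.vm_hits} suspicious={v.suspicious}")
```

Run stand-alone, the script prints a score for each embedded sample. The junk heuristic deliberately counts only names that are never read again, so ordinary scripts with real variables score near zero, while padding made of unused string assignments (the article's "junk data") pushes the ratio up; requiring two of the three indicators keeps a lone locale lookup in an installer from triggering on its own.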
“FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces,” the researchers said. “Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever.”