FIN7’s New Malware Targets NCR-made ATMs
The financially-motivated FIN7 group (aka Carbanak, Anunak and Cobalt) has added new tools that can hack into NCR-made ATMs. In recent campaigns, FIN7 deploys Boostwrite, an in-memory dropper that decrypts its embedded payloads only after retrieving an encryption key from a remote server, so the decrypted code is never written to disk. Boostwrite then drops the RDFsniffer module, which loads itself into NCR’s RDFClient process. From inside that process the malware can monitor or alter connections made with the RDF Client and inject commands into an active RDFClient session. Boostwrite also loads the multi-functional Carbanak backdoor, which has received minor alterations to evade traditional detection solutions.
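A defender-side detection sketch for the behaviour described above (a module loaded into the RDFClient process from an unexpected location). This is an added example, not code from the page or from the cited report; it assumes image-load telemetry in Sysmon-like key=value lines, a process name of RDFClient.exe, an install directory of C:\Program Files\NCR\RDFClient, and signed first-party modules. All sample events and file names are constructed.

```python
"""Flag modules loaded into the RDFClient process that are unsigned or
live outside the expected install directory or System32.
Assumptions (not from the page): process name, install path, and that
telemetry is available as 'Image=..|ImageLoaded=..|Signed=..' lines."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

TARGET_IMAGE = "rdfclient.exe"  # process the page says RDFsniffer loads into
EXPECTED_DIR = PureWindowsPath(r"C:\Program Files\NCR\RDFClient")  # assumed
SYSTEM_DIR = r"c:\windows\system32"


@dataclass
class ImageLoad:
    process: str
    module: str
    signed: bool


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' image-load event."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ImageLoad(fields["Image"], fields["ImageLoaded"],
                     fields["Signed"].lower() == "true")


def is_suspicious(ev: ImageLoad) -> bool:
    """Only RDFClient loads are in scope; anything unsigned or from an
    unexpected directory is flagged for analyst review."""
    if PureWindowsPath(ev.process).name.lower() != TARGET_IMAGE:
        return False
    parent = str(PureWindowsPath(ev.module).parent).lower()
    expected = parent == str(EXPECTED_DIR).lower() or parent.startswith(SYSTEM_DIR)
    return (not ev.signed) or (not expected)


def find_suspicious(lines):
    """Return the module paths of all suspicious loads, in input order."""
    return [ev.module for ev in map(parse_event, lines) if is_suspicious(ev)]


SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    r"Image=C:\Program Files\NCR\RDFClient\RDFClient.exe|ImageLoaded=C:\Windows\System32\ws2_32.dll|Signed=true",
    r"Image=C:\Program Files\NCR\RDFClient\RDFClient.exe|ImageLoaded=C:\Program Files\NCR\RDFClient\client.dll|Signed=true",
    r"Image=C:\Program Files\NCR\RDFClient\RDFClient.exe|ImageLoaded=C:\Users\Public\hostsvc.dll|Signed=false",
    r"Image=C:\Windows\explorer.exe|ImageLoaded=C:\Users\Public\hostsvc.dll|Signed=false",
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_EVENTS))
```

A payload that is decrypted and mapped purely in memory may never produce an image-load event, so this check should be paired with memory scanning or behavioural telemetry rather than relied on alone.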
References: Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques