{
	"id": "46e4df0e-65cc-44af-981a-2f1ef0ae7533",
	"created_at": "2026-04-06T00:10:16.630683Z",
	"updated_at": "2026-04-10T03:36:16.827312Z",
	"deleted_at": null,
	"sha1_hash": "fdaed5df98d641761fea25bf8a8ac83aaf257a7c",
	"title": "Prolific Cybercrime Gang Favors Legit Login Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 121055,
	"plain_text": "Prolific Cybercrime Gang Favors Legit Login Credentials\r\nBy Kelly Jackson Higgins\r\nPublished: 2015-10-13 · Archived: 2026-04-05 13:18:25 UTC\r\nFIREEYE CYBER DEFENSE SUMMIT -- Washington, D.C. -- No 0days. No spearphishing, either: The\r\ncybercriminal group tied to numerous payment card breaches including Goodwill and best known by its so-called\r\n\"RawPOS\" malware employed legitimate user credentials to access its targets' networks.\r\nResearchers at FireEye here today shared their recent findings on this prolific and long-running cybercrime gang\r\nthat has been the subject of multiple Visa security alerts to merchants. The RawPOS memory scraper malware has\r\nbeen infecting the lodging industry in epidemic proportions over the past year, and is considered one of the first\r\nmemory scrapers to target point-of-sale systems.\r\nFireEye has dubbed the cybercrime gang FIN5. \"One of the most unique things about FIN5 is that in every\r\nintrusion we responded to where FIN5 has been active, legitimate access was identified. They had valid user\r\ncredentials to remotely log into the network,\" said Barry Vengerik, principal threat analyst at FireEye. \"No sexy\r\nzero-days, no remote exploits -- not even spearphishing. They had credentials from somewhere.\"\r\nFIN5, which earlier this year was profiled by researchers at Trend Micro and has been in action since at least\r\n2008, uses real credentials from the victim organization's virtual private network, Remote Desktop Protocol,\r\nCitrix, or VNC. Vengerik says the attackers got those credentials via third parties associated with the victims' POS\r\nsystems.\r\n\"Most of the maintenance and administration of POS systems are done by a third party -- the maintenance,\r\npatching, troubleshooting\" is done remotely via those credentials, he said.  
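The practitioner's check that follows from the access pattern described above, shown as an added example that is not code from the article or from FireEye: given normalised remote-access logon records (VPN, RDP, Citrix, VNC), flag any third-party POS maintenance account that connects from a source network it was never granted, or outside its agreed maintenance window. The account names, source networks, windows and sample events are hypothetical, constructed for this example.

```python
# Added example (not code from the article or from FireEye): flag remote
# logons by third-party POS maintenance accounts that fall outside the
# access the vendor was actually granted. Account names, networks, windows
# and the sample events below are hypothetical.
from datetime import datetime, time
import ipaddress

# Hypothetical inventory: for each vendor account, the source networks it may
# connect from and the maintenance window (local time) it may connect during.
VENDOR_ACCOUNTS = {
    'svc_posvendor': {'allowed_src': ['203.0.113.0/24'], 'window': (time(1, 0), time(5, 0))},
    'acme_support': {'allowed_src': ['198.51.100.0/24'], 'window': (time(22, 0), time(6, 0))},
}

# Constructed sample of remote-access logon records, normalised to one shape
# regardless of which gateway (VPN, RDP, Citrix, VNC) produced them.
SAMPLE_EVENTS = [
    {'ts': '2015-10-12T02:30:00', 'user': 'svc_posvendor', 'src_ip': '203.0.113.10', 'service': 'vpn'},
    {'ts': '2015-10-12T14:05:00', 'user': 'svc_posvendor', 'src_ip': '203.0.113.10', 'service': 'rdp'},
    {'ts': '2015-10-13T23:10:00', 'user': 'acme_support', 'src_ip': '192.0.2.77', 'service': 'vpn'},
    {'ts': '2015-10-14T03:00:00', 'user': 'acme_support', 'src_ip': '198.51.100.5', 'service': 'citrix'},
    {'ts': '2015-10-14T09:15:00', 'user': 'jdoe', 'src_ip': '192.0.2.20', 'service': 'vpn'},
]


def in_window(t, start, end):
    # Maintenance windows that cross midnight (22:00 to 06:00) wrap around.
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def source_allowed(src_ip, cidrs):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def flag_remote_logons(events, inventory=VENDOR_ACCOUNTS):
    # Returns one alert per vendor-account logon that breaks its grant.
    # Accounts missing from the inventory are skipped: employee remote access
    # needs its own baseline and is out of scope for this check.
    alerts = []
    for ev in events:
        grant = inventory.get(ev['user'])
        if grant is None:
            continue
        reasons = []
        if not source_allowed(ev['src_ip'], grant['allowed_src']):
            reasons.append('unexpected_source')
        ts = datetime.fromisoformat(ev['ts'])
        if not in_window(ts.time(), *grant['window']):
            reasons.append('outside_window')
        if reasons:
            alerts.append({'user': ev['user'], 'ts': ev['ts'], 'src_ip': ev['src_ip'],
                           'service': ev['service'], 'reasons': reasons})
    return alerts


if __name__ == '__main__':
    for a in flag_remote_logons(SAMPLE_EVENTS):
        print(a['ts'], a['user'], a['service'], a['src_ip'], ','.join(a['reasons']))
```

Run as a script it prints the two flagged logons: the vendor RDP session at 14:05 (outside its 01:00 to 05:00 window) and the acme_support VPN session from a network it was never granted. The check is deliberately silent about a vendor's real credentials used from the right network during the right window, which is the case the article describes, so it belongs alongside per-session MFA on the gateway and a periodic review of which customer environments each processor or maintenance account can actually reach.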
\r\n\"FIN5 maintained access to two or more payment processor networks primarily for the goal of logging into and\r\naccessing their customers' environments,\" he said. \"It's a textbook case of a lateral compromise between\r\ncompanies based on trust.\"\r\nFireEye last year investigated a massive breach at a casino hotel with 1,200 endpoints that suffered losses to more\r\nthan 150,000 payment cards. Vengerik declined to name the hotel.\r\nThe casino attackers used a stolen VPN account to gain access, said Emmanuel Jean-Georges, senior consultant\r\nwith FireEye's Mandiant.\r\nFIN5 uses a tool called GET2 Penetrator, a brute-force scanning tool that looks for remote login and hard-coded\r\ncredentials, as well as a free tool called EssentialNet that scans the victim's network to give the attackers \"the lay\r\nof the land,\" Vengerik said.\r\nRawPOS pulls information from a POS system's memory. The malware includes several components, FireEye\r\nfound: Duebrew, which ensures the malware remains on the infected Windows machine, even when it gets\r\nrebooted; Fiendcry, a memory scraper that grabs the payment card data; Driftwood, which encodes the stolen\r\npayment card information to hide it from analysis tools.\r\nAnother unusual feature of FIN5's operation is that the malware code is \"well-commented,\" Vengerik said. \"That's\r\nincredibly rare in malware, the author taking time to comment on the code and to show what section of code is\r\ndoing what,\" he said. It's like a secure development lifecycle approach, he noted.\r\nThe release notes for the Driftwood code are written in an older Russian language character set, the researchers\r\nshowed.\r\nWhy would the malware author actively comment on the code? 
\"It points to a possible ecosystem -- for\r\nadvertising or support\" of the malware as a product, Vengerik told Dark Reading.\r\nFireEye says the attackers first target the Active Directory to get to the card data, and use tools such as Windows\r\nCredentials Editor in their quest for legit credentials. They also created several custom tools for covering their\r\ntracks and cleaning up any traces of the malware, as well as proxy tools for accessing segregated network\r\nsegments.\r\n\"They also encoded hard kill-times into most of their malware for a hard end date\" of the attack, he said.\r\nTrend Micro earlier this year noted how RawPOS was able to evolve to target various types of POS software.\r\n\"Aside from being multi-component, RawPOS is notable for its support for multiple PoS software. Since business\r\nestablishments would have different PoS software, attackers have modified RawPOS’ code to support multiple\r\nPoS software over time,\" Trend Micro researchers wrote in a blog post in late April.\r\nMeanwhile, FireEye today also announced that it has partnered with Visa Inc. to power a new threat intelligence\r\nservice for merchants and card issuers. The so-called Visa Threat Intelligence service is the first product under a\r\nnewly forged partnership between Visa and FireEye.\r\n\"We want to offer faster, actionable intelligence to our constituents,\" said Mark Nelson, senior vice president of\r\nrisk products at Visa.\r\nAbout the Author\r\nEditor-in-Chief, Dark Reading\r\nKelly Jackson Higgins is the Editor-in-Chief of Dark Reading and VP, cybersecurity editorial at Informa\r\nTechTarget, where she leads editorial strategy for the company's three cybersecurity media brands: Dark Reading,\r\nSearchSecurity and Cybersecurity Dive. 
She is an award-winning veteran technology and business journalist with\r\nthree decades of experience in reporting and editing for various technology and business publications and major\r\nmedia properties. Jackson Higgins was selected three consecutive times as one of the Top 10 Cybersecurity\r\nJournalists in the U.S., and was named as one of Folio's 2019 Top Women in Media. She has been with Dark\r\nReading since its launch in 2006.\r\nSource: https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645"
	],
	"report_names": [
		"1322645"
	],
	"threat_actors": [
		{
			"id": "fa3bc740-8ffc-4a49-a78f-e1f6d0d85c2b",
			"created_at": "2022-10-25T15:50:23.528058Z",
			"updated_at": "2026-04-10T02:00:05.374772Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"FIN5"
			],
			"source_name": "MITRE:FIN5",
			"tools": [
				"Windows Credential Editor",
				"PsExec",
				"FLIPSIDE",
				"pwdump",
				"SDelete",
				"RawPOS"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7e5e725c-4de5-4e14-a702-d84d23d973e9",
			"created_at": "2023-01-06T13:46:38.965779Z",
			"updated_at": "2026-04-10T02:00:03.165531Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "MISPGALAXY:FIN5",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "820ea41f-a798-4eb9-b296-530b784c1adc",
			"created_at": "2022-10-25T16:07:23.613805Z",
			"updated_at": "2026-04-10T02:00:04.688029Z",
			"deleted_at": null,
			"main_name": "FIN5",
			"aliases": [
				"G0053"
			],
			"source_name": "ETDA:FIN5",
			"tools": [
				"DRIFTWOOD",
				"DUEBREW",
				"FIENDCRY",
				"FLIPSIDE",
				"RawPOS",
				"SDelete",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434216,
	"ts_updated_at": 1775792176,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fdaed5df98d641761fea25bf8a8ac83aaf257a7c.pdf",
		"text": "https://archive.orkl.eu/fdaed5df98d641761fea25bf8a8ac83aaf257a7c.txt",
		"img": "https://archive.orkl.eu/fdaed5df98d641761fea25bf8a8ac83aaf257a7c.jpg"
	}
}