The attacks, which are believed to have taken place between late June to late July 2021, have been attributed with "moderate confidence" to a financially motivated threat actor dubbed FIN7, according to researchers from cybersecurity firm Anomali.
An Eastern European group active since at least mid-2015, FIN7 has a checkered history of targeting restaurant, gambling, and hospitality industries in the U.S. to plunder financial information such as credit and debit card numbers that were then used or sold for profit on underground marketplaces.
Although multiple members of the collective have been imprisoned for their roles in different campaigns since the start of the year, FIN7's activities have also been tied to another group called Carbanak, given its similar TTPs, with the main distinction being that while FIN7 focuses on hospitality and retail sectors, Carbanak has singled out banking institutions.
Besides taking several steps to try to impede analysis by populating the code with junk data, the VB script also checks if it is running under a virtualized environment such as VirtualBox and VMWare, and if so, terminates itself, in addition to stopping the infection chain upon detecting Russian, Ukrainian, or several other Eastern European languages.
"FIN7 is one of the most notorious financially motivated groups due to the large amounts of sensitive data they have stolen through numerous techniques and attack surfaces," the researchers said. "Things have been turbulent for the threat group over the past few years as with success and notoriety comes the ever-watchful eye of the authorities. Despite high-profile arrests and sentencing, including alleged higher-ranking members, the group continues to be as active as ever."