Cyber Incident Victim: NCR Corporation
Date: Oct 2019
Location: United States of America
Summary
The FIN7 hacking group deployed new malware tools against an ATM manufacturer, utilizing the BOOSTWRITE loader to inject payloads directly into memory without file system interaction. This loader delivered the Carbanak backdoor and the RDFSNIFFER module, which hijacked the victim's legitimate remote administration software to enable command injection, file manipulation, and man-in-the-middle attacks through compromised authentication sessions. The intrusion facilitated unauthorized remote access, data exfiltration, and system control, demonstrating FIN7's continued adaptation despite prior law enforcement disruptions.
Description
On October 11, 2019, cybersecurity researchers from FireEye’s Mandiant group disclosed that the financially motivated threat group FIN7 had deployed new malware tools targeting NCR Corporation’s remote administration software. The attack involved a multi-stage infection process beginning with BOOSTWRITE, a newly identified in-memory malware loader designed to decrypt and execute payloads without writing files to disk. BOOSTWRITE utilized DLL search order hijacking to load malicious DLLs into system memory, then contacted command-and-control servers to retrieve initialization vectors and decryption keys necessary to unlock embedded payloads. Upon successful decryption and validation, the loader injected payloads directly into memory, evading traditional file-based detection mechanisms. Mandiant observed BOOSTWRITE delivering two payloads: the established Carbanak backdoor, historically linked to FIN7’s banking theft operations, and a newly discovered remote access trojan (RAT) module dubbed RDFSNIFFER.

The RDFSNIFFER payload specifically targeted NCR’s Aloha Command Center Client by injecting itself into the legitimate RDFClient process whenever the application executed on compromised systems. This technique enabled FIN7 operators to hijack authenticated two-factor authentication (2FA) sessions, monitor communications, and alter connections through man-in-the-middle attacks. The malware’s backdoor functionality allowed attackers to upload, download, execute, or delete arbitrary files during active RDFClient sessions. FIN7’s choice of NCR—a major provider of ATM and point-of-sale (PoS) systems—aligned with their historical focus on financial infrastructure, though the exact scope of compromised systems or data exfiltration was not detailed in the disclosure. Despite law enforcement arrests of some FIN7 members in 2018, Mandiant confirmed the group’s continued operations through consistent tactics, tools, and procedures (TTPs), including this campaign. No remediation actions by NCR or affected entities were described in the report. The incident underscored FIN7’s adaptability in refining malware to exploit trusted enterprise software for persistent network access.
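The loader stage described above relies on DLL search order hijacking: a legitimate application resolves a DLL by name and picks up a copy planted in its own directory instead of the Windows system copy. From a detection standpoint that leaves a recognisable trace in image-load telemetry, so the following added example (not code from the Mandiant report, NCR, or any of the tools named on the page) shows a small triage heuristic over constructed Sysmon-style image-load records. The log line format, the baseline set of system DLL names, and the sample paths are all assumptions made for the example; the report itself does not list which DLL name the loader masqueraded as, and nothing here is drawn from it.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Constructed baseline of DLL names that normally resolve from the Windows
# system directory. This set is an assumption for the example; in practice it
# would be built from an inventory of System32 on a clean reference host.
SYSTEM_DLL_BASELINE = {"dwrite.dll", "version.dll", "cryptbase.dll", "uxtheme.dll"}
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Assumed log format (constructed): one image-load event per line, in the
# style of a Sysmon Event ID 7 record flattened to key="value" pairs.
LINE_RE = re.compile(
    r'image="(?P<image>[^"]+)"\s+loaded="(?P<loaded>[^"]+)"\s+signed=(?P<signed>true|false)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ImageLoad:
    image: str    # executable that performed the load
    loaded: str   # full path of the DLL that was mapped
    signed: bool  # whether the module carried a valid Authenticode signature


def parse_line(line: str) -> Optional[ImageLoad]:
    """Parse one event line; return None for lines that do not match the format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return ImageLoad(m["image"], m["loaded"], m["signed"].lower() == "true")


def in_system_dir(path: str) -> bool:
    """True if the path is under one of the Windows system directories."""
    return path.lower().startswith(SYSTEM_DIR_PREFIXES)


def hijack_indicators(ev: ImageLoad) -> List[str]:
    """Reasons this load looks like search-order hijacking (empty list = benign)."""
    reasons: List[str] = []
    name = PureWindowsPath(ev.loaded).name.lower()
    # The core signal: a DLL whose name belongs to a system library was
    # resolved from somewhere other than the system directory.
    if name in SYSTEM_DLL_BASELINE and not in_system_dir(ev.loaded):
        reasons.append("system DLL name resolved outside the system directory")
        # Corroborating signals that raise confidence for an analyst.
        if PureWindowsPath(ev.loaded).parent == PureWindowsPath(ev.image).parent:
            reasons.append("module sits in the host application's own directory")
        if not ev.signed:
            reasons.append("module is unsigned")
    return reasons


def triage(lines) -> List[Tuple[ImageLoad, List[str]]]:
    """Run the heuristic over raw log lines and return only the flagged loads."""
    flagged = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated or malformed event; skip it
        reasons = hijack_indicators(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed sample telemetry for the example (not real NCR or FIN7 data).
SAMPLE_EVENTS = [
    r'image="C:\Program Files\VendorApp\client.exe" loaded="C:\Windows\System32\dwrite.dll" signed=true',
    r'image="C:\Program Files\VendorApp\client.exe" loaded="C:\Program Files\VendorApp\dwrite.dll" signed=false',
    r'image="C:\Program Files\VendorApp\client.exe" loaded="C:\Program Files\VendorApp\vendorcore.dll" signed=true',
    "ProcessCreate image=... (unrelated event type, ignored by the parser)",
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(f"{ev.image} loaded {ev.loaded}: " + "; ".join(reasons))
```

Only the second sample line is flagged: a baseline system DLL name resolved from the application directory, unsigned. The first line is the normal case (same name, but from System32) and the third is a vendor DLL that legitimately lives next to its executable, which is why the heuristic keys on the baseline name rather than on "any DLL outside System32". In a real deployment the baseline would come from a clean host inventory and the alert would be enriched with the module hash and the parent process chain before an analyst acts on it.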
