Researchers have uncovered an ongoing campaign against retail VMware Horizon Point-of-Sale (PoS) thin clients.
The new attack wave, which has been underway for the past eight to ten weeks, is attempting to spread Cobalt Strike, a legitimate penetration testing tool that has also, unfortunately, been adopted in recent years by threat actors.
According to researchers from Morphisec, Cobalt Strike — used in tandem with malicious payloads — can hijack systems, execute code, and harvest credentials, and it is also able to circumvent EDR scanning.
The pen testing tool is being used in attempts to infiltrate PoS systems and deploy FrameworkPOS scraping malware, which harvests customers' credit card information by reading it from system memory. Data scraped by this malware is compressed into ZIP archives and transferred to command-and-control (C2) servers.