The group is using the More_eggs JScript backdoor to anchor its attack.
https://threatpost.com/fin6-target-ecommerce/147847/