FIN6
Associated Group Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1134 | Access Token Manipulation | FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.[2] | |
| Enterprise | T1087 | .002 | Account Discovery:Domain Account | FIN6 has used Metasploit’sPsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1] |
| Enterprise | T1560 | Archive Collected Data | Following data collection,FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1] | |
| .003 | Archive via Custom Method | FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.[1][7] | ||
| Enterprise | T1119 | Automated Collection | FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.[1][7] | |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution:Registry Run Keys / Startup Folder | FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1] |
| Enterprise | T1110 | .002 | Brute Force:Password Cracking | FIN6 has extracted password hashes from ntds.dit to crack offline.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter | FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1][2] | |
| .001 | PowerShell | FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1][2][8] | ||
| .003 | Windows Command Shell | |||
| .007 | JavaScript | FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.[7] | ||
| Enterprise | T1555 | Credentials from Password Stores | FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[8] | |
| .003 | Credentials from Web Browsers | FIN6 has used the Stealer One credential stealer to target web browsers.[8] | ||
| Enterprise | T1213 | .006 | Data from Information Repositories:Databases | FIN6 has collected schemas and user accounts from systems running SQL Server.[8] |
| Enterprise | T1005 | Data from Local System | FIN6 has collected and exfiltrated payment card data from compromised systems.[7][9][10] | |
| Enterprise | T1074 | .002 | Data Staged:Remote Data Staging | FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[1] |
| Enterprise | T1573 | .002 | Encrypted Channel:Asymmetric Cryptography | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1] |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol:Exfiltration Over Unencrypted Non-C2 Protocol | FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.[7] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[1] | |
| Enterprise | T1562 | .001 | Impair Defenses:Disable or Modify Tools | FIN6 has deployed a utility script named |
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | |
| Enterprise | T1036 | .004 | Masquerading:Masquerade Task or Service | FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[2] |
| Enterprise | T1046 | Network Service Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1] | |
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1027 | .010 | Obfuscated Files or Information:Command Obfuscation | |
| Enterprise | T1588 | .002 | Obtain Capabilities:Tool | FIN6 has obtained and used tools such asMimikatz,Cobalt Strike, andAdFind.[4][2] |
| Enterprise | T1003 | .001 | OS Credential Dumping:LSASS Memory | FIN6 has usedWindows Credential Editor for credential dumping.[1][2] |
| .003 | OS Credential Dumping:NTDS | FIN6 has used Metasploit’sPsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1][2] | ||
| Enterprise | T1566 | .001 | Phishing:Spearphishing Attachment | FIN6 has targeted victims with e-mails containing malicious attachments.[8] |
| .003 | Phishing:Spearphishing via Service | FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[4] | ||
| Enterprise | T1572 | Protocol Tunneling | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1] | |
| Enterprise | T1021 | .001 | Remote Services:Remote Desktop Protocol | |
| Enterprise | T1018 | Remote System Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1] | |
| Enterprise | T1053 | .005 | Scheduled Task/Job:Scheduled Task | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD andFrameworkPOS.[1] |
| Enterprise | T1553 | .002 | Subvert Trust Controls:Code Signing | |
| Enterprise | T1569 | .002 | System Services:Service Execution | FIN6 has created Windows services to execute encoded PowerShell commands.[2] |
| Enterprise | T1204 | .002 | User Execution:Malicious File | FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[8] |
| Enterprise | T1078 | Valid Accounts | To move laterally on a victim network,FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1][2][8] | |
| Enterprise | T1102 | Web Service | FIN6 has used Pastebin and Google Storage to host content for their operations.[2] | |
| Enterprise | T1047 | Windows Management Instrumentation | FIN6 has used WMI to automate the remote execution of PowerShell scripts.[4] | |
Software
References
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.
- Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
- Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
- Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
- Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
- Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.