FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.^[1]^[2]^[3]

ID: G0053

Contributors: Walker Johnson

Version: 1.2

Created: 16 January 2018

Last Modified: 25 April 2025

Version Permalink

Live Version

Enterprise Layer

download view

Techniques Used

Domain	ID		Name	Use
Enterprise	T1119		Automated Collection	FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.^[2]
Enterprise	T1110		Brute Force	FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.^[3]^[2]
Enterprise	T1059		Command and Scripting Interpreter	FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.^[2]
Enterprise	T1074	.001	Data Staged:Local Data Staging	FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.^[2]
Enterprise	T1133		External Remote Services	FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.^[1]^[3]^[2]
Enterprise	T1070	.001	Indicator Removal:Clear Windows Event Logs	FIN5 has cleared event logs from victims.^[2]
		.004	Indicator Removal:File Deletion	FIN5 usesSDelete to clean up the environment and attempt to prevent detection.^[2]
Enterprise	T1588	.002	Obtain Capabilities:Tool	FIN5 has obtained and used a customized version ofPsExec, as well as use other tools such aspwdump,SDelete, andWindows Credential Editor.^[2]
Enterprise	T1090	.002	Proxy:External Proxy	FIN5 maintains access to victim environments by usingFLIPSIDE to create a proxy for a backup RDP tunnel.^[2]
Enterprise	T1018		Remote System Discovery	FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.^[2]
Enterprise	T1078		Valid Accounts	FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.^[1]^[3]^[2]

Software

ID	Name	References	Techniques
S0173	FLIPSIDE	^[2]	Protocol Tunneling
S0029	PsExec	FIN5 uses a customized version of PsExec.^[2]	Create Account:Domain Account,Create or Modify System Process:Windows Service,Lateral Tool Transfer,Remote Services:SMB/Windows Admin Shares,System Services:Service Execution
S0006	pwdump	^[2]	OS Credential Dumping:Security Account Manager
S0169	RawPOS	^[3]^[2]	Archive Collected Data:Archive via Custom Method,Create or Modify System Process:Windows Service,Data from Local System,Data Staged:Local Data Staging,Masquerading:Masquerade Task or Service
S0195	SDelete	^[2]	Data Destruction,Indicator Removal:File Deletion
S0005	Windows Credential Editor	^[3]^[2]	OS Credential Dumping:LSASS Memory

References

Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.

Movatterモバイル変換

FIN5

Enterprise Layer

Techniques Used

Software

References