
FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
ID: G0037
Associated Groups: Skeleton Spider, Magecart Group 6, ITG08
Version: 3.2
Created: 31 May 2017
Last Modified: 02 Jun 2022

Associated Group Descriptions

Name Description
Skeleton Spider (Citation: Crowdstrike Global Threat Report Feb 2018)
Magecart Group 6 (Citation: Security Intelligence ITG08 April 2020)
ITG08 (Citation: Security Intelligence More Eggs Aug 2019)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.(Citation: FireEye FIN6 April 2016)

Enterprise T1110 .002 Brute Force: Password Cracking

FIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FIN6 has used a kill.bat script to disable security tools.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

FIN6 has used the Stealer One credential stealer to target web browsers.(Citation: Visa FIN6 Feb 2019)

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 2016)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2019)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

FIN6 has deployed a utility script named kill.bat to disable anti-virus.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN6 has removed files from victim machines.(Citation: FireEye FIN6 April 2016)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN6 has used Windows Credential Editor for credential dumping.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1003 .003 OS Credential Dumping: NTDS

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN6 has used tools like AdFind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN6 has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019)

Enterprise T1566 .003 Phishing: Spearphishing via Service

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN6 used RDP to move laterally in victim networks.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.(Citation: FireEye FIN6 April 2016)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019)

Enterprise T1569 .002 System Services: Service Execution

FIN6 has created Windows services to execute encoded PowerShell commands.(Citation: FireEye FIN6 Apr 2019)

Enterprise T1204 .002 User Execution: Malicious File

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.(Citation: Visa FIN6 Feb 2019)
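The encoding described under T1560.003 above (single-byte XOR with 0xAA, then Base64 over a permuted alphabet) can be reversed when a staged file is recovered during an investigation. The following is an added example and not code from the page or from any FIN6 sample: the permuted alphabet, the encode helper (used only to build a fixture), and the sample record are constructed for illustration, and the page's separate substitution cipher is not modelled beyond the alphabet permutation.

```python
import base64
import string

# Standard Base64 alphabet. The permuted one below is an assumption made for
# this example (the real FIN6 table is not on the page); treat it as a parameter
# to be replaced with the table recovered from the sample under analysis.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
PERMUTED_ALPHABET = STD_ALPHABET[::-1]
XOR_KEY = 0xAA  # single-byte key stated in the technique description above


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so one helper serves both directions."""
    return bytes(b ^ key for b in data)


def encode_staged(data: bytes, alphabet: str = PERMUTED_ALPHABET) -> str:
    """Fixture builder: XOR, standard Base64, then swap in the permuted alphabet."""
    std = base64.b64encode(xor_bytes(data)).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


def decode_staged(blob: str, alphabet: str = PERMUTED_ALPHABET) -> bytes:
    """Reverse the encoding: un-permute to standard Base64, decode, un-XOR."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64 or "=" in alphabet:
        raise ValueError("alphabet must be 64 distinct symbols without the pad char")
    std = blob.translate(str.maketrans(alphabet, STD_ALPHABET))
    return xor_bytes(base64.b64decode(std, validate=True))


def looks_like_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """Triage check: the right alphabet and key yield mostly printable ASCII."""
    if not data:
        return False
    printable = sum(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)
    return printable / len(data) >= threshold


# Constructed sample record (not real card data), round-tripped for the reader.
SAMPLE = b"constructed staging record 0001\r\n"
if __name__ == "__main__":
    blob = encode_staged(SAMPLE)
    recovered = decode_staged(blob)
    print(blob, recovered, looks_like_plaintext(recovered))
```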

Software

ID Name References Techniques
S0503 FrameworkPOS (Citation: Crowdstrike Global Threat Report Feb 2018) (Citation: SentinelOne FrameworkPOS September 2019) (Citation: Trinity) (Citation: Visa FIN6 Feb 2019) Data from Local System, Exfiltration Over Alternative Protocol, Local Data Staging, Process Discovery, Archive via Custom Method
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: FireEye FIN6 April 2016) LSASS Memory
S0381 FlawedAmmyy (Citation: Proofpoint TA505 Mar 2018) (Citation: Visa FIN6 Feb 2019) Windows Command Shell, System Information Discovery, Keylogging, Commonly Used Port, System Owner/User Discovery, Windows Management Instrumentation, Registry Run Keys / Startup Folder, PowerShell, Security Software Discovery, Rundll32, Peripheral Device Discovery, Web Protocols, Exfiltration Over C2 Channel, Screen Capture, Ingress Tool Transfer, Input Capture, Symmetric Cryptography, Data from Local System, Clipboard Data, Data Obfuscation, Msiexec, File Deletion, Local Groups
S0372 LockerGoga (Citation: CarbonBlack LockerGoga 2019) (Citation: FireEye FIN6 Apr 2019) (Citation: Unit42 LockerGoga 2019) File Deletion, Disable or Modify Tools, Data Encrypted for Impact, System Shutdown/Reboot, Account Access Removal, Code Signing, Lateral Tool Transfer
S0446 Ryuk (Citation: Bleeping Computer - Ryuk WoL) (Citation: CrowdStrike Ryuk January 2019) (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) Obfuscated Files or Information, Disable or Modify Tools, Native API, Process Discovery, SMB/Windows Admin Shares, File and Directory Discovery, Inhibit System Recovery, System Language Discovery, Domain Accounts, Windows Command Shell, Match Legitimate Name or Location, Service Stop, Windows File and Directory Permissions Modification, Scheduled Task, System Information Discovery, Traffic Signaling, Data Encrypted for Impact, Process Injection, Masquerading, Registry Run Keys / Startup Folder, System Network Configuration Discovery, Access Token Manipulation
S0154 Cobalt Strike (Citation: cobaltstrike manual) (Citation: FireEye FIN6 Apr 2019) Domain Fronting, Sudo and Sudo Caching, Code Signing, Scheduled Transfer, JavaScript, Remote Desktop Protocol, Native API, Pass the Hash, Domain Accounts, Indicator Removal from Tools, Bypass User Account Control, System Network Configuration Discovery, Service Execution, PowerShell, Web Protocols, Application Layer Protocol, Data from Local System, Disable or Modify Tools, Dynamic-link Library Injection, Local Accounts, Multiband Communication, Keylogging, Distributed Component Object Model, Process Discovery, BITS Jobs, Process Hollowing, Software Discovery, Internal Proxy, Exploitation for Privilege Escalation, Screen Capture, Process Argument Spoofing, Modify Registry, Domain Groups, System Network Connections Discovery, Protocol Impersonation, Parent PID Spoofing, Token Impersonation/Theft, Protocol Tunneling, Windows Service, Visual Basic, Process Injection, System Service Discovery, Timestomp, SSH, File and Directory Discovery, DNS, Security Account Manager, Local Groups, Python, Reflective Code Loading, Remote System Discovery, LSASS Memory, Commonly Used Port, Query Registry, Domain Account, Data Transfer Size Limits, Network Service Discovery, Network Share Discovery, Asymmetric Cryptography, Windows Command Shell, Browser Session Hijacking, Deobfuscate/Decode Files or Information, Windows Management Instrumentation, Windows Remote Management, Symmetric Cryptography, Non-Application Layer Protocol, Standard Encoding, Ingress Tool Transfer, SMB/Windows Admin Shares, Rundll32, Make and Impersonate Token, Exploitation for Client Execution, Custom Command and Control Protocol, Office Template Macros, Obfuscated Files or Information
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Security Intelligence More Eggs Aug 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0284 More_eggs (Citation: Crowdstrike GTR2020 Mar 2020) (Citation: ESET EvilNum July 2020) (Citation: Security Intelligence More Eggs Aug 2019) (Citation: SKID) (Citation: SpicyOmelette) (Citation: Talos Cobalt Group July 2018) (Citation: Terra Loader) (Citation: Visa FIN6 Feb 2019) Ingress Tool Transfer, Internet Connection Discovery, Deobfuscate/Decode Files or Information, System Information Discovery, Web Protocols, Symmetric Cryptography, Windows Command Shell, Obfuscated Files or Information, File Deletion, System Network Configuration Discovery, Standard Encoding, Security Software Discovery, Code Signing, Regsvr32, System Owner/User Discovery
S0632 GrimAgent (Citation: Group IB GrimAgent July 2021) Registry Run Keys / Startup Folder, Windows Command Shell, Scheduled Task, Data from Local System, System Owner/User Discovery, Asymmetric Cryptography, File and Directory Discovery, Ingress Tool Transfer, System Network Configuration Discovery, Standard Encoding, Symmetric Cryptography, Native API, System Language Discovery, Time Based Evasion, System Location Discovery, Clear Persistence, Deobfuscate/Decode Files or Information, Junk Data, File Deletion, Obfuscated Files or Information, Web Protocols, System Information Discovery, Exfiltration Over C2 Channel, Binary Padding
S0449 Maze (Citation: FireEye Maze May 2020) (Citation: McAfee Maze March 2020) (Citation: Sophos Maze VM September 2020) Data Encrypted for Impact, Binary Padding, System Information Discovery, Registry Run Keys / Startup Folder, Masquerade Task or Service, System Language Discovery, System Network Connections Discovery, Run Virtual Instance, Dynamic-link Library Injection, System Shutdown/Reboot, Dynamic Resolution, Native API, Web Protocols, Windows Command Shell, Scheduled Task, Windows Management Instrumentation, Process Discovery, Indicator Removal, Disable or Modify Tools, Service Stop, Obfuscated Files or Information, Msiexec, Inhibit System Recovery
S0552 AdFind (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye Ryuk and Trickbot January 2019) (Citation: Red Canary Hospital Thwarted Ryuk October 2020) Domain Trust Discovery, Domain Groups, System Network Configuration Discovery, Remote System Discovery, Domain Account
S0029 PsExec (Citation: FireEye FIN6 Apr 2019) (Citation: FireEye FIN6 April 2016) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
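Several rows of the Techniques Used table above describe host activity that leaves records in standard Windows logging: the psexec service renamed to mstdc (T1036.004), a service whose image path runs encoded PowerShell (T1569.002), kill.bat (T1562.001), command lines touching ntds.dit (T1003.003), plink.exe (T1573.002) and Run key writes (T1547.001). The triage script below is an added example, not code from the page or from any vendor; it runs simple rules over constructed event records whose field names are this example's own, simplified from Windows System/Security event fields.

```python
import re

# Constructed sample events (not real telemetry). Shape loosely follows Windows
# logs: 7045 = service installed, 4688 = process created, 4657 = registry value
# modified. Field names are simplified for this example.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "POS-01", "service_name": "mstdc",
     "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"event_id": 7045, "host": "DC-01", "service_name": "svc_updater",
     "image_path": "cmd.exe /c powershell.exe -nop -w hidden -EncodedCommand <BASE64_PLACEHOLDER>"},
    {"event_id": 4688, "host": "POS-02", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Temp\kill.bat"},
    {"event_id": 4688, "host": "DC-01", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Temp\out.dit"},
    {"event_id": 4688, "host": "POS-01", "image": r"C:\Users\Public\plink.exe",
     "command_line": "plink.exe (arguments omitted)"},
    {"event_id": 4657, "host": "POS-02", "value_name": "updater",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"event_id": 4688, "host": "WS-05", "image": r"C:\Windows\notepad.exe",
     "command_line": "notepad.exe notes.txt"},  # benign control record
]


def _f(event, key):
    """Lower-cased field lookup; a missing field compares as the empty string."""
    return str(event.get(key, "")).lower()


# (rule name, ATT&CK id from the table above, predicate over one event)
RULES = [
    ("renamed PsExec service", "T1036.004", lambda e: e["event_id"] == 7045 and (
        _f(e, "service_name") == "mstdc" or "psexesvc" in _f(e, "image_path"))),
    ("service runs encoded PowerShell", "T1569.002", lambda e: e["event_id"] == 7045
        and re.search(r"powershell.*\s-(enc|encodedcommand)\b", _f(e, "image_path")) is not None),
    ("kill.bat executed", "T1562.001",
        lambda e: e["event_id"] == 4688 and "kill.bat" in _f(e, "command_line")),
    ("ntds.dit on command line", "T1003.003",
        lambda e: e["event_id"] == 4688 and "ntds.dit" in _f(e, "command_line")),
    ("plink.exe started", "T1573.002",
        lambda e: e["event_id"] == 4688 and _f(e, "image").endswith("plink.exe")),
    ("Run key modified", "T1547.001",
        lambda e: e["event_id"] == 4657 and r"\currentversion\run" in _f(e, "key")),
]


def triage(events):
    """Return (host, technique id, rule name) for every rule each event trips."""
    return [(e["host"], tid, name) for e in events for name, tid, pred in RULES if pred(e)]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Each hit is a lead for the analyst to confirm against the full event, not a verdict; the Run key and plink rules in particular need environment-specific allow-listing before they are useful at scale.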

References

  1. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  2. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  3. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
  4. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  5. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
  6. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
  7. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  8. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
  9. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  10. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
  11. Priego, A. (2021, July). The Brothers Grim: The Reversing Tale of GrimAgent Malware Used by Ryuk. Retrieved July 16, 2021.
  12. Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.
