FIN8
Associated Group Descriptions |
|
Name | Description |
---|---|
Syssphinx | (Citation: Symantec FIN8 Jul 2023) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .001 | Access Token Manipulation: Token Impersonation/Theft |
FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
FIN8 has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021) |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
FIN8 has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) FIN8 has also executed commands remotely via `cmd.exe`.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023) |
||
Enterprise | T1074 | .002 | Data Staged: Remote Data Staging |
FIN8 aggregates staged data from a network into a single location.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
FIN8 has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021) |
Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
FIN8 has used FTP to exfiltrate collected data.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
FIN8 has cleared logs during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
.004 | Indicator Removal: File Deletion |
FIN8 has deleted tmp and prefetch files during post compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1027 | .010 | Obfuscated Files or Information: Command Obfuscation |
FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021) |
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
FIN8 has used open-source tools such as Impacket for targeting efforts.(Citation: Bitdefender Sardonic Aug 2021) |
.003 | Obtain Capabilities: Code Signing Certificates |
FIN8 has used an expired open-source X.509 certificate for testing in the OpenSSL repository, to connect to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021) |
||
Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
.002 | Phishing: Spearphishing Link |
FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
||
Enterprise | T1055 | .004 | Process Injection: Asynchronous Procedure Call |
FIN8 has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
FIN8 has used RDP for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
.002 | Remote Services: SMB/Windows Admin Shares |
FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender Sardonic Aug 2021) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
FIN8 has used scheduled tasks to maintain RDP backdoors.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021) |
Enterprise | T1204 | .001 | User Execution: Malicious Link |
FIN8 has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
.002 | User Execution: Malicious File |
FIN8 has used malicious e-mail attachments to lure victims into executing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
References
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
- Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.