
FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)
ID: G0061
Associated Groups: 
Version: 1.2
Created: 18 Apr 2018
Last Modified: 12 Oct 2021

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN8 has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a batch file to automate frequently executed post-compromise cleanup activities. (Citation: FireEye Know Your Enemy FIN8 Aug 2016) FIN8 has also executed commands remotely via cmd. (Citation: FireEye Obfuscation June 2017) (Citation: Bitdefender FIN8 July 2021)

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

FIN8 has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN8 has cleared logs during post-compromise cleanup activities. (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1566 .002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

FIN8 has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1204 .001 User Execution: Malicious Link

FIN8 has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1204 .002 User Execution: Malicious File

FIN8 has used malicious e-mail attachments to lure victims into executing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Software

ID Name References Techniques

S0039 Net
References: (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Microsoft Net Utility) (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account

S0357 Impacket
References: (Citation: Bitdefender FIN8 July 2021) (Citation: Impacket Tools)
Techniques: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets

S0105 dsquery
References: (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: TechNet Dsquery)
Techniques: Domain Account, Domain Trust Discovery, Domain Groups

S0196 PUNCHBUGGY
References: (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Morphisec ShellTea June 2019) (Citation: ShellTea)
Techniques: Python, Rundll32, AppCert DLLs, Shared Modules, Local Account, Security Software Discovery, Registry Run Keys / Startup Folder, Match Legitimate Name or Location, Archive via Utility, PowerShell, Ingress Tool Transfer, Local Data Staging, Web Protocols, Deobfuscate/Decode Files or Information, File Deletion, Obfuscated Files or Information, System Information Discovery

S0359 Nltest
References: (Citation: Bitdefender FIN8 July 2021) (Citation: Nltest Manual)
Techniques: Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery

S0197 PUNCHTRACK
References: (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: PSVC)
Techniques: Data from Local System, Obfuscated Files or Information, Local Data Staging
