FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers observed FIN8 shifting from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]

ID: G0061
Associated Groups: Syssphinx
Contributors: Daniyal Naeem, BT Security; Serhii Melnyk, Trustwave SpiderLabs
Version: 2.0
Created: 18 April 2018
Last Modified: 19 September 2023

Associated Group Descriptions

Name Description
Syssphinx [4]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as for cleanup activities during and after compromise.[1][5][6][4]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

FIN8 has used WMI event subscriptions for persistence.[5]

Enterprise T1112 Modify Registry

FIN8 has deleted Registry keys during post-compromise cleanup activities.[6]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[6]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[1][5][6][4]

.003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities.[6] FIN8 has also executed commands remotely via cmd.exe.[1][5][4]

Enterprise T1482 Domain Trust Discovery

FIN8 has retrieved a list of trusted domains by using nltest.exe /domain_trusts.[5]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN8 has used HTTPS for command and control.[5]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before exfiltration.[6]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[6]

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.[6]

Enterprise T1486 Data Encrypted for Impact

FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.[4]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.[6]

Enterprise T1078 Valid Accounts

FIN8 has used valid accounts for persistence and lateral movement.[6]

Enterprise T1068 Exploitation for Privilege Escalation

FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][6]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][6][5]

Enterprise T1204 .001 User Execution: Malicious Link

FIN8 has used emails with malicious links to lure victims into installing malware.[1][2][6]

.002 User Execution: Malicious File

FIN8 has used malicious e-mail attachments to lure victims into executing malware.[1][2][6]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN8 has cleared logs during post-compromise cleanup activities.[6]

.004 Indicator Removal: File Deletion

FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.[6][4]

Enterprise T1082 System Information Discovery

FIN8 has used PowerShell scripts to check the architecture of a compromised machine before selecting a 32-bit or 64-bit version of a malicious .NET loader.[4]

Enterprise T1033 System Owner/User Discovery

FIN8 has executed the command quser to display the session details of a compromised machine.[4]

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.[3]

Enterprise T1102 Web Service

FIN8 has used sslip.io, a free IP-to-domain mapping service that also simplifies SSL certificate generation for traffic encryption, as part of their command and control.[5]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN8 has used open-source tools such as Impacket for targeting efforts.[3]

.003 Obtain Capabilities: Code Signing Certificates

FIN8 has used an expired X.509 test certificate from the open-source OpenSSL repository to connect to actor-controlled C2 servers.[3]

Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[5][4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[6]

Enterprise T1105 Ingress Tool Transfer

FIN8 has used remote code execution to download subsequent payloads.[2][5]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

FIN8 has injected malicious code into a new svchost.exe process.[5]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for lateral movement.[6]

.002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.[6][3]

Enterprise T1018 Remote System Discovery

FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers.[6][5]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][6]

.002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[6]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.[6]

Software

ID Name References Techniques
S1081 BADHATCH [7] Windows Management Instrumentation, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Proxy, Use Alternate Authentication Material: Pass the Hash, Encrypted Channel: Asymmetric Cryptography, Reflective Code Loading, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Domain Trust Discovery, Screen Capture, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Native API, Permission Groups Discovery: Domain Groups, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Encrypted/Encoded File, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: File Deletion, System Information Discovery, System Owner/User Discovery, System Time Discovery, System Network Connections Discovery, Network Share Discovery, Web Service, Network Service Discovery, Access Token Manipulation: Token Impersonation/Theft, Ingress Tool Transfer, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Remote System Discovery, Exfiltration Over C2 Channel, Scheduled Task/Job: Scheduled Task
S0105 dsquery [6] Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Information Discovery, Account Discovery: Domain Account
S0357 Impacket [5][3] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0039 Net [6] Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery
S0359 Nltest [5] Domain Trust Discovery, System Network Configuration Discovery, Remote System Discovery
S0097 Ping [3] Remote System Discovery
S0029 PsExec [4] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares
S0196 PUNCHBUGGY [2] Event Triggered Execution: AppCert DLLs, Masquerading: Match Legitimate Name or Location, Shared Modules, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Data Staged: Local Data Staging, Obfuscated Files or Information, Indicator Removal: File Deletion, System Binary Proxy Execution: Rundll32, System Information Discovery, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer
S0197 PUNCHTRACK [2] Data from Local System, Data Staged: Local Data Staging, Obfuscated Files or Information
S0481 Ragnar Locker [4] Create or Modify System Process: Windows Service, Command and Scripting Interpreter: Windows Command Shell, Peripheral Device Discovery, Impair Defenses: Disable or Modify Tools, Data Encrypted for Impact, Service Stop, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Location Discovery, Inhibit System Recovery, System Services: Service Execution, Hide Artifacts: Run Virtual Instance
S1085 Sardonic [3][4] Windows Management Instrumentation, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Data from Local System, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Reflective Code Loading, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Native API, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Indicator Removal, System Information Discovery, System Service Discovery, System Network Connections Discovery, System Network Configuration Discovery, Network Share Discovery, Ingress Tool Transfer, Process Discovery, Process Injection: Asynchronous Procedure Call, Non-Application Layer Protocol, Non-Standard Port

References