FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

ID: G0037
Associated Groups: Magecart Group 6, SKELETON SPIDER, ITG08
Contributors: Center for Threat-Informed Defense (CTID); Drew Church, Splunk
Version: 3.1
Created: 31 May 2017
Last Modified: 28 December 2020

Associated Group Descriptions

Name Description
Magecart Group 6

[3]

SKELETON SPIDER

[4]

ITG08

[5]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

FIN6 has used has used Metasploit’s named-pipe impersonation technique to escalate privileges.[2]

Enterprise T1087 .002 Account Discovery: Domain Account

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]

Enterprise T1560 Archive Collected Data

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1]

.003 Archive via Custom Method

FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.[1][6]

Enterprise T1119 Automated Collection

FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.[1][6]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1]

Enterprise T1110 .002 Brute Force: Password Cracking

FIN6 has extracted password hashes from ntds.dit to crack offline.[1]

Enterprise T1059 Command and Scripting Interpreter

FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1][2]

.001 PowerShell

FIN6 has used PowerShell to gain access to merchant's networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1][2][7]

.007 JavaScript

FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.[6]

.003 Windows Command Shell

FIN6 has used kill.bat script to disable security tools.[2]

Enterprise T1555 Credentials from Password Stores

FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[7]

.003 Credentials from Web Browsers

FIN6 has used the Stealer One credential stealer to target web browsers.[7]

Enterprise T1213 Data from Information Repositories

FIN6 has collected schemas and user accounts from systems running SQL Server.[7]

Enterprise T1005 Data from Local System

FIN6 has collected and exfiltrated payment card data from compromised systems.[6][8][9]

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.[6]

Enterprise T1068 Exploitation for Privilege Escalation

FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

FIN6 has deployed a utility script named kill.bat to disable anti-virus.[2]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

FIN6 has removed files from victim machines.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[2]

Enterprise T1046 Network Service Scanning

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1095 Non-Application Layer Protocol

FIN6 has used Metasploit Bind and Reverse TCP stagers.[6]

Enterprise T1027 Obfuscated Files or Information

FIN6 has used encoded PowerShell commands.[7]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN6 has used Windows Credential Editor for credential dumping.[1][2]

.003 OS Credential Dumping: NTDS

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1][2]

Enterprise T1566 .003 Phishing: Spearphishing via Service

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[5]

.001 Phishing: Spearphishing Attachment

FIN6 has targeted victims with e-mails containing malicious attachments.[7]

Enterprise T1572 Protocol Tunneling

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN6 used RDP to move laterally in victim networks.[1][2]

Enterprise T1018 Remote System Discovery

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN6 has used Comodo code-signing certificates.[5]

Enterprise T1569 .002 System Services: Service Execution

FIN6 has created Windows services to execute encoded PowerShell commands.[2]

Enterprise T1204 .002 User Execution: Malicious File

FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[7]

Enterprise T1078 Valid Accounts

To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1][2][7]

Enterprise T1102 Web Service

FIN6 has used Pastebin and Google Storage to host content for their operations.[2]

Enterprise T1047 Windows Management Instrumentation

FIN6 has used WMI to automate the remote execution of PowerShell scripts.[5]

Software

ID Name References Techniques
S0552 AdFind [2] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, Remote System Discovery, System Network Configuration Discovery
S0154 Cobalt Strike [2] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0381 FlawedAmmyy [7] Application Layer Protocol: Web Protocols, Commonly Used Port, Data Obfuscation, Encrypted Channel: Symmetric Cryptography, Peripheral Device Discovery, Permission Groups Discovery: Local Groups, Software Discovery: Security Software Discovery, System Information Discovery, System Owner/User Discovery, Windows Management Instrumentation
S0503 FrameworkPOS [10][4][7] Archive Collected Data: Archive via Custom Method, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over Alternative Protocol, Process Discovery
S0372 LockerGoga [2] Account Access Removal, Data Encrypted for Impact, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Lateral Tool Transfer, Subvert Trust Controls: Code Signing, System Shutdown/Reboot
S0449 Maze [11] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, Dynamic Resolution, Hide Artifacts: Run Virtual Instance, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host, Inhibit System Recovery, Masquerading: Masquerade Task or Service, Native API, Obfuscated Files or Information, Obfuscated Files or Information: Binary Padding, Process Discovery, Process Injection: Dynamic-link Library Injection, Scheduled Task/Job: Scheduled Task, Service Stop, Signed Binary Proxy Execution: Msiexec, System Information Discovery, System Network Connections Discovery, System Shutdown/Reboot, Windows Management Instrumentation
S0002 Mimikatz [5] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0284 More_eggs [5][7] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Owner/User Discovery
S0029 PsExec [1][2] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0446 Ryuk [2] Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, File and Directory Permissions Modification: Windows File and Directory Permissions Modification, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Masquerading, Native API, Process Discovery, Process Injection, Remote Services: SMB/Windows Admin Shares, Scheduled Task/Job: Scheduled Task, Service Stop, System Network Configuration Discovery, Traffic Signaling, Valid Accounts: Domain Accounts
S0005 Windows Credential Editor [1] OS Credential Dumping: LSASS Memory

References