FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

ID: G0037
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1] |
| Enterprise | T1119 | Automated Collection | FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1] |
| Enterprise | T1003 | Credential Dumping | FIN6 has used Windows Credential Editor for credential dumping, as well as Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1][2] |
| Enterprise | T1002 | Data Compressed | Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1] |
| Enterprise | T1022 | Data Encrypted | TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and a single-byte XOR using the key 0xAA.[1] |
| Enterprise | T1074 | Data Staged | TRINITY malware used by FIN6 identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\Windows\. Once the malware has collected the data, FIN6 actors compress it and move it to another staging system before exfiltration.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to gain kernel-level privileges.[1] |
| Enterprise | T1036 | Masquerading | FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows executable.[2] |
| Enterprise | T1046 | Network Service Scanning | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1] |
| Enterprise | T1069 | Permission Groups Discovery | FIN6 has used tools like AdFind to query users, groups, organizational units, and trusts.[2] |
| Enterprise | T1086 | PowerShell | FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1][2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1] |
| Enterprise | T1076 | Remote Desktop Protocol | FIN6 used RDP to move laterally in victim networks.[1][2] |
| Enterprise | T1018 | Remote System Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1] |
| Enterprise | T1053 | Scheduled Task | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.[1] |
| Enterprise | T1064 | Scripting | FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1][2] |
| Enterprise | T1035 | Service Execution | FIN6 has created Windows services to execute encoded PowerShell commands.[2] |
| Enterprise | T1071 | Standard Application Layer Protocol | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1] |
| Enterprise | T1078 | Valid Accounts | To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1][2] |
| Enterprise | T1102 | Web Service | FIN6 has used Pastebin to host content for the operation.[2] |
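As an added defender-side example (not taken from this page or from MITRE), the Python below applies three checks derived from the FIN6 entries above (the look-alike "mstdc" service name, a PsExec service registered under a non-default name, and a service whose image path runs encoded PowerShell) to constructed records shaped like Windows System log Event ID 7045 service installs. The mapping of "mstdc" to the genuine MSDTC service and the PSEXESVC default name are assumptions, not statements from the page.

```python
import base64
import re
from typing import Optional

# Flags under which powershell.exe accepts a Base64-encoded UTF-16LE command.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Service names that imitate a genuine Windows service. "mstdc" is the FIN6 name
# from the page; the assumption is that it mimics MSDTC (Distributed Transaction Coordinator).
LOOKALIKE_NAMES = {"mstdc": "MSDTC"}
# Service name an unmodified PsExec registers (assumption: stock PsExec behaviour).
PSEXEC_DEFAULT_NAME = "PSEXESVC"

SAMPLE_COMMAND = "Write-Host stage1"  # constructed, deliberately benign command
ENCODED = base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")

# Constructed records in the shape of Event ID 7045 "A service was installed".
SAMPLE_EVENTS = [
    {"ServiceName": "mstdc", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ServiceName": "MSDTC", "ImagePath": r"%SystemRoot%\System32\msdtc.exe"},
    {"ServiceName": "WinUpd",
     "ImagePath": "%COMSPEC% /c powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]


def decode_encoded_command(image_path: str) -> Optional[str]:
    """Return the decoded PowerShell command if the path carries -enc <base64>, else None."""
    match = ENC_FLAG.search(image_path)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not decodable, so not reported as a finding


def assess_service_install(event: dict) -> list:
    """Apply the three FIN6-derived checks to one 7045 record; return (rule, detail) pairs."""
    name, path = event["ServiceName"], event["ImagePath"]
    findings = []
    if name.lower() in LOOKALIKE_NAMES:
        findings.append(("masquerading", f"{name} imitates {LOOKALIKE_NAMES[name.lower()]}"))
    if path.lower().endswith("psexesvc.exe") and name.upper() != PSEXEC_DEFAULT_NAME:
        findings.append(("renamed-psexec", f"PsExec service binary registered as {name}"))
    decoded = decode_encoded_command(path)
    if decoded is not None:
        findings.append(("encoded-powershell", decoded))
    return findings


def scan_service_installs(events: list) -> dict:
    """Map each flagged service name to its findings; clean services are omitted."""
    flagged = {}
    for event in events:
        findings = assess_service_install(event)
        if findings:
            flagged[event["ServiceName"]] = findings
    return flagged
```

The same checks apply unchanged to real 7045 records once the ServiceName and ImagePath fields are pulled from the event XML.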

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0154 | Cobalt Strike | [2] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management |
| S0372 | LockerGoga | [2] | Data Encrypted for Impact, File Deletion, Remote File Copy |
| S0029 | PsExec | [1][2] | Service Execution, Windows Admin Shares |
| S0005 | Windows Credential Editor | [1] | Credential Dumping |

References