FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

ID: G0053
Contributors: Walker Johnson

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1119 | Automated Collection | FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. [2]
Enterprise | T1003 | Credential Dumping | FIN5 has dumped credentials from victims. Specifically, the group has used the tool GET5 Penetrator to look for remote login and hard-coded credentials. [3] [2]
Enterprise | T1074 | Data Staged | FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment. [2]
Enterprise | T1133 | External Remote Services | FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment. [1] [3] [2]
Enterprise | T1107 | File Deletion | FIN5 uses SDelete to clean up the environment and attempt to prevent detection. [2]
Enterprise | T1070 | Indicator Removal on Host | FIN5 has cleared event logs from victims. [2]
Enterprise | T1108 | Redundant Access | FIN5 maintains access to victim environments by using Valid Accounts to access External Remote Services, as well as by establishing a backup RDP tunnel using FLIPSIDE. [2]
Enterprise | T1018 | Remote System Discovery | FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets. [2]
Enterprise | T1064 | Scripting | FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. [2]
Enterprise | T1078 | Valid Accounts | FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment. [1] [3] [2]

Software

ID | Name | References | Techniques
S0173 | FLIPSIDE | [2] | Connection Proxy, Standard Application Layer Protocol
S0029 | PsExec (FIN5 uses a customized version of PsExec.) | [2] | Service Execution, Windows Admin Shares
S0006 | pwdump | [2] | Credential Dumping
S0169 | RawPOS | [3] [2] | Data Encrypted, Data from Local System, Data Staged, Masquerading, New Service
S0195 | SDelete | [2] | Code Signing, Data Destruction, File Deletion
S0005 | Windows Credential Editor | [3] [2] | Credential Dumping

References