1. Home
  2. Groups
  3. FIN8

FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]

ID: G0061
Associated Groups: Syssphinx
Contributors: Daniyal Naeem, BT Security; Serhii Melnyk, Trustwave SpiderLabs
Version: 2.0
Created: 18 April 2018
Last Modified: 19 September 2023
Version Permalink

Associated Group Descriptions

Name Description
Syssphinx

[4]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[5][4]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN8 has used HTTPS for command and control.[5]
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before exfiltration.[6]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[1][5][6][4]
.003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[6] FIN8 has also executed commands remotely via cmd.exe.[1][5][4]
Enterprise T1486 Data Encrypted for Impact

FIN8 has deployed ransomware such as Ragnar Locker, White Rabbit, and attempted to execute Noberus on compromised networks.[4]
Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.[6]
Enterprise T1482 Domain Trust Discovery

FIN8 has retrieved a list of trusted domains by using nltest.exe /domain_trusts.[5]
Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[6]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

FIN8 has used WMI event subscriptions for persistence.[5]
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.[6]
Enterprise T1068 Exploitation for Privilege Escalation

FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][6]
Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN8 has cleared logs during post compromise cleanup activities.[6]
.004 Indicator Removal: File Deletion

FIN8 has deleted tmp and prefetch files during post compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.[6][4]
Enterprise T1105 Ingress Tool Transfer

FIN8 has used remote code execution to download subsequent payloads.[2][5]
Enterprise T1112 Modify Registry

FIN8 has deleted Registry keys during post compromise cleanup activities.[6]
Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][6][5]
Enterprise T1588 .002 Obtain Capabilities: Tool

FIN8 has used open-source tools such as Impacket for targeting efforts.[3]
.003 Obtain Capabilities: Code Signing Certificates

FIN8 has used an expired open-source X.509 certificate for testing in the OpenSSL repository, to connect to actor-controlled C2 servers.[3]
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[6]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][6]
.002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[6]
Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

FIN8 has injected malicious code into a new svchost.exe process.[5]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for lateral movement.[6]
.002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.[6][3]
Enterprise T1018 Remote System Discovery

FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers.[6][5]
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.[6]
Enterprise T1518 .001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[6]
Enterprise T1082 System Information Discovery

FIN8 has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader.[4]
Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.[3]

Enterprise T1033 System Owner/User Discovery

FIN8 has executed the command quser to display the session details of a compromised machine.[4]

Enterprise T1204 .001 User Execution: Malicious Link

FIN8 has used emails with malicious links to lure victims into installing malware.[1][2][6]
.002 User Execution: Malicious File

FIN8 has used malicious e-mail attachments to lure victims into executing malware.[1][2][6]
Enterprise T1078 Valid Accounts

FIN8 has used valid accounts for persistence and lateral movement.[6]
Enterprise T1102 Web Service

FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.[5]
Enterprise T1047 Windows Management Instrumentation

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during and post compromise cleanup activities.[1][5][6][4]

Software

ID Name References Techniques
S1081 BADHATCH [7] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Application Layer Protocol: Web Protocols, Application Layer Protocol: File Transfer Protocols, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Domain Trust Discovery, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exfiltration Over C2 Channel, Indicator Removal: File Deletion, Ingress Tool Transfer, Native API, Network Service Discovery, Network Share Discovery, Obfuscated Files or Information: Embedded Payloads, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information: Encrypted/Encoded File, Permission Groups Discovery: Domain Groups, Process Discovery, Process Injection, Process Injection: Dynamic-link Library Injection, Process Injection: Asynchronous Procedure Call, Proxy, Reflective Code Loading, Remote System Discovery, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Network Connections Discovery, System Owner/User Discovery, System Time Discovery, Use Alternate Authentication Material: Pass the Hash, Web Service, Windows Management Instrumentation
S0105 dsquery [6] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Information Discovery
S0357 Impacket [5][3] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0039 Net [6] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest [5] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0097 Ping [3] Remote System Discovery
S0029 PsExec [4] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0196 PUNCHBUGGY [2] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Event Triggered Execution: AppCert DLLs, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Shared Modules, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery
S0197 PUNCHTRACK [2] Data from Local System, Data Staged: Local Data Staging, Obfuscated Files or Information
S0481 Ragnar Locker [4] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, Data Encrypted for Impact, Hide Artifacts: Run Virtual Instance, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Peripheral Device Discovery, Service Stop, System Binary Proxy Execution: Regsvr32, System Binary Proxy Execution: Msiexec, System Binary Proxy Execution: Rundll32, System Location Discovery, System Services: Service Execution
S1085 Sardonic [3][4] Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Indicator Removal, Ingress Tool Transfer, Native API, Network Share Discovery, Non-Application Layer Protocol, Non-Standard Port, Obfuscated Files or Information: Command Obfuscation, Obfuscated Files or Information, Process Discovery, Process Injection: Asynchronous Procedure Call, Reflective Code Loading, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Windows Management Instrumentation

References

  1. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  2. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  3. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  4. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  1. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
  2. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  3. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.