FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. [1] [2]

ID: G0061
Version: 1.1
Created: 18 April 2018
Last Modified: 09 February 2021

Techniques Used

Domain ID Name Use
Enterprise T1560.001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before Exfiltration.[3]

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell during Lateral Movement and Credential Access.[1][3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a batch file to automate frequently executed post-compromise cleanup activities.[3] FIN8 executes commands remotely via cmd.exe.[1]

Enterprise T1074.002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.[3]

Enterprise T1573.002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[3]

Enterprise T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.[3]

Enterprise T1068 Exploitation for Privilege Escalation

FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][3]

Enterprise T1070.001 Indicator Removal on Host: Clear Windows Event Logs

FIN8 has cleared logs during post-compromise cleanup activities.[3]

Enterprise T1070.004 Indicator Removal on Host: File Deletion

FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities.[3]

Enterprise T1105 Ingress Tool Transfer

FIN8 has used remote code execution to download subsequent payloads.[2]

Enterprise T1112 Modify Registry

FIN8 has deleted Registry keys during post-compromise cleanup activities.[3]

Enterprise T1027 Obfuscated Files or Information

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][3]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[3]

Enterprise T1566.001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][3]

Enterprise T1566.002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[3]

Enterprise T1021.001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for Lateral Movement.[3]

Enterprise T1021.002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[3]

Enterprise T1018 Remote System Discovery

FIN8 uses dsquery and other Active Directory utilities to enumerate hosts.[3]

Enterprise T1053.005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.[3]

Enterprise T1518.001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[3]

Enterprise T1204.001 User Execution: Malicious Link

FIN8 has leveraged Spearphishing Links in an attempt to gain User Execution.[1][2][3]

Enterprise T1204.002 User Execution: Malicious File

FIN8 has leveraged Spearphishing Attachments in an attempt to gain User Execution.[1][2][3]

Enterprise T1078 Valid Accounts

FIN8 has utilized Valid Accounts for Persistence and Lateral Movement.[3]

Enterprise T1047 Windows Management Instrumentation

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during post-compromise cleanup activities.[1][3]
Software

ID Name References Techniques
S0105 dsquery [3] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups
S0039 Net [3] Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0196 PUNCHBUGGY [2] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Python, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Event Triggered Execution: AppCert DLLs, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Shared Modules, Signed Binary Proxy Execution: Rundll32, Software Discovery: Security Software Discovery, System Information Discovery
S0197 PUNCHTRACK [2] Data from Local System, Data Staged: Local Data Staging, Obfuscated Files or Information