FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. [1] [2]

ID: G0061
Contributors: Daniyal Naeem, BT Security
Version: 1.3
Created: 18 April 2018
Last Modified: 22 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.[3]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN8 has used HTTPS for command and control.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before exfiltration.[4]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.[1][3][4]

.003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[4] FIN8 has also executed commands remotely via cmd.[1][3]

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.[4]

Enterprise T1482 Domain Trust Discovery

FIN8 has retrieved a list of trusted domains by using Nltest.exe /domain_trusts.[3]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[4]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

FIN8 has used WMI event subscriptions for persistence.[3]

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.[4]

Enterprise T1068 Exploitation for Privilege Escalation

FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][4]

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN8 has cleared logs during post compromise cleanup activities.[4]

.004 Indicator Removal: File Deletion

FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.[4]

Enterprise T1105 Ingress Tool Transfer

FIN8 has used remote code execution to download subsequent payloads.[2][3]

Enterprise T1112 Modify Registry

FIN8 has deleted Registry keys during post compromise cleanup activities.[4]

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][4][3]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][4]

.002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[4]

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

FIN8 has injected malicious code into a new svchost.exe process.[3]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for lateral movement.[4]

.002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[4]

Enterprise T1018 Remote System Discovery

FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers.[4][3]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.[4]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[4]

Enterprise T1204 .001 User Execution: Malicious Link

FIN8 has used emails with malicious links to lure victims into installing malware.[1][2][4]

.002 User Execution: Malicious File

FIN8 has used malicious e-mail attachments to lure victims into executing malware.[1][2][4]

Enterprise T1078 Valid Accounts

FIN8 has used valid accounts for persistence and lateral movement.[4]

Enterprise T1102 Web Service

FIN8 has used, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.[3]

Enterprise T1047 Windows Management Instrumentation

FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities.[1][3][4]


ID Name References Techniques
S0105 dsquery [4] Account Discovery: Domain Account, Domain Trust Discovery, Permission Groups Discovery: Domain Groups, System Information Discovery
S0357 Impacket [3] Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, OS Credential Dumping: NTDS, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, OS Credential Dumping: LSASS Memory, Steal or Forge Kerberos Tickets: Kerberoasting, System Services: Service Execution, Windows Management Instrumentation
S0039 Net [4] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0359 Nltest [3] Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery
S0196 PUNCHBUGGY [2] Account Discovery: Local Account, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Data Staged: Local Data Staging, Deobfuscate/Decode Files or Information, Event Triggered Execution: AppCert DLLs, Indicator Removal: File Deletion, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Obfuscated Files or Information, Shared Modules, Software Discovery: Security Software Discovery, System Binary Proxy Execution: Rundll32, System Information Discovery
S0197 PUNCHTRACK [2] Data from Local System, Data Staged: Local Data Staging, Obfuscated Files or Information