JUST RELEASED: ATT&CK for Industrial Control Systems


FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]

ID: G0085
Version: 1.0
Created: 31 January 2019
Last Modified: 18 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1114 Email Collection

FIN4 has accessed and hijacked email communications using stolen credentials.[1][3]

Enterprise T1056 Input Capture

FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[1][3]

Enterprise T1141 Input Prompt

FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[1][3]

Enterprise T1188 Multi-hop Proxy

FIN4 has used Tor to log in to victims' email accounts.[1]

Enterprise T1064 Scripting

FIN4 has used VBA macros to display a dialog box and collect victim credentials.[1][3]

Enterprise T1193 Spearphishing Attachment

FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[1][3]

Enterprise T1192 Spearphishing Link

FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[1][3]

Enterprise T1071 Standard Application Layer Protocol

FIN4 has used HTTP POST requests to transmit data.[1][3]

Enterprise T1492 Stored Data Manipulation

FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.[1]

Enterprise T1204 User Execution

FIN4 has lured victims to launch malicious attachments and click malicious links delivered via spearphishing emails (often sent from compromised accounts).[1][3]

Enterprise T1078 Valid Accounts

FIN4 has used legitimate credentials to hijack email communications.[1][3]