FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|Enterprise||T1059||.005||Command and Scripting Interpreter: Visual Basic|
|Enterprise||T1565||.001||Data Manipulation: Stored Data Manipulation||
FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.
|Enterprise||T1114||.002||Email Collection: Remote Email Collection|
|Enterprise||T1056||.002||Input Capture: GUI Input Capture|
|.001||Input Capture: Keylogging|
|Enterprise||T1566||.001||Phishing: Spearphishing Attachment|
|.002||Phishing: Spearphishing Link|
|Enterprise||T1090||.003||Proxy: Multi-hop Proxy|
|Enterprise||T1204||.002||User Execution: Malicious File|
|.001||User Execution: Malicious Link|