FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]

ID: G0085
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1114 Email Collection FIN4 has accessed and hijacked email communications using stolen credentials.[1][3]
Enterprise T1056 Input Capture FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[1][3]
Enterprise T1141 Input Prompt FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[1][3]
Enterprise T1188 Multi-hop Proxy FIN4 has used Tor to log in to victims' email accounts.[1]
Enterprise T1064 Scripting FIN4 has used VBA macros to display a dialog box and collect victim credentials.[1][3]
Enterprise T1193 Spearphishing Attachment FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[1][3]
Enterprise T1192 Spearphishing Link FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[1][3]
Enterprise T1071 Standard Application Layer Protocol FIN4 has used HTTP POST requests to transmit data.[1][3]
Enterprise T1492 Stored Data Manipulation FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked," "phish," and “malware" in a likely attempt to prevent organizations from communicating about their activities.[1]
Enterprise T1204 User Execution FIN4 has lured victims to launch malicious attachments and click malicious links delivered via spearphishing emails (often sent from compromised accounts).[1][3]
Enterprise T1078 Valid Accounts FIN4 has used legitimate credentials to hijack email communications.[1][3]