FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]

ID: G0085
Version: 1.0

Techniques Used

DomainIDNameUse
EnterpriseT1114Email CollectionFIN4 has accessed and hijacked email communications using stolen credentials.[1][3]
EnterpriseT1056Input CaptureFIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[1][3]
EnterpriseT1141Input PromptFIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[1][3]
EnterpriseT1188Multi-hop ProxyFIN4 has used Tor to log in to victims' email accounts.[1]
EnterpriseT1064ScriptingFIN4 has used VBA macros to display a dialog box and collect victim credentials.[1][3]
EnterpriseT1193Spearphishing AttachmentFIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[1][3]
EnterpriseT1192Spearphishing LinkFIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[1][3]
EnterpriseT1071Standard Application Layer ProtocolFIN4 has used HTTP POST requests to transmit data.[1][3]
EnterpriseT1492Stored Data ManipulationFIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as “hacked," "phish," and “malware" in a likely attempt to prevent organizations from communicating about their activities.[1]
EnterpriseT1204User ExecutionFIN4 has lured victims to launch malicious attachments and click malicious links delivered via spearphishing emails (often sent from compromised accounts).[1][3]
EnterpriseT1078Valid AccountsFIN4 has used legitimate credentials to hijack email communications.[1][3]

References