Group: FIN6

FIN6 (Group)
ID: G0037
Aliases: FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1]

Techniques Used

  • Scripting - FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1]
  • PowerShell - FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1]
  • Scheduled Task - FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.[1]
  • Exploitation of Vulnerability - FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to obtain kernel-level privileges.[1]
  • Account Discovery - FIN6 has used Metasploit's PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]
  • Network Service Scanning - FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]
  • Remote System Discovery - FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]
  • Valid Accounts - To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1]
  • Data Staged - TRINITY malware used by FIN6 identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\Windows\. Once the malware has collected the data, FIN6 actors compress it and move it to another staging system before exfiltration.[1]
  • Data Encrypted - TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and a single-byte XOR using the key 0xAA.[1]
  • Automated Collection - FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1]
  • Data Compressed - Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1]
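The "Data Staged" and "Data Encrypted" entries above describe a staging file of track data obscured with a single-byte XOR. The following is an added example, not code from the ATT&CK page or from any FIN6 tooling, showing how an incident responder might triage such a recovered file: try every single-byte key, score each candidate plaintext for track-2-like records whose PAN passes the Luhn check, and report the key that produces them. It assumes the substitution-cipher layer is absent or has already been undone (only the XOR layer is modelled), and the sample file is constructed here from public test card numbers, not data from any incident.

```python
import re
from typing import Optional

# Track-2-like record: optional start sentinel, 13-19 digit PAN, '=' separator,
# then expiry/service-code/discretionary digits and an optional end sentinel.
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{7,})\??")


def luhn_ok(pan: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48  # ASCII digit -> integer
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call both applies and removes it."""
    return bytes(b ^ key for b in data)


def score_plaintext(buf: bytes) -> int:
    """Count track-2-like records whose PAN is Luhn-valid (reduces false hits)."""
    return sum(1 for m in TRACK2_RE.finditer(buf) if luhn_ok(m.group(1)))


def find_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the one yielding the most
    track-like records, or None if no key produces any."""
    best_key, best_score = None, 0
    for key in range(256):
        s = score_plaintext(xor_bytes(blob, key))
        if s > best_score:
            best_key, best_score = key, s
    return best_key


# Constructed sample of what a staged collection file might hold after the XOR
# layer (hypothetical content built from public test card numbers only).
_PLAINTEXT = (b";4111111111111111=25121010000000000000?\r\n"
              b";5555555555554444=26061010000000000000?\r\n")
SAMPLE_BLOB = xor_bytes(_PLAINTEXT, 0xAA)

if __name__ == "__main__":
    key = find_xor_key(SAMPLE_BLOB)
    if key is None:
        print("no single-byte XOR key yields track-like records")
    else:
        records = score_plaintext(xor_bytes(SAMPLE_BLOB, key))
        print(f"recovered key 0x{key:02X}, {records} Luhn-valid track-2 record(s)")
```

Running the script against a real staging file would read the file as bytes in place of SAMPLE_BLOB; the Luhn filter is what keeps coincidental digit runs under wrong keys from scoring, and a file that yields no key at all is a hint that a further encoding layer (such as the substitution step the page mentions) is still in place.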

Software