Group: FIN5

FIN5
Group
ID: G0053
Aliases: FIN5
Contributors: Walker Johnson

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.[1][2][3]

Alias Descriptions

Techniques Used

  • Valid Accounts - FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2]
  • Remote System Discovery - FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.[2]
  • Scripting - FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2]
  • Automated Collection - FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2]
  • Data Staged - FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[2]
  • External Remote Services - FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2]
  • Credential Dumping - FIN5 has dumped credentials from victims.[2] Specifically, the group has used the tool GET5 Penetrator to look for remote login and hard-coded credentials.[3]
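The Data Staged and Automated Collection entries above describe the same pattern from a defender's point of view: memory dump files written into one fixed directory on many hosts at once. The following script is an added example, not part of the ATT&CK entry or any MITRE tooling; it runs over a constructed list of file-creation events (host, path, size) and flags any directory that receives dump-like files on several distinct hosts, which separates fleet-wide staging from a single host's ordinary crash dump. The event list, the dump suffixes and the host threshold are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample of file-creation events as (host, path, size_bytes).
# These are illustrative values, not real telemetry from any incident.
EVENTS = [
    ("POS-01", r"C:\Windows\Temp\out\lsass_1.dmp", 52_000_000),
    ("POS-02", r"C:\Windows\Temp\out\lsass_2.dmp", 48_000_000),
    ("POS-03", r"C:\Windows\Temp\out\lsass_3.dmp", 51_000_000),
    ("POS-01", r"C:\Windows\Temp\out\procs.txt", 3_000),
    ("HR-05", r"C:\Users\alice\Documents\report.docx", 120_000),
    # One host's legitimate application crash dump: should not be flagged.
    ("DEV-07", r"C:\Users\bob\AppData\Local\CrashDumps\app.exe.1234.dmp", 20_000_000),
]

# File suffixes treated as memory-dump-like (assumption for the example).
DUMP_SUFFIXES = (".dmp", ".mdmp", ".bin")
# A staging directory is interesting once it shows up on this many hosts.
MIN_HOSTS = 3


def split_windows_path(path):
    """Split a Windows path into (directory, filename) without touching the local OS path rules."""
    directory, _, name = path.rpartition("\\")
    return directory, name


def staging_dirs(events, min_hosts=MIN_HOSTS, suffixes=DUMP_SUFFIXES):
    """Return {directory: sorted hosts} for directories that received dump-like
    files on at least min_hosts distinct hosts. Directory names are lower-cased
    so that case differences across hosts do not split one staging path."""
    hosts_by_dir = defaultdict(set)
    for host, path, _size in events:
        directory, name = split_windows_path(path)
        if name.lower().endswith(suffixes):
            hosts_by_dir[directory.lower()].add(host)
    return {d: sorted(h) for d, h in hosts_by_dir.items() if len(h) >= min_hosts}


def main():
    for directory, hosts in staging_dirs(EVENTS).items():
        print(f"possible staging directory {directory} seen on {len(hosts)} hosts: {', '.join(hosts)}")


if __name__ == "__main__":
    main()
```

On the sample events only `c:\windows\temp\out` is reported, because the `CrashDumps` directory appears on a single host; raising or lowering `MIN_HOSTS` tunes the trade-off between catching small-scale staging and tolerating normal crash-dump noise.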

Software

  • PsExec - FIN5 uses a customized version of PsExec.[2]