Group: FIN8

ID G0061
Aliases FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.[1][2]

Alias Descriptions

  • FIN8 - [1]

Techniques Used

  • Obfuscated Files or Information - FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments.[1] FIN8 also obfuscates malicious macros delivered as payloads.[3]
  • Spearphishing Link - FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[3]
  • Remote File Copy - FIN8 has used remote code execution to download subsequent payloads.[2]
  • Credential Dumping - FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[3]
  • Windows Admin Shares - FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[3]
  • Scheduled Task - FIN8 has used scheduled tasks to maintain RDP backdoors.[3]
  • Data Staged - FIN8 aggregates staged data from a network into a single location.[3]
  • Scripting - FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities.[3]
  • File Deletion - FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities.[3]
  • Modify Registry - FIN8 has deleted Registry keys during post-compromise cleanup activities.[3]
  • User Execution - FIN8 has leveraged both Spearphishing Link and Spearphishing Attachment in attempts to gain User Execution.[1][2][3]