FIN8
FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. [1] [2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
FIN8 has used RAR to compress collected data before Exfiltration.[3] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[3] FIN8 executes commands remotely via cmd.exe.[1] |
| .001 | Command and Scripting Interpreter: PowerShell |
FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell during Lateral Movement and Credential Access.[1][3] |
||
| Enterprise | T1074 | .002 | Data Staged: Remote Data Staging |
FIN8 aggregates staged data from a network into a single location.[3] |
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[3] |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
| Enterprise | T1068 | Exploitation for Privilege Escalation |
FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][3] |
|
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.[3] |
| .001 | Indicator Removal on Host: Clear Windows Event Logs |
FIN8 has cleared logs during post compromise cleanup activities.[3] |
||
| Enterprise | T1105 | Ingress Tool Transfer |
FIN8 has used remote code execution to download subsequent payloads.[2] |
|
| Enterprise | T1112 | Modify Registry |
FIN8 has deleted Registry keys during post compromise cleanup activities.[3] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][3] |
|
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[3] |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][3] |
| .002 | Phishing: Spearphishing Link |
FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[3] |
||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
FIN8 has used RDP for Lateral Movement.[3] |
| .002 | Remote Services: SMB/Windows Admin Shares |
FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[3] |
||
| Enterprise | T1018 | Remote System Discovery |
FIN8 uses dsquery and other Active Directory utilities to enumerate hosts.[3] |
|
| Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task | |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[3] |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
FIN8 has leveraged Spearphishing Attachments attempting to gain User Execution.[1][2][3] |
| .001 | User Execution: Malicious Link |
FIN8 has leveraged Spearphishing Links attempting to gain User Execution.[1][2][3] |
||
| Enterprise | T1078 | Valid Accounts |
FIN8 has utilized Valid Accounts during and Persistence and Lateral Movement.[3] |
|
| Enterprise | T1047 | Windows Management Instrumentation |
FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post compromise cleanup activities.[1][3] |
|