Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020.

FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[1][2]

ID: G0037
Associated Groups: ITG08
Contributors: Drew Church, Splunk
Version: 2.1
Created: 31 May 2017
Last Modified: 15 May 2020

Associated Group Descriptions

Name Description
ITG08 [3]

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1]

Enterprise T1560 Archive Collected Data

Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

TRINITY malware used by FIN6 encodes data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key.[1]

Enterprise T1119 Automated Collection

FIN6 has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[1]

Enterprise T1059 Command and Scripting Interpreter

FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[1][2]

Enterprise T1074 .001 Data Staged: Local Data Staging

TRINITY malware used by FIN6 identifies payment card track data on the victim and then copies it to a local file in a subdirectory of C:\Windows\.[1]

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[1]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1068 Exploitation for Privilege Escalation

FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[1]

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[2]

Enterprise T1046 Network Service Scanning

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN6 has used Windows Credential Editor for credential dumping.[1][2]

Enterprise T1003 .003 OS Credential Dumping: NTDS

FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim's Active Directory database.[1][2]

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

FIN6 has used tools like Adfind to query users, groups, organizational units, and trusts.[2]

Enterprise T1566 .003 Phishing: Spearphishing via Service

FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[3]

Enterprise T1572 Protocol Tunneling

FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN6 used RDP to move laterally in victim networks.[1][2]

Enterprise T1018 Remote System Discovery

FIN6 used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY.[1]

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

FIN6 has used Comodo code-signing certificates.[3]

Enterprise T1569 .002 System Services: Service Execution

FIN6 has created Windows services to execute encoded PowerShell commands.[2]

Enterprise T1078 Valid Accounts

To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[1][2]

Enterprise T1102 Web Service

FIN6 has used Pastebin to host content for the operation.[2]

Enterprise T1047 Windows Management Instrumentation

FIN6 has used WMI to automate the remote execution of PowerShell scripts.[3]

Software

ID Name References Techniques

S0154 Cobalt Strike [2]

Abuse Elevation Control Mechanism: Bypass User Access Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Exploitation for Privilege Escalation, Indicator Removal on Host: Timestomp, Input Capture: Keylogging, Man in the Browser, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Obfuscated Files or Information: Indicator Removal from Tools, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Protocol Tunneling, Proxy: Internal Proxy, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation

S0372 LockerGoga [2]

Account Access Removal, Data Encrypted for Impact, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: File Deletion, Lateral Tool Transfer, Subvert Trust Controls: Code Signing, System Shutdown/Reboot

S0002 Mimikatz [3]

Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

S0284 More_eggs [3]

Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery

S0029 PsExec [1][2]

Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

S0446 Ryuk [2]

Access Token Manipulation, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Data Encrypted for Impact, File and Directory Discovery, Impair Defenses: Disable or Modify Tools, Inhibit System Recovery, Masquerading: Match Legitimate Name or Location, Native API, Process Discovery, Process Injection, Service Stop, System Network Configuration Discovery

S0005 Windows Credential Editor [1]

OS Credential Dumping: LSASS Memory

References