Skip to content

G0061 FIN8

FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. 1 2

Item Value
ID G0061
Associated Names
Version 1.3
Created 18 April 2018
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.001 Token Impersonation/Theft FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.4
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols FIN8 has used HTTPS for command and control.4
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility FIN8 has used RAR to compress collected data before exfiltration.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell FIN8‘s malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.143
enterprise T1059.003 Windows Command Shell FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.3 FIN8 has also executed commands remotely via cmd.14
enterprise T1074 Data Staged -
enterprise T1074.002 Remote Data Staging FIN8 aggregates staged data from a network into a single location.3
enterprise T1482 Domain Trust Discovery FIN8 has retrieved a list of trusted domains by using Nltest.exe /domain_trusts.4
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.3
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription FIN8 has used WMI event subscriptions for persistence.4
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol FIN8 has used FTP to exfiltrate collected data.3
enterprise T1068 Exploitation for Privilege Escalation FIN8 has exploited the CVE-2016-0167 local vulnerability.23
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs FIN8 has cleared logs during post compromise cleanup activities.3
enterprise T1070.004 File Deletion FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.3
enterprise T1105 Ingress Tool Transfer FIN8 has used remote code execution to download subsequent payloads.24
enterprise T1112 Modify Registry FIN8 has deleted Registry keys during post compromise cleanup activities.3
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.134
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).3
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.123
enterprise T1566.002 Spearphishing Link FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.3
enterprise T1055 Process Injection -
enterprise T1055.004 Asynchronous Procedure Call FIN8 has injected malicious code into a new svchost.exe process.4
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol FIN8 has used RDP for lateral movement.3
enterprise T1021.002 SMB/Windows Admin Shares FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.3
enterprise T1018 Remote System Discovery FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers.34
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task FIN8 has used scheduled tasks to maintain RDP backdoors.3
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.3
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link FIN8 has used emails with malicious links to lure victims into installing malware.123
enterprise T1204.002 Malicious File FIN8 has used malicious e-mail attachments to lure victims into executing malware.123
enterprise T1078 Valid Accounts FIN8 has used valid accounts for persistence and lateral movement.3
enterprise T1102 Web Service FIN8 has used sslip.io, a free IP to domain mapping service that also makes SSL certificate generation easier for traffic encryption, as part of their command and control.4
enterprise T1047 Windows Management Instrumentation FIN8‘s malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC for lateral movement as well as during and post compromise cleanup activities.143

Software

ID Name References Techniques
S0105 dsquery 3 Domain Account:Account Discovery Domain Trust Discovery Domain Groups:Permission Groups Discovery System Information Discovery
S0357 Impacket 4 LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Network Sniffing NTDS:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Kerberoasting:Steal or Forge Kerberos Tickets Service Execution:System Services Windows Management Instrumentation
S0039 Net 3 Domain Account:Account Discovery Local Account:Account Discovery Local Account:Create Account Domain Account:Create Account Network Share Connection Removal:Indicator Removal Network Share Discovery Password Policy Discovery Local Groups:Permission Groups Discovery Domain Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0359 Nltest 4 Domain Trust Discovery Remote System Discovery System Network Configuration Discovery
S0196 PUNCHBUGGY 2 Local Account:Account Discovery Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Python:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Local Data Staging:Data Staged Deobfuscate/Decode Files or Information AppCert DLLs:Event Triggered Execution File Deletion:Indicator Removal Ingress Tool Transfer Match Legitimate Name or Location:Masquerading Obfuscated Files or Information Shared Modules Security Software Discovery:Software Discovery Rundll32:System Binary Proxy Execution System Information Discovery
S0197 PUNCHTRACK 2 Data from Local System Local Data Staging:Data Staged Obfuscated Files or Information

References

  1. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  2. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. 

  3. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  4. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.