G0061 FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers observed FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants. [1][3][2][4]

Item | Value
ID | G0061
Associated Names | Syssphinx
Version | 2.0
Created | 18 April 2018
Last Modified | 16 April 2025

Associated Group Descriptions

Name | Description
Syssphinx | [4]

Techniques Used

Domain | ID | Name | Use
enterprise | T1134 | Access Token Manipulation | -
enterprise | T1134.001 | Token Impersonation/Theft | FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token. [6][4]
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | FIN8 has used HTTPS for command and control. [6]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | FIN8 has used RAR to compress collected data before exfiltration. [5]
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell | FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access. [1][6][5][4]
enterprise | T1059.003 | Windows Command Shell | FIN8 has used a batch file to automate frequently executed post-compromise cleanup activities. [5] FIN8 has also executed commands remotely via cmd.exe. [1][6][4]
enterprise | T1486 | Data Encrypted for Impact | FIN8 has deployed ransomware such as Ragnar Locker and White Rabbit, and has attempted to execute Noberus on compromised networks. [4]
enterprise | T1074 | Data Staged | -
enterprise | T1074.002 | Remote Data Staging | FIN8 aggregates staged data from a network into a single location. [5]
enterprise | T1482 | Domain Trust Discovery | FIN8 has retrieved a list of trusted domains by using nltest.exe /domain_trusts. [6]
enterprise | T1573 | Encrypted Channel | -
enterprise | T1573.002 | Asymmetric Cryptography | FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure. [5]
enterprise | T1546 | Event Triggered Execution | -
enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | FIN8 has used WMI event subscriptions for persistence. [6]
enterprise | T1048 | Exfiltration Over Alternative Protocol | -
enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | FIN8 has used FTP to exfiltrate collected data. [5]
enterprise | T1068 | Exploitation for Privilege Escalation | FIN8 has exploited the CVE-2016-0167 local vulnerability. [3][5]
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.001 | Clear Windows Event Logs | FIN8 has cleared logs during post-compromise cleanup activities. [5]
enterprise | T1070.004 | File Deletion | FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines. [5][4]
enterprise | T1105 | Ingress Tool Transfer | FIN8 has used remote code execution to download subsequent payloads. [3][6]
enterprise | T1112 | Modify Registry | FIN8 has deleted Registry keys during post-compromise cleanup activities. [5]
enterprise | T1027 | Obfuscated Files or Information | -
enterprise | T1027.010 | Command Obfuscation | FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads. [1][5][6]
enterprise | T1588 | Obtain Capabilities | -
enterprise | T1588.002 | Tool | FIN8 has used open-source tools such as Impacket for targeting efforts. [2]
enterprise | T1588.003 | Code Signing Certificates | FIN8 has used an expired open-source X.509 test certificate from the OpenSSL repository to connect to actor-controlled C2 servers. [2]
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.001 | LSASS Memory | FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE). [5]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | FIN8 has distributed targeted emails containing Word documents with embedded malicious macros. [1][3][5]
enterprise | T1566.002 | Spearphishing Link | FIN8 has distributed targeted emails containing links to malicious documents with embedded macros. [5]
enterprise | T1055 | Process Injection | -
enterprise | T1055.004 | Asynchronous Procedure Call | FIN8 has injected malicious code into a new svchost.exe process. [6]
enterprise | T1021 | Remote Services | -
enterprise | T1021.001 | Remote Desktop Protocol | FIN8 has used RDP for lateral movement. [5]
enterprise | T1021.002 | SMB/Windows Admin Shares | FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement. [5][2]
enterprise | T1018 | Remote System Discovery | FIN8 has used dsquery and other Active Directory utilities to enumerate hosts; they have also used nltest.exe /dclist to retrieve a list of domain controllers. [5][6]
enterprise | T1053 | Scheduled Task/Job | -
enterprise | T1053.005 | Scheduled Task | FIN8 has used scheduled tasks to maintain RDP backdoors. [5]
enterprise | T1518 | Software Discovery | -
enterprise | T1518.001 | Security Software Discovery | FIN8 has used Registry keys to detect and avoid executing in potential sandboxes. [5]
enterprise | T1082 | System Information Discovery | FIN8 has used PowerShell scripts to check the architecture of a compromised machine before selecting a 32-bit or 64-bit version of a malicious .NET loader. [4]
enterprise | T1016 | System Network Configuration Discovery | -
enterprise | T1016.001 | Internet Connection Discovery | FIN8 has used the ping command to check connectivity to actor-controlled C2 servers. [2]
enterprise | T1033 | System Owner/User Discovery | FIN8 has executed the command quser to display the session details of a compromised machine. [4]
enterprise | T1204 | User Execution | -
enterprise | T1204.001 | Malicious Link | FIN8 has used emails with malicious links to lure victims into installing malware. [1][3][5]
enterprise | T1204.002 | Malicious File | FIN8 has used malicious e-mail attachments to lure victims into executing malware. [1][3][5]
enterprise | T1078 | Valid Accounts | FIN8 has used valid accounts for persistence and lateral movement. [5]
enterprise | T1102 | Web Service | FIN8 has used sslip.io, a free IP-to-domain mapping service that also simplifies SSL certificate generation for traffic encryption, as part of their command and control. [6]
enterprise | T1047 | Windows Management Instrumentation | FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC and the Impacket suite for lateral movement, as well as during post-compromise cleanup activities. [1][6][5][4]

Software

ID | Name | References | Techniques
S1081 | BADHATCH | [7] | Bypass User Account Control: Abuse Elevation Control Mechanism; Token Impersonation/Theft: Access Token Manipulation; Web Protocols: Application Layer Protocol; File Transfer Protocols: Application Layer Protocol; PowerShell: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Domain Trust Discovery; Asymmetric Cryptography: Encrypted Channel; Windows Management Instrumentation Event Subscription: Event Triggered Execution; Exfiltration Over C2 Channel; File Deletion: Indicator Removal; Ingress Tool Transfer; Native API; Network Service Discovery; Network Share Discovery; Embedded Payloads: Obfuscated Files or Information; Command Obfuscation: Obfuscated Files or Information; Compression: Obfuscated Files or Information; Domain Groups: Permission Groups Discovery; Process Discovery; Process Injection; Dynamic-link Library Injection: Process Injection; Asynchronous Procedure Call: Process Injection; Proxy; Reflective Code Loading; Remote System Discovery; Scheduled Task: Scheduled Task/Job; Screen Capture; System Information Discovery; System Network Connections Discovery; System Owner/User Discovery; System Time Discovery; Pass the Hash: Use Alternate Authentication Material; Web Service; Windows Management Instrumentation
S0105 | dsquery | [5] | Domain Account: Account Discovery; Domain Trust Discovery; Domain Groups: Permission Groups Discovery; System Information Discovery
S0357 | Impacket | [6][2] | LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle; Lateral Tool Transfer; Network Sniffing; NTDS: OS Credential Dumping; LSASS Memory: OS Credential Dumping; Security Account Manager: OS Credential Dumping; LSA Secrets: OS Credential Dumping; Kerberoasting: Steal or Forge Kerberos Tickets; Ccache Files: Steal or Forge Kerberos Tickets; Service Execution: System Services; Windows Management Instrumentation
S0039 | Net | [5] | Domain Account: Account Discovery; Local Account: Account Discovery; Additional Local or Domain Groups: Account Manipulation; Local Account: Create Account; Domain Account: Create Account; Network Share Connection Removal: Indicator Removal; Network Share Discovery; Password Policy Discovery; Domain Groups: Permission Groups Discovery; Local Groups: Permission Groups Discovery; SMB/Windows Admin Shares: Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution: System Services; System Time Discovery
S0359 | Nltest | [6] | Domain Trust Discovery; Remote System Discovery; System Network Configuration Discovery
S0097 | Ping | [2] | Remote System Discovery
S0029 | PsExec | [4] | Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services
S0196 | PUNCHBUGGY | [3] | Local Account: Account Discovery; Web Protocols: Application Layer Protocol; Archive via Utility: Archive Collected Data; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; Python: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Local Data Staging: Data Staged; Deobfuscate/Decode Files or Information; AppCert DLLs: Event Triggered Execution; File Deletion: Indicator Removal; Ingress Tool Transfer; Match Legitimate Resource Name or Location: Masquerading; Obfuscated Files or Information; Shared Modules; Security Software Discovery: Software Discovery; Rundll32: System Binary Proxy Execution; System Information Discovery
S0197 | PUNCHTRACK | [3] | Data from Local System; Local Data Staging: Data Staged; Obfuscated Files or Information
S0481 | Ragnar Locker | [4] | Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; Data Encrypted for Impact; Run Virtual Instance: Hide Artifacts; Disable or Modify Tools: Impair Defenses; Inhibit System Recovery; Peripheral Device Discovery; Service Stop; Regsvr32: System Binary Proxy Execution; Msiexec: System Binary Proxy Execution; Rundll32: System Binary Proxy Execution; System Location Discovery; Service Execution: System Services
S1085 | Sardonic | [2][4] | Windows Command Shell: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Data from Local System; Deobfuscate/Decode Files or Information; Symmetric Cryptography: Encrypted Channel; Asymmetric Cryptography: Encrypted Channel; Windows Management Instrumentation Event Subscription: Event Triggered Execution; Indicator Removal; Ingress Tool Transfer; Local Storage Discovery; Native API; Network Share Discovery; Non-Application Layer Protocol; Non-Standard Port; Command Obfuscation: Obfuscated Files or Information; Obfuscated Files or Information; Process Discovery; Asynchronous Procedure Call: Process Injection; Reflective Code Loading; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Service Discovery; Windows Management Instrumentation