G0085 FIN4
FIN4 is a financially motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[3][1] FIN4 is unusual in that it does not infect victims with typical persistent malware; instead it focuses on capturing credentials that are authorized to access email and other non-public correspondence.[3][2]
| Item | Value |
|---|---|
| ID | G0085 |
| Associated Names | |
| Version | 1.2 |
| Created | 31 January 2019 |
| Last Modified | 01 February 2023 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | FIN4 has used HTTP POST requests to transmit data.[3][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.005 | Visual Basic | FIN4 has used VBA macros to display a dialog box and collect victim credentials.[3][2] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.002 | Remote Email Collection | FIN4 has accessed and hijacked online email communications using stolen credentials.[3][2] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.008 | Email Hiding Rules | FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware," in a likely attempt to prevent organizations from communicating about their activities.[3] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET-based keylogger.[3][2] |
| enterprise | T1056.002 | GUI Input Capture | FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[3][2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | FIN4 has used spearphishing emails containing attachments (often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[3][2] |
| enterprise | T1566.002 | Spearphishing Link | FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[3][2] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.003 | Multi-hop Proxy | FIN4 has used Tor to log in to victims' email accounts.[3] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[3][2] |
| enterprise | T1204.002 | Malicious File | FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).[3][2] |
| enterprise | T1078 | Valid Accounts | FIN4 has used legitimate credentials to hijack email communications.[3][2] |
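The Email Hiding Rules entry (T1564.008) is the one technique in this table that leaves a durable, hunt-able artifact: a server-side inbox rule that deletes mail mentioning words like "hacked," "phish," or "malware." The following is an added example by the editor, not code from the ATT&CK page or from the cited reports. It scans Exchange Online Unified Audit Log records for rule-creation or rule-change events whose conditions key on security-related words and whose action hides the message. The audit lines are constructed to mirror the shape of the `AuditData` JSON (`Operation`, `UserId`, `ClientIP`, `Parameters` as a list of `{Name, Value}` pairs); the exact field names, the `;`-delimited word lists and the extra keywords beyond the three the reports name are assumptions to check against your own tenant's export.

```python
"""Hunt Exchange Online audit records for inbox rules that hide security-related
mail (ATT&CK T1564.008, as used by FIN4).

Added example, not code from the ATT&CK page or the cited reports. The audit
records below are constructed to mirror the shape of Unified Audit Log
'AuditData' JSON; field names and the ';'-delimited multi-value parameters are
assumptions to verify against a real export.
"""
import json
import re

# Words the group filtered on ("hacked", "phish", "malware"), plus a few
# neighbours a defender would add; the extras are the editor's assumption.
SUSPECT_WORDS = {
    "hacked", "phish", "phishing", "malware", "compromised", "breach",
    "virus", "suspicious", "incident",
}

# Rule actions that remove a matching message from the user's view.
HIDING_ACTIONS = {"DeleteMessage", "MoveToFolder"}

# Rule conditions that key on message text.
KEYWORD_CONDITIONS = {
    "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
}

# Operations that create or change a server-side rule. UpdateInboxRules is the
# Outlook-client path; the other two come from PowerShell or OWA.
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}


def _params(record):
    """Flatten the Parameters list into a {Name: Value} dict of strings."""
    return {p.get("Name"): str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _words(value):
    """Split a multi-valued parameter (assumed ';' or ',' delimited) into lowercase words."""
    return {w.strip().strip('"').lower() for w in re.split(r"[;,]", value) if w.strip()}


def hiding_rule_hits(record):
    """Return the suspect words a rule both matches on and hides; empty set if benign."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return set()
    params = _params(record)
    # DeleteMessage is logged as "True"/"False"; MoveToFolder carries a folder path.
    hides = any(params.get(a, "").lower() not in ("", "false") for a in HIDING_ACTIONS)
    if not hides:
        return set()
    matched = set()
    for cond in KEYWORD_CONDITIONS:
        if cond in params:
            matched |= _words(params[cond]) & SUSPECT_WORDS
    return matched


def hunt(audit_lines):
    """Return (time, user, client_ip, rule_name, words) for each suspect rule event."""
    findings = []
    for line in audit_lines:
        rec = json.loads(line)
        hits = hiding_rule_hits(rec)
        if hits:
            findings.append((
                rec.get("CreationTime"), rec.get("UserId"), rec.get("ClientIP"),
                _params(rec).get("Name", "<unnamed>"), sorted(hits),
            ))
    return findings


# Constructed sample: one FIN4-style rule, one benign filing rule, one forwarding
# rule that mentions "malware" but hides nothing, and one unrelated operation.
SAMPLE_AUDIT = [json.dumps(r) for r in [
    {"CreationTime": "2014-11-18T14:02:11", "Operation": "New-InboxRule",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [
         {"Name": "Name", "Value": "Filter"},
         {"Name": "SubjectOrBodyContainsWords", "Value": "hacked;phish;malware"},
         {"Name": "DeleteMessage", "Value": "True"},
         {"Name": "StopProcessingRules", "Value": "True"}]},
    {"CreationTime": "2014-11-18T15:40:02", "Operation": "New-InboxRule",
     "UserId": "analyst@example.com", "ClientIP": "203.0.113.8",
     "Parameters": [
         {"Name": "Name", "Value": "Vendor news"},
         {"Name": "SubjectContainsWords", "Value": "newsletter"},
         {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"CreationTime": "2014-11-19T09:12:45", "Operation": "Set-InboxRule",
     "UserId": "helpdesk@example.com", "ClientIP": "203.0.113.9",
     "Parameters": [
         {"Name": "Identity", "Value": "Escalate"},
         {"Name": "BodyContainsWords", "Value": "malware"},
         {"Name": "ForwardTo", "Value": "soc@example.com"}]},
    {"CreationTime": "2014-11-19T09:13:01", "Operation": "MailItemsAccessed",
     "UserId": "cfo@example.com", "ClientIP": "198.51.100.23"},
]]

if __name__ == "__main__":
    for time, user, ip, name, words in hunt(SAMPLE_AUDIT):
        print(f"{time} {user} from {ip}: rule '{name}' hides mail matching {words}")
```

Only the first record is flagged: it both keys on the incident vocabulary and deletes the match. The forwarding rule that mentions "malware" is left alone because it hides nothing, which keeps the hunt from drowning in legitimate SOC escalation rules. In a real investigation, pivot from the `ClientIP` and `UserId` of a hit to the corresponding sign-in logs, since the same reports note the group logging in to mailboxes over Tor.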
References
1. Dennesen, K., et al. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading? Retrieved December 17, 2018.
2. Vengerik, B., & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
3. Vengerik, B., et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.