Introduction
FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. The group has aggressively targeted and compromised point-of-sale (PoS) systems in the hospitality and retail sectors [9][10]. Later reporting tied it to Ryuk and LockerGoga ransomware deployments [10].
Activities and Tactics
Country of Origin: 🇷🇺 Russia (assessed; see Attribution and Evidence)
First Seen: 2016 (earliest cited public reporting: FireEye, April 2016 [9])
Last Activity: 2020 (latest cited public reporting: IBM Security Intelligence, April 2020 [12])
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1560.003 Archive via Custom Method
- T1566.001 Spearphishing Attachment
- T1562.001 Disable or Modify Tools
- T1087.002 Domain Account
- T1059 Command and Scripting Interpreter
- T1572 Protocol Tunneling
- T1213.006 Databases
- T1027.010 Command Obfuscation
- T1059.007 JavaScript
- T1102 Web Service
- T1005 Data from Local System
- T1547.001 Registry Run Keys / Startup Folder
- T1059.003 Windows Command Shell
- T1588.002 Tool
- T1070.004 File Deletion
- T1003.003 NTDS
- T1134 Access Token Manipulation
- T1068 Exploitation for Privilege Escalation
- T1204.002 Malicious File
- T1036.004 Masquerade Task or Service
- T1566.003 Spearphishing via Service
- T1059.001 PowerShell
- T1560 Archive Collected Data
- T1553.002 Code Signing
- T1021.001 Remote Desktop Protocol
- T1119 Automated Collection
- T1018 Remote System Discovery
- T1053.005 Scheduled Task
- T1569.002 Service Execution
- T1046 Network Service Discovery
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1047 Windows Management Instrumentation
- T1110.002 Password Cracking
- T1555 Credentials from Password Stores
- T1095 Non-Application Layer Protocol
- T1078 Valid Accounts
- T1573.002 Asymmetric Cryptography
- T1003.001 LSASS Memory
- T1555.003 Credentials from Web Browsers
- T1074.002 Remote Data Staging
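As an added example that is not part of this profile or of the cited reports, the Python below maps constructed Windows Security/Sysmon-style endpoint events to the technique IDs listed above. The field names (EventID, Image, CommandLine, ServiceName, TaskName, LogonType), the sample events and the hostnames and usernames in them are assumptions; the patterns themselves (PSEXESVC service installation, AdFind LDAP filters, encoded PowerShell, remote WMIC process creation, RDP logon type 10, Mimikatz sekurlsa module names) correspond to the tools and techniques catalogued on this page.

```python
"""Added example: map constructed Windows endpoint events to the FIN6
ATT&CK technique IDs listed in this profile. Not code from the profile
or its sources; events, hosts, users and field names are assumptions."""
import re
from collections import defaultdict

# Technique IDs from the profile's TTP list (T1562.001 is the ID for
# Disable or Modify Tools).
PROFILE_IDS = {
    "T1003.001", "T1003.003", "T1005", "T1018", "T1021.001", "T1027.010",
    "T1036.004", "T1046", "T1047", "T1048.003", "T1053.005", "T1059",
    "T1059.001", "T1059.003", "T1059.007", "T1068", "T1070.004", "T1074.002",
    "T1078", "T1087.002", "T1095", "T1102", "T1110.002", "T1119", "T1134",
    "T1204.002", "T1213.006", "T1547.001", "T1553.002", "T1555", "T1555.003",
    "T1560", "T1560.003", "T1562.001", "T1566.001", "T1566.003", "T1569.002",
    "T1572", "T1573.002", "T1588.002",
}

def _cmd(e):
    return e.get("CommandLine", "")

def _img(e):
    return e.get("Image", "").lower()

# (technique_id, predicate). Field names follow Windows Security / Sysmon
# conventions (assumption): EventID, Image, CommandLine, ServiceName, LogonType.
RULES = [
    # 7045: PsExec installs PSEXESVC as a service on the target host.
    ("T1569.002", lambda e: e.get("EventID") == 7045
                  and "psexesvc" in e.get("ServiceName", "").lower()),
    # AdFind LDAP filters for computers (hosts) and persons (accounts).
    ("T1018", lambda e: "adfind" in _img(e)
              and re.search(r"-f\s+\S*objectcategory=computer", _cmd(e), re.I)),
    ("T1087.002", lambda e: "adfind" in _img(e)
                  and re.search(r"-f\s+\S*objectcategory=person", _cmd(e), re.I)),
    # Any PowerShell host; encoded/base64 arguments also count as obfuscation.
    ("T1059.001", lambda e: "powershell" in _img(e)),
    ("T1027.010", lambda e: "powershell" in _img(e) and re.search(
        r"(?i)(-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String)", _cmd(e))),
    # 4698: scheduled task created.
    ("T1053.005", lambda e: e.get("EventID") == 4698),
    # Mimikatz module names survive even when the binary is renamed.
    ("T1003.001", lambda e: "sekurlsa::" in _cmd(e).lower()),
    # WMIC process creation against a remote node.
    ("T1047", lambda e: "wmic" in _img(e) and "/node:" in _cmd(e).lower()
              and "process call create" in _cmd(e).lower()),
    # 4624 with logon type 10 = RemoteInteractive (RDP).
    ("T1021.001", lambda e: e.get("EventID") == 4624 and e.get("LogonType") == 10),
]

# Constructed sample events (not real telemetry).
EVENTS = [
    {"EventID": 4688, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 4688, "Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=computer)" name dnshostname'},
    {"EventID": 4688, "Image": r"C:\Users\Public\adfind.exe",
     "CommandLine": 'adfind.exe -f "(objectcategory=person)" samaccountname'},
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 4698, "TaskName": r"\Microsoft\Windows\Update Service"},
    {"EventID": 4688, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"SRV-POS-03" process call create "cmd.exe /c start.bat"'},
    {"EventID": 4624, "LogonType": 10, "TargetUserName": "svc_backup"},
    {"EventID": 4688, "Image": r"C:\Temp\m.exe",
     "CommandLine": 'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 4688, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]

def match_event(event):
    """Technique IDs whose rule fires on one event, in RULES order."""
    return [tid for tid, pred in RULES if pred(event)]

def scan(events):
    """{technique_id: [event indices]} over a sequence of events."""
    hits = defaultdict(list)
    for i, ev in enumerate(events):
        for tid in match_event(ev):
            hits[tid].append(i)
    return dict(hits)

def coverage(events, profile_ids):
    """Sorted technique IDs from the profile that the events exercise."""
    return sorted(set(scan(events)) & set(profile_ids))

if __name__ == "__main__":
    for tid, idx in sorted(scan(EVENTS).items()):
        print(tid, idx)
    print("profile techniques exercised:", coverage(EVENTS, PROFILE_IDS))
```

The rules key on behaviour (service name, LDAP filter, module name, logon type) rather than on file names, which is why the renamed Mimikatz binary in the sample still matches; a real deployment would feed the same predicates from a SIEM query rather than from an inline list.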
Notable Indicators of Compromise (IOCs)
No atomic indicators are listed in this profile. The APTnotes snapshot indexes one public report that may contain IOCs; see Source Attribution for dataset links.
Malware and Tools
- FrameworkPoS: point-of-sale memory scraper used to harvest payment card data (catalogued by MITRE as FrameworkPOS, S0503, below)
- Vawtrak/Neverquest: banking trojan
- Ransomware: Ryuk, LockerGoga and Maze (see MITRE ATT&CK Software below) [10]
MITRE ATT&CK Software
- FlawedAmmyy (S0381) — malware
- GrimAgent (S0632) — malware
- FrameworkPOS (S0503) — malware
- More_eggs (S0284) — malware
- Cobalt Strike (S0154) — malware
- Windows Credential Editor (S0005) — tool
- AdFind (S0552) — tool
- PsExec (S0029) — tool
- Maze (S0449) — malware
- LockerGoga (S0372) — malware
- Ryuk (S0446) — malware
- Mimikatz (S0002) — tool
Attribution and Evidence
Country of Origin: Russia. Additional attribution information pending cataloguing.
References
[1] mitre-attack (MITRE ATT&CK).
[8] Crowdstrike Global Threat Report Feb 2018: CrowdStrike. (2018, February 26). CrowdStrike 2018 Global Threat Report. Retrieved October 10, 2018.
[9] FireEye FIN6 April 2016: FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved November 17, 2024.
[10] FireEye FIN6 Apr 2019: McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
[11] Microsoft Threat Actor Naming July 2023: Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
[12] Security Intelligence ITG08 April 2020: Villadsen, O. (2020, April 7). ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework. Retrieved October 8, 2020.
[13] Security Intelligence More Eggs Aug 2019: Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.