Introduction
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [3][4][5]
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1090.002 External Proxy
- T1070.004 File Deletion
- T1074.001 Local Data Staging
- T1059 Command and Scripting Interpreter
- T1018 Remote System Discovery
- T1119 Automated Collection
- T1110 Brute Force
- T1070.001 Clear Windows Event Logs
- T1588.002 Tool
- T1133 External Remote Services
- T1078 Valid Accounts
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CyberGate
- DarkRat
- Cyber Eye RAT
MITRE ATT&CK Software
- Windows Credential Editor (S0005) — tool
- PsExec (S0029) — tool
- FLIPSIDE (S0173) — malware
- pwdump (S0006) — tool
- SDelete (S0195) — tool
- RawPOS (S0169) — malware
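The TTP list above (T1110 Brute Force, T1078 Valid Accounts, T1133 External Remote Services, T1070.001 Clear Windows Event Logs) and the PsExec entry in the tool list describe behaviour that leaves well-known traces in Windows event logs. The following is an added example, not code from the page's sources or from any FIN5 reporting: toy detection logic run over constructed Windows Security and System event records. The event IDs (4625 failed logon, 4624 successful logon with logon type 10 for RDP, 7045 service install, 1102 audit log cleared) and the EventData field names are the real Windows ones; the records, the IP addresses (documentation ranges), the account names and the thresholds are assumptions made up for the example.

```python
"""
Added example: toy detection logic for three behaviours from the FIN5
profile, run over constructed Windows event records (not real telemetry).

  1. Brute force followed by a valid-account logon over an external remote
     service: a burst of failed logons (Security 4625) from one source IP,
     then a successful RDP logon (Security 4624, LogonType 10) from that IP.
  2. PsExec use: a System 7045 service-install event for PSEXESVC.
  3. Clearing the Security log: Security 1102.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    channel: str      # "Security" or "System"
    event_id: int
    data: dict        # subset of the EventData fields of the Windows event


# Constructed sample records. Hypothetical hosts, users and IPs.
T0 = datetime(2024, 1, 1, 3, 0, 0)
SAMPLE_EVENTS = [
    # Stale failure from the attacker IP, outside the correlation window.
    Event(T0 - timedelta(minutes=30), "Security", 4625,
          {"IpAddress": "203.0.113.7", "TargetUserName": "admin"}),
] + [
    # Six failed logons in six minutes from the same IP (password guessing).
    Event(T0 + timedelta(minutes=i), "Security", 4625,
          {"IpAddress": "203.0.113.7", "TargetUserName": user})
    for i, user in enumerate(["admin", "administrator", "pos", "svc_pos",
                              "backup", "svc_pos"])
] + [
    # ...then a successful RDP logon from that IP with a guessed account.
    Event(T0 + timedelta(minutes=7), "Security", 4624,
          {"IpAddress": "203.0.113.7", "TargetUserName": "svc_pos",
           "LogonType": 10}),
    # Benign RDP logon with no preceding failures (should not alert).
    Event(T0 + timedelta(minutes=8), "Security", 4624,
          {"IpAddress": "198.51.100.9", "TargetUserName": "jdoe",
           "LogonType": 10}),
    # Lone typo-style failure from another IP (should not alert).
    Event(T0 + timedelta(minutes=9), "Security", 4625,
          {"IpAddress": "192.0.2.5", "TargetUserName": "jdoe"}),
    # PsExec drops and installs its service on the target.
    Event(T0 + timedelta(minutes=20), "System", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    # Benign service install (should not alert).
    Event(T0 + timedelta(minutes=21), "System", 7045,
          {"ServiceName": "WinDefend", "ImagePath": r"C:\Program Files\x\y.exe"}),
    # Security log cleared by the compromised account.
    Event(T0 + timedelta(minutes=40), "Security", 1102,
          {"SubjectUserName": "svc_pos"}),
]


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, account, time) for each successful RDP logon (4624, type 10)
    preceded by at least `threshold` failed logons (4625) from the same IP
    within `window`. Events are processed in time order so only failures that
    precede the success count."""
    failures = defaultdict(list)   # source IP -> timestamps of 4625 events
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.channel != "Security":
            continue
        if ev.event_id == 4625:
            failures[ev.data["IpAddress"]].append(ev.ts)
        elif ev.event_id == 4624 and ev.data.get("LogonType") == 10:
            ip = ev.data["IpAddress"]
            recent = [t for t in failures[ip] if ev.ts - t <= window]
            if len(recent) >= threshold:
                hits.append((ip, ev.data["TargetUserName"], ev.ts))
    return hits


def detect_psexec_service(events):
    """Return timestamps of System 7045 events installing the PSEXESVC service
    (the default name; a renamed PsExec binary uses a different name)."""
    return [ev.ts for ev in events
            if ev.channel == "System" and ev.event_id == 7045
            and ev.data.get("ServiceName", "").upper() == "PSEXESVC"]


def detect_log_clear(events):
    """Return (time, user) for each Security 1102 'audit log was cleared' event."""
    return [(ev.ts, ev.data.get("SubjectUserName")) for ev in events
            if ev.channel == "Security" and ev.event_id == 1102]


def run_detections(events):
    """Run all three detections and return their findings keyed by name."""
    return {
        "bruteforce_then_rdp_success": detect_bruteforce_then_success(events),
        "psexec_service_install": detect_psexec_service(events),
        "security_log_cleared": detect_log_clear(events),
    }


if __name__ == "__main__":
    for name, findings in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {findings}")
```

The correlation window matters: the stale 4625 from the attacker IP half an hour earlier is ignored, so raising the threshold above the six in-window failures produces no alert. The PSEXESVC check is name-based and misses a renamed PsExec service binary; pairing it with the 4624/4625 correlation and the 1102 event gives a chain that does not depend on any single indicator.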
Attribution and Evidence
Information pending cataloguing.
References
[1] MITRE ATT&CK. FIN5 group entry.
[3] Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). FireEye. Retrieved October 4, 2017.
[4] Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Mandiant, GrrCON 2016. Retrieved October 6, 2017.
[5] Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. DarkReading. Retrieved October 4, 2017.