Introduction
FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America since as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisitions information, or PII. [4][3]
Activities and Tactics
Country of Origin: 🇷🇺 Russia
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
- T1587.001 Malware
- T1078.001 Default Accounts
- T1572 Protocol Tunneling
- T1021.006 Windows Remote Management
- T1133 External Remote Services
- T1087.002 Domain Account
- T1046 Network Service Discovery
- T1505.003 Web Shell
- T1082 System Information Discovery
- T1016 System Network Configuration Discovery
- T1090.001 Internal Proxy
- T1565 Data Manipulation
- T1059.001 PowerShell
- T1053.005 Scheduled Task
- T1136.001 Local Account
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1190 Exploit Public-Facing Application
- T1589 Gather Victim Identity Information
- T1036.004 Masquerade Task or Service
- T1021.002 SMB/Windows Admin Shares
- T1003.001 LSASS Memory
- T1564.001 Hidden Files and Directories
- T1552.001 Credentials In Files
- T1657 Financial Theft
- T1588.002 Tool
- T1134.003 Make and Impersonate Token
- T1105 Ingress Tool Transfer
- T1071.001 Web Protocols
- T1550.002 Pass the Hash
- T1059.003 Windows Command Shell
- T1547.001 Registry Run Keys / Startup Folder
- T1016.001 Internet Connection Discovery
- T1036 Masquerading
- T1059.005 Visual Basic
- T1098.007 Additional Local or Domain Groups
- T1574.001 DLL
- T1021.001 Remote Desktop Protocol
- T1590.004 Network Topology
- T1135 Network Share Discovery
- T1560.001 Archive via Utility
- T1140 Deobfuscate/Decode Files or Information
- T1556 Modify Authentication Process
- T1047 Windows Management Instrumentation
- T1021.004 SSH
- T1074.001 Local Data Staging
- T1056.001 Keylogging
- T1036.005 Match Legitimate Resource Name or Location
- T1049 System Network Connections Discovery
- T1083 File and Directory Discovery
- T1005 Data from Local System
- T1069 Permission Groups Discovery
- T1087 Account Discovery
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- Backdoor.Oldrea
- Back Orifice
- Back Orifice 2000
- CyberGate
- Cyber Eye RAT
- Cobalt Strike
Attribution and Evidence
Country of Origin: Russia
Additional attribution information pending cataloguing.
References
[1] mitre-attack
[3] Sygnia Elephant Beetle Jan 2022: Sygnia Incident Response Team. (2022, January 5). TG2003: Elephant Beetle: Uncovering an Organized Financial-Theft Operation. Retrieved February 9, 2023.
[4] Mandiant FIN13 Aug 2022: Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.