FIN6

APT Group Financial gain Financial crime ETDA ✓

Also Known As 6 names

TAAL Group G0037 Camouflage Tempest Skeleton Spider ITG08 APT81

Target Countries 4

Countries highlighted in red

Argentina Ireland United States South Africa

Sectors Targeted

Manufacturing Computer Systems Design and Related Services 54151 NAICS:31 31 Human Resources Consulting Services 541612 Chemical Manufacturing 325 Food Manufacturing 311 Computer Systems Design and Related Services 5415 Utilities 22 Data Processing, Hosting, and Related Services 51821 Food Services and Drinking Places 722 Energy Hospitality Data Processing, Hosting, and Related Services 518 NAICS:44 44 Chemical Retail Health Care and Social Assistance 62 Finance and Insurance 52 Accommodation and Food Services 72 Employment Placement Agencies and Executive Search Services 56131 Computer Systems Design Services 541512 Construction 23

Details

Last Updated 01 Jun 2022

Malware Families 4

grateful_pos

blackpos

FlawedAmmy

Ammyy Admin

MITRE ATT&CK 92

T1003 T1003.001 T1003.003 T1005 T1012 - Query Registry T1018 T1021 T1021.001 T1027 - Obfuscated Files or Information T1027.002 - Software Packing T1027.004 - Compile After Delivery T1027.010 T1030 - Data Transfer Size Limits T1033 - System Owner/User Discovery T1036 T1036.004 T1040 - Network Sniffing T1041 - Exfiltration Over C2 Channel T1046 T1047 T1048 T1048.003 T1053 - Scheduled Task/Job T1053.005 - Scheduled Task T1055 - Process Injection T1057 - Process Discovery T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 - Windows Command Shell T1059.007 - JavaScript T1068 T1070 T1070.004 T1071 - Application Layer Protocol T1071.001 - Web Protocols T1074 T1074.002 T1078 - Valid Accounts T1078.001 - Default Accounts T1082 - System Information Discovery T1087 T1087.002 T1090 - Proxy T1095 T1102 T1104 - Multi-Stage Channels T1105 - Ingress Tool Transfer T1110 T1110.002 T1113 - Screen Capture T1119 T1124 - System Time Discovery T1132 - Data Encoding T1134 T1140 - Deobfuscate/Decode Files or Information T1190 - Exploit Public-Facing Application T1199 - Trusted Relationship T1204 - User Execution T1204.001 - Malicious Link T1204.002 - Malicious File T1213 T1213.006 T1218 T1220 T1490 T1496 - Resource Hijacking T1497 T1530 T1539 - Steal Web Session Cookie T1547 - Boot or Logon Autostart Execution T1547.001 - Registry Run Keys / Startup Folder T1553 T1553.002 T1555 - Credentials from Password Stores T1555.003 T1560 T1560.003 T1562 - Impair Defenses T1562.001 T1566 - Phishing T1566.001 - Spearphishing Attachment T1566.002 - Spearphishing Link T1566.003 T1569 T1569.002 T1571 - Non-Standard Port T1572 T1573 T1573.002 T1574 - Hijack Execution Flow T1588 T1588.002

Related Zero-Days

No zero-day CVE linked to this actor

Known Names 11 entries

FIN6 FireEye

Skeleton Spider CrowdStrike

Gold Franklin Secureworks

White Giant PWC

ITG08 IBM

ATK 88 Thales

TAG-CR2 Recorded Future

TAAL Microsoft

Storm-0538 Microsoft

Camouflage Tempest Microsoft

G0037 MITRE

Description

FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (FireEye) FIN6 is a cybercriminal group intent on stealing payment card data for monetization. In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised point-of-sale (POS) systems, making off with millions of payment card numbers. Through iSIGHT, we learned that the payment card numbers stolen by FIN6 were sold on a “card shop” — an underground criminal marketplace used to sell or exchange payment card data.

Tools Used 19

AbaddonPOS Anchor BlackPOS CmdSQL Cobalt Strike FlawedAmmyy Grateful POS JSPSPY LockerGoga Magecart Meterpreter Mimikatz More_eggs Ryuk SCRAPMINT TerraStealer Vawtrak Windows Credentials Editor Living off the Land

Operations 8

2018 Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology. https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

2019-01 Over the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally. More specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMWare Horizon thin clients. http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems

2019-01 Hackers have infected the systems of Altran Technologies with malware that spread through the company network, affecting operations in some European countries. To protect client data and their own assets, Altran decided to shut down its network and applications. https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

2019-03 One of the largest aluminum producers in the world, Norsk Hydro, has been forced to switch to partial manual operations due to a cyber attack that is allegedly pushing LockerGoga ransomware. https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/

2019-04 The Securonix Threat Research Team has been closely monitoring the LockerGoga targeted cyber sabotage/ransomware (TC/R) attacks impacting Norsk Hydro (one of the largest aluminum companies worldwide), Hexion/Momentive (a chemical manufacturer), and other companies’ IT and operational technology (OT) infrastructure, causing over US$40 million in damages. https://www.securonix.com/securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks/

2019-08 Based on our investigation and analysis of its adversarial tactics, techniques and procedures (TTPs), we believe ITG08 is actively attacking multinational organizations, targeting specific employees with spear phishing emails advertising fake job advertisements and repeatedly deploying the More_eggs Jscript backdoor malware. https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

2019-09 Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms. https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/ https://www.zdnet.com/article/card-data-from-the-volusion-web-skimmer-incident-surfaces-on-the-dark-web/

2020-03 In a new and dangerous twist to this trend, IBM X-Force Incident Response and Intelligence Services (IRIS) research believes that the elite cybercriminal threat actor ITG08, also known as FIN6, has partnered with the malware gang behind one of the most active Trojans — TrickBot — to use TrickBot’s new malware framework dubbed “Anchor” against organizations for financial profit. https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

Reports & References 3

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/

ETDA Profile

FIN6, Skeleton Spider

Origin

[Unknown]

First Seen 2015

Motivation

Financial crime Financial gain

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0037/

View on ETDA APT Groups ↗