🇷🇺

MageCart

APT Group Financial gain Financial crime 2 zero-day CVEs ETDA ✓

Also Known As 11 names

ATK88 Camouflage Tempest G0037 GOLD FRANKLIN ITG08 FIN6 SKELETON SPIDER Storm-0538 TA4557 TAAL White Giant

Target Countries 7

Countries highlighted in red

United Arab Emirates Brazil France United Kingdom India Pakistan United States

Sectors Targeted

Computer Systems Design Services 541512 Spectator Sports 7112 Internet Publishing and Broadcasting and Web Search Portals 51913 Medical Equipment and Supplies Manufacturing 33911 Performing Arts Companies 7111 Business Schools and Computer and Management Training 6114 Couriers and Express Delivery Services 492110 Offices of Certified Public Accountants 541211 Advertising Agencies 54181 Promoters of Performing Arts, Sports, and Similar Events 7113 Data Processing, Hosting, and Related Services 51821 Office Supplies and Stationery Stores 45321 Computer Systems Design and Related Services 54151 Finance and Insurance 52

Details

Origin 🇷🇺 RU

Last Updated 01 Jun 2022

Malware Families 5

grateful_pos

blackpos

FlawedAmmy

zhmimikatz

Ammyy Admin

MITRE ATT&CK 108

T1003 T1003.001 T1003.003 T1005 T1012 T1016 T1018 T1021 T1021.001 T1027 - Obfuscated Files or Information T1027.010 T1033 T1036 T1036.004 T1037 T1041 - Exfiltration Over C2 Channel T1046 T1047 T1048 T1048.003 T1049 T1053 T1053.005 T1055 - Process Injection T1056 T1056.002 - GUI Input Capture T1057 T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1059.003 T1059.007 - JavaScript T1068 T1070 T1070.004 T1071 T1071.001 T1074 T1074.002 T1078 T1082 T1083 T1087 T1087.002 T1090 T1095 T1102 T1102.002 - Bidirectional Communication T1102.003 - One-Way Communication T1104 T1105 - Ingress Tool Transfer T1106 T1110 - Brute Force T1110.002 T1113 T1114 T1119 T1120 T1123 - Audio Capture T1132 T1134 T1134.001 T1136 T1140 - Deobfuscate/Decode Files or Information T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application T1192 T1195 T1195.002 T1204 - User Execution T1204.001 - Malicious Link T1204.002 T1213 T1213.006 T1218 T1496 T1503 T1505 T1505.003 T1546 T1547 - Boot or Logon Autostart Execution T1547.001 T1553 T1553.002 T1555 T1555.003 T1556 T1560 T1560.003 T1562 - Impair Defenses T1564 T1566 T1566.001 T1566.003 T1569 T1569.002 T1572 T1573 T1573.002 T1574 - Hijack Execution Flow T1583.005 T1583.006 - Web Services T1587 T1588 T1588.002 T1592.002 - Software T1685 TA0011 TA0037

Related Zero-Days 2

CVE-2021-34527 CVE-2022-30190

Known Names 11 entries

FIN6 FireEye

Skeleton Spider CrowdStrike

Gold Franklin Secureworks

White Giant PWC

ITG08 IBM

ATK 88 Thales

TAG-CR2 Recorded Future

TAAL Microsoft

Storm-0538 Microsoft

Camouflage Tempest Microsoft

G0037 MITRE

Description

FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors. (FireEye) FIN6 is a cybercriminal group intent on stealing payment card data for monetization. In 2015, FireEye Threat Intelligence supported several Mandiant Consulting investigations in the hospitality and retail sectors where FIN6 actors had aggressively targeted and compromised point-of-sale (POS) systems, making off with millions of payment card numbers. Through iSIGHT, we learned that the payment card numbers stolen by FIN6 were sold on a “card shop” — an underground criminal marketplace used to sell or exchange payment card data.

Tools Used 19

AbaddonPOS Anchor BlackPOS CmdSQL Cobalt Strike FlawedAmmyy Grateful POS JSPSPY LockerGoga Magecart Meterpreter Mimikatz More_eggs Ryuk SCRAPMINT TerraStealer Vawtrak Windows Credentials Editor Living off the Land

Operations 8

2018 Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology. https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

2019-01 Over the past 8-10 weeks, Morphisec has been tracking multiple sophisticated attacks targeting Point of Sale thin clients globally. More specifically, on the 6th of February we identified an extremely high number of prevention events stopping Cobalt Strike backdoor execution, with some of the attacks expressly targeting Point of Sale VMWare Horizon thin clients. http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems

2019-01 Hackers have infected the systems of Altran Technologies with malware that spread through the company network, affecting operations in some European countries. To protect client data and their own assets, Altran decided to shut down its network and applications. https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/

2019-03 One of the largest aluminum producers in the world, Norsk Hydro, has been forced to switch to partial manual operations due to a cyber attack that is allegedly pushing LockerGoga ransomware. https://www.bleepingcomputer.com/news/security/lockergoga-ransomware-sends-norsk-hydro-into-manual-mode/

2019-04 The Securonix Threat Research Team has been closely monitoring the LockerGoga targeted cyber sabotage/ransomware (TC/R) attacks impacting Norsk Hydro (one of the largest aluminum companies worldwide), Hexion/Momentive (a chemical manufacturer), and other companies’ IT and operational technology (OT) infrastructure, causing over US$40 million in damages. https://www.securonix.com/securonix-threat-research-detecting-lockergoga-targeted-it-ot-cyber-sabotage-ransomware-attacks/

2019-08 Based on our investigation and analysis of its adversarial tactics, techniques and procedures (TTPs), we believe ITG08 is actively attacking multinational organizations, targeting specific employees with spear phishing emails advertising fake job advertisements and repeatedly deploying the More_eggs Jscript backdoor malware. https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

2019-09 Hackers have breached the infrastructure of Volusion, a provider of cloud-hosted online stores, and are delivering malicious code that records and steals payment card details entered by users in online forms. https://www.zdnet.com/article/hackers-breach-volusion-and-start-collecting-card-details-from-thousands-of-sites/ https://www.zdnet.com/article/card-data-from-the-volusion-web-skimmer-incident-surfaces-on-the-dark-web/

2020-03 In a new and dangerous twist to this trend, IBM X-Force Incident Response and Intelligence Services (IRIS) research believes that the elite cybercriminal threat actor ITG08, also known as FIN6, has partnered with the malware gang behind one of the most active Trojans — TrickBot — to use TrickBot’s new malware framework dubbed “Anchor” against organizations for financial profit. https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/

Reports & References 3

https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf https://dti.domaintools.com/Skeleton-Spider-Trusted-Cloud-Malware-Delivery/

ETDA Profile

FIN6, Skeleton Spider

Origin

[Unknown]

First Seen 2015

Motivation

Financial crime Financial gain

MITRE ATT&CK Groups

https://attack.mitre.org/groups/G0037/

View on ETDA APT Groups ↗