Description
[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)
Techniques Used (TTPs)
- T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1059.005 — Visual Basic (execution)
- T1090.003 — Multi-hop Proxy (command-and-control)
- T1204.002 — Malicious File (execution)
- T1564.008 — Email Hiding Rules (defense-evasion)
- T1204.001 — Malicious Link (execution)
- T1056.001 — Keylogging (collection, credential-access)
- T1056.002 — GUI Input Capture (collection, credential-access)
- T1566.002 — Spearphishing Link (initial-access)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1071.001 — Web Protocols (command-and-control)
- T1114.002 — Remote Email Collection (collection)
Total TTPs: 12