FIN8 | APT Profile

Description

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected [FIN8](https://attack.mitre.org/groups/G0061) switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

Techniques Used (TTPs)

T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1070.001 — Clear Windows Event Logs (defense-evasion)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1033 — System Owner/User Discovery (discovery)
T1518.001 — Security Software Discovery (discovery)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1003.001 — LSASS Memory (credential-access)
T1588.002 — Tool (resource-development)
T1204.002 — Malicious File (execution)
T1588.003 — Code Signing Certificates (resource-development)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
T1566.002 — Spearphishing Link (initial-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1204.001 — Malicious Link (execution)
T1102 — Web Service (command-and-control)
T1027.010 — Command Obfuscation (defense-evasion)
T1070.004 — File Deletion (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1071.001 — Web Protocols (command-and-control)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1560.001 — Archive via Utility (collection)
T1074.002 — Remote Data Staging (collection)
T1105 — Ingress Tool Transfer (command-and-control)
T1082 — System Information Discovery (discovery)
T1059.001 — PowerShell (execution)
T1059.003 — Windows Command Shell (execution)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1055.004 — Asynchronous Procedure Call (defense-evasion, privilege-escalation)
T1018 — Remote System Discovery (discovery)
T1486 — Data Encrypted for Impact (impact)
T1482 — Domain Trust Discovery (discovery)
T1112 — Modify Registry (defense-evasion, persistence)
T1134.001 — Token Impersonation/Theft (defense-evasion, privilege-escalation)
T1016.001 — Internet Connection Discovery (discovery)
T1047 — Windows Management Instrumentation (execution)

Total TTPs: 36

Malware & Tools

Malware: BADHATCH, PUNCHBUGGY, PUNCHTRACK, Ragnar Locker, Sardonic

Tools: Impacket, Net, Nltest, Ping, PsExec, dsquery

← Return to Home ← Back to APT Search