FIN6 infrastructure likely consists of distributed command and control (C2) servers and exfiltration servers. FIN6 is reported to have conducted C2 over HTTPS. As such, it would be wise to purchase, associate, and categorize a domain for each redirector. Let's Encrypt is a resource for free SSL/TLS certificates.
FIN6 uses separate servers for exfiltration. They appear to purchase domain names that are similar or relevant to their target organization in order to blend in. The group may very well use one server to exfiltrate Discovery data during Phase 1, and separate servers to exfiltrate PoS or payment data during Phase 2. Specific server configuration very much depends on the C2 framework.
Detailing specific infrastructure configuration is beyond the scope of this plan. Please consult the following resources:
- Cloud-based Redirectors for Distributed Hacking
- Infrastructure for Ongoing Red Team Operations
- HTTPS Payload and C2 Redirectors
- Red Team Infrastructure Wiki
- A Deep Dive into Cobalt Strike Malleable C2
The following represents a bare minimum but should be operationally representative of FIN6 infrastructure and toolset:
- C2 Framework
- ADFind
- 7-Zip
- PuTTY/Plink/PSCP
- Windows Credential Editor
- PsExec
- Scraper
- DNSCat Server
- DNSCat PowerShell Client
- PowerSploit
- SimulateRansomware
- PS2EXE
- 1 x Kali/Metasploit Machine
- 1 x Teamserver
- 1 x Redirector
- DNS - FIN6 is reported to have exfiltrated POS data from compromised systems using DNS tunneling.[5][7] In order to emulate this use case (Phase 2 Scenario 1), you will need to set up an exfiltration server that is capable of receiving DNS requests and issuing DNS responses. We further describe how to emulate this activity using dnscat2 in Phase 2.
- HTTP - FIN6 is reported to have exfiltrated payment data resulting from its Magecart Group 6 activity via HTTP POST.[10] In order to emulate this use case (Phase 2 Scenario 2), you will need to set up an exfiltration server capable of receiving HTTP POST requests. Depending on how you intend to evaluate this scenario, a lightweight solution like Python's http.server may be appropriate. This activity is further described in Phase 2.
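Defender-side companion to the DNS exfiltration scenario above: an added detection example, not part of this plan and not dnscat2's own code, that scores constructed resolver log lines for dnscat2-style tunneling traits (many distinct, long, high-entropy leftmost labels under one apex, carried in TXT/CNAME/MX records). The log format, the thresholds and the dnstun.example apex are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<time> <client> <qname> <qtype>".
# Not real telemetry; dnstun.example is a placeholder tunnel apex domain.
SAMPLE_LOG = """
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 login.example.com A
10:00:03 10.0.0.7 4a3f9c1e7b2d4455aa10ff3e9b.dnstun.example TXT
10:00:04 10.0.0.7 c71e0b2f9d3a6688ee42ab91cd.dnstun.example TXT
10:00:05 10.0.0.7 7d2b8e4f1c9a3377bb55dd03ef.dnstun.example CNAME
10:00:06 10.0.0.7 e9f01a5c3b7d2299cc88ee16a4.dnstun.example TXT
10:00:07 10.0.0.7 52c3d7e8f0a1b466dd99ff27b8.dnstun.example TXT
""".strip().splitlines()

TUNNEL_QTYPES = {"TXT", "CNAME", "MX"}  # dnscat2's default data-carrying record types

def shannon_entropy(s):
    """Bits per character; encoded payload labels score high, hostnames low."""
    if not s:
        return 0.0
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def detect_dns_tunneling(lines, min_queries=5, min_label_len=20, min_entropy=3.0):
    """Bucket queries by (client, apex) and flag buckets with dnscat2-style traits:
    distinct, long, high-entropy leftmost labels in data-carrying record types."""
    buckets = defaultdict(list)
    for line in lines:
        _, client, qname, qtype = line.split()
        labels = qname.rstrip(".").split(".")
        # Naive apex = last two labels; real code should consult the public suffix list.
        buckets[(client, ".".join(labels[-2:]))].append((labels[0], qtype.upper()))
    hits = {}
    for key, recs in buckets.items():
        if len(recs) < min_queries:
            continue
        firsts = [lab for lab, _ in recs]
        stats = {
            "queries": len(recs),
            "unique_labels": len(set(firsts)),
            "avg_label_len": sum(map(len, firsts)) / len(firsts),
            "avg_entropy": sum(map(shannon_entropy, firsts)) / len(firsts),
            "tunnel_qtype_ratio": sum(q in TUNNEL_QTYPES for _, q in recs) / len(recs),
        }
        if (stats["unique_labels"] == len(recs)
                and stats["avg_label_len"] >= min_label_len
                and stats["avg_entropy"] >= min_entropy
                and stats["tunnel_qtype_ratio"] >= 0.5):
            hits[key] = stats
    return hits
```

Legitimate services (CDNs, DNS-based blocklists, some telemetry agents) also emit many unique high-entropy subdomains, so treat hits as triage leads against an allowlist rather than standalone alerts.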