ATT&CK Group ID: G0037
Associated Groups: ITG08, SKELETON SPIDER, Magecart Group 6, MAZE Group 3
Objectives and Evolution: FIN6 is thought to be a financially motivated cyber-crime group. As such, they appear to take a pragmatic approach toward targeting and exploitation. Their strategic objective over time and across a diverse target set remains the same: monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (POS) transactions. The group had some high-profile success and presumably monetized the compromised credit card information on the dark web. The widespread implementation of point-to-point encryption (P2PE) and Europay, Mastercard, and Visa (EMV) may have been a catalyst for operational adjustment.[8]
Since 2018, FIN6 has been associated with Magecart Group 6.[10] Magecart is cyber-crime activity directed against e-commerce sites. The attackers inject a skimmer script into the website's checkout page to pilfer payment information provided by unsuspecting customers.[10] If FIN6 is responsible for this activity, this would demonstrate the group's willingness to modify TTPs to continue to achieve operational success.
In 2019, vendors reported what appeared to be FIN6 TTPs directed against organizations that do not process POS data.[4] The methods by which the aggressors achieved their tactical objectives were consistent with those historically associated with FIN6; however, the group's operational objectives had evolved once more. After gaining access to the environment, conducting reconnaissance, escalating privileges, and moving laterally, the group deployed ransomware.[4] Most recently, FIN6 has been associated with MAZE Group 3.[12] This continued use of ransomware could confirm a strategic shift from theft to extortion in order to expand sources of revenue and stay profitable.
Target Industries: The group has aggressively targeted and compromised high-volume POS systems in the hospitality and retail sectors since at least 2015.[5] FIN6 has targeted e-commerce sites and multinational organizations. Most of the group’s targets have been located in the United States and Europe, but include companies in Australia, Canada, Spain, India, Kazakhstan, Serbia, and China.[5] Most recently, the group is reported to be deploying ransomware. Industry and geography are of little consequence for operations that leverage extortion to monetize compromised environments.
Operations: FIN6 has been known to attain initial access to target organizations by using legitimate but compromised credentials (T1078) coupled with legitimate remote access applications (T1133), and spearphishing (T1566.001, T1566.002, T1566.003). Most recently, FIN6 may have been purchasing access to environments previously compromised with TrickBot.[8] Once inside the target organization, FIN6 uses a variety of open and closed-source red team tools, custom scripts (T1059), and commodity malware in support of tactical objectives.
FIN6’s tactical objectives are to identify systems for staging, reconnoiter Active Directory environments (T1046, T1069), escalate privileges (T1068) (often via credential access (T1078)), and identify systems that align with operational objectives.[5] More_eggs (S0284), a lightweight JScript implant, has been used during the initial stages of compromise to conduct host enumeration (T1018), establish command and control (C2), and download and execute additional tools (T1105).[9] FIN6 frequently uses Metasploit or Cobalt Strike (S0154) as its primary post-exploitation C2 framework, sometimes with a degree of customization to make detection more difficult.[4] To that end, FIN6 has used code-signing certificates to evade defenses (T1553.002).
Run keys (T1547.001) and scheduled tasks (T1053.005) have been used for persistence.[7] FIN6 tends to use tools that are indicative of routine administrative tasks. For instance, FIN6 has moved laterally using valid accounts (T1078) coupled with Remote Desktop Protocol (RDP) (T1021.001), various implementations of PsExec (S0029), PowerShell (T1059.001, T1059), and Windows Management Instrumentation (WMI) (T1047). The group dumps credentials (T1003) as it moves through an environment, and has also exfiltrated copies of the Active Directory (AD) database file NTDS.dit using the Metasploit NTDSGRAB module (T1003.003).[5] FIN6 has exfiltrated this reconnaissance data to servers it controls using SSH (T1048.002).[5] These actions are intended to enable FIN6’s operational objective of monetizing compromised environments.
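The persistence, lateral-movement and credential-access behaviours in the two paragraphs above each leave a characteristic Windows event behind (Sysmon registry writes under a Run key, Security 4698 task creation, System 7045 service installs with a shell one-liner as the binary, processes parented by WmiPrvSE.exe, shadow-copy or ntdsutil commands on a domain controller). The following Python is an added detection example, not code from the page or from the CTID emulation library: the event records are constructed for illustration with field names flattened from the Sysmon and Security schemas, the rule thresholds are assumptions, and the technique mapping for the service-install rule (T1569.002) is this example's own, not the page's.

```python
"""Rule-based triage of Windows event records for FIN6-style persistence,
lateral movement and credential access.  Added example: the records below are
constructed, not real telemetry; field names follow Sysmon / Windows Security
but the records are hand-built dictionaries, not parsed logs."""
import re

# Constructed sample events.  Each record is a flattened view of one event:
# channel, event ID, host, acting account and the fields a SIEM would extract.
SAMPLE_EVENTS = [
    # Sysmon 13: value written under a Run key (T1547.001)
    {"channel": "Sysmon", "event_id": 13, "host": "WS-0417", "user": "CORP\\j.doe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"wscript.exe C:\Users\j.doe\AppData\Roaming\upd.js"},
    # Security 4698: scheduled task whose action is encoded PowerShell (T1053.005)
    {"channel": "Security", "event_id": 4698, "host": "WS-0417", "user": "CORP\\j.doe",
     "TaskName": r"\Microsoft\Windows\Maintenance\Sync",
     "TaskContent": "<Exec><Command>powershell.exe</Command>"
                    "<Arguments>-nop -w hidden -enc SQBFAFgA</Arguments></Exec>"},
    # System 7045: service binary is a cmd/PowerShell one-liner, the shape left by
    # PsExec-style remote execution (assumed mapping: T1569.002)
    {"channel": "System", "event_id": 7045, "host": "SRV-DB01", "user": "CORP\\svc_backup",
     "ServiceName": "a7f3c2e",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell -nop -w hidden -enc SQBFAFgA"},
    # Sysmon 1: child of the WMI provider host (T1047)
    {"channel": "Sysmon", "event_id": 1, "host": "SRV-FILE02", "user": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    # Sysmon 1: shadow copy created on a DC, a common prelude to copying NTDS.dit (T1003.003)
    {"channel": "Sysmon", "event_id": 1, "host": "DC01", "user": "CORP\\svc_backup",
     "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    # Benign: routine service install by a deployment agent
    {"channel": "System", "event_id": 7045, "host": "WS-0099", "user": "NT AUTHORITY\\SYSTEM",
     "ServiceName": "AgentUpdater", "ImagePath": r"C:\Program Files\Agent\updater.exe"},
    # Benign: ordinary interactive process
    {"channel": "Sysmon", "event_id": 1, "host": "WS-0099", "user": "CORP\\a.smith",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)
ENCODED_PS = re.compile(r"powershell.*?\s-(?:encodedcommand|enc|ec|e)\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.IGNORECASE)


def check_run_key(ev):
    """Sysmon 13 writing a value under ...\\CurrentVersion\\Run or RunOnce."""
    if ev["channel"] == "Sysmon" and ev["event_id"] == 13 and RUN_KEY.search(ev.get("TargetObject", "")):
        return "T1547.001", f"Run key set: {ev['TargetObject']} -> {ev.get('Details', '')}"
    return None


def check_scheduled_task(ev):
    """Security 4698 whose action runs encoded PowerShell or lives in a user-writable path."""
    if ev["channel"] == "Security" and ev["event_id"] == 4698:
        content = ev.get("TaskContent", "")
        if ENCODED_PS.search(content) or USER_WRITABLE.search(content):
            return "T1053.005", f"Suspicious scheduled task {ev.get('TaskName', '?')}"
    return None


def check_service_install(ev):
    """System 7045 where the service binary is a shell one-liner or the service is named PSEXESVC."""
    if ev["channel"] == "System" and ev["event_id"] == 7045:
        path, name = ev.get("ImagePath", ""), ev.get("ServiceName", "")
        if ENCODED_PS.search(path) or "%COMSPEC%" in path.upper() or name.upper().startswith("PSEXESVC"):
            return "T1569.002", f"PsExec-style service '{name}' runs: {path}"
    return None


def check_wmi_spawn(ev):
    """Sysmon 1 whose parent is WmiPrvSE.exe: remote execution via WMI."""
    if ev["channel"] == "Sysmon" and ev["event_id"] == 1 and ev.get("ParentImage", "").lower().endswith("\\wmiprvse.exe"):
        return "T1047", f"{ev.get('Image', '?')} spawned by WmiPrvSE: {ev.get('CommandLine', '')}"
    return None


def check_ntds_access(ev):
    """Sysmon 1 touching NTDS.dit directly, via a shadow copy, or via ntdsutil IFM."""
    if ev["channel"] == "Sysmon" and ev["event_id"] == 1:
        cl = ev.get("CommandLine", "").lower()
        if "ntds.dit" in cl or ("vssadmin" in cl and "create shadow" in cl) or ("ntdsutil" in cl and "ifm" in cl):
            return "T1003.003", f"NTDS.dit access pattern: {ev['CommandLine']}"
    return None


RULES = [check_run_key, check_scheduled_task, check_service_install, check_wmi_spawn, check_ntds_access]


def triage(events):
    """Apply every rule to every event; one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append({"host": ev["host"], "user": ev["user"], "technique": hit[0], "reason": hit[1]})
    return findings


def hosts_per_user(findings):
    """Accounts tied to findings on several hosts: the lateral-movement footprint."""
    out = {}
    for f in findings:
        out.setdefault(f["user"], set()).add(f["host"])
    return {user: sorted(hosts) for user, hosts in out.items()}


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['technique']:10} {f['host']:10} {f['user']:20} {f['reason']}")
    print(hosts_per_user(found))
```

The per-event rules are deliberately narrow so that each finding carries the technique it evidences; the value for a responder comes from `hosts_per_user`, which shows one service account touching a database server, a file server and a domain controller in sequence, which is the "routine administrative tooling" pattern the page describes and which no single event would flag on its own.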
Depending on the target, FIN6 may identify POS systems and use their access to deploy POS malware such as TRINITY. This malware will search process memory, looking for payment card data to harvest (T1005). FIN6 will then obfuscate collected data (T1027) and move it to other compromised systems to be compressed (T1560) and staged for exfiltration (T1074.002).[5] FIN6 has also been known to exploit public-facing applications (T1190) and insert malicious code into the checkout pages of compromised sites to steal payment card information.[10]
In more recent campaigns, FIN6 has used its access to deploy ransomware. FIN6 may stage ransomware and automated deployment scripts (T1072) on victim servers (T1080); these scripts may call utilities like PsExec (S0029) to deploy ransomware such as LockerGoga (S0372) to as many machines as possible at the same time. FIN6 may try to acquire Domain Administrator credentials to achieve maximum success with PsExec (S0029) deployment, or so they can use Group Policy Modification (T1484) to distribute the ransomware via AD group policies.[4]
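The deployment pattern in the paragraph above is visible in telemetry as a burst: one account installing the same service on many hosts within seconds (PsExec-style fan-out), optionally preceded by an edit to a Group Policy object on a domain controller. The Python below is an added example, not code from the page or from the CTID library: the events are constructed, their field names are flattened from System event 7045 and Security event 5136, the GPO GUID is a placeholder, and the window and host-count thresholds are assumptions to be tuned per environment.

```python
"""Burst and policy-change detection for ransomware mass deployment.
Added example with constructed events (not real telemetry); thresholds are
assumptions.  Field names are flattened from System 7045 (service installed)
and Security 5136 (directory service object modified)."""
from datetime import datetime

# Constructed sample: six hosts receive the same service within 20 seconds from
# one account, shortly after that account edits a GPO on the domain controller.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "time": f"2020-04-01T02:13:{5 + 3 * n:02d}",
     "host": f"WS-{n:04d}", "user": "CORP\\svc_backup",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}
    for n in range(1, 7)
] + [
    # Security 5136 on the DC: a GPO attribute changed by the same account
    {"channel": "Security", "event_id": 5136, "time": "2020-04-01T02:10:40", "host": "DC01",
     "user": "CORP\\svc_backup", "ObjectClass": "groupPolicyContainer",
     "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies,CN=System,DC=corp,DC=example",
     "AttributeLDAPDisplayName": "gPCMachineExtensionNames"},
    # Benign: a user object edited by the help desk
    {"channel": "Security", "event_id": 5136, "time": "2020-04-01T01:02:00", "host": "DC01",
     "user": "CORP\\helpdesk", "ObjectClass": "user",
     "ObjectDN": "CN=a.smith,OU=Staff,DC=corp,DC=example", "AttributeLDAPDisplayName": "telephoneNumber"},
    # Benign: two routine agent installs hours apart
    {"channel": "System", "event_id": 7045, "time": "2020-03-31T09:00:00", "host": "WS-0050",
     "user": "NT AUTHORITY\\SYSTEM", "ServiceName": "AgentUpdater", "ImagePath": r"C:\Program Files\Agent\updater.exe"},
    {"channel": "System", "event_id": 7045, "time": "2020-03-31T15:00:00", "host": "WS-0051",
     "user": "NT AUTHORITY\\SYSTEM", "ServiceName": "AgentUpdater", "ImagePath": r"C:\Program Files\Agent\updater.exe"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def detect_mass_deployment(events, window_seconds=300, min_hosts=5):
    """Flag an account that installs a service on at least min_hosts distinct
    hosts inside any window of window_seconds (T1072 staged deployment)."""
    by_user = {}
    for ev in events:
        if ev["channel"] == "System" and ev["event_id"] == 7045:
            by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if (_ts(e) - _ts(start)).total_seconds() <= window_seconds]
            hosts = sorted({e["host"] for e in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"user": user, "technique": "T1072", "first_seen": start["time"],
                               "service": start["ServiceName"], "hosts": hosts})
                break  # one alert per account is enough for triage
    return alerts


# GPO attributes whose change means a client-side extension (scripts, scheduled
# tasks, software installation) was added or the policy version bumped.
GPO_ATTRIBUTES = {"gpcmachineextensionnames", "gpcuserextensionnames", "gpcfilesyspath", "versionnumber"}


def detect_gpo_changes(events):
    """Security 5136 that modifies a groupPolicyContainer object (T1484)."""
    out = []
    for ev in events:
        if (ev["channel"] == "Security" and ev["event_id"] == 5136
                and ev.get("ObjectClass", "").lower() == "grouppolicycontainer"):
            attr = ev.get("AttributeLDAPDisplayName", "")
            out.append({"user": ev["user"], "technique": "T1484", "time": ev["time"],
                        "object": ev.get("ObjectDN", ""), "attribute": attr,
                        "extension_change": attr.lower() in GPO_ATTRIBUTES})
    return out


def correlate(events, window_seconds=300, min_hosts=5):
    """Raise a GPO change to high severity when the editing account is also
    fanning out services across the fleet; otherwise it stays a medium review item."""
    deploy = detect_mass_deployment(events, window_seconds, min_hosts)
    gpo = detect_gpo_changes(events)
    deployers = {a["user"] for a in deploy}
    findings = [dict(severity="high", **a) for a in deploy]
    findings += [dict(severity="high" if g["user"] in deployers else "medium", **g) for g in gpo]
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["severity"], f["technique"], f["user"], f.get("hosts") or f.get("object"))
```

The sliding window is computed per account rather than fleet-wide so that a legitimate patch cycle run by a deployment system account does not drown out a human or service account doing the same thing by hand; in practice the window and host threshold should be set from a baseline of how many service installs a given account performs in a normal hour.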
Name | Associated Names | Software Type | Availability | Emulation Notes
---|---|---|---|---
Cobalt Strike (S0154) | | Threat Emulation Software | Commercial | FIN6 uses Cobalt Strike to realize tactical objectives during the initial phases of an intrusion.
Metasploit | | Penetration Testing Software | Openly Available | FIN6 has used Metasploit's Meterpreter and other tools within the framework to achieve tactical objectives.
LockerGoga (S0372) | | Ransomware | Malware-as-a-Service (MaaS) | FIN6 deploys POS/ransomware on systems of interest in support of operational objectives.
Mimikatz (S0002) | | Windows Credential Dumper | Openly Available | FIN6 is reported to use the credential dumping capability of Mimikatz.
More_eggs (S0284) | | Remote Access Tool (RAT) | MaaS | Used to expand access and persist on a compromised network.
PsExec (S0029) | | Remote Execution | Openly Available | FIN6 appears to be using Cobalt Strike’s psexec_psh module for lateral movement.
Windows Credential Editor (S0005) | | Windows Credential Dumper | Openly Available | One of three methods FIN6 uses to compromise credentials.
FrameworkPOS | TRINITY | Point of Sale (POS) Malware | | POS malware commonly used by FIN6 to achieve operational objectives.
TerraLoader | SpicyOmelette | Loader | MaaS | FIN6 uses TerraLoader to download and execute more_eggs and Metasploit stages.
PowerTrick | | Backdoor | MaaS | FIN6 is believed to have used PowerTrick to download TerraLoader, which subsequently installs more_eggs or Metasploit.
MAZE | | Ransomware | MaaS | The group is thought to have deployed MAZE ransomware in compromised environments.