FIN13
Also known as: Elephant Beetle
Overview
FIN13 is a financially motivated threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America since at least 2016. It achieves its objectives by stealing intellectual property, financial data, mergers and acquisitions information, or PII.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 53 techniques across 13 tactics
Reconnaissance
- T1589 Gather Victim Identity Information
- T1590.004 Network Topology
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
Persistence
- T1098.007 Additional Local or Domain Groups
- T1133 External Remote Services
- T1136.001 Local Account
- T1505.003 Web Shell
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1036 Masquerading
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1078.001 Default Accounts
- T1134.003 Make and Impersonate Token
- T1140 Deobfuscate/Decode Files or Information
- T1564.001 Hidden Files and Directories
- T1574.001 DLL
Defense Impairment
Credential Access
- T1003.001 LSASS Memory
- T1003.002 Security Account Manager
- T1003.003 NTDS
- T1552.001 Credentials In Files
Discovery
- T1016 System Network Configuration Discovery
- T1016.001 Internet Connection Discovery
- T1046 Network Service Discovery
- T1049 System Network Connections Discovery
- T1069 Permission Groups Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087 Account Discovery
- T1087.002 Domain Account
- T1135 Network Share Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1021.002 SMB/Windows Admin Shares
- T1021.004 SSH
- T1021.006 Windows Remote Management
- T1550.002 Pass the Hash
Collection
- T1005 Data from Local System
- T1056.001 Keylogging
- T1074.001 Local Data Staging
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1090.001 Internal Proxy
- T1105 Ingress Tool Transfer
- T1572 Protocol Tunneling
Impact
- T1565 Data Manipulation
- T1657 Financial Theft
Tools & malware (4)
Impacket · Mimikatz · Empire · certutil
Reporting (2)
- FIN13: A Cybercriminal Threat Actor Focused on Mexico — Ta, V., et al.
- TG2003: Elephant Beetle, Uncovering an Organized Financial-Theft Operation — Sygnia Incident Response Team