FIN6
Also known as: Magecart Group 6 · ITG08 · Skeleton Spider · TAAL · Camouflage Tempest
Overview
FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.
Capabilities
- Custom malware/implant development — ATT&CK: 8 attributed custom malware families
TTPs — 40 techniques across 13 tactics
Resource Development
- T1588.002 Tool
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.003 Spearphishing via Service
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059 Command and Scripting Interpreter
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.007 JavaScript
- T1204.002 Malicious File
- T1569.002 Service Execution
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Privilege Escalation
Stealth
- T1027.010 Command Obfuscation
- T1036.004 Masquerade Task or Service
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1134 Access Token Manipulation
Defense Impairment
- T1553.002 Code Signing
- T1685 Disable or Modify Tools
Credential Access
- T1003.001 LSASS Memory
- T1003.003 NTDS
- T1110.002 Password Cracking
- T1555 Credentials from Password Stores
- T1555.003 Credentials from Web Browsers
Discovery
- T1018 Remote System Discovery
- T1046 Network Service Discovery
- T1087.002 Domain Account
Lateral Movement
- T1021.001 Remote Desktop Protocol
Collection
- T1005 Data from Local System
- T1074.002 Remote Data Staging
- T1119 Automated Collection
- T1213.006 Databases
- T1560 Archive Collected Data
- T1560.003 Archive via Custom Method
Command and Control
- T1095 Non-Application Layer Protocol
- T1102 Web Service
- T1572 Protocol Tunneling
- T1573.002 Asymmetric Cryptography
Exfiltration
Tools & malware (12)
FlawedAmmyy · GrimAgent · FrameworkPOS · More_eggs · Cobalt Strike · Windows Credential Editor · AdFind · PsExec · Maze · LockerGoga · Ryuk · Mimikatz
Reporting (3)
- How Microsoft names threat actors — Microsoft
- ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework — Villadsen, O.
- More_eggs, Anyone? Threat Actor ITG08 Strikes Again — Villadsen, O.