FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

ID: G0053
Contributors: Walker Johnson
Version: 1.2
Created: 16 January 2018
Last Modified: 16 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1119 Automated Collection

FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2]

Enterprise T1110 Brute Force

FIN5 has has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.[3][2]

Enterprise T1059 Command and Scripting Interpreter

FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2]

Enterprise T1074 .001 Data Staged: Local Data Staging

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[2]

Enterprise T1133 External Remote Services

FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2]

Enterprise T1070 .001 Indicator Removal on Host: Clear Windows Event Logs

FIN5 has cleared event logs from victims.[2]

.004 Indicator Removal on Host: File Deletion

FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[2]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN5 has obtained and used a customized version of PsExec, as well as use other tools such as pwdump, SDelete, and Windows Credential Editor.[2]

Enterprise T1090 .002 Proxy: External Proxy

FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.[2]

Enterprise T1018 Remote System Discovery

FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.[2]

Enterprise T1078 Valid Accounts

FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2]

Software

ID Name References Techniques
S0173 FLIPSIDE [2] Protocol Tunneling
S0029 PsExec FIN5 uses a customized version of PsExec.[2] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0006 pwdump [2] OS Credential Dumping: Security Account Manager
S0169 RawPOS [3][2] Archive Collected Data: Archive via Custom Method, Create or Modify System Process: Windows Service, Data from Local System, Data Staged: Local Data Staging, Masquerading: Masquerade Task or Service
S0195 SDelete [2] Data Destruction, Indicator Removal on Host: File Deletion
S0005 Windows Credential Editor [3][2] OS Credential Dumping: LSASS Memory

References