FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America since at least 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisitions information, or PII.[1][2]

ID: G1016
Associated Groups: Elephant Beetle
Contributors: Oren Biderman, Sygnia; Noam Lifshitz, Sygnia
Version: 1.0
Created: 27 July 2023
Last Modified: 29 September 2023

Associated Group Descriptions

Name Description
Elephant Beetle [2]

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows Management Instrumentation

FIN13 has utilized WMI to execute commands and move laterally on compromised Windows machines.[1][2]

Enterprise T1005 Data from Local System

FIN13 has gathered stolen credentials and sensitive point-of-sale (POS) and ATM data from a compromised network before exfiltration.[1][2]

Enterprise T1090 .001 Proxy: Internal Proxy

FIN13 has utilized a proxy tool to communicate between compromised assets.[2]

Enterprise T1036 Masquerading

FIN13 has masqueraded staged data by using the Windows certutil utility to wrap the input file in a fake Base64-encoded certificate.[1][2]

.004 Masquerade Task or Service

FIN13 has used scheduled task names such as acrotyr and AppServicesr to mimic legitimate names present in a compromised network's C:\Windows directory.[1]

.005 Match Legitimate Name or Location

FIN13 has masqueraded WAR files to look like legitimate packages, using names such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[2]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

FIN13 has used the PowerShell utility Invoke-SMBExec to perform pass-the-hash authentication for lateral movement within a compromised environment.[1]

Enterprise T1556 Modify Authentication Process

FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications.[1]

Enterprise T1136 .001 Create Account: Local Account

FIN13 has created MS-SQL local accounts in a compromised network.[2]

Enterprise T1190 Exploit Public-Facing Application

FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NetWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access.[1][2]

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on legacy IIS servers (CVE-2001-0507).[2]

Enterprise T1572 Protocol Tunneling

FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

FIN13 has utilized certutil to decode Base64-encoded versions of its custom malware.[1]
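A defender-side check for the certutil trick described under Masquerading (T1036) and Deobfuscate/Decode Files or Information (T1140) above: certutil -encode wraps any input file in CERTIFICATE headers, so a "certificate" whose Base64 body is not a DER SEQUENCE is staged data rather than a certificate. This is an added example in Python, not code from the page or from MITRE; the 64-column CRLF layout of certutil output and the archive magic numbers used to name the payload are assumptions made here.

```python
import base64
import binascii
import re

# One PEM block as written by "certutil -encode <in> <out>"; certutil wraps ANY input this way.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(?P<body>.*?)-----END CERTIFICATE-----", re.S)
# Magic bytes of payloads worth naming (7-Zip is the archiver the page mentions; ZIP is an assumption).
MAGIC = {b"7z\xbc\xaf\x27\x1c": "7-Zip archive", b"PK\x03\x04": "ZIP archive"}

def certutil_style_encode(data: bytes) -> str:
    """Reproduce the certutil -encode layout: 64-column CRLF Base64 between CERTIFICATE headers."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\r\n" + "\r\n".join(lines)
            + "\r\n-----END CERTIFICATE-----\r\n")

def looks_like_der_sequence(data: bytes) -> bool:
    """Structural check only (no X.509 parsing): outer SEQUENCE tag 0x30 with a length that matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)

def classify_pem_blocks(text: str) -> list:
    """One verdict per PEM block: 'certificate', a named payload type, 'unknown payload' or 'not base64'."""
    verdicts = []
    for m in PEM_RE.finditer(text):
        try:
            data = base64.b64decode("".join(m.group("body").split()), validate=True)
        except binascii.Error:
            verdicts.append("not base64")
            continue
        if looks_like_der_sequence(data):
            kind = "certificate"
        else:
            kind = next((v for k, v in MAGIC.items() if data.startswith(k)), "unknown payload")
        verdicts.append(kind)
    return verdicts

# Constructed sample: a (truncated) 7-Zip archive disguised exactly as the page describes.
SAMPLE_STAGED = certutil_style_encode(b"7z\xbc\xaf\x27\x1c" + b"\x00" * 40)
```

Run classify_pem_blocks over any .cer/.crt/.pem file found in staging locations such as C:\Windows\Temp; a verdict other than "certificate" is worth a closer look.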

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN13 has used Windows Registry run keys such as HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts to maintain persistence.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN13 has used PowerShell commands to obtain DNS data from a compromised network.[1]

.003 Command and Scripting Interpreter: Windows Command Shell

FIN13 has leveraged xp_cmdshell and the Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the xp_cmdshell SQL procedure to execute remote commands on internal MS-SQL servers.[1][2]

.005 Command and Scripting Interpreter: Visual Basic

FIN13 has used VBS scripts for code execution on compromised machines.[2]

Enterprise T1133 External Remote Services

FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN).[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.[1][2]

Enterprise T1587 .001 Develop Capabilities: Malware

FIN13 has utilized custom malware to maintain persistence in a compromised environment.[1][2]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN13 has compressed dumped credentials with a 7-Zip binary.[2]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN13 has used ProcDump to dump a victim's LSASS process memory and Mimikatz to parse and extract credentials from the dump.[1][2]

.002 OS Credential Dumping: Security Account Manager

FIN13 has extracted the SAM and SYSTEM registry hives with the reg.exe binary to obtain password hashes from a compromised machine.[2]

.003 OS Credential Dumping: NTDS

FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it.[2]

Enterprise T1590 .004 Gather Victim Network Information: Network Topology

FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts.[1]

Enterprise T1589 Gather Victim Identity Information

FIN13 has researched employees to target for social engineering attacks.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: C:\Windows\Temp and /tmp.[1][2]

Enterprise T1565 Data Manipulation

FIN13 has injected fraudulent transactions into compromised networks that mimic legitimate behavior to siphon off incremental amounts of money.[2]

Enterprise T1083 File and Directory Discovery

FIN13 has used the Windows dir command to enumerate files and directories in a victim's network.[1]

Enterprise T1078 .001 Valid Accounts: Default Accounts

FIN13 has leveraged default credentials to authenticate to the myWebMethods (WMS) and QLogic web management interfaces to gain initial access.[2]

Enterprise T1505 .003 Server Software Component: Web Shell

FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web servers.[2]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.[2]

Enterprise T1069 Permission Groups Discovery

FIN13 has enumerated all users and roles from a victim's main treasury system.[1]

Enterprise T1082 System Information Discovery

FIN13 has collected local host information by utilizing the Windows commands systeminfo, fsutil, and fsinfo. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve host information.[1][2]

Enterprise T1049 System Network Connections Discovery

FIN13 has used netstat and other net commands for network reconnaissance efforts.[1]

Enterprise T1016 System Network Configuration Discovery

FIN13 has used nslookup and ipconfig for network reconnaissance efforts. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information.[1][2]

.001 Internet Connection Discovery

FIN13 has used Ping and tracert for network reconnaissance efforts.[1]

Enterprise T1135 Network Share Discovery

FIN13 has executed net view commands for enumeration of open shares on compromised machines.[1][2]

Enterprise T1046 Network Service Discovery

FIN13 has utilized nmap for reconnaissance efforts. FIN13 has also scanned for internal MS-SQL servers in a compromised network.[1][2]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.[2]

Enterprise T1134 .003 Access Token Manipulation: Make and Impersonate Token

FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.[2]

Enterprise T1657 Financial Theft

FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions.[2]

Enterprise T1087 Account Discovery

FIN13 has enumerated all users and their roles from a victim's main treasury system.[1]

.002 Domain Account

FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: GetUserSPNs.vbs and querySpn.vbs.[1][2]

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.[2]

Enterprise T1105 Ingress Tool Transfer

FIN13 has downloaded additional tools and malware to compromised systems.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

FIN13 has logged the keystrokes of victims to escalate privileges.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.[1]

.002 Remote Services: SMB/Windows Admin Shares

FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.[2]

.004 Remote Services: SSH

FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.[1]

.006 Remote Services: Windows Remote Management

FIN13 has leveraged WMI to move laterally within a compromised network via application servers and SQL servers.[2]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

FIN13 has created hidden files and folders within the /tmp directory of a compromised Linux system. FIN13 has also used attrib.exe to hide gathered local host information.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN13 has created scheduled tasks in the C:\Windows directory of the compromised network.[1]

Software

ID Name References Techniques
S0160 certutil [2] Deobfuscate/Decode Files or Information, Archive Collected Data: Archive via Utility, Ingress Tool Transfer, Subvert Trust Controls: Install Root Certificate
S0363 Empire [2] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Event Triggered Execution: Accessibility Features, Credentials from Password Stores: Credentials from Web Browsers, Use Alternate Authentication Material: Pass the Hash, Create or Modify System Process: Windows Service, Create Account: Local Account, Create Account: Domain Account, Clipboard Data, Encrypted Channel: Asymmetric Cryptography, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL Search Order Hijacking, Trusted Developer Utilities Proxy Execution: MSBuild, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Domain Trust Discovery, Domain or Tenant Policy Modification: Group Policy Modification, Screen Capture, Application Layer Protocol: Web Protocols, Archive Collected Data, OS Credential Dumping: LSASS Memory, File and Directory Discovery, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Native API, Exploitation for Privilege Escalation, Browser Information Discovery, Obfuscated Files or Information: Command Obfuscation, Abuse Elevation Control Mechanism: Bypass User Account Control, Email Collection: Local Email Collection, Indicator Removal: Timestomp, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Owner/User Discovery, System Services: Service Execution, System Network Connections Discovery, System Network Configuration Discovery, Group Policy Discovery, Network Share Discovery, Network Sniffing, Web Service: Bidirectional Communication, Network Service Discovery, Automated Collection, Automated Exfiltration, Video Capture, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Software Discovery: Security Software Discovery, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Exploitation of Remote Services, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Scheduled Task/Job: Scheduled Task
S0357 Impacket [2] Windows Management Instrumentation, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, OS Credential Dumping: NTDS, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Ccache Files, System Services: Service Execution, Network Sniffing
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation