Financial Theft

Financial theft is the unlawful transfer of funds or assets by an adversary using technical means or social engineering. It takes many forms, including ransomware encryption and extortion, business email compromise, and cryptocurrency theft. Traditional defenses rely mainly on transaction anomaly detection (such as monitoring of large transfers), strengthened identity verification (multi-factor authentication), and blocklists of blockchain addresses, identifying suspicious activity by analyzing patterns in the movement of funds.

The core of modern trace-concealment techniques for financial theft is a multi-layered disguise of the flow of funds: cryptocurrency mixing services exploit the anonymity properties of blockchains to decouple the topology of the fund flow; cross-chain bridge exploits turn an illicit transfer into a protocol-compliant operation; multi-tier shell company structures create audit gaps by exploiting differences between national financial regulators; and look-alike email domains obtain fraudulent authorization by poisoning the chain of identity trust. What these techniques have in common is that they defeat the single-dimension feature analysis of traditional fund tracing: the theft is split across different business domains (cryptocurrency, international trade, enterprise payments), and each domain's own business legitimacy serves as natural cover, so that a monitoring system confined to one domain cannot see the cross-domain attack chain. Implementations commonly adopt a "logical parasitism" strategy: rather than confronting security mechanisms directly, they embed themselves deeply in the target's business processes so that the anomalous behavior acquires legitimacy from within the system itself.

ID: T1657
Sub-techniques:  No sub-techniques
Tactic: Impact
Platforms: Linux, Office Suite, SaaS, Windows, macOS
Impact Type: Availability
Contributors: Blake Strom, Microsoft Threat Intelligence; Menachem Goldstein; Pawel Partyka, Microsoft Threat Intelligence
Version: 1.2
Created: 18 August 2023
Last Modified: 15 October 2024

Trace-Concealment Effects

Effect type                     Present
Signature camouflage
Behavioral transparency
Data obscuration
Spatiotemporal trace dilution

Signature camouflage

Adversaries register high-fidelity look-alike domains, forge business documents, and inject protocol-compliant parameters so that illicit financial operations carry the characteristics of legitimate business. In email payment fraud, for example, the enterprise's email templates and approval workflow are reproduced in full; in cryptocurrency attacks, smart contracts are built to conform to the DeFi protocol's specification, so that the malicious activity's features blend with those of normal business.

Behavioral transparency

Funds are moved by exploiting zero-day vulnerabilities (such as defects in cross-chain bridge smart contracts), evading detection systems built on known attack signatures. Because the attack is tightly coupled to business logic, the illicit transfer appears at the protocol layer as a normal business operation, which defenses based on rule libraries of known behavior have difficulty recognizing.

Data obscuration

Cryptographic techniques such as cryptocurrency mixers and off-chain transaction channels conceal the key information about where funds go. The anonymity of blockchain transactions, combined with the cryptographic protections of mixing protocols, hides the key nodes of the fund-flow path behind mathematical mechanisms.

Spatiotemporal trace dilution

A multi-tier cross-border fund-flow network is built, and a single large theft is broken into long-running, low-frequency small transactions. Settlement time differences and regulatory blind spots between jurisdictions are exploited so that dispersing the funds across time and space dilutes the anomalous features and defeats the temporal correlation analysis of traditional anti-money-laundering systems.

Procedure Examples

ID Name Description
G1024 Akira

Akira engages in double-extortion ransomware, exfiltrating files then encrypting them, in order to prompt victims to pay a ransom.[1]

G1021 Cinnamon Tempest

Cinnamon Tempest has maintained leak sites for exfiltrated data in attempt to extort victims into paying a ransom.[2]

S1111 DarkGate

DarkGate can deploy payloads capable of capturing credentials related to cryptocurrency wallets.[3]

G1016 FIN13

FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions.[4]

G1032 INC Ransom

INC Ransom has stolen and encrypted victim's data in order to extort payment for keeping it private or decrypting it.[5][6][7][8][9]

G0094 Kimsuky

Kimsuky has stolen and laundered cryptocurrency to self-fund operations including the acquisition of infrastructure.[10]

G1026 Malteiro

Malteiro targets organizations in a wide variety of sectors via the use of Mispadu banking trojan with the goal of financial theft.[11]

G1040 Play

Play demands ransom payments from victims to unencrypt filesystems and to not publish sensitive data exfiltrated from victim networks.[12]

G1015 Scattered Spider

Scattered Spider has deployed ransomware on compromised hosts for financial gain.[13][14]

G0083 SilverTerrier

SilverTerrier targets organizations in high technology, higher education, and manufacturing for business email compromise (BEC) campaigns with the goal of financial theft.[15][16]

Mitigations

ID Mitigation Description
M1018 User Account Management

Limit access/authority to execute sensitive transactions, and switch to systems and procedures designed to authenticate/approve payments and purchase requests outside of insecure communication lines such as email.

M1017 User Training

Train and encourage users to identify social engineering techniques used to enable financial theft. Also consider training users on procedures to prevent and respond to swatting and doxing, acts increasingly deployed by financially motivated groups to further coerce victims into satisfying ransom/extortion demands.[17][18]

Detection

ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content

Review and monitor financial application logs for signs of financial theft, such as abnormal monetary transactions or resource balances.

Email logs may also highlight account takeovers, impersonation, or another activity that may enable monetary theft.
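As an added example (not from the original page or from MITRE ATT&CK), the following Python shows both detection angles above on constructed financial application log lines: the classic single-transfer threshold, and a sliding-window aggregation per source/beneficiary pair that catches the time-dispersed, low-amount structuring described under spatiotemporal trace dilution. The log format, account identifiers, window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp, source account,
# beneficiary, amount. BEN-A receives five sub-threshold transfers over 11 days.
SAMPLE_LOG = """\
2024-03-01T09:12:00 ACC-100 BEN-A 1200.00
2024-03-01T10:40:00 ACC-100 BEN-B 48000.00
2024-03-03T14:05:00 ACC-100 BEN-A 1150.00
2024-03-06T08:30:00 ACC-100 BEN-A 1300.00
2024-03-09T17:45:00 ACC-100 BEN-A 1250.00
2024-03-12T11:20:00 ACC-100 BEN-A 1100.00
2024-03-02T12:00:00 ACC-200 BEN-C 900.00
"""

def parse_log(text):
    """Parse log lines into (timestamp, source, beneficiary, amount), chronologically."""
    events = []
    for line in text.splitlines():
        ts, src, dst, amt = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, float(amt)))
    return sorted(events)

def flag_large(events, threshold):
    """Single-transaction control: any transfer at or above the threshold."""
    return [e for e in events if e[3] >= threshold]

def flag_structured(events, threshold, window, min_count):
    """Sum sub-threshold transfers per (source, beneficiary) over a sliding time
    window; alert once the windowed total reaches the threshold that each
    individual transfer stayed under (the time-dispersion evasion pattern)."""
    by_pair = defaultdict(list)
    for ts, src, dst, amt in events:
        if amt < threshold:
            by_pair[(src, dst)].append((ts, amt))
    alerts = []
    for pair, txs in by_pair.items():
        start = 0
        for end in range(len(txs)):
            while txs[end][0] - txs[start][0] > window:
                start += 1  # drop transfers that fell out of the window
            chunk = txs[start:end + 1]
            total = sum(a for _, a in chunk)
            if len(chunk) >= min_count and total >= threshold:
                alerts.append((pair, len(chunk), round(total, 2)))
                break  # one alert per pair is enough for triage
    return alerts

def analyze(text, threshold=5000.0, window=timedelta(days=14), min_count=3):
    """Run both checks; the large-transfer check alone misses BEN-A entirely."""
    events = parse_log(text)
    return {"large": [(e[1], e[2], e[3]) for e in flag_large(events, threshold)],
            "structured": flag_structured(events, threshold, window, min_count)}
```

The window and minimum count should be tuned to the business's normal payment cadence, since a beneficiary that is legitimately paid weekly will otherwise generate constant alerts.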

References