ATK113

Presumed Origin: < Back

Alias: FIN8

ATK113 (aka: FIN8) is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.

REFERENCES

- 11/05/2016, FireEye, Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks
- 20/06/2017, Root9B, SHELLTEA + POSLURP MALWARE MEMORY-RESIDENT POINT-OF-SALE MALWARE ATTACKS IN DUSTRY
- 10/06/2019, Morphisec, FIN8 is Back in Business, Targeting the Hospitality Industry

Target sector

Banking
Entertainment
Food and Agriculture
Healthcare
Hospitality
Retail

Target countries

Canada
Italy
Panama
South Africa
United States Of America

Attack pattern

T1002 - Data Compressed
T1003 - Credential Dumping
T1003.001 - LSASS Memory
T1018 - Remote System Discovery
T1021.001 - Remote Desktop Protocol
T1021.002 - SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1032 - Standard Cryptographic Protocol
T1043 - Commonly Used Port
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1053 - Scheduled Task
T1053.005 - Scheduled Task
T1059 - Command-Line Interface
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1063 - Security Software Discovery
T1064 - Scripting
T1068 - Exploitation for Privilege Escalation
T1070 - Indicator Removal on Host
T1070.001 - Clear Windows Event Logs
T1070.004 - File Deletion
T1074 - Data Staged
T1074.002 - Remote Data Staging
T1076 - Remote Desktop Protocol
T1077 - Windows Admin Shares
T1078 - Valid Accounts
T1086 - PowerShell
T1105 - Ingress Tool Transfer
T1105 - Remote File Copy
T1107 - File Deletion
T1112 - Modify Registry
T1192 - Spearphishing Link
T1193 - Spearphishing Attachment
T1204 - User Execution
T1204.001 - Malicious Link
T1204.002 - Malicious File
T1518.001 - Security Software Discovery
T1560.001 - Archive via Utility
T1566.001 - Spearphishing Attachment
T1566.002 - Spearphishing Link
T1573.002 - Asymmetric Cryptography

Motivation

Financial Gain

Malwares

BADHATCH
PUNCHBUGGY
PUNCHTRACK
PoSlurp
Sardonic

Vulnerabilities

CVE-2016-0167