ATK113

Presumed Origin:

Alias: FIN8

ATK113 (aka FIN8) is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor has previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and the point-of-sale (POS) malware PUNCHTRACK.


Target sector

  • Banking
  • Entertainment
  • Food and Agriculture
  • Healthcare
  • Hospitality
  • Retail

Target countries

  • Canada
  • Italy
  • Panama
  • South Africa
  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1003.001 - LSASS Memory
  • T1018 - Remote System Discovery
  • T1021.001 - Remote Desktop Protocol
  • T1021.002 - SMB/Windows Admin Shares
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1043 - Commonly Used Port
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • T1053 - Scheduled Task
  • T1053.005 - Scheduled Task
  • T1059 - Command-Line Interface
  • T1059.001 - PowerShell
  • T1059.003 - Windows Command Shell
  • T1063 - Security Software Discovery
  • T1064 - Scripting
  • T1068 - Exploitation for Privilege Escalation
  • T1070 - Indicator Removal on Host
  • T1070.001 - Clear Windows Event Logs
  • T1070.004 - File Deletion
  • T1074 - Data Staged
  • T1074.002 - Remote Data Staging
  • T1076 - Remote Desktop Protocol
  • T1077 - Windows Admin Shares
  • T1078 - Valid Accounts
  • T1086 - PowerShell
  • T1105 - Ingress Tool Transfer
  • T1105 - Remote File Copy
  • T1107 - File Deletion
  • T1112 - Modify Registry
  • T1192 - Spearphishing Link
  • T1193 - Spearphishing Attachment
  • T1204 - User Execution
  • T1204.001 - Malicious Link
  • T1204.002 - Malicious File
  • T1518.001 - Security Software Discovery
  • T1560.001 - Archive via Utility
  • T1566.001 - Spearphishing Attachment
  • T1566.002 - Spearphishing Link
  • T1573.002 - Asymmetric Cryptography

Motivation

  • Financial Gain

Malware

  • BADHATCH
  • PUNCHBUGGY
  • PUNCHTRACK
  • PoSlurp
  • Sardonic

Vulnerabilities

  • CVE-2016-0167