ATK88

Presumed Origin: Unknown < Back

Alias: FIN6, ITG08, Skeleton Spider, TAG-CR2

ATK88 (aka: FIN6) is a cybercrime group active since at least 2015, and focuses mostly on the financial sector. Their claim to fame is in attacking Point-of-Sales and stealing credit card data from them. Millions of cards were stolen using this method in recent years, and subsequently found to be sold on the dark web. Furthermore, in some cases, if they are unable to steal this data, they move to target card-not-present (CNP) data. They usually use specifically POS malware, and their victims are from companies that have many transactions. Therefore, most of their activity is against victims in the US and Europe. Of note, since mid-2018, it was spotted that the group has started to deploy ransomware on non Ecommerce networks.

The group may also be part of attacks that deploy ransomware such as Ryuk, LockerGoga and MegaCortex, again in likely partnership with banking Trojan botnets, which could be a further attempt to move into new “markets” that do not rely on the need to monetize credit card data.

REFERENCES

- 01/04/2016, FireEye, FOLLOW THE MONEY: DISSECTING THE OPERATIONS OF THE CYBER CRIME GROUP FIN6, https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
- 15/06/2016, Secure Week, New FrameworkPOS Campaign Gains Momentum, https://www.securityweek.com/new-frameworkpos-campaign-gains-momentum
- 06/07/2016, NJCCIC, FrameworkPOS, https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/frameworkpos
- 01/09/2018, Malware Analysis, X-Force IRIS Identifies FIN6 Activity on POS Networks,https://malware.news/t/x-force-iris-identifies-fin6-activity-on-pos-networks/22509
- 05/09/2018, ZDNet, FIN6 returns to attack retailer point of sale systems in US, Europe, https://www.zdnet.com/article/fin6-returns-to-attack-retailers-in-us-europe/
- 01/02/2019, Visa Payment Fraud Disruption, FIN6 Cybercrime Group Expands Threat to eCommerce Merchants, https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf
- 05/04/2019, FireEye, Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
- 29/08/2019, SecurityIntelligence, More_eggs, Anyone? Threat Actor ITG08 Strikes Again, https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
- 09/10/2019, TrendMicro, FIN6 Compromised E-commerce Platform via Magecart to Inject Credit Card Skimmers Into Thousands of Online Shops, https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/

Target sector

Energy
Financial Services
Healthcare
Hospitality
Manufacturing
Retail

Target countries

United States Of America

Attack pattern

T1002 - Data Compressed
T1003 - Credential Dumping
T1003.001 - LSASS Memory
T1003.003 - NTDS
T1005 - Data from Local System
T1018 - Remote System Discovery
T1021.001 - Remote Desktop Protocol
T1022 - Data Encrypted
T1027 - Obfuscated Files or Information
T1032 - Standard Cryptographic Protocol
T1035 - Service Execution
T1036 - Masquerading
T1036.004 - Masquerade Task or Service
T1040 - Network Sniffing
T1046 - Network Service Scanning
T1047 - Windows Management Instrumentation
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1053 - Scheduled Task
T1053.005 - Scheduled Task
T1055 - Process Injection
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003 - Windows Command Shell
T1059.007 - JavaScript/JScript
T1060 - Registry Run Keys / Startup Folder
T1064 - Scripting
T1068 - Exploitation for Privilege Escalation
T1069 - Permission Groups Discovery
T1070.004 - File Deletion
T1071 - Standard Application Layer Protocol
T1074 - Data Staged
T1074.002 - Remote Data Staging
T1076 - Remote Desktop Protocol
T1078 - Valid Accounts
T1086 - PowerShell
T1087 - Account Discovery
T1087.002 - Domain Account
T1095 - Non-Application Layer Protocol
T1102 - Web Service
T1110.002 - Password Cracking
T1119 - Automated Collection
T1134 - Access Token Manipulation
T1204.002 - Malicious File
T1213 - Data from Information Repositories
T1547.001 - Registry Run Keys / Startup Folder
T1553.002 - Code Signing
T1555 - Credentials from Password Stores
T1555.003 - Credentials from Web Browsers
T1560 - Archive Collected Data
T1560.003 - Archive via Custom Method
T1562.001 - Disable or Modify Tools
T1566.001 - Spearphishing Attachment
T1566.003 - Spearphishing via Service
T1569.002 - Service Execution
T1572 - Protocol Tunneling
T1573.002 - Asymmetric Cryptography
Thales 003 - Web Skimming

Motivation

Financial Gain

Malwares

FlawedAmmyy
FrameworkPOS
GRABNEW
GratefulPOS
HARDTACK
LockerGoga
More_eggs
Ryuk
SHIPBREAD
TRINITY

Vulnerabilities

CVE-2010-4398
CVE-2011-2005
CVE-2013-3660