ATK88

Presumed Origin: Unknown

Alias: FIN6, ITG08, Skeleton Spider, TAG-CR2

ATK88 (aka FIN6) is a cybercrime group active since at least 2015 that focuses mostly on the financial sector. Its claim to fame is compromising point-of-sale (POS) systems and stealing payment card data from them. Millions of cards have been stolen this way in recent years and were subsequently found for sale on the dark web. In cases where the group is unable to obtain card-present data, it shifts to targeting card-not-present (CNP) data instead. The group typically uses purpose-built POS malware, and its victims are companies that process a high volume of transactions; as a result, most of its activity is directed against victims in the US and Europe. Of note, since mid-2018 the group has been observed deploying ransomware on non-e-commerce networks.


The group may also have taken part in attacks that deployed ransomware such as Ryuk, LockerGoga and MegaCortex, again in likely partnership with banking Trojan botnets. This could be a further attempt to move into new "markets" that do not depend on monetizing stolen credit card data.


Target sector

  • Energy
  • Financial Services
  • Healthcare
  • Hospitality
  • Manufacturing
  • Retail

Target countries

  • United States of America

Attack pattern

  • T1002 - Data Compressed
  • T1003 - Credential Dumping
  • T1003.001 - LSASS Memory
  • T1003.003 - NTDS
  • T1005 - Data from Local System
  • T1018 - Remote System Discovery
  • T1021.001 - Remote Desktop Protocol
  • T1022 - Data Encrypted
  • T1027 - Obfuscated Files or Information
  • T1032 - Standard Cryptographic Protocol
  • T1035 - Service Execution
  • T1036 - Masquerading
  • T1036.004 - Masquerade Task or Service
  • T1040 - Network Sniffing
  • T1046 - Network Service Scanning
  • T1047 - Windows Management Instrumentation
  • T1048 - Exfiltration Over Alternative Protocol
  • T1048.003 - Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • T1053 - Scheduled Task
  • T1053.005 - Scheduled Task
  • T1055 - Process Injection
  • T1059 - Command and Scripting Interpreter
  • T1059.001 - PowerShell
  • T1059.003 - Windows Command Shell
  • T1059.007 - JavaScript/JScript
  • T1060 - Registry Run Keys / Startup Folder
  • T1064 - Scripting
  • T1068 - Exploitation for Privilege Escalation
  • T1069 - Permission Groups Discovery
  • T1070.004 - File Deletion
  • T1071 - Standard Application Layer Protocol
  • T1074 - Data Staged
  • T1074.002 - Remote Data Staging
  • T1076 - Remote Desktop Protocol
  • T1078 - Valid Accounts
  • T1086 - PowerShell
  • T1087 - Account Discovery
  • T1087.002 - Domain Account
  • T1095 - Non-Application Layer Protocol
  • T1102 - Web Service
  • T1110.002 - Password Cracking
  • T1119 - Automated Collection
  • T1134 - Access Token Manipulation
  • T1204.002 - Malicious File
  • T1213 - Data from Information Repositories
  • T1547.001 - Registry Run Keys / Startup Folder
  • T1553.002 - Code Signing
  • T1555 - Credentials from Password Stores
  • T1555.003 - Credentials from Web Browsers
  • T1560 - Archive Collected Data
  • T1560.003 - Archive via Custom Method
  • T1562.001 - Disable or Modify Tools
  • T1566.001 - Spearphishing Attachment
  • T1566.003 - Spearphishing via Service
  • T1569.002 - Service Execution
  • T1572 - Protocol Tunneling
  • T1573.002 - Asymmetric Cryptography
  • Thales 003 - Web Skimming

Motivation

  • Financial Gain

Malware

  • FlawedAmmyy
  • FrameworkPOS
  • GRABNEW
  • GratefulPOS
  • HARDTACK
  • LockerGoga
  • More_eggs
  • Ryuk
  • SHIPBREAD
  • TRINITY

Vulnerabilities

  • CVE-2010-4398
  • CVE-2011-2005
  • CVE-2013-3660