Skip to content

Hide Navigation Hide TOC

FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022)

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Cluster A Galaxy A Cluster B Galaxy B Level
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 2
RawPOS (80f87001-ff40-4e33-bd12-12ed1a92d1d7) Malpedia RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool 2
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3