Skip to content

Hide Navigation Hide TOC

FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022)

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Cluster A Galaxy A Cluster B Galaxy B Level
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
RawPOS (80f87001-ff40-4e33-bd12-12ed1a92d1d7) Malpedia RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern 2
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 2
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 3
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3