FIN12

Threat Actor updated 5 months ago (2024-06-24T19:17:42.018Z)

Download STIX

Preview STIX

FIN12, also known as DEV-0237 and Pistachio Tempest, is a threat actor group notorious for its malicious cyber activities. Tracked by Microsoft, this group is primarily engaged in the distribution of Hive, Conti, and Ryuk ransomware. The group has been responsible for several high-profile ransomware attacks, notably on U.S. hospitals in 2020. However, it has since broadened its targeting range. A unique aspect of FIN12's operations is its simultaneous activity with other threat actors like FIN7 on the same victim system, utilizing different infrastructure and tradecraft, which highlights the challenges of technical attribution for cybercriminal threats. FIN12 has been particularly active against the healthcare industry, as reported by the HHS in 2022. In one notable incident, the group used valid credentials belonging to a healthcare professional to gain backdoor access to a French hospital's network in Brest. They employ tools such as SystemBC alongside Cobalt Strike or CS Beacon to deploy ransomware. Additionally, DAVESHELL, a tool used by nearly 30 threat groups including FIN12, has been observed loading DICELOADER in a manner unique to a small cluster of threat activity. The group is linked to Wizard Spider, a financially motivated hacking group, and has shown connections to Exotic Lily, a Russian financially-motivated cybercrime group. Furthermore, research has identified over two dozen different threat actors, including FIN12, hosting command-and-control (C2) servers on Cloudzy infrastructure. This diverse list includes Chinese, Indian, Iranian, North Korean, Pakistani, Russian, Vietnamese actors, Israeli spyware vendor Candiru, and various cybercriminal groups. These associations underscore the interconnected nature of the cybercrime landscape and the significant threat posed by FIN12.

Description last updated: 2024-06-24T19:16:58.395Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Pistachio Tempest is a possible alias for FIN12. Pistachio Tempest, also known as FIN12, is a threat actor that has been identified as a significant cybersecurity risk, particularly to the healthcare industry. According to a report by the U.S. Department of Health and Human Services (HHS) in 2022, this group has specifically targeted healthcare en	3
Wizard Spider is a possible alias for FIN12. Wizard Spider, also known as ITG23, DEV-0193, Trickbot Group, Fin12, and Grimspider, is a prominent cybercrime group. As per IBM Security X-Force's research, this threat actor is responsible for developing several crypters and has been expanding the number and variety of channels it uses to distribu	2
EXOTIC LILY is a possible alias for FIN12. Exotic Lily, an initial access broker (IAB), has been active since at least September 2021. The entity conducts highly sophisticated phishing campaigns to gain initial access to organizations and then sells this access to other threat actors, including ransomware groups. A notable example of their m	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Beacon

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Conti Malware is associated with FIN12. Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them. Often spreading through suspicious downloads, emails, or websites, it can steal personal information, disrupt operations, or hold data hostage for ransom. Notably, Conti was linked to several ra	Unspecified	2
The Systembc Malware is associated with FIN12. SystemBC is a type of malware, or malicious software, known for its disruptive and exploitative nature. It infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user. Once embedded, it can steal personal information, interrupt operations, or hold data hostage f	Unspecified	2

Source Document References

Information about the FIN12 Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
BankInfoSecurity	5 months ago	European Union Sanctions Russian State Hackers
BankInfoSecurity	a year ago	Sizing Up the Worst Healthcare Hacks of 2023
MITRE	a year ago	FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
MITRE	a year ago	The many lives of BlackCat ransomware \| Microsoft Security Blog
CERT-EU	a year ago	Southern African power generator targeted with DroxiDat malware \| #daitngscams \| #lovescams \| #datingscams \| #love \| #relationships \| #scams \| #pof \| #match.com \| #dating \| National Cyber Security Consulting
CERT-EU	a year ago	US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU	a year ago	Iranian ISP suspected of aiding cybercriminals and nation-state hackers
CERT-EU	a year ago	US internet hosting company appears to facilitate global cybercrime, researchers say
CERT-EU	a year ago	Focus on DroxiDat/SystemBC – GIXtools
CERT-EU	a year ago	Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers
InfoSecurity-magazine	a year ago	DroxiDat-Cobalt Strike Duo Targets Power Generator Network
Securityaffairs	a year ago	Power Generator in South Africa hit with DroxiDat and Cobalt Strike
CERT-EU	a year ago	Focus on DroxiDat/SystemBC
MITRE	2 years ago	Exposing initial access broker with ties to Conti