FIN13

Threat Actor Profile (updated 3 months ago)
FIN13 is a financially motivated threat actor that has been active since at least 2016, primarily conducting long-term intrusions in Mexico. Tracked by Mandiant since 2017, FIN13's operations differ significantly from current cybercriminal data theft and ransomware extortion trends. Instead of the "smash and grab" tactics employed by many ransomware groups, FIN13 takes a methodical approach, gathering information over time in order to perform fraudulent money transfers. The group does not rely heavily on attack frameworks such as Cobalt Strike; instead, it uses custom passive backdoors and tools to lurk in targeted environments for long periods. FIN13's focus remains on traditional financially motivated cybercrime, and it targets both Linux and Windows systems. Notably, unlike many other cybercriminal entities, FIN13 has not deployed ransomware in any intrusion observed by Mandiant.

The group interacts with databases to collect financially sensitive information, often focusing on specific data that could aid fraudulent transactions. However, it is not always clear how FIN13 capitalizes on the stolen information. In several instances, FIN13 exfiltrated files related to financial transactions or software. For example, at one victim site the group stole dependency files for the victim's ATM terminal software. In another instance, it exfiltrated files related to Verifone, commonly used software that facilitates money transfers on POS systems. It also retrieved the contents of tables containing withdrawal keys and cash withdrawal codes.

FIN13 then masked its staged data with the Windows certutil utility, passing the staged file as input so that certutil produced a fake, Base64-encoded "certificate" containing it. More details about FIN13 and SWEARJAR, a backdoor used by this group, are available through Mandiant Advantage Threat Intelligence.
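The certutil masking step described above is a common Windows living-off-the-land technique, so it is worth showing what a defender can do with it. The following Python is an added example written for this profile; it is not code from the page, from Mandiant, or from any FIN13 tooling. It does two things: it inspects constructed process-creation records for certutil -encode/-decode invocations whose plain-data side is not a certificate-looking file (the triage signal for masking), and it unwraps a certutil-style Base64 "certificate" back into the original bytes for forensic review. All sample events, file paths and the staged-file contents are constructed here; the SIEM record layout and the certificate-extension list are assumptions.

```python
import base64
import ntpath
import textwrap

# Constructed sample process-creation events (not taken from the page), in an
# "image<TAB>command line" layout like a SIEM export. All paths are hypothetical.
SAMPLE_PROCESS_EVENTS = [
    "C:\\Windows\\System32\\certutil.exe\tcertutil -encode C:\\staging\\db_export.csv C:\\staging\\export.cer",
    "C:\\Windows\\System32\\certutil.exe\tcertutil -verify C:\\certs\\trusted.cer",
    "C:\\Windows\\System32\\certutil.exe\tcertutil -decode C:\\staging\\export.cer C:\\staging\\restored.csv",
    "C:\\Windows\\System32\\notepad.exe\tnotepad C:\\Users\\a\\notes.txt",
]

# Extensions one would normally expect on the certificate side of an
# encode/decode; an assumption for this example, tune it to the environment.
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")


def inspect_certutil_command(command_line):
    """Return ("encode" | "decode", infile, outfile) when the command line is a
    certutil -encode/-decode whose plain-data side does not look like a
    certificate, otherwise None. For -encode the plain side is the input file,
    for -decode it is the output file. Splits on whitespace, so quoted paths
    containing spaces are not handled."""
    argv = command_line.split()
    if not argv or ntpath.basename(argv[0]).lower() not in ("certutil", "certutil.exe"):
        return None
    # A mode switch needs two following arguments (infile, outfile).
    for i, arg in enumerate(argv[1:-2], start=1):
        mode = arg.lstrip("-/").lower()  # certutil accepts both -encode and /encode
        if mode in ("encode", "decode"):
            infile, outfile = argv[i + 1], argv[i + 2]
            plain_side = infile if mode == "encode" else outfile
            if plain_side.lower().endswith(CERT_EXTENSIONS):
                return None  # converting a real certificate is ordinary admin use
            return mode, infile, outfile
    return None


def scan_process_events(events):
    """Apply inspect_certutil_command to each "image<TAB>cmdline" record and
    return the list of (image, mode, infile, outfile) hits."""
    hits = []
    for record in events:
        image, _, cmdline = record.partition("\t")
        found = inspect_certutil_command(cmdline)
        if found:
            hits.append((image,) + found)
    return hits


# Constructed stand-in for a staged file and its certutil -encode output. The
# wrapper is built here with base64 so the example runs offline; the layout
# mirrors certutil's PEM-style output (BEGIN/END lines, 64-column Base64).
SAMPLE_PLAINTEXT = b"account_id,withdrawal_code\n1001,CONSTRUCTED-0001\n1002,CONSTRUCTED-0002\n"
SAMPLE_ENCODED_FILE = "\r\n".join(
    ["-----BEGIN CERTIFICATE-----"]
    + textwrap.wrap(base64.b64encode(SAMPLE_PLAINTEXT).decode("ascii"), 64)
    + ["-----END CERTIFICATE-----", ""]
)


def unwrap_certutil_encoded(text):
    """Recover the original bytes from a certutil -encode style file: drop the
    -----BEGIN/END----- lines and Base64-decode the remaining lines."""
    body = "".join(
        line.strip() for line in text.splitlines() if not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def looks_like_der_certificate(data):
    """Cheap triage heuristic: a genuine X.509 certificate is a DER SEQUENCE and
    therefore starts with tag byte 0x30. Staged CSV or binary payloads that were
    merely Base64-wrapped almost never do. Heuristic only, not a parser."""
    return data[:1] == b"\x30"


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print("suspicious certutil use:", hit)
    recovered = unwrap_certutil_encoded(SAMPLE_ENCODED_FILE)
    print("payload is DER certificate:", looks_like_der_certificate(recovered))
    print(recovered.decode())
```

In a real investigation the command-line check runs over process-creation telemetry (for example Sysmon event 1 or Windows 4688 with command-line auditing enabled), and the unwrap step is applied to any .cer file on a staging host whose decoded payload fails the DER check.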
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Mandiant
Backdoor
Exploit
Dropper
Malware
Proxy
Linux
Windows
Cybercrime
Beacon
Webshell
Keepass
Web Shell
Ransomware
Lateral Move...
Exploits
Reconnaissance
Extortion
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
FIN10 | Unspecified | 1 | None
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the FIN13 Threat Actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | 7 months ago | FIN13: A Cybercriminal Threat Actor Focused on Mexico | Mandiant