FIN13

Threat Actor Profile Updated 25 days ago
FIN13 is a financially motivated threat actor that has been active since at least 2016, primarily conducting long-term intrusions in Mexico. Tracked by Mandiant since 2017, FIN13's operations differ significantly from current cybercriminal data theft and ransomware extortion trends. Instead of the "smash and grab" tactics employed by many ransomware groups, FIN13 takes a methodical approach, gathering information over time in order to perform fraudulent money transfers. The group does not rely heavily on attack frameworks such as Cobalt Strike; instead, it uses custom passive backdoors and tools to lurk in targeted environments for long periods. FIN13's focus remains on traditional financially motivated cybercrime, and it targets both Linux and Windows systems. Notably, unlike many other cybercriminal groups, FIN13 has not deployed ransomware in any intrusion observed by Mandiant.

The group interacts with databases to collect financially sensitive information, often focusing on specific data that could aid fraudulent transactions. It is not always clear, however, how FIN13 capitalizes on the stolen information. In several instances, FIN13 exfiltrated files related to financial transactions or software. At one victim, for example, the group stole dependency files for the victim's ATM terminal software. In another instance, it exfiltrated files related to Verifone, commonly used software that facilitates money transfers on POS systems. It also retrieved the contents of tables containing withdrawal keys and cash withdrawal codes. FIN13 then masked the staged data with the Windows certutil utility, using the file as input to generate a fake Base64-encoded "certificate". More details about FIN13 and SWEARJAR, a backdoor used by this group, are available through Mandiant Advantage Threat Intelligence.
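As an added defender-side example (not code from this page or from Mandiant), the following Python checks whether a PEM-style file of the kind `certutil -encode` produces actually decodes to DER or merely wraps arbitrary staged data, which is the masking described above. The sample content is constructed, and the DER check is a heuristic on the outer ASN.1 SEQUENCE rather than a full certificate parser.

```python
import base64
import re
from typing import Optional

# certutil -encode emits the input file's Base64 in a PEM-style wrapper with
# 64-character lines. A real certificate decodes to DER: an outer SEQUENCE (0x30).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def certutil_payload(text: str) -> Optional[bytes]:
    """Return the decoded body of a certutil-style wrapper, or None if absent/invalid."""
    m = PEM_RE.search(text)
    if not m:
        return None
    try:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def looks_like_der(data: bytes) -> bool:
    """Heuristic: outer SEQUENCE tag and a length field that spans the data exactly."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        length, hdr = data[1], 2
    else:                                   # long-form length: 0x8n + n bytes
        n = data[1] & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, hdr = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return hdr + length == len(data)


def classify(text: str) -> str:
    """'not-pem' (no wrapper), 'der' (plausible certificate), or 'masked-data'."""
    payload = certutil_payload(text)
    if payload is None:
        return "not-pem"
    return "der" if looks_like_der(payload) else "masked-data"


def wrap_like_certutil(data: bytes) -> str:
    """Constructed stand-in for `certutil -encode` output, so the example runs offline."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: a staged text export masked as a certificate (placeholder values).
STAGED = wrap_like_certutil(b"table,withdrawal_key\nATM01,0000-PLACEHOLDER\n")
```

Run over files with a `.cer`/`.crt` extension found in unusual staging locations, a `masked-data` result is worth a closer look, while `der` only says the outer structure is plausible.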
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the FIN13 threat actor was read from the document corpus below.
Source: MITRE
Created: 6 months ago
Title: FIN13: A Cybercriminal Threat Actor Focused on Mexico | Mandiant