FIN6

Threat Actor updated a month ago (2024-11-29T14:22:16.897Z)
FIN6, also tracked as ITG08 and Skeleton Spider and, for its web-skimming activity, as Magecart Group 6, is a financially motivated threat actor group associated with significant cyber-attacks. The group initially gained notoriety for stealing payment card data from point-of-sale (POS) systems in retail and hospitality establishments; it has been linked in some reporting to the Home Depot breach disclosed in 2014, which exposed customer card data from over 2,000 stores and cost the retailer nearly $40 million in lawsuits and settlements. In 2018, FIN6 expanded its operations to include ransomware deployment. Visa attributed a backdoor used in 2018 attacks to FIN6, and FIN6 fingerprints were subsequently found in intrusions involving TrickBot malware.

The group has been linked to several other threat actors and malware services. In particular, it has ties to the Russian-speaking Cobalt Group and uses the More_eggs (Golden Chickens) malware-as-a-service (MaaS), described as the cyber weapon of choice of these groups. The MaaS is sold by an operator using the persona VENOM SPIDER (badbullzvenom), whom eSentire claims to have unmasked. FIN6 has also been associated with TA4557, a Proofpoint-tracked threat actor whose activity overlaps with other More_eggs customers.

In recent years, FIN6 has shifted its lures from posing as recruiters to posing as job applicants, sending malicious "resumes" to corporate recruiters and hiring managers in an attempt to compromise their systems. Once inside a network, the group has gone after critical Active Directory assets, including the NTDS.dit database (the Windows NT Directory Services store of account hashes), the KRBTGT service account, and Active Directory certificates. As a result, security firms have urged companies to update their user awareness training to mitigate the threat posed by these sophisticated, financially motivated attackers.
Description last updated: 2024-10-01T20:16:26.086Z
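The Active Directory targeting described above (NTDS.dit extraction and manipulation of the KRBTGT account) is what a defender would most want to catch early. The following is an added example written for this page, not FIN6 tooling or any vendor's detection content. It runs three rules over constructed Windows Security event records (4688 process creation, 4662 directory object operation, 4724 password reset attempt); it also covers replication-right (DCSync) requests, which the description does not mention but which is the usual alternative to copying NTDS.dit off a domain controller. The flattening of events into dicts, the field names and the sample command lines are assumptions of the example; the two replication GUIDs are the documented Windows values.

```python
"""Detection logic for FIN6-style Active Directory abuse: NTDS.dit extraction,
DCSync-style replication requests and KRBTGT password resets.

Added example for this page, not FIN6 tooling or any vendor's rule content.
The events are constructed Windows Security log records reduced to a few
fields; the dict layout (EventID, SubjectUserName, CommandLine, Properties,
TargetUserName) is an assumption of this example."""
import re
from dataclasses import dataclass

# Extended rights that grant directory replication (the DCSync primitive).
# Documented GUIDs for DS-Replication-Get-Changes and
# DS-Replication-Get-Changes-All.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}")

# Command-line fragments seen when NTDS.dit is copied out via ntdsutil's
# "install from media" mode or a Volume Shadow Copy.
NTDS_PATTERNS = [
    re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    re.compile(r"\bntds\.dit\b", re.I),
]


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    subject: str
    detail: str


def analyze(events):
    """Return Findings for events that match one of the three rules.
    Each event is a dict with an int 'EventID' plus the string fields used."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        subject = ev.get("SubjectUserName", "?")
        if eid == 4688:  # process creation (needs command-line auditing on)
            cmd = ev.get("CommandLine", "")
            if any(p.search(cmd) for p in NTDS_PATTERNS):
                findings.append(Finding(eid, "ntds_dit_extraction", subject, cmd))
        elif eid == 4662:  # operation performed on a directory object
            props = ev.get("Properties", "").lower()
            requested = set(GUID_RE.findall(props))
            # Domain controllers replicate legitimately; a user account
            # (no trailing '$') exercising replication rights is the signal.
            if requested & REPLICATION_RIGHTS and not subject.endswith("$"):
                findings.append(Finding(eid, "dcsync_replication", subject, props))
        elif eid == 4724:  # attempt to reset an account's password
            target = ev.get("TargetUserName", "")
            if target.lower() == "krbtgt":
                findings.append(Finding(eid, "krbtgt_password_reset", subject, target))
    return findings


# Constructed sample events (not real telemetry). Benign records are mixed in
# so the rules have something to ignore.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\ifm" q q'},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "krbtgt"},
    {"EventID": 4724, "SubjectUserName": "helpdesk", "TargetUserName": "asmith"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
]


def run_sample():
    """Run the rules over the constructed events and return the findings."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.event_id} {f.rule:<24} subject={f.subject}")
```

The 4662 rule deliberately exempts machine accounts (names ending in `$`) because domain controllers request replication constantly; in production you would tighten that to an allow-list of DC computer accounts rather than trusting the trailing `$`, since an attacker can create or rename a machine account. Event 4688 only carries the command line when "Include command line in process creation events" is enabled, so confirm that policy before relying on the first rule.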
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ITG08 (2 votes): ITG08 is a possible alias for FIN6. ITG08 is a notable threat actor in the cybersecurity landscape, known for its malicious activities and strategic partnerships with other threat actors. This group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with its known modus operandi. Whi
TA4557 (2 votes): TA4557 is a possible alias for FIN6. TA4557 is a threat actor that Proofpoint tracks as a distinct cluster on the basis of its tooling, campaign targeting, evasion measures, and controlled infrastructure. The group is particularly notable for its sophisticated spear-phishing strategy, wh
Venom Spider (2 votes): Venom Spider is a possible alias for FIN6. Venom Spider is the persona of the operator behind the Golden Chickens malware suite; identified by eSentire's threat hunters and also known as badbullzvenom, Venom Spider sells the suite under a Malware-as-a-Service (MaaS) model. This means that the malware is provided as a service to other cybercrim
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cobalt Strike
Backdoor
Ransomware
MaaS
Windows
Associated Malware
More_eggs (association type: unspecified; 2 votes): More_eggs is associated with FIN6. More_eggs, also known as Golden Chickens, is a dangerous malware suite used by financially motivated cybercrime actors such as the Cobalt Group and FIN6. This malicious software is designed to infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge, a
Source Document References
Information about the FIN6 Threat Actor was read from the documents corpus below. This display is limited to 20 results.
DARKReading: 16 days ago; 3 months ago
InfoSecurity-magazine: a year ago
CERT-EU: a year ago (4 documents); 2 years ago (7 documents)
MITRE: 2 years ago (5 documents)