FIN6

Threat Actor updated 4 months ago (2024-05-04T18:19:19.801Z)
FIN6, also tracked as ITG08 and Skeleton Spider and linked to Magecart web-skimming activity, is a financially motivated threat actor implicated in a range of cybercrime. The group first became known for stealing payment card data from point-of-sale (POS) systems in retail and hospitality environments; this profile ties it most notably to the Home Depot breach (disclosed in 2014), which exposed customer cards at more than 2,000 stores and cost the company nearly $40 million in lawsuits and settlements. By 2018, Visa had attributed a backdoor used in attacks on e-commerce merchants to FIN6, and in the same year the group appeared to add ransomware to its arsenal.

FIN6's operations rely on several malware-as-a-service (MaaS) offerings, including more_eggs (the Golden Chickens MaaS) and TrickBot's Anchor framework. eSentire has described more_eggs as the "cyber weapon of choice" of the Russia-based FIN6 and Cobalt Group, and identified the person behind the Golden Chickens service, tracked by CrowdStrike as VENOM SPIDER, as a Romanian man known as "Jack" who also uses the handles "Lucky" and "badbullzvenom". FIN6 has additionally been associated with TA4557, a Proofpoint-tracked actor whose activity overlaps with other groups that use more_eggs, namely Cobalt Group and Evilnum.

FIN6's tradecraft has evolved over time: beyond POS intrusions, the group targets critical Active Directory assets and deploys post-exploitation frameworks such as Cobalt Strike. In 2019, researchers observed FIN6 using a malware suite that included the PureLocker ransomware plugin; the same suite had previously been used by Cobalt Group in 2017 and 2018.
Description last updated: 2024-05-04T17:53:08.530Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
ITG08 | 2 | ITG08 is a notable threat actor in the cybersecurity landscape, known for its malicious activities and strategic partnerships with other threat actors. This group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with their known modus operandi. Whi
TA4557 | 2 | TA4557 is a threat actor that cybersecurity firm Proofpoint tracks as a distinct cluster based on its use of tools, campaign targeting, evasion measures, and controlled infrastructure. This actor is particularly notable for its sophisticated spear-phishing strategy, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cobalt Strike
Ransomware
Windows
Source Document References
Information about the FIN6 threat actor was read from the document corpus below (display limited to 20 results).
Source | Created | Title
InfoSecurity-magazine | 9 months ago | Threat Actor Targets Recruiters With Malware
CERT-EU | 9 months ago | Hiring? New scam campaign means 'resume' downloads may contain malware
CERT-EU | a year ago | Domain of Thrones: Part I
CERT-EU | a year ago | Demystifying the Dark Web and DarkNets, Part V: FINs, APTs, Rogues, Hacktivists, Cyber Warriors, and Accidentals
CERT-EU | a year ago | High-severity Chrome vulnerabilities addressed
CERT-EU | a year ago | Minnesota VA medical center plagued with IT security gaps
CERT-EU | a year ago | Golden Chickens malware developer unmasked
MITRE | 2 years ago | ITG08 (aka FIN6) Partners With TrickBot Gang, Uses Anchor Framework
MITRE | 2 years ago | More_eggs, Anyone? Threat Actor ITG08 Strikes Again
MITRE | 2 years ago | Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware (Mandiant)
MITRE | 2 years ago | FIN8 is Back in Business, Targeting the Hospitality Industry
MITRE | 2 years ago | Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware
CERT-EU | a year ago | A new threat to financial organizations has appeared in cyberspace: the OCX#HARVESTER campaign
CERT-EU | a year ago | Researchers Identify Second Developer of 'Golden Chickens' Malware
CERT-EU | a year ago | Meet 'Jack' from Romania! Mastermind Behind Golden Chickens Malware
CERT-EU | a year ago | The malware supplier of the most dangerous Russian cybercriminals has been revealed
CERT-EU | a year ago | Researchers identify second developer behind Golden Chickens MaaS