FIN6

Threat Actor updated 16 days ago (2024-10-01T21:00:54.534Z)
FIN6, also known as ITG08, Skeleton Spider, and MageCart, is a notorious threat actor group associated with significant cyber-attacks. The group initially gained notoriety for stealing credit card data through point-of-sale (POS) systems in retail and hospitality establishments, most notably in the Home Depot data breach in 2015, which exposed customer credit cards in over 2,000 stores and cost nearly $40 million in lawsuits and settlements. In 2018, FIN6 expanded its tactics to include ransomware. Visa attributed the use of a backdoor in attacks that took place in 2018 to FIN6, and further evidence of FIN6's fingerprints was found on TrickBot malware. The group has been linked to several other threat actors and malware services. In particular, it has ties to the Russian Cobalt Group and uses the More_eggs (also called Golden Chickens) malware-as-a-service (MaaS), described as the "cyber weapon of choice" of these groups. This MaaS was provided by a Romanian man known as VENOM SPIDER, who was unmasked by eSentire. FIN6 has also been associated with TA4557, another threat actor whose activity overlaps with other groups using More_eggs. In recent years, FIN6 has shifted its tactics from posing as fake recruiters to masquerading as fake job applicants, targeting job seekers in an attempt to infiltrate their systems. The group has also targeted critical Active Directory assets, such as the Windows NT Directory Services (NTDS.dit) file, the KRBTGT service account, and Active Directory certificates. As a result, cybersecurity firms have urged companies to update their user awareness training to mitigate the threat posed by these sophisticated, financially motivated attackers.
Description last updated: 2024-10-01T20:16:26.086Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias | Description | Votes
ITG08 | ITG08 is a possible alias for FIN6. ITG08 is a notable threat actor in the cybersecurity landscape, known for its malicious activities and strategic partnerships with other threat actors. This group has been linked to a series of attacks through Tactics, Techniques, and Procedures (TTPs) consistent with their known modus operandi. Whi | 2
TA4557 | TA4557 is a possible alias for FIN6. TA4557 is a malicious software (malware) that has been uniquely identified by cybersecurity firm Proofpoint due to its distinctive use of tools, campaign targeting, evasion measures, and controlled infrastructure. This malware is particularly notable for its sophisticated spear-phishing strategy, wh | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Cobalt Strike
Backdoor
Ransomware
Windows
Source Document References
Information about the FIN6 threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created
DARKReading | 16 days ago
InfoSecurity-magazine | 10 months ago
CERT-EU | 10 months ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
MITRE | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago