Previous attacks conducted by the FIN6 group aimed at compromising point-of-sale (
“Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data.” reads the analysis published by FireEye.
“FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.
This blog post details the latest FIN6 tactics, techniques, and procedures (
Experts have traced these intrusions back to July 2018; they have cost the victims tens of millions of dollars.
The attackers used Windows’ Remote Desktop Protocol (RDP) for lateral movement and relied on the following techniques to carry out the attacks:
“The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2 URL contained shellcode that would make an HTTPS request for an additional download.” continues the analysis.
“To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.”
The attackers leveraged AdFind to query Active Directory and move laterally, and they used 7-Zip to compress the data before sending it to the C2 server.
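A defender's view of the techniques above, as an added example that is not from this article or from FireEye's analysis: it matches constructed process-creation events against patterns for named pipe impersonation, AdFind and 7-Zip archive creation, then flags hosts where AD discovery is followed by archiving within an hour. The event tuples, host names, regexes and the one-hour window are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, time, image, command line);
# none of these values come from the FireEye report.
EVENTS = [
    ("WS01", "2019-04-01T10:00:00", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c echo qwhbvd > \\.\pipe\qwhbvd"),
    ("WS01", "2019-04-01T10:05:00", r"C:\Users\Public\adfind.exe",
     r"adfind.exe -f (objectcategory=person)"),
    ("WS01", "2019-04-01T10:20:00", r"C:\Users\Public\7z.exe",
     r"7z.exe a -mx3 ad.7z ad_*.txt"),
    ("WS02", "2019-04-01T11:00:00", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a backup.7z C:\Reports"),
    ("WS03", "2019-04-01T12:00:00", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c echo done > C:\Temp\status.txt"),
]

RULES = {
    # Assumed shape of a service command that echoes into a named pipe.
    "pipe_impersonation": re.compile(
        r"cmd(\.exe)?\s+/c\s+echo\s+\w+\s*>\s*\\\\\.\\pipe\\\w+", re.I),
    # AdFind by binary name, or an LDAP objectcategory filter on the command line.
    "adfind": re.compile(r"\badfind(\.exe)?\b|objectcategory=", re.I),
    # 7-Zip invoked with the "a" (add to archive) command.
    "archive_create": re.compile(r"\b7za?(\.exe)?\s+a\s", re.I),
}

def classify(image, cmdline):
    """Return the names of all rules that match one process-creation event."""
    text = f"{image} {cmdline}"
    return [name for name, rx in RULES.items() if rx.search(text)]

def staging_hosts(events, window=timedelta(hours=1)):
    """Hosts where AD discovery is followed by archive creation within `window`."""
    last_discovery, flagged = {}, set()
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        when, hits = datetime.fromisoformat(ts), classify(image, cmdline)
        if "adfind" in hits:
            last_discovery[host] = when
        if ("archive_create" in hits and host in last_discovery
                and when - last_discovery[host] <= window):
            flagged.add(host)
    return sorted(flagged)

if __name__ == "__main__":
    for host, ts, image, cmdline in EVENTS:
        print(ts, host, classify(image, cmdline) or "-")
    print("discovery followed by archiving on:", staging_hosts(EVENTS))
```

Archiving alone (WS02) and an ordinary `echo` redirect (WS03) are not flagged; only the ordered sequence on one host is.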
“Criminal operations and relationships are highly adaptable, so we commonly encounter such attribution challenges in regards to criminal
Further technical details, including Indicators of Compromise, are reported in the analysis published by FireEye.