Previous attacks conducted by the FIN6 group aimed at compromising point-of-sale (
“Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data.” reads the analysis published by FireEye.
“FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.
This blog post details the latest FIN6 tactics, techniques, and procedures (
Experts have traced these intrusions back to July 2018, they have caused the loss of tens of millions of dollars to the victims.
Attackers used Windows’ Remote Desktop Protocol (RDP) for lateral movement, the attackers used the following techniques to carry on the attacks:
“The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2 URL contained shellcode that would make an HTTPS request for an additional download.” continues the analysis.
“To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.”
Attackers leverage AdFind to query the Active Directory and make lateral movements, they used 7-Zip to compress the data before sending it to the C2 server.
“Criminal operations and relationships are highly adaptable, so we commonly encounter such attribution challenges in regards to criminal
Further technical details, including Indicators of Compromise, are reported in the analysis published by FireEye.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.