#ThreatThursday - FIN6 Phase 2

    by Sean
    December 10, 2020

    FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017. This post takes a deeper dive into the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense and in particular what they call their Phase 2 plan which covers 3 different scenarios.

    It’s exciting to see our friends at MITRE creating MITRE’s Adversary Emulation Library. We share in their goal to bring TTP-focused defense to the community, as we’ve been doing with the SCYTHE Threat Thursdays and our Community Threats GitHub. The ability to repeatedly and easily emulate a threat’s behaviors is critical to a strong cyber defense. To that point, SCYTHE makes our threat templates as simple and straightforward as possible so that Red, Blue, and Purple teams can work through these adversary emulations in their production environment to test, measure, and improve their people, process, and technology.

    Cyber Threat Intelligence

    The FIN6 intelligence summary from the document:

    FIN6 is thought to be a financially motivated cybercrime group. As such, they appear to take a pragmatic approach toward targeting and exploitation. Their strategic objective over time and across a diverse target set remains the same, monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (PoS) transactions.

    Adversary Emulation Plan

    The FIN6 Emulation Plan provided by the Center is separated into “Phases”:

    Phase 1

    • Discovery
    • Privilege Escalation
    • Credential Access
    • Collection
    • Exfiltration

    Phase 2

    • Execution - Point of Sale (POS)
    • Persistence - Point of Sale (POS)
    • Exfiltration - Point of Sale (POS)
    • Execution - Ransomware
    • Lateral Movement - Ransomware
    • Execution - Ransomware (... again)
    • Exfiltration

    For this week’s Threat Thursday, we focused exclusively on the “Phase 2” steps of the FIN6 emulation plan. We explored the multiple scenarios that FIN6 has been seen using:

    Command and Control

    T1071 - Application Layer Protocol
    T1105 - Ingress Tool Transfer
    T1219 - Remote Access Software
    T1573 - Encrypted Channel

    Execution

    T1059 - Command and Scripting Interpreter
    T1059.001 - PowerShell
    T1059.003 - Windows Command Shell
    T1053.005 - Scheduled Task
    T1204.002 - Malicious File

    Persistence

    T1053.002 - Scheduled Task/Job
    T1547.001 - Registry Run Keys / Startup Folder

    Defense Evasion

    T1562.004 - Disable or Modify System Firewall
    T1070.004 - File Deletion
    T1036 - Masquerading
    T1112 - Modify Registry

    We explore 3 different scenarios for the second phase of FIN6. These different scenarios exist because FIN6 changes its objectives to fit the target. On point of sale systems, it looks to exfiltrate payment card data. On e-commerce sites, it looks to hijack payment portals. On other high value endpoints, it looks to profit through ransomware.
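    The Phase 2 technique list above is only useful to a Blue team if each technique maps to something they can actually detect. The block below is an added example, not code from the post, from SCYTHE, or from MITRE’s emulation plan: it runs simple command-line signatures for the Phase 2 execution, persistence and defense evasion techniques over a handful of constructed Sysmon-style process-creation events, tags each event with the ATT&CK IDs from the table, and then flags any host that shows both a persistence technique and a defense evasion technique, which is the combination a Purple team would expect to see when the POS scenario is emulated. The host names, command lines and regexes are all illustrative assumptions.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs are those listed for FIN6 Phase 2 in this post; the
# regexes are our own illustrative command-line signatures (assumed), not
# rules from MITRE's plan or SCYTHE's threat template.
RULES = [
    ("T1562.004", re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("T1053.005", re.compile(r"schtasks(\.exe)?\s+/create\b", re.I)),
    ("T1547.001", re.compile(r"reg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)),
    ("T1112",     re.compile(r"reg(\.exe)?\s+(add|delete)\b", re.I)),
    ("T1070.004", re.compile(r"\b(del|erase)\s+(/[fqs]\s+)+", re.I)),
    ("T1059.001", re.compile(r"powershell(\.exe)?\s.*(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden)", re.I)),
]

# Grouping by tactic follows the Phase 2 table in the post.
PERSISTENCE = {"T1053.005", "T1547.001"}
DEFENSE_EVASION = {"T1562.004", "T1070.004", "T1112"}

# Constructed sample events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"Host": "POS-01", "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off"},
    {"Host": "POS-01", "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\ProgramData\upd.exe"'},
    {"Host": "POS-01", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d C:\ProgramData\upd.exe"},
    {"Host": "WS-07", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c del /f /q C:\ProgramData\stage.bin"},
    {"Host": "WS-07", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"Host": "SRV-02", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
]


def classify(event):
    """Return the sorted list of technique IDs whose signature matches the command line."""
    cmd = event.get("CommandLine", "")
    return sorted(tid for tid, rx in RULES if rx.search(cmd))


def triage(events):
    """Map each technique ID to the indices of the events that triggered it."""
    hits = defaultdict(list)
    for idx, ev in enumerate(events):
        for tid in classify(ev):
            hits[tid].append(idx)
    return dict(hits)


def hosts_with_phase2_chain(events):
    """Hosts showing at least one persistence AND one defense evasion technique.

    A single signature hit is noisy on its own; the combination is what
    the POS scenario of the emulation plan should produce on one endpoint.
    """
    seen = defaultdict(set)
    for ev in events:
        seen[ev["Host"]].update(classify(ev))
    return sorted(h for h, tids in seen.items()
                  if tids & PERSISTENCE and tids & DEFENSE_EVASION)


if __name__ == "__main__":
    for tid, idxs in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{tid}: events {idxs}")
    print("hosts with persistence + defense evasion:", hosts_with_phase2_chain(SAMPLE_EVENTS))
```

    Run against real process-creation telemetry, the per-technique hits are the validation that a given Phase 2 step was observed, while the per-host chain is the more interesting alert for Blue teams, since it ties the individual techniques back to the scenario being emulated.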

    Caption: Scenario 1 - Persistence on POS Systems
    Caption: Scenario 2 - Payment Portal Javascript Files
    Caption: Scenario 3 - Ransomware

    Additional Files

    To stay true to our emulation of FIN6 Phase 2, we also included supporting files with the scenarios. For Scenarios 2 and 3, we added a few extra files to improve the emulation. One of them is kill.bat, a batch file that FIN6 uses to disable security products.

    Caption: Strings from kill.bat courtesy of MITRE


    Thanks to the MITRE Adversary Emulation Library, we were able to quickly and easily port things over to SCYTHE. Moving towards threat templates that are machine readable, easily repeated, customizable, and that detail explicit threat actor behaviors is critical for validating defenses and defenders. FIN6 was a fantastic initial threat from the Center, as it set the foundation for their syntax while also being a solid general threat for the community to analyze. For all our threats, check out the SCYTHE Community Threats GitHub.

    This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.

    About SCYTHE

    SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io.
