
FIN8

aka: ATK113, G0061

FIN8 is a financially motivated group that targets the retail, hospitality and entertainment industries. The group has previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and the point-of-sale (POS) malware PUNCHTRACK.


Associated Families
win.poslurp win.badhatch

References
2021-08-15 | Symantec | Threat Hunter Team
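@comment{Corporate author is double-braced so the whole team name is treated as one surname; title casing is protected per word rather than by bracing the whole title.}
@techreport{team:20210815:ransomware:f799696,
  author      = {{Threat Hunter Team}},
  title       = {The Ransomware Threat},
  date        = {2021-08-15},
  institution = {Symantec},
  url         = {https://symantec.broadcom.com/hubfs/The_Ransomware_Threat_September_2021.pdf},
  urldate     = {2021-12-15},
  language    = {English},
}
The Ransomware Threat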
Babuk BlackMatter DarkSide Avaddon Babuk BADHATCH BazarBackdoor BlackMatter Clop Cobalt Strike Conti DarkSide DoppelPaymer Egregor Emotet FiveHands FriedEx Hades IcedID LockBit Maze MegaCortex MimiKatz QakBot RagnarLocker REvil Ryuk TrickBot WastedLocker
2021-03-15 | Team Cymru | Josh Hopkins
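@comment{Title completed to 'Enrichment': the original record was truncated to 'Enrichmen', while the URL slug carries the full word. Author stored in Last, First form; acronyms FIN8 and BADHATCH brace-protected against style recasing.}
@online{hopkins:20210315:fin8:838cdc2,
  author       = {Hopkins, Josh},
  title        = {{FIN8}: {BADHATCH} Threat Indicator Enrichment},
  date         = {2021-03-15},
  organization = {Team Cymru},
  url          = {https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/},
  urldate      = {2021-03-18},
  language     = {English},
}
FIN8: BADHATCH Threat Indicator Enrichment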
BADHATCH
2021-03-10 | Bitdefender | Victor Vrabie, Bogdan Botezatu
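@comment{Authors stored in Last, First form; only the acronyms FIN8 and BADHATCH are brace-protected so a sentence-casing style can still recase the rest of the title.}
@techreport{vrabie:20210310:fin8:5da0a40,
  author      = {Vrabie, Victor and Botezatu, Bogdan},
  title       = {{FIN8} Returns with Improved {BADHATCH} Toolkit},
  date        = {2021-03-10},
  institution = {Bitdefender},
  url         = {https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf},
  urldate     = {2021-03-11},
  language    = {English},
}
FIN8 Returns with Improved BADHATCH Toolkit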
BADHATCH
2019-12-31 | One Night in Norfolk | Norfolk
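@comment{Pseudonymous single-token author is double-braced so it is never split into name parts. The title keeps its UTF-8 en dash, which requires Biber or a UTF-8 aware BibTeX; the malware name PoSlurp.B and the numeral II are brace-protected.}
@online{norfolk:20191231:fuel:37d7e73,
  author       = {{Norfolk}},
  title        = {Fuel Pumps {II} – {PoSlurp.B}},
  date         = {2019-12-31},
  organization = {One Night in Norfolk},
  url          = {https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/},
  urldate      = {2020-01-08},
  language     = {English},
}
Fuel Pumps II – PoSlurp.B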
PoSlurp
2019-08-15 | Twitter (@just_windex) | Windex
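@comment{Pseudonymous single-token author is double-braced so it is never split into name parts; the malware name PoSlurp.B is brace-protected against style recasing.}
@online{windex:20190815:poslurpb:29adb6b,
  author       = {{Windex}},
  title        = {Tweet on {PoSlurp.B}},
  date         = {2019-08-15},
  organization = {Twitter (@just_windex)},
  url          = {https://twitter.com/just_windex/status/1162118585805758464},
  urldate      = {2020-01-09},
  language     = {English},
}
Tweet on PoSlurp.B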
PoSlurp
2019-07-23 | Gigamon | Kristina Savelesky, Ed Miles, Justin Warner
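@comment{Same article as savelesky:20190723:abadbabe:7d07c9b, recorded here under the older atr-blog URL. Authors stored in Last, First form; ABADBABE, 8BADF00D, BADHATCH and FIN8 are brace-protected against style recasing.}
@online{savelesky:20190723:abadbabe:061c7a8,
  author       = {Savelesky, Kristina and Miles, Ed and Warner, Justin},
  title        = {{ABADBABE} {8BADF00D}: Discovering {BADHATCH} and a Detailed Look at {FIN8’s} Tooling},
  date         = {2019-07-23},
  organization = {Gigamon},
  url          = {https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/},
  urldate      = {2020-02-09},
  language     = {English},
}
ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling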
PoSlurp Powersniff
2019-07-23 | Gigamon | Kristina Savelesky, Ed Miles, Justin Warner
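@comment{Same article as savelesky:20190723:abadbabe:061c7a8, recorded here under the current blog.gigamon.com URL. Authors stored in Last, First form; ABADBABE, 8BADF00D, BADHATCH and FIN8 are brace-protected against style recasing.}
@online{savelesky:20190723:abadbabe:7d07c9b,
  author       = {Savelesky, Kristina and Miles, Ed and Warner, Justin},
  title        = {{ABADBABE} {8BADF00D}: Discovering {BADHATCH} and a Detailed Look at {FIN8’s} Tooling},
  date         = {2019-07-23},
  organization = {Gigamon},
  url          = {https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/},
  urldate      = {2023-08-31},
  language     = {English},
}
ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling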
BADHATCH
2019 | MITRE | MITRE ATT&CK
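@comment{Corporate author is double-braced so it stays one surname, and the ampersand is escaped because a bare ampersand is a LaTeX special character and breaks typesetting of the author field. FIN8 is brace-protected in the title.}
@online{attck:2019:fin8:2b2b924,
  author       = {{MITRE ATT\&CK}},
  title        = {Group description: {FIN8}},
  date         = {2019},
  organization = {MITRE},
  url          = {https://attack.mitre.org/groups/G0061},
  urldate      = {2019-12-20},
  language     = {English},
}
Group description: FIN8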
FIN8
2017-06-30 | FireEye | Nick Carr, Daniel Bohannon
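@comment{Authors stored in Last, First form; the title contains no acronyms or proper nouns, so no brace protection is needed and a sentence-casing style may recase it freely.}
@online{carr:20170630:obfuscation:c3d947e,
  author       = {Carr, Nick and Bohannon, Daniel},
  title        = {Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques},
  date         = {2017-06-30},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html},
  urldate      = {2019-12-20},
  language     = {English},
}
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques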
FIN8
2017-06-19 | root9b | root9b
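@comment{Same report as root9b:20170619:shelltea:223ad32, recorded here under a third-party GitHub mirror URL. Corporate author is double-braced; SHELLTEA and POSLURP are brace-protected. The percent-encoded URL is stored verbatim, which Biber handles; classic BibTeX would need the percent signs escaped.}
@techreport{root9b:20170619:shelltea:13b1ebd,
  author      = {{root9b}},
  title       = {{SHELLTEA} + {POSLURP} Malware Memory-resident Point-of-Sale Malware Attacks Industry},
  date        = {2017-06-19},
  institution = {root9b},
  url         = {https://raw.githubusercontent.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/master/2017/2017.06.19.SHELLTEA_POSLURP_MALWARE/PoS%20Malware%20ShellTea%20PoSlurp_0.pdf},
  urldate     = {2021-03-22},
  language    = {English},
}
SHELLTEA + POSLURP Malware Memory-resident Point-of-Sale Malware Attacks Industry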
FIN8
2017-06-19 | root9b | root9b
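@comment{Same report as root9b:20170619:shelltea:13b1ebd, recorded here under the vendor's own URL. Corporate author is double-braced; SHELLTEA and POSLURP are brace-protected. The percent-encoded URL is stored verbatim, which Biber handles; classic BibTeX would need the percent signs escaped.}
@techreport{root9b:20170619:shelltea:223ad32,
  author      = {{root9b}},
  title       = {{SHELLTEA} + {POSLURP} Malware Memory-resident Point-of-Sale Malware Attacks Industry},
  date        = {2017-06-19},
  institution = {root9b},
  url         = {https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf},
  urldate     = {2021-03-24},
  language    = {English},
}
SHELLTEA + POSLURP Malware Memory-resident Point-of-Sale Malware Attacks Industry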
PoSlurp FIN8
2017-03-14 | FireEye | FireEye
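@comment{Corporate author is double-braced so it stays one surname; the report series name M-Trend is brace-protected against style recasing.}
@online{fireeye:20170314:mtrend:0ea7d30,
  author       = {{FireEye}},
  title        = {{M-Trend} 2017: A View From the Front Lines},
  date         = {2017-03-14},
  organization = {FireEye},
  url          = {https://content.fireeye.com/m-trends/rpt-m-trends-2017},
  urldate      = {2020-06-03},
  language     = {English},
}
M-Trend 2017: A View From the Front Lines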
DistTrack Powersniff FIN8
2016-06-08 | FireEye | FireEye
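@comment{Corporate author is double-braced so it stays one surname; the title contains no acronyms or proper nouns, so no brace protection is needed.}
@online{fireeye:20160608:spear:0d7a2c9,
  author       = {{FireEye}},
  title        = {Spear Phishing Attacks: Why They are Successful and How to Stop Them},
  date         = {2016-06-08},
  organization = {FireEye},
  url          = {https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html},
  urldate      = {2020-01-09},
  language     = {English},
}
Spear Phishing Attacks: Why They are Successful and How to Stop Them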
FIN8
2016-05-11 | FireEye | Yu Wang, Dhanesh Kizhakkinan, Dan Caselden, Erica Eng
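@comment{Authors stored in Last, First form; the product name Windows is brace-protected so a sentence-casing style keeps its capital.}
@online{wang:20160511:threat:4419cca,
  author       = {Wang, Yu and Kizhakkinan, Dhanesh and Caselden, Dan and Eng, Erica},
  title        = {Threat Actor Leverages {Windows} Zero-day Exploit in Payment Card Data Attacks},
  date         = {2016-05-11},
  organization = {FireEye},
  url          = {https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html},
  urldate      = {2019-12-20},
  language     = {English},
}
Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks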
FIN8

Credits: MISP Project