Currently viewing ATT&CK v14.1 which was live between October 31, 2023 and April 22, 2024. Learn more about the versioning system or see the live site.
Thank you to Tidal Cyber and SOC Prime for becoming ATT&CK's first Benefactors. To join the cohort, or learn more about this program visit our Benefactors page.
  1. Home
  2. Groups
  3. FIN4

FIN4

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.[1][2] FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.[1][3]

ID: G0085
Version: 1.2
Created: 31 January 2019
Last Modified: 01 February 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN4 has used HTTP POST requests to transmit data.[1][3]
Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

FIN4 has used VBA macros to display a dialog box and collect victim credentials.[1][3]
Enterprise T1114 .002 Email Collection: Remote Email Collection

FIN4 has accessed and hijacked online email communications using stolen credentials.[1][3]
Enterprise T1564 .008 Hide Artifacts: Email Hiding Rules

FIN4 has created rules in victims' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked," "phish," and "malware" in a likely attempt to prevent organizations from communicating about their activities.[1]
Enterprise T1056 .001 Input Capture: Keylogging

FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.[1][3]
.002 Input Capture: GUI Input Capture

FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.[1][3]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN4 has used spearphishing emails containing attachments (which are often stolen, legitimate documents sent from compromised accounts) with embedded malicious macros.[1][3]
.002 Phishing: Spearphishing Link

FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[1][3]
Enterprise T1090 .003 Proxy: Multi-hop Proxy

FIN4 has used Tor to log in to victims' email accounts.[1]
Enterprise T1204 .001 User Execution: Malicious Link

FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[1][3]
.002 User Execution: Malicious File

FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).[1][3]
Enterprise T1078 Valid Accounts

FIN4 has used legitimate credentials to hijack email communications.[1][3]

References

  1. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  2. Dennesen, K. et al.. (2014, November 30). FIN4: Stealing Insider Information for an Advantage in Stock Trading?. Retrieved December 17, 2018.
  1. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.