← All Threat Actors
Threat Actor Profile

FIN13

Elephant Beetle G1016 TG2003
▲ High Threat
Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.
Origin Russia

Known TTPs

Malware
Default Accounts
Protocol Tunneling
Windows Remote Management
External Remote Services
Domain Account
Network Service Discovery
Web Shell
System Information Discovery
System Network Configuration Discovery
Internal Proxy
Data Manipulation
PowerShell
Scheduled Task
Local Account
Security Account Manager
NTDS
Exploit Public-Facing Application
Gather Victim Identity Information
Masquerade Task or Service
SMB/Windows Admin Shares
LSASS Memory
Hidden Files and Directories
Credentials In Files
Financial Theft
Tool
Make and Impersonate Token
Ingress Tool Transfer
Web Protocols
Pass the Hash
Windows Command Shell
Registry Run Keys / Startup Folder
Internet Connection Discovery
Masquerading
Visual Basic
Additional Local or Domain Groups
DLL
Remote Desktop Protocol
Network Topology
Network Share Discovery
Archive via Utility
Deobfuscate/Decode Files or Information
Modify Authentication Process
Windows Management Instrumentation
SSH
Local Data Staging
Keylogging
Match Legitimate Resource Name or Location
System Network Connections Discovery
File and Directory Discovery
Data from Local System
Permission Groups Discovery
Account Discovery

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD