
FIN13: A Cybercriminal Threat Actor With Major Focus On Mexico City

Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor, since 2017; the group has been conducting long-term intrusions in Mexico since 2016. FIN13’s operations are distinct from current cybercriminal data theft and ransomware extortion trends.

Unlike today’s popular “smash and grab” ransomware groups, FIN13 takes their time gathering information in order to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions make extensive use of custom passive backdoors and tools designed to lurk in environments for extended periods of time.

Mandiant has responded to a number of investigations that we have linked to FIN13. Unlike other financially motivated actors, FIN13’s targeting is highly localised. FIN13 has specifically targeted large organisations in the financial, retail, and hospitality industries.

FIN13 will thoroughly map a victim’s network, capturing credentials and stealing corporate documents, technical documentation, financial databases and other files that will help them achieve their goal of financial gain through the fraudulent transfer of funds from the victim organisation.

According to Mandiant investigations, “FIN13 had a median dwell time (the time between the start of a cyber intrusion and its detection) of 913 days, or 2½ years. The long dwell time of a financially motivated actor is unusual and significant for a variety of reasons. 52 percent of compromises had dwell times of less than 30 days in the Mandiant M-Trends 2021 report, up from 41 percent in 2019.”

A significant factor contributing to the increased proportion of incidents with dwell times of 30 days or less is the continued rise in the proportion of investigations involving ransomware, which increased to 25% in 2020 from 14% in 2019. The dwell time for ransomware investigations is measured in days, whereas FIN13 is frequently present in environments for years to conduct stealthier operations in order to reap as much of a reward as possible.

NIGHTJAR is a Java uploader discovered during several investigations and appears to be based on code found here. NIGHTJAR listens on a socket specified at runtime on the command line, receives a file over that connection and saves it to disk. The malware has no persistence mechanism of its own and has been found in the C:\Windows\Temp and C:\inetpub\wwwroot directories. Figure 14 and Figure 15 show two versions of the command line syntax.

FIN13 also interacted with databases in order to gather financial information. FIN13 extracted the contents of the following tables from one victim database for exfiltration:

“claves retiro” (English translation: “withdrawal keys”)
“codes retiro sin tarjeta” (English translation: “cardless withdrawal codes”)
“retirosefectivo” (English translation: “cash withdrawals”)
With their treasures in hand, FIN13 disguised the staged data by running the Windows certutil utility over the archive to produce a bogus, Base64-encoded “certificate”. The resulting file (Figure 18) contained the archive’s content wrapped in the standard certificate BEGIN and END lines, ready for exfiltration as if it were an ordinary certificate.

Given the complex web of cybercriminal activity, traditional organised crime turning to cryptocurrency, aggressive targeting by North Korea, Chinese espionage, and the ransomware pandemic, Latin American cyberspace will be an area of additional research for years to come, as noted in Proofpoint and ESET publications earlier this year.

Notably, while ransomware has captured the cybercriminal zeitgeist, at the time of publication, Mandiant had not observed FIN13 use ransomware in an intrusion. Throughout their operations, FIN13 has remained focused on more traditional financially motivated cybercrime, targeting both Linux and Windows systems. It remains to be seen whether Latin American criminal actors will also shift their focus to ransomware operations or continue to pursue fraud.

Indicators of Compromise

Malware family with MD5, SHA1 and SHA256 hashes of the associated samples:

CLOSEWATCH
  MD5:    1c871dba90faeef9cb637046be04f291
  SHA1:   ea71757fcd45425353d4c432f8fcef4451cd9b22
  SHA256: e9e25584475ebf08957886725ebc99a2b85af7a992b6c6ae352c94e8d9c79101

DRAWSTRING
  MD5:    f774a1159ec25324c3686431aeb9a038
  SHA1:   1f53342aaa71be3d25e6c28dd36f949b7b504a28
  SHA256: 2d2a67fcce58c73e96358161e48e8b09fa2b171c837d7539c22461e46c47656c

DRAWSTRING
  MD5:    9a6993ee1af31dc386be4583dd866bfc
  SHA1:   67c7469aaaf352705ec66c3bb73366c77cf3577c
  SHA256: 77b4da7f513b7bf555e34fd6450a43e869ec9aa037c0e274ace81ae3d9cda94f

Invoke-SMBExec
  MD5:    9e484e32505758a6d991c33652ad1b14
  SHA1:   16a71f2ffc1bb24b2862295072831b698ae38f3a
  SHA256: 674fc045dc198874f323ebdfb9e9ff2f591076fa6fac8d1048b5b8d9527c64cd

Invoke-WMIExec
  MD5:    081beadd4dc5f070c087df82df22179c
  SHA1:   ca0cc3d624be7a2933413e8d7440374b25eae1bd
  SHA256: b41bd54bbf119d153e0878696cd5a944cbd4316c781dd8e390507b2ec2d949e7

GOBOT2
  MD5:    384fea272567d924c2a256ce9e91d949
  SHA1:   0ae8dd21ce229884519cb8e5ed6b2753a18a7ead
  SHA256: d961148e97857562b9cf06a0e2d154352338d60d375f9b48f61e9f26480e443b

HOTLANE
  MD5:    b451fe96ab76cf676cf22a258fdb38ce
  SHA1:   8c8ad56ec08a4b23e0593c3d578fd7e23dc45211
  SHA256: 4b1b1fd688a5bf4e27a4e62a56b67e1c45536603c8ecdefe88a3b0ff37cec798

HOTLANE
  MD5:    94642e317bdbcc5d216aa730ae851a05
  SHA1:   adca9b2d2e9e1c2cfbeb2f730894bf5ba54acad8
  SHA256: 906b0e99850448a45ab3de4115954d5ff02b6edd4c2b0f5d59f40045f668246c

JSPRAT
  MD5:    ab2dbe55a54368e0ba4c9a4abe71b47b
  SHA1:   7439a49cd10616a7c9d649120dfba7eca7f224b8
  SHA256: c7740484dba2eaac5f3455596df3b8f9c127a9d6f50268bc3375afbff3c6020e

JSPRAT
  MD5:    a4cff691eda32dc11a621d9731fcea73
  SHA1:   75b58a5fef77886d697041cfab5c3d6beda21661
  SHA256: efce809b03fe30765837e99bdfa6766d4506f9ba8351ec611979ce16f841e1ac

JSPRAT
  MD5:    8a8597d1bfa42229224c46e38ebed07b
  SHA1:   5fc73458f617a7fb12d3c769ea07f5ec61e12153
  SHA256: ba5f9281ac9a9bc7c4684dd96603e033f133c26482734b27be4b6f4b5f74f5ad

JSPRAT
  MD5:    34a8ac7dfc5ce7b4a1992abdb5e0fa15
  SHA1:   12f6c27f400e85fb8f075ff7b17f475a383b4499
  SHA256: db3bda73338c164d523c0ab27e774f81921d5ab6518ef667fffd10edf169bfbd

LATCHKEY
  MD5:    0b26021f37f01f00cc6cf880bd3d7f68
  SHA1:   4ab56883ddcb3d3e9af22aa73898d5ca7d2250a6
  SHA256: b23621caf5323e2207d8fbf5bee0a9bd9ce110af64b8f5579a80f2767564f917

MAILSLOT
  MD5:    5fe987a61b88e34102002a1f13cfee3d
  SHA1:   28333822aab1eeebfb299c845b32a2fa17e7747d
  SHA256: 5e59b103bccf5cad21dde116c71e4261f26c2f02ed1af35c0a17218b4423a638

MIMIKATZ
  MD5:    d7af79c4533e3050c47044e41c90e829
  SHA1:   463a36c5fb8c8dffc659f9d1eb4509d8f62816e7
  SHA256: c1fb986e7f6fde354382d7b46460fb9af799a0abbac4c179ca9b3f56aadc7f98

NIGHTJAR
  MD5:    b130215dd140fa47d06f6e1d5ad8e941
  SHA1:   28427a2778731b3b247edf6a576b8149e9784d28
  SHA256: fa6f93ef0bb35a9dad1a5e60105c7110da3a2f8bd37a4ae3bff7f1a1c61b2720

NIGHTJAR
  MD5:    86327a5429ca8c58685a310b98d1be95
  SHA1:   e92c1a2f03f5895889313c8e8f4fea1aa6f24652
  SHA256: 5ece301c0e0295b511f4def643bf6c01129803bac52b032bb19d1e91c679cacb

PORTHOLE
  MD5:    f4b56e8b6c0710f1e8a18dc4f11a4edc
  SHA1:   2e309fa21194a069feb02ff0cd9cafe06d84f94d
  SHA256: 84ac021af9675763af11c955f294db98aeeb08afeacd17e71fb33d8d185feed5

PORTHOLE
  MD5:    33c22962e43cef8627cbc63535f33fce
  SHA1:   72906cec6bc424f8a9db5ca28ece2d2d2200dba2
  SHA256: 61257b4ef15e20aa9407592e25a513ffde7aba2f323c2a47afbc3e588fc5fcaf

PROCDUMP
  MD5:    42539491f0e4fe145b9ed7d002bcb9ae
  SHA1:   ddebbf15665986402e662947c071979329dd1a71
  SHA256: 2f1520301536958bcf5c65516ca85a343133b443db9835a58049cd1694460424

PROCDUMP
  MD5:    a92669ec8852230a10256ac23bbf4489
  SHA1:   4bed038c66e7fdbbfb0365669923a73fbc9bb8f4
  SHA256: 16f413862efda3aba631d8a7ae2bfff6d84acd9f454a7adaa518c7a8a6f375a5

SIXPACK
  MD5:    863ead7a592b47d7547ab7931c935633
  SHA1:   f7cc106b208a9c3e4d630627954489dd2b0d5bda
  SHA256: a3676562571f48c269027a069ecb08ee08973b7017f4965fa36a8fa34a18134e

SPINOFF
  MD5:    9e0563caa00582c3aa4bf6c41d9f9c46
  SHA1:   4716aeb3076a6b0fd00ec9f5144747270407dcc1
  SHA256: 4029788b2cb65282f4264283a359710988380bce22ed67788c8d978b28e0aea9

SWEARJAR
  MD5:    f50efee758de4aa18f0ce9459d5722f4
  SHA1:   13dfe71b95d3932ca4e39b84e6ded5086abe2b60
  SHA256: 1e675e32ebb61b6259b0df978e3ffa02695ef120f8a2a5639f2ae18e14fd1a4d

SWEARJAR
  MD5:    9340e6fc1d6d6b0379ab1583ccc2a0b1
  SHA1:   b0caaf26e52168cb839f12ba499ff1602ce8191b
  SHA256: 0463fa109106363b4c87c8909bfcc4bf3ce238566173359108b0a5ae5d749be2

SWEARJAR
  MD5:    6488086b07a36a2842df5b5451b3640b
  SHA1:   dda98668eda22cf20897960fc8ffc964ae415582
  SHA256: 2f23224937ac723f58e4036eaf1ee766b95ebcbe5b6a27633b5c0efcd314ce36

SWEARJAR
  MD5:    2e9ae2864d368ed1e6747ba28440ba5c
  SHA1:   8bfd968026b4268ba7d205871e329717aec2def8
  SHA256: e76e0a692be03fdc5b12483b7e1bd6abd46ad88167cd6b6a88f6185ed58c8841

TINYSHELL
  MD5:    428b47caf74ce986bc3688262355d5b7
  SHA1:   dadb1cc49fa8fa577bb6d09e15639ab54dd46c18
  SHA256: 0dd4d924c9069992dd7b3e007c0f3ca149b7fb1ce0dfb74b37c7efc6e1aebb46

WMIEXEC
  MD5:    dc78c63a267ef5f894e99aa1e6bfe888
  SHA1:   75c728ec83c65348e51ef1e63915a2415886bc9f

For more cyber security news in crisp content, please follow our site via the Twitter handle @cyberworkx1 and the LinkedIn handle @linkedin.
