Financial Threat Groups
Copy link

Financial Threat Groups
Copy link

Financial threat groups (FIN) comprise of actors that target financial institutions. The following rules detect the presence of FIN groups based on publicly available information.

FIN4
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Other names for this group include: Wolf Spider

Suspicious DNS Request - FIN4 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN4 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN4 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN5
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - FIN5 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN5 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN5 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN6
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Other names for this group include: ITG08 Skeleton Spider

Suspicious DNS Request - FIN6 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN6 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN6 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN7
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Other names for this group include: Anunak Carbon Spider

Suspicious DNS Request - FIN7 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN7 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN7 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN8
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - FIN8 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN8 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN8 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN10
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - FIN10 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN10 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN10 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004

FIN12
Copy link

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - FIN12 Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - FIN12 Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - FIN12 Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Digital Risk Protection (Threat Command) Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004