<< All Posts

#ThreatThursday - FIN6 Phase 2

December 10, 2020

FIN6 is a cyber crime group that specializes in stealing payment card data and sells it in underground marketplaces. This group, also known as Skeleton Spider and ITG08, has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors since at least 2017. This post takes a deeper dive into the FIN6 Adversary Emulation plan released by MITRE Engenuity’s Center for Threat-Informed Defense and in particular what they call their Phase 2 plan which covers 3 different scenarios.

It’s exciting to see our friends at MITRE creating MITRE’s Adversary Emulation Library. We share in their goal to bring TTP focused defense to the community as we’ve been doing with the SCYTHE Threat Thursday’s and our Community Threats GitHub. The ability to repeatedly and easily emulate a threat’s behaviors is critical to a strong cyber defense. To that point, SCYTHE makes our Threat templates as simple and straightforward as possible to allow for Red, Blue, and Purple teams to work through these adversary emulations in their production environment to test, measure, and improve their people, process, and technology.

Cyber Threat Intelligence

The FIN6 intelligence summary from the document:

FIN6 is thought to be a financially motivated cybercrime group. As such, they appear to take a pragmatic approach toward targeting and exploitation. Their strategic objective over time and across a diverse target set remains the same, monetizing compromised environments. Early on, FIN6 used social engineering to gain unauthorized access to targets that process high-volume point-of-sale (PoS) transactions.

Adversary Emulation Plan

The FIN6 Emulation Plan provided by the Center is separated into “Phases”:

Phase 1

  • Discovery
  • Privilege Escalation
  • Credential Access
  • Collection
  • Exfiltration

Phase 2

  • Execution - Point of Sale (POS)
  • Persistence - Point of Sale (POS)
  • Exfiltration - Point of Sale (POS)
  • Execution - Ransomware
  • Lateral Movement - Ransomware
  • Execution - Ransomware (... again)
  • Exfiltration

For this week’s Threat Thursday, we focused exclusively on the “Phase 2” steps of FIN6 emulation plan. We explored the multiple scenarios that FIN6 has been seen using:




Command and Control

T1071 - Application Layer Protocol

T1105 - Ingress Tool Transfer

T1219 - Remote Access Software

T1573 - Encrypted Channel


T1059 - Command and Scripting Interpreter

T1059.001 - PowerShell

T1059.003 - Windows Command Shell

T1053.005 - Scheduled Task

T1204.002 - Malicious File


T1053.002 - Scheduled Task/Job

T1547.001 - Registry Run Keys / Startup Folder

Defense Evasion

T1562.004 - Disable or Modify System Firewall

T1070.004 - File Deletion

T1036 - Masquerading

T1112 - Modify Registry


We explore 3 different scenarios for the second phase of FIN6. These different scenarios exist because of how FIN6 changes its objectives strategically. On point of sale systems, it looks to exfiltrate data. On e-commerce sites, it looks to hijack payment portals. On other high value endpoints, it looks to gain through ransomware.

Caption: Scenario 1 - Persistence on POS Systems
Caption: Scenario 2 - Payment Portal Javascript Files
Caption: Scenario 3 - Ransomware

Additional Files

For the various scenarios, we also included various files to stay true to our emulation of Fin 6 Phase 2. For Scenarios 2 and 3, there were a few additional files we added to improve our emulation. One of them is kill.bat, a batch file that FIN6 uses to disable security products.

Caption: Strings from kill.bat courtesy of MITRE


Thanks to the MITRE Adversary Emulation Library, we were able to quickly and easily port things over to SCYTHE. Moving towards threat templates that are machine readable, easily repeated, customizable, and detail explicit threat actor behaviors are critical for the validation of defenses and defenders. FIN6 was a fantastic initial threat from the Center, as it set the foundation for their syntax while also being a solid general threat for the community to analyze. For all our threats, check out the SCYTHE Community Threats Github.

This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.


SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, or follow on Twitter @scythe_io.


Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form

More Unicorn Content

See All Posts

let our tech speak for itself

Know where you stand with SCYTHE. Talk to us to start the evaluation process today! We’d love to talk to you about how SCYTHE can fit into your cybersecurity workflow.