ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Report
Search
Home > List all groups > FIN13

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: FIN13

NamesFIN13 (Mandiant)
Country[Unknown]
MotivationFinancial crime, Financial gain
First seen2016
Description(Mandiant) Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. FIN13's operations have several noticeable differences from current cybercriminal data theft and ransomware extortion trends.

Although their operations continue through the present day, in many ways FIN13’s intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today’s prevalent “smash and grab” ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.
ObservedCountries: Mexico.
Tools usedBLUEAGAVE, BUSTEDPIPE, CLOSEWATCH, DRAWSTRING, GetUserSPNS.vbs, GoBot2, HOTLANE, JSPRAT, LATCHKEY, MAILSLOT, NIGHTJAR, nmap, PORTHOLE, PowerSploit, ProcDump, SHELLSWEEP, SIXPACK, SPINOFF, SWEARJAR, Tiny SHell.
Information<https://www.mandiant.com/resources/fin13-cybercriminal-mexico>

Last change to this card: 26 December 2021

Download this actor card in PDF or JSON format

Previous: FIN12
Next: Fishing Elephant

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]