FIN13: A Cybercriminal Threat Actor Focused on Mexico
Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. FIN13's operations have several noticeable differences from current cybercriminal data theft and ransomware extortion trends.
Although their operations continue through the present day, in many ways FIN13’s intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today’s prevalent “smash and grab” ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul. In this blog post, we describe the notable aspects of FIN13's operations to spotlight a regional cybercriminal ecosystem that deserves more exploration.
A Spanish language version of this post is available.
Since mid-2017, Mandiant has responded to multiple investigations which we have attributed to FIN13. In contrast to other financially motivated actors, FIN13 has highly localized targeting. Over five years of Mandiant intrusion data shows FIN13 operates exclusively against organizations based in Mexico and has specifically targeted large organizations in the financial, retail, and hospitality industries. A review of publicly available financial data show several of these organizations have annual revenue in the millions to billions in U.S. dollars (1 USD = 21.21 MXN as of December 6, 2021).
FIN13 will thoroughly map a victim’s network, capturing credentials, stealing corporate documents, technical documentation, financial databases, and other files that will support their objective of financial gain through the fraudulent transfer of funds from the victim organization.
Dwell Time and Operational Lifespan
Mandiant investigations determined that FIN13 had a median dwell time, (defined as the duration between the start of a cyber intrusion and it being identified), of 913 days or 2 ½ years. The lengthy dwell time for a financially motivated actor is anomalous and significant for many factors. In the Mandiant M-Trends 2021, 52% of compromises had dwell times of less than 30 days, improved from 41% in 2019: "A major factor contributing to the increased proportion of incidents with dwell times of 30 days or fewer is the continued surge in the proportion of investigations that involved ransomware, which rose to 25% in 2020 from 14% in 2019." The dwell time for ransomware investigations can be measured in days, whereas FIN13 is often present in environments for years to conduct their stealthier operations to reap as much of a reward as they can.
Mandiant clusters threat actor activity from a variety of sources, including first-hand investigations by Mandiant’s Managed Defense and Incident Response teams. In a review of over 850 clusters of financially motivated activity that Mandiant tracks, FIN13 shares a compelling statistic with only one other threat actor: FIN10, the scourge of Canada between 2013 and 2019. A mere 2.6% of the financially motivated threat actors that Mandiant has tracked across multiple intrusions have targeted organizations in only a single country.
When considering the earliest and latest dates of identified activity (“operational lifespan”) for the groups, the data gets interesting. Most of the financially motivated threat clusters Mandiant tracks have an operational lifespan of less than a year. Only ten have an operational lifespan between one and three years and four have a lifespan greater than three years. Of these four, only two of them have operated for over five years: FIN10 and FIN13, which Mandiant considers rare (Figure 1).
FIN13 has a demonstrated ability to remain stealthy in the networks of large, profitable Mexican organizations for a considerable length of time.
Mandiant Targeted Attack Lifecycle
Targeted attacks typically follow a predictable sequence of events. Appendix A (at the bottom of the post) provides additional information on Mandiant’s targeted attack lifecycle, which provides the major phases of a typical intrusion. Not all attacks follow the exact flow of this model; its purpose is to provide a visual representation of the common attack lifecycle.
Mandiant investigations reveal that FIN13 has primarily exploited external servers to deploy generic web shells and custom malware including BLUEAGAVE and SIXPACK to establish a foothold. The details of the exploits and the specific vulnerabilities targeted over the years have not been confirmed, due to insufficient evidence compounded by FIN13's long dwell times. In two separate intrusions, the earliest evidence suggested a likely exploit against the victim's WebLogic server to write a generic web shell. In another, evidence suggested exploitation of Apache Tomcat. Although details on the exact vector are sparse, FIN13 has historically used web shells on external servers as a gateway into a victim.
The usage of JSPRAT by FIN13 allows the actor to achieve local command execution, upload/download files, and proxy network traffic for additional pivoting during later stages of the intrusion. FIN13 has also historically used publicly available web shells coded in various languages including PHP, C# (ASP.NET), and Java.
FIN13 has also extensively deployed the PowerShell passive backdoor BLUEAGAVE on target hosts when establishing an initial foothold in an environment. BLUEAGAVE utilizes the HttpListener .NET class to establish a local HTTP server on high ephemeral ports (65510-65512). The backdoor listens for incoming HTTP requests to the root URI / on the established port, parses the HTTP request, and executes the URL encoded data stored within the ‘kmd’ variable of the request via the Windows Command Prompt (cmd.exe). The output of this command is then sent back to the operator in the body of the HTTP response. In addition, Mandiant has identified a Perl version of BLUEAGAVE which allows FIN13 to establish a foothold on Linux systems. Figure 2 is sample PowerShell code from BLUEAGAVE.
Mandiant categorizes passive backdoors as malware that provides access to a victim environment without actively beaconing to a command and control server. Passive backdoors may include web shells or custom malware that accept or listen for incoming connections over a specified protocol. FIN13’s usage of passive backdoors rather than commonly used active backdoors, such as BEACON, demonstrates the actor’s desire for stealth and sustained, long term intrusions. FIN13 also maintains active knowledge of victim networks which has allowed them to effectively create complex pivots across target environments from their initial foothold. During a recent intrusion, Mandiant observed FIN13 leverage their foothold to chain multiple web shells together and proxy their traffic to BLUEAGAVE infected hosts in the environment. Figure 3 is an example logged HTTP request which demonstrates FIN13 chaining multiple web shells together from their initial foothold.
FIN13 primarily utilizes common privilege escalation techniques, however, the actor appears flexible to adapt when exposed to diverse victim networks. FIN13 has relied on publicly available utilities, such as Windows Sysinternal's ProcDump, to obtain process memory dumps of the LSASS system process and then used Mimikatz to parse the dumps and extract credentials. Figure 4 is an example host command used by FIN13 to dump the process memory of LSASS.
Mandiant has also observed FIN13 using the legitimate Windows utility certutil, in some cases to launch obfuscated copies of utilities like ProcDump for detection evasion. In one intrusion, FIN13 utilized certutil to decode a base64 encoded version of the custom dropper LATCHKEY. LATCHKEY is a PowerShell to EXE (PS2EXE) compiled dropper that base64 decodes and executes the PowerSploit function Out-Minidump which generates a minidump for the LSASS system process to disk.
FIN13 has also used some more unique privilege escalation techniques. For example, during a recent intrusion, Mandiant observed FIN13 replace legitimate KeePass binaries with trojanized versions that logged newly entered passwords to a local text file. This allowed FIN13 to target and collect credentials for numerous applications to further their mission. Figure 5 is a code excerpt from the trojanized version of KeePass deployed by FIN13 in a client environment.
FIN13 is particularly adept at leveraging native operating system binaries, scripts, third party tools and custom malware to conduct internal reconnaissance within a compromised environment. This actor appears comfortable leveraging various techniques to quickly gather background information which will support their final objectives.
Mandiant has observed FIN13 use common Windows commands to gather information, such as whoami to display group and privilege details for their currently logged in user. For network reconnaissance they have been observed taking advantage of ping, nslookup, ipconfig, tracert, netstat, and the gamut of net commands. To gather local host information, the threat actor used systeminfo, fsutil fsinfo, attrib, and extensive use of the dir command.
FIN13 rolled many of these reconnaissance efforts into scripts to automate their processes. For example, they used pi.bat to iterate through a list of IP addresses in a file, execute a ping command and write the output to a file (Figure 6). A similar script used dnscmd to export a host’s DNS zones to a file.
FIN13 has taken advantage of third-party tools, such as NMAP to support recon operations. In three FIN13 investigations, the threat actors employed a variant of the GetUserSPNS.vbs script to identify user accounts associated with a Service Principal Name that could be targeted for an attack known as “Kerberoasting” to crack the users’ passwords. They also use PowerShell to obtain additional DNS data and export it to a file (Figure 7). Similar PowerShell code is documented in a June 2018 post to coderoad[.]ru.
In another instance, FIN13 executed a PowerShell script to extract login events from a host over the previous seven days. This may have been used to gather information and allow FIN13 to blend into normal operations for the targeted systems. Additionally, this script will help identify users who have logged in, event 7001, for which there is no corresponding event 7002. The implication being that dumping LSASS could acquire user credentials (Figure 8). Similar PowerShell code is documented in a July 2018 post to codetwo[.]com.
Additionally, FIN13 has taken advantage of corporate infrastructure to launch recon activities. During one investigation, FIN13 accessed the target’s Symantec Altiris console, a software and hardware management platform, to repeatedly modify an existing Run Script task in the interface to acquire network and host information. In another investigation, FIN13 utilized a compromised LanDesk account to execute commands to return host, network, and database information from the environment.
Not limited to publicly available tooling, FIN13 has also used several custom malware families to aid in internal recon. In three investigations, FIN13 used PORTHOLE, a Java-based port scanner, to conduct network research. PORTHOLE may attempt multiple socket connections to many IPs and ports and, as it is multi-threaded, can execute this operation rapidly with potentially multiple overlapping connections. The malware accepts as its first argument either an IP address with wildcards in the address, or a filename. The second argument is the starting port range to scan for each IP, and the third is the ending port range.
CLOSEWATCH is a JSP web shell that communicates with a listener on localhost over a specified port, writes arbitrary files to the victim operating system, executes arbitrary commands on the victim host, disables proxying and issues customizable HTTP GET requests to a range of remote hosts. If the proper HTTP URL parameters are specified, CLOSEWATCH can create a socket connection to localhost on port 16998 where it can send and receive data using HTTP-like communications using chunked transfer-encoding. If the range parameter is specified, CLOSEWATCH can scan a range of IPs and ports using custom parameters. This malware was observed at one of the earliest FIN13 investigations. Although a sample has recently appeared on a public repository, this malware hasn’t been observed during more recent investigations. While more than just a recon tool, CLOSEWATCH’s range parameter provides FIN13 with another scanning capability.
FIN13 has been observed executing Microsoft’s osql utility, but they have also leveraged yet another JSP web shell, which Mandiant tracks as SPINOFF, for SQL research. SPINOFF can execute arbitrary SQL queries on specified databases and download the results to a file. Like CLOSEWATCH, this malware was prevalent in early investigations.
A downloader, which Mandiant tracks as DRAWSTRING, has some internal recon functionality. While primarily providing FIN13 the ability to download and execute arbitrary files, DRAWSTRING will also execute systeminfo.exe and upload that information to a command and control (C2) server. On startup the malware creates persistence through three possible methods: a Service, a .lnk file or an update to the Software\Microsoft\Windows\CurrentVersion\Run registry key. The malware checks for the numerous anti-virus processes and varies the persistence method if one is found.
The malware then runs the following two commands, Figure 9 and Figure 10, where %s is replaced by the name of the program.
This Add-MpPreference command modifies settings for Windows Defender and specifies a file path to exclude from scheduled and real-time scanning.
This command adds a new rule to a Windows firewall allowing DRAWSTRING outbound communications.
The malware gathers system information by executing systeminfo.exe and the Username, Computername, System Patch Information, Program Files directory list, and Architecture are encrypted and base64 encoded. DRAWSTRING then performs a HTTP POST request over port 443 with the captured system data. While this communication uses port 443, the data is not over TLS/SSL and is not encrypted. The malware makes 10 attempts to contact the C2, sleeping for 10 seconds between each round. The response is decrypted, saved, and executed.
An example callout is illustrated in Figure 11. Mandiant has observed FIN13 use the same IP for both a DRAWSTRING and GOTBOT2 C2.
The group has frequently leveraged Windows Management Instrumentation (WMI) to remotely execute commands and move laterally, namely by employing the native wmic command, a version of the publicly available Invoke-WMIExec script, or WMIEXEC. Figure 12 is an example WMIC command used by FIN13.
In the same investigation where FIN13 has used wmiexec.vbs, Mandiant has also observed the actor use a custom JSP web shell tunneler named BUSTEDPIPE to facilitate lateral movement via web requests.
Mandiant has also observed FIN13 use similar utilities to Invoke-WMIExec, such as the Invoke-SMBExec PowerShell utility, at a Managed Defense client. Figure 13 is an example Invoke-SMBExec command used by FIN13.
NIGHTJAR is a Java uploader observed during multiple investigations that appears to be based on code found on Tech Talk. NIGHTJAR will listen on a designated socket, provided at runtime on the command line, to download a file and save it to disk. This malware does not contain a persistence mechanism and has been observed in the C:\Windows\Temp or C:\inetpub\wwwroot directory. Two versions of the command line syntax have been observed, Figure 14 and Figure 15.
To move laterally cross-platform, FIN13 has used their BLUEAGAVE web shell, and two other small PHP web shells which were used to execute commands remotely between Linux systems via SSH with a specified username and password. A snippet of one of these web shells is in Figure 16.
Early FIN13 intrusions involved multiple generic web shells for persistence, but over the years, FIN13 has developed a portfolio of both custom and publicly available malware families to use for persistence in an environment.
In multiple intrusions, FIN13 deployed SIXPACK and SWEARJAR. SIXPACK is an ASPX web shell written in C# that functions as a tunneler. SIXPACK accepts HTTP form data that contains a remote host and TCP port to connect to, a timeout value, and Base64-encoded data to send after connecting to the specified host. Response data is read by SIXPACK and returned to the original client. SWEARJAR is a Java-based cross-platform backdoor that can execute shell commands.
In one instance, FIN13 deployed a backdoor called MAILSLOT, which communicates over SMTP/POP over SSL, sending and receiving emails to and from a configured attacker-controlled email account for its command and control. MAILSLOT makes FIN13 a rare case of a threat actor who has used email communications for C2.
They have also employed a custom utility Mandiant named HOTLANE, which is a tunneler written in C/C++ that can operate in client or server mode and communicates with a custom binary protocol over TCP.
One unique publicly available utility the actor has used is a PHP webshell based on PHPSPY, which Mandiant tracks as SHELLSWEEP, which contained functionality to retrieve credit card information. Figure 17 contains a snippet of the PHP web shell.
To persistently execute their backdoors, FIN13 has used Windows Registry run keys such as HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts which was configured to execute a file located at C:\WINDOWS\hosts.exe. They have also created scheduled tasks with names such as acrotryr and AppServicesr to execute binaries of the same name in the C:\Windows directory.
While many organizations are inundated with ransomware, FIN13 nostalgically monetizes their intrusions through targeted data theft to enable fraudulent transactions. FIN13 has exfiltrated commonly targeted data such as LSASS process dumps and registry hives, but ultimately targeted users effective towards their financial goals. In one intrusion, FIN13 specifically enumerated all users and roles from the victim's main treasury system. FIN13 then moved further into sensitive parts of the network, including POS and ATM networks, where they could exfiltrate a range of highly targeted data.
At one victim, FIN13 exfiltrated files related to Verifone, a commonly used software that facilitates money transfers on POS systems. In at least one case, FIN13 exfiltrated the entire base folder for a POS system which included file dependencies, images used for printing receipts, and .wav files used for sound effects. At a different victim, FIN13 similarly stole dependency files for the victim's ATM terminal software. The information stolen from systems important to a monetary transaction could be used to illuminate potential avenues for fraudulent activity.
FIN13 also interacted with databases to gather financially sensitive information. In one victim database, FIN13 retrieved contents of the following tables for exfiltration:
- "claves_retiro" (English translation "withdrawal keys")
- "codigos_retiro_sin_tarjeta" (English translation "keyless card withdrawal codes")
- "retirosefectivo" (English translation "cash withdrawal")
With treasures in hand, FIN13 masqueraded their staged data by using the Windows certutil utility to generate a fake, Base64 encoded certificate with the input file. The certificate contained the content of the archive file (Figure 18), prepared for exfiltration with normal certificate beginning and end statements.
FIN13 then exfiltrated the data via web shells previously deployed in the environment or using a simple JSP tool (Figure 19) in a web accessible directory.
Although FIN13 targeted specific data that could aide fraudulent transactions, we were not always able to witness firsthand how FIN13 capitalized on the stolen information. At one victim, we were able to recover a tool, named GASCAN, that gave us visibility into their endgame.
GASCAN is Java based malware that processes point-of-sale data and sends specially crafted messages to a command-line specified remote server. The data sent contains a value that corresponds to one of two different ISO 8583 message types and can be used to construct fraudulent ISO 8583 transactions. The first message type, 0100, indicates data corresponding to an authorization message and is used to determine if funds are available on a specific account. After receiving the first message, the C2 server returns a buffer that includes the string “Aprobada”, which translates to “Approved”. The second message type, 0200, contains data used for a financial request message and is used to post a charge to a specific account. The second message structure includes a field called “monto”, which translates to “amount”. The value of “monto” is calculated using an internal function that returns a randomly generated number between 2000 and 3000, used as the transaction amount sent in the second message. Based on the information sent, it is likely that the specified remote server is responsible for formatting and sending the ISO 8583 message for fraudulent transactions.
The GASCAN sample was tailored to the victim environment and expected data from POS systems used by the organization. The same victim was alerted of over one thousand fraudulent transactions in a short time window, totaling millions of pesos, or several hundred thousand U.S. dollars.
Between the complex web of cybercriminal activity, traditional organized crime turning to cryptocurrency, aggressive targeting by North Korea, Chinese espionage, and the ransomware pandemic, Latin American cyberspace will continue to be an area for additional research for years to come as noted by Proofpoint and ESET publications earlier this year.
Notably, while ransomware has captured the cybercriminal zeitgeist, Mandiant has not observed FIN13 deploy ransomware in an intrusion at the time of this publication. FIN13 has remained focused on more traditional financially motivated cybercrime and has targeted both Linux and Windows systems throughout their operations. It remains to be seen whether Latin American criminal actors will also transition to primarily executing ransomware operations or will continue to pursue fraud.
Latin American security teams and executives should be aware of these threats, assess their current posture, and adapt accordingly. Mandiant encourages these organizations to continue to collaborate with the larger industry to mitigate these threats. Mandiant’s team of Incident Response, Strategic Readiness, and Technical Assurance consultants in Mexico and around the globe are ready to assist with these efforts.
Learn more about FIN13 and SWEARJAR, a backdoor used by FIN13 that retrieves commands via DNS TXT records, by registering for a free subscription to Mandiant Advantage Threat Intelligence.
Indicators of Compromise
MITRE ATT&CK Techniques
Mandiant Security Validation Actions
Organizations can validate their security controls using the following Actions with Mandiant Security Validation.
Command and Control - FIN13, DRAWSTRING, C2 Communication
Host CLI - FIN13, DRAWSTRING, Exclude From Scanning
Host CLI - FIN13, DRAWSTRING, Using netsh to Allow Communications
Host CLI - FIN13, Persistence Using Registry Keys
Host CLI - FIN13, Persistence Using Schedule Tasks
Malicious File Transfer - FIN13, CLOSEWATCH, Download, Variant #1
Malicious File Transfer - FIN13, DRAWSTRING, Download, Variant #1
Malicious File Transfer - FIN13, DRAWSTRING, Download, Variant #2
Malicious File Transfer - FIN13, GOBOT2, Download
Malicious File Transfer - FIN13, JSPRAT, Download, Variant #1
Malicious File Transfer - FIN13, JSPRAT, Download, Variant #2
Malicious File Transfer - FIN13, JSPRAT, Download, Variant #3
Malicious File Transfer - FIN13, JSPRAT, Download, Variant #4
Malicious File Transfer - FIN13, LATCHKEY, Download
Malicious File Transfer - FIN13, MAILSLOT, Download
Malicious File Transfer - FIN13, MIMIKATZ, Download
Malicious File Transfer - FIN13, NIGHTJAR, Download, Variant #1
Malicious File Transfer - FIN13, NIGHTJAR, Download, Variant #2
Malicious File Transfer - FIN13, PORTHOLE, Download, Variant #1
Malicious File Transfer - FIN13, PORTHOLE, Download, Variant #2
Malicious File Transfer - FIN13, SIXPACK, Download
Malicious File Transfer - FIN13, SPINOFF, Download
Malicious File Transfer - FIN13, SWEARJAR, Download, Variant #1
Malicious File Transfer - FIN13, SWEARJAR, Download, Variant #2
Malicious File Transfer - FIN13, SWEARJAR, Download, Variant #3
Malicious File Transfer - FIN13, SWEARJAR, Download, Variant #4
Malicious File Transfer - FIN13, TINYSHELL, Download
Malicious File Transfer - FIN13, WMIEXEC, Download
Malicious File Transfer - HOTLANE (UPX unpacked), Download
Malicious File Transfer - HOTLANE, Download, UPX Packed
Protected Theater - FIN13, GOBOT2, Execution
This blog post would not have been possible without the exceptional efforts from Mandiant Consulting’s Incident Response team, Managed Defense Analysts, FLARE’s outstanding Reverse Engineers, Detection Wizard Evan Reese, Jeremy Kennelly for his expertise, Mandiant Threat Intelligence’s collections team, and all those unsung Mandiant Engineers that keep the cogs greased and turning.
Appendix A: Targeted Attack Lifecycle
Initial Reconnaissance: The attacker researches systems and employees of a target and outlines a methodology for the intrusion. The attacker may search for infrastructure that provides remote access to an environment or research employees to target for social engineering attacks.
Initial Compromise: The attacker successfully executes malicious code on one or more systems. This usually occurs as the result of a social engineering attack or exploitation of a vulnerability on an Internet-facing system.
Establish Foothold: Immediately following the initial compromise, the attacker maintains continued control over a recently compromised system. The attacker typically establishes a foothold by installing a persistent backdoor or downloading additional utilities to the compromised system.
Escalate Privileges: The attacker obtains further access to systems and data within the environment. Attackers often escalate their privileges through credential harvesting, keystroke logging, or subversion of authentication systems.
Internal Reconnaissance: The attacker explores the organization’s environment to gain a better understanding of infrastructure, storage of information of interest, and the roles and responsibilities of key individuals.
Move Laterally: The attacker uses accounts obtained from the “Escalate Privileges” phase and moves laterally to additional systems within the compromised environment. Common lateral movement techniques include accessing network file shares, remote execution of commands, or accessing systems through remote login protocols such as Remote Desktop Services (RDS) or secure shell (SSH).
Maintain Presence: The attacker ensures continued access to the environment by installing multiple variants of backdoors or by accessing remote access services such as the corporate virtual private network (VPN).
Complete Mission: The attacker accomplishes the objectives of the intrusion such as stealing intellectual property, financial data, mergers and acquisition information, or personally identifiable information (PII). In other cases, the objective of the mission might be a disruption of systems or services or destruction of data within the environment.