October 21, 2022 HAWKEYE

An overview of FIN11 and their motivations

FIN11, a financially motivated threat group, has run some of the most extensive and longest-running malware distribution campaigns researchers have observed to date among financially motivated threat actors. In addition to its prolific malicious email operations, FIN11 is noteworthy for its continual development of malware delivery techniques.

Background:

The most frequent outcomes of recent FIN11 intrusions have been data theft, extortion, and network disruption caused by the deployment of CLOP ransomware. FIN11 has also deployed point-of-sale (POS) malware in at least one victim environment, indicating a flexible and dynamic approach to its intrusion activity.

FIN11 Targets:

Numerous industries and geographical areas have been impacted by FIN11 campaigns. From 2017 to 2018, the group’s malicious email campaigns mostly targeted businesses in the restaurant, retail, and banking industries. In 2019 and 2020, FIN11 broadened the scope of the businesses and nations they targeted, becoming more indiscriminate and diverse, frequently employing generic financial enticements. However, a portion of FIN11’s 2019 and 2020 campaigns specifically targeted businesses in particular sectors or geographical areas, frequently using the target’s native tongue along with manipulated email sender information, like spoof email display names and email sender addresses, to make the emails appear more authentic.

The majority of purported victims reported on the CL0P – LEAKS website have been based in Europe, with around half of the victim organizations being situated in Germany, despite the fact that well-known ransomware attacks are most typically cited as having affected North American-based firms. FIN11 has utilized German-language lures in several of their 2020 campaigns, implying that they have intentionally targeted German organizations, even though this data is skewed towards those who decided not to comply with extortion demands.

Recent Campaign:

In September 2022, FIN11 was observed using fake Zoom download pages to install the Vidar infostealer, targeting a large attack surface. By leveraging a disguised Zoom installer, the threat actor attempted to compromise a vast number of machines across all operating systems that run popular online applications, since Zoom is used globally as a video conferencing solution. Due to COVID-19, remote work, distance learning, and online social interaction have risen considerably over the previous two years. Downloads of the Zoom application spiked as a result, and the pattern has persisted even after the pandemic. Because of Zoom’s growing popularity, phishing lures that impersonate it have become more prevalent once again.

TTPs:

Since at least January 2019, FIN11 activity has been characterized by the fast evolution of its malicious email distribution TTPs. The group made small adjustments to its initial delivery methods during its 2019 and 2020 campaigns, probably in an effort to evade victims’ detection systems. These modifications affected how the payloads were delivered, the downloaders in the macro-enabled documents, the Windows API functions used by the FRIENDSPEAK downloader, the lure languages, and the payloads themselves. However, these comparatively minor and uncreative adjustments do not by themselves demonstrate sophistication. Between September 2019 and September 2020, FIN11 made minor adjustments to the methods used to distribute malicious Microsoft Office files carrying FRIENDSPEAK payloads, including the use of HTML attachments, URL shortening services, and compromised infrastructure. The group continued to use methods from earlier campaigns while also incorporating new distribution techniques practically every month.

FIN11 Origin:

Based on Russian-language file metadata, the avoidance of CLOP installations in CIS nations, and the observance of the Russian New Year and Orthodox Christmas holiday season, it is most likely that FIN11 operates out of the Commonwealth of Independent States (CIS). Before executing, samples of the CLOP ransomware check for the Russian character set (204) and popular CIS keyboard layouts. CLOP will delete itself if both the keyboard layout and the character set indicate that the host is in a CIS nation. Also, researchers have observed that the Russian New Year holiday and Orthodox Christmas, which fall between January 1 and 8 every year, seem to have a significant impact on FIN11’s activity.

Detection:

  • Keep an eye out for activities related to the execution of scripts, such as the loading of modules for scripting languages (ex: JScript.dll or vbscript.dll).
  • Check log files for process execution using scripting and command-line operations. The use of native processes or customized tools by adversaries can be further understood with the use of this knowledge. Observe the loading of modules related to certain languages as well.
  • Keep an eye on newly created files that might create persistence or elevate privileges by using system mechanisms that start execution in response to certain actions.
  • Keep an eye out for unexpected login behavior, especially for privileged accounts, coming from strange or unusual locations (ex: Exchange administrator account).
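The first three detection items above can be turned into one triage routine over endpoint telemetry. The following PowerShell is an added example, not code from the HAWKEYE post: it scores Sysmon-style events, flagging script-engine module loads (Event ID 7, `ImageLoaded`) and script-host process creations (Event ID 1), and raises the severity when the process or parent is an Office application, which matches the macro-document delivery chain described in the TTPs section. The DLL, script-host and Office-application name lists and the severity levels are assumptions, and the sample events are constructed.

```powershell
# Added example (not from the HAWKEYE post): triage Sysmon-style events for
# scripting activity. Field names follow Sysmon Event ID 7 (ImageLoaded) and
# Event ID 1 (ProcessCreate); the name lists and severities are assumptions.

$ScriptEngineDlls = @('jscript.dll', 'jscript9.dll', 'vbscript.dll')
$ScriptHosts      = @('wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe')
$OfficeApps       = @('winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe')

function Get-ScriptingAlerts {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # [string] cast turns a missing property into '' so GetFileName never sees $null
        $image  = [IO.Path]::GetFileName([string]$e.Image).ToLower()
        $parent = [IO.Path]::GetFileName([string]$e.ParentImage).ToLower()
        switch ([int]$e.EventId) {
            7 {
                # Script engine loaded into a process: high when the host is an
                # Office application (macro -> script), medium elsewhere.
                $dll = [IO.Path]::GetFileName([string]$e.ImageLoaded).ToLower()
                if ($ScriptEngineDlls -contains $dll) {
                    $sev = if ($OfficeApps -contains $image) { 'high' } else { 'medium' }
                    [pscustomobject]@{
                        Severity = $sev; Rule = 'script-engine-load'
                        Computer = $e.Computer; Process = $image; Detail = $dll
                    }
                }
            }
            1 {
                # Script host spawned: high when the parent is an Office application.
                if ($ScriptHosts -contains $image) {
                    $sev = if ($OfficeApps -contains $parent) { 'high' } else { 'low' }
                    [pscustomobject]@{
                        Severity = $sev; Rule = 'script-host-exec'
                        Computer = $e.Computer; Process = $image
                        Detail   = "parent=$parent cmd=$($e.CommandLine)"
                    }
                }
            }
        }
    }
}

# Constructed sample events (not real telemetry): a macro document loading the
# VBScript engine and spawning wscript.exe, plus two benign events for contrast.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 7; Computer = 'WS01'; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; ImageLoaded = 'C:\Windows\System32\vbscript.dll' }
    [pscustomobject]@{ EventId = 1; Computer = 'WS01'; Image = 'C:\Windows\System32\wscript.exe'; ParentImage = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'wscript.exe C:\Users\user\AppData\Local\Temp\invoice.js' }
    [pscustomobject]@{ EventId = 7; Computer = 'WS02'; Image = 'C:\Windows\explorer.exe'; ImageLoaded = 'C:\Windows\System32\shell32.dll' }
    [pscustomobject]@{ EventId = 1; Computer = 'WS02'; Image = 'C:\Windows\System32\cmd.exe'; ParentImage = 'C:\Windows\explorer.exe'; CommandLine = 'cmd.exe /c dir' }
)

# Two alerts are expected from the sample, both 'high' and both from WS01.
Get-ScriptingAlerts -Events $SampleEvents | Format-Table -AutoSize

# Against a live Sysmon channel (requires Sysmon installed and an elevated session),
# the same function consumes Get-WinEvent output once the EventData is flattened:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 7 } -MaxEvents 5000 |
#     ForEach-Object {
#         $x = [xml]$_.ToXml()
#         $d = @{ EventId = $_.Id; Computer = $_.MachineName }
#         foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
#         [pscustomobject]$d
#     }
# Get-ScriptingAlerts -Events $live | Where-Object Severity -eq 'high'
```

Running it on the constructed sample yields the two WS01 alerts and nothing for WS02. The medium and low tiers exist because script engines and script hosts are also used by legitimate administration; the Office-parent condition is what separates the FIN11-style macro chain from that background noise, so it is the tier worth paging on.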

Mitigations:

  • Enable Attack Surface Reduction (ASR) rules on Windows 10/11 to stop JavaScript and VBScript from launching downloaded content that may be harmful.
  • To reduce the value of usernames and passwords to adversaries, it is advised as a best practice to utilize multi-factor authentication for webmail servers that are accessible to the general public.
  • Make sure that software developers and system administrators are aware of the dangers of leaving software configuration files containing unencrypted passwords on endpoint devices or servers.
  • To educate users on typical phishing and spearphishing tactics and how to be suspicious of potentially dangerous activities, employ user training.
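The ASR mitigation above is a configuration change, and the item a practitioner wants is the exact rule identifier plus a way to audit the current state before enforcing it. The PowerShell below is an added example, not code from the HAWKEYE post: it reads the configured ASR rules from Microsoft Defender with `Get-MpPreference`, reports the state of the two rules that break the macro-document-to-script chain, and sets them with `Add-MpPreference`, starting in audit mode. The rule GUIDs are Microsoft's published ASR identifiers; the helper function names are this example's own, and the choice of audit mode first is a recommendation, not something the post specifies.

```powershell
# Added example (not from the HAWKEYE post): audit and enable the Defender ASR
# rules that break the macro document -> script -> payload delivery chain.
# Rule GUIDs are Microsoft's published identifiers. Run in an elevated session on a
# host where Microsoft Defender Antivirus is the active AV (ASR needs it running).

$AsrRules = @{
    'D3E037E1-3EB8-44C8-A917-57927947596D' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
}

function Get-AsrRuleState {
    # Defender exposes configured rules as two parallel arrays (ids and actions);
    # map each rule we care about to a readable state.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpper() })
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    foreach ($id in $AsrRules.Keys) {
        $idx   = [array]::IndexOf($ids, $id.ToUpper())
        $state = if ($idx -lt 0) { 'NotConfigured' } else {
            switch ([int]$actions[$idx]) {
                0 { 'Disabled' } 1 { 'Block' } 2 { 'Audit' } 6 { 'Warn' } default { "Unknown($_)" }
            }
        }
        [pscustomobject]@{ RuleId = $id; Name = $AsrRules[$id]; State = $state }
    }
}

function Set-AsrRule {
    # AuditMode first: matches are logged in the Microsoft-Windows-Windows Defender/Operational
    # channel (Event ID 1122 for audit, 1121 for block) without blocking, so false positives
    # surface before the rule is switched to Enabled.
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [ValidateSet('Enabled', 'AuditMode', 'Warn', 'Disabled')][string]$Action = 'AuditMode'
    )
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $Action
}

# Before: typically 'NotConfigured' on a default install (the weak state).
Get-AsrRuleState | Format-Table -AutoSize

# Roll out in audit mode; switch -Action to Enabled once the audit events look clean.
foreach ($id in $AsrRules.Keys) { Set-AsrRule -RuleId $id -Action AuditMode }

# After: both rules should now report 'Audit'.
Get-AsrRuleState | Format-Table -AutoSize
```

The second rule is included alongside the JavaScript/VBScript rule because the TTPs section describes macro-enabled Office documents as the delivery vehicle for the downloader; blocking Office child processes cuts that chain one step earlier than the script rule does. Check `Get-AsrRuleState` after any Group Policy or Intune refresh, since centrally managed settings overwrite local `Add-MpPreference` changes.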