Fog ransomware hackers are utilizing an unusual toolset, which incorporates open-source pentesting utilities and a reliable worker monitoring software program referred to as Syteca.
The Fog ransomware operation was first noticed final 12 months in Could leveraging compromised VPN credentials to entry victims’ networks.
Put up-compromise, they used “pass-the-hash” assaults to achieve admin privileges, disabled Home windows Defender, and encrypted all information, together with digital machine storage.
Later, the menace group was noticed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, in addition to SonicWall SSL VPN endpoints.
New assault toolset
Researchers at Symantec and the Carbon Black Menace Hunter staff found the bizarre assault toolset throughout an incident response final month on a monetary establishment in Asia.
Symantec couldn’t decide the preliminary an infection vector however documented the usage of a number of new instruments that haven’t been beforehand seen in such assaults.
Essentially the most uncommon and fascinating of these is Syteca (previously generally known as Ekran), a reliable worker monitoring software program that information display screen exercise and keystrokes.
The attackers may use the instrument to gather info like account credentials staff sort in unaware that they’re monitored remotely.
Syteca was stealthily delivered to the system by Stowaway, an open-source proxy instrument for covert communication and file transfers, and executed by SMBExec, the PsExec equal within the Impacket open-source framework used for lateral motion.
The assault additionally concerned GC2, an open-source post-exploitation backdoor that makes use of Google Sheets or Microsoft SharePoint for command-and-control (C2) and knowledge exfiltration.
GC2 has been hardly ever seen in ransomware assaults, beforehand utilized in assaults attributed to the APT41 Chinese language menace group.
Other than these instruments, Symantec additionally lists the next as a part of Fog ransomware’s newest arsenal:
- Adapt2x C2 – open-source various to Cobalt Strike supporting post-exploitation actions
- Course of Watchdog – system monitoring utility that may restart key processes
- PsExec – Microsoft Sysinternals instrument for distant execution throughout networked machines
- Impacket SMB – Python library with low-level programmatic entry to SMB, doubtless used for deploying the ransomware payload on the sufferer’s machine.
To arrange knowledge for exfiltration and ship it to their infrastructure, Fog ransomware additionally used 7-Zip, MegaSync, and FreeFileSync utilities.
“The toolset deployed by the attackers is sort of atypical for a ransomware assault,” feedback Symantec within the report.
“The Syteca consumer and GC2 instrument will not be instruments we have now seen deployed in ransomware assaults earlier than, whereas the Stowaway proxy instrument and Adap2x C2 Agent Beacon are additionally uncommon instruments to see being utilized in a ransomware assault,” the researchers say.
Uncommon units just like the one Symantec noticed within the latest Fog ransomware assault will help menace actors evade detection. The researchers’ report offers indicators of compromise that may assist organizations shield in opposition to such incidents.
Patching used to imply complicated scripts, lengthy hours, and limitless fireplace drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, cut back overhead, and give attention to strategic work — no complicated scripts required.
