Sunday, June 15, 2025

Fog ransomware attack uses unusual mix of legitimate and open-source tools

Fog ransomware hackers are using an unusual toolset that includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.

The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims' networks.

Post-compromise, they used "pass-the-hash" attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.

Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.

New attack toolset

Researchers at Symantec and the Carbon Black Threat Hunter team discovered the unusual attack toolset during an incident response last month at a financial institution in Asia.

Symantec couldn't determine the initial infection vector but documented the use of several new tools that haven't been previously seen in such attacks.

The most unusual and interesting of these is Syteca (formerly known as Ekran), a legitimate employee monitoring software that records screen activity and keystrokes.

The attackers could use the tool to collect information such as account credentials that employees type in, unaware that they are being monitored remotely.

Syteca was stealthily delivered to the system by Stowaway, an open-source proxy tool for covert communication and file transfers, and executed by SMBExec, the PsExec equivalent in the Impacket open-source framework used for lateral movement.

The attack also involved GC2, an open-source post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control (C2) and data exfiltration.

GC2 has rarely been seen in ransomware attacks, having previously been used in attacks attributed to the APT41 Chinese threat group.

Apart from these tools, Symantec also lists the following as part of Fog ransomware's latest arsenal:

  • Adapt2x C2 – open-source alternative to Cobalt Strike supporting post-exploitation activities
  • Process Watchdog – system monitoring utility that can restart key processes
  • PsExec – Microsoft Sysinternals tool for remote execution across networked machines
  • Impacket SMB – Python library with low-level programmatic access to SMB, likely used for deploying the ransomware payload on the victim's machine.

To prepare data for exfiltration and send it to their infrastructure, Fog ransomware also used the 7-Zip, MegaSync, and FreeFileSync utilities.

"The toolset deployed by the attackers is quite atypical for a ransomware attack," comments Symantec in the report.

"The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack," the researchers say.

Unusual toolsets like the one Symantec observed in the recent Fog ransomware attack can help threat actors evade detection. The researchers' report provides indicators of compromise that can help organizations defend against such incidents.
