Fog ransomware hackers are using an unusual toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
The Fog ransomware operation was first spotted in May of last year, leveraging compromised VPN credentials to gain access to victims' networks.
Post-compromise, they used "pass-the-hash" attacks to gain admin privileges, disabled Windows Defender, and encrypted all data, including virtual machine storage.
Later, the threat group was seen exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.
Researchers at Symantec and the Carbon Black Threat Hunter team discovered the unusual attack toolset during an incident response last month at a financial institution in Asia.
Symantec couldn't determine the initial infection vector but documented the use of multiple unusual tools that had not previously been seen in such attacks.
The most unusual and interesting of these is Syteca (formerly known as Ekran), a legitimate employee monitoring software that records screen activity and keystrokes.
The attackers could use the tool to collect information such as the account credentials that employees type in, unaware that they are being monitored remotely.
Syteca was stealthily delivered to the system by Stowaway, an open-source proxy tool for covert communication and file transfers, and executed by SMBExec, the PsExec equivalent in the open-source Impacket framework used for lateral movement.
The attack also involved GC2, an open-source post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control (C2) and data exfiltration.
GC2 has rarely been seen in ransomware attacks; it was previously used in attacks attributed to the Chinese threat group APT41.
Apart from these tools, Symantec also lists the following as part of Fog ransomware's recent arsenal:
To prepare data for exfiltration and send it to their infrastructure, Fog ransomware also used the 7-Zip, MegaSync, and FreeFileSync utilities.
"The toolset deployed by the attackers is highly unusual for a ransomware attack," comments Symantec in the report.
"The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack," the researchers said.
Unusual combinations like the one Symantec observed in the recent Fog ransomware attack can help threat actors evade detection. The researchers' report provides indicators of compromise that can help organizations protect against such incidents.