- Fog ransomware was seen using Syteca, a legitimate employee monitoring tool, to log keystrokes and capture passwords
- It also used open source tools to drop the payload and exfiltrate data
- The attack was "atypical," researchers say
Fog ransomware operators have expanded their arsenal to include legitimate and open source tools, most likely to avoid detection before deploying the encryptor.
Symantec security researchers were recently brought in to investigate a Fog ransomware infection and determined that the attackers used Syteca, a legitimate employee monitoring tool, during the attack.
This program, formerly known as Ekran, records screen activity and keystrokes and had not been seen abused in an attack until now.
More accounts compromised
By logging keystrokes and capturing passwords, the attackers were able to access additional systems, map the network and then successfully deploy the encryptor.
To drop Syteca, Fog used Stowaway, an open source multi-hop proxy tool designed for security researchers and penetration testers to route traffic through multiple intermediary nodes in restricted or internal networks.
After dropping the payload, the attackers used SMBExec, another open source post-exploitation tool, to execute it over the Server Message Block (SMB) protocol.
Finally, Fog used GC2, an open source post-exploitation backdoor that uses Google Sheets and SharePoint for command and control (C2) and data exfiltration. Like Syteca, it has rarely been seen abused in attacks, although BleepingComputer reports that the Chinese state-sponsored actor APT41 has been seen using it on occasion.
"The toolset deployed by the attackers is quite atypical for a ransomware attack," Symantec said in its report.
"The Syteca client and the GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and ADAP2X C2 Agent Beacon are also unusual tools to see used in a ransomware attack," they added.
Fog ransomware first appeared in April 2024, and its first attack was discovered a month later. Since then, the group has made a name for itself, claiming notable victims such as the Belgium-based semiconductor maker Melexis, the European meteorological organization Eumetsat, FHNW University (a major Swiss educational institution) and Ultra Tune (an Australian car service franchise).
In earlier attacks, the group used compromised VPN credentials to gain access to victims' networks and then used pass-the-hash attacks to escalate privileges, disable antivirus products and encrypt all files.
Via Bleeping computer