Article Details

Fog ransomware attack uses unusual mix of legitimate and open-source tools. Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca. The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks. Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage. Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints. New attack toolset Researchers at Symantec and the Carbon Black Threat Hunter team discovered the unusual attack toolset during an incident response last month on a financial institution in Asia. Symantec couldn’t determine the initial infection vector but documented the use of multiple new tools that have not been previously seen in such attacks. The most unusual and interesting of those is Syteca (formerly known as Ekran), a legitimate employee monitoring software that records screen activity and keystrokes. The attackers could use the tool to collect information like account credentials employees type in unaware that they are monitored remotely. Syteca was stealthily delivered to the system by Stowaway, an open-source proxy tool for covert communication and file transfers, and executed by SMBExec, the PsExec equivalent in the Impacket open-source framework used for lateral movement. The attack also involved GC2, an open-source post-exploitation backdoor that uses Google Sheets or Microsoft SharePoint for command-and-control (C2) and data exfiltration. GC2 has been rarely seen in ransomware attacks, previously used in attacks attributed to the APT41 Chinese threat group. Apart from these tools, Symantec also lists the following as part of Fog ransomware’s latest arsenal: To prepare data for exfiltration and deliver it to their infrastructure, Fog ransomware also used 7-Zip, MegaSync, and FreeFileSync utilities. “The toolset deployed by the attackers is quite atypical for a ransomware attack,” comments Symantec in the report. “The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack,” the researchers say. Unusual sets like the one Symantec spotted in the recent Fog ransomware attack can help threat actors evade detection. The researchers' report provides indicators of compromise that can help organizations protect against such incidents. Why IT teams are ditching manual patch management Patching used to mean complex scripts, long hours, and endless fire drills. Not anymore. In this new guide, Tines breaks down how modern IT orgs are leveling up with automation. Patch faster, reduce overhead, and focus on strategic work -- no complex scripts required.