- Fog ransomware was seen using Syteca, a legitimate employee monitoring tool, to log keys and grab passwords
- It also used open-source tools for payload dropping and file exfiltration
- The attack was “atypical”, researchers claim
Fog ransomware operators have expanded their arsenal to include legitimate and open source tools. This is, most likely, to avoid being detected before deploying the encryptor.
Security researchers from Symantec were recently brought in to investigate a Fog ransomware infection, and determined the hackers used Syteca, a legitimate employee monitoring tool, during the attack.
This program, previously known as Ekran, records screen activity and keystrokes, and hasn’t been seen abused in attacks before now.
“Several” accounts compromised
By logging keystrokes and tracking passwords, the attackers were able to access additional systems, map out the network, and then successfully deploy the encryptor.
To drop Syteca, Fog used Stowaway, an open-source, multi-hop proxy tool designed for security researchers and pentesters to route traffic through multiple intermediary nodes into restricted or internal networks.
After dropping the payload, the attackers used SMBExec, another open-source post-exploitation tool, to execute it over the Server Message Block protocol (SMB).
Lastly, Fog used GC2, an open source post-exploitation backdoor that leverages Google Sheets and SharePoint for command-and-control (C2) and data exfiltration. Just like Syteca, this one is rarely seen abused in attacks, although BleepingComputer claims the Chinese state-sponsored actor APT41 have been seen using it sometimes.
“The toolset deployed by the attackers is quite atypical for a ransomware attack,” Symantec said in its report.
“The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack,” they added.
Fog ransomware first emerged in April 2024, and its first attacks were spotted a month later. Since then, the group made a name for itself, claiming notable victims such as the Belgium-based semiconductor company Melexis, European meteorological organization EUMETSAT, FHNW University (a major Swiss educational institution), and Ultra Tune (an Australian automotive service franchise).
In early attacks, the group used compromised VPN credentials to access victims’ networks – after which, they used “pass-the-hash” attacks to elevate privileges, disable antivirus products, and encrypt all files.
Via BleepingComputer
Leave a comment