
- Fog ransomware was seen using Syteca, a legitimate employee monitoring tool, to log keystrokes and capture passwords
- It also used open-source tools for payload delivery and file exfiltration
- The attack was “atypical”, the researchers say
Fog ransomware operators have expanded their arsenal to include legitimate and open-source tools, most likely to avoid detection before deploying the encryptor.
Symantec’s security researchers were recently called in to investigate a Fog ransomware infection and determined that the attackers had used Syteca, a legitimate employee monitoring tool, during the attack.
The program, previously known as Ekran, records screen activity and keystrokes and had not been seen in earlier Fog attacks.
“Many” accounts compromised
By logging keystrokes and capturing passwords, the attackers were able to reach additional systems, map the network, and then successfully deploy the encryptor.
To deliver Syteca, Fog used Stowaway, an open-source multi-hop proxy tool designed for security researchers and penetration testers to tunnel traffic through several intermediate nodes or route traffic within internal networks.
After dropping the payload, the attackers used another open-source post-exploitation tool, SMBExec, to execute it over the Server Message Block (SMB) protocol.
Finally, Fog used GC2, an open-source post-exploitation backdoor that abuses Google Sheets and SharePoint for command-and-control (C2) and data exfiltration. Like Syteca, it is rarely seen in attacks, though BleepingComputer notes that the Chinese state-sponsored actor APT41 has occasionally been observed using it.
“The toolset deployed by the attackers is quite uncommon for a ransomware attack,” the researchers said.
“The Syteca client and GC2 tools are not tools we have previously seen deployed in ransomware attacks, while the Stowaway proxy tool and Adaptix C2 agent beacons are also unusual tools to be used in a ransomware attack,” they added.
Fog ransomware first emerged in April 2024, and its first attacks were seen a month later. Since then, the group has made a name for itself, claiming notable victims such as the Belgian semiconductor company Melexis, the European meteorological organisation EUMETSAT, FHNW University (a major Swiss educational institution), and Ultra Tune (an Australian motor vehicle service franchise).
In its initial attacks, the group used compromised VPN credentials to reach victims’ networks, after which it used pass-the-hash attacks to elevate privileges, disable antivirus products, and encrypt all files.
Via BleepingComputer

