Fog ransomware hackers are using an uncommon toolset, which includes open-source pentesting utilities and a legitimate employee monitoring software called Syteca.
The Fog ransomware operation was first observed last year in May leveraging compromised VPN credentials to access victims’ networks.
Post-compromise, they used “pass-the-hash” attacks to gain admin privileges, disabled Windows Defender, and encrypted all files, including virtual machine storage.
Later, the threat group was observed exploiting n-day flaws impacting Veeam Backup & Replication (VBR) servers, as well as SonicWall SSL VPN endpoints.
New attack toolset
Researchers at Symantec and the Carbon Black Threat Hunter team discovered the unusual attack toolset during an incident response last month on a financial institution in Asia.
Symantec couldn’t determine the initial infection vector but documented the use of multiple new tools that have not been previously seen in such attacks.
The most unusual and interesting of those is Syteca (formerly known as Ekran), a legitimate employee monitoring software that records screen activity and keystrokes.
The attackers could use the tool to collect information like account credentials employees type in unaware that they are monitored remotely.
Syteca was stealthily delivered to the system by Stowaway, an open-source proxy tool for covert communication and file transfers, and executed by SMBExec, the PsExec equivalent in the Impacket open-source framework used for lateral movement.
... continue reading