- Fog ransomware was observed using Syteca, a legitimate employee-monitoring tool, to log keystrokes and harvest passwords.
- The operators also used open source tools for payload delivery and file exfiltration.
- The attack was "atypical," the researchers say.
Fog ransomware operators have expanded their arsenal to include legitimate and open source tools, most likely to avoid detection before deploying the encryptor.
Symantec security researchers were recently brought in to investigate a Fog ransomware infection and determined that the attackers used Syteca, a legitimate employee-monitoring tool, during the attack.
The program, previously known as Ekran, records screen activity and keystrokes, and had not been abused in attacks before now.
"Several" compromised accounts
By logging keystrokes and capturing passwords, the attackers were able to access additional systems, map the network, and then successfully deploy the encryptor.
To deliver Syteca, Fog used Stowaway, an open source proxy tool designed for security researchers and penetration testers to route traffic through multiple intermediary nodes in restricted or internal networks.
After dropping the payload, the attackers used SMBExec, another open source exploitation tool, to execute it over the Server Message Block (SMB) protocol.
Finally, Fog used GC2, an open source post-exploitation backdoor that uses Google Sheets and SharePoint for command and control (C2) and data exfiltration. Like Syteca, it is rarely abused in attacks, although BleepingComputer notes that the Chinese state-sponsored actor APT41 has used it on occasion.
"The set of tools deployed by the attackers is quite atypical for a ransomware attack," Symantec said in its report.
"The Syteca client and GC2 tool are not tools that we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and the Adaptix C2 agent are also unusual tools to see used in a ransomware attack," they added.
Fog ransomware first emerged in April 2024, and its first attacks were seen a month later. Since then, the group has made a name for itself, claiming notable victims such as the Belgium-based semiconductor company Melexis, the European weather organization EUMETSAT, FHNW University (a major Swiss educational institution) and Ultra Tune (an Australian automotive services franchise).
In its early attacks, the group used compromised VPN credentials to access victims' networks, after which it used pass-the-hash attacks to escalate privileges, disable antivirus products and encrypt all files.
Via BleepingComputer