- Fog ransomware was seen using Syteca, a legitimate employee-monitoring tool, to record keystrokes and capture passwords
- The attackers also used open source tools to deliver the payload and exfiltrate files
- Researchers describe the attack as "atypical"
The Fog ransomware operators have expanded their arsenal with legitimate and open source tools, most likely to avoid detection before deploying the encryptor.
Symantec security researchers were recently called in to investigate a Fog ransomware infection and found that the attackers had used Syteca, a legitimate employee-monitoring tool, during the attack.
The program, previously known as Ekran, records screen activity and keystrokes, and had not been seen abused in attacks before.
Multiple compromised accounts
By logging keystrokes and harvesting the passwords typed into monitored sessions, the attackers were able to access additional systems, map the network, and then deploy the encryptor.
To deliver Syteca, Fog used Stowaway, an open source multi-hop proxy tool designed for security researchers and red teamers to tunnel traffic through several intermediate nodes in restricted or internal networks.
After dropping the payload, the attackers used SMBExec, another open source post-exploitation tool, to execute it over the Server Message Block (SMB) protocol.
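One check a defender might build from the description above, added here as an example that is not from the article or from Symantec's report: Impacket's smbexec implementation creates a Windows service on the target whose ImagePath runs cmd.exe through %COMSPEC% and redirects the command output to a file on a loopback admin share, and that service installation is recorded as Event ID 7045 on the target host. The Python below scores constructed 7045 events against those default artifacts. It assumes the Impacket implementation with unchanged defaults; the page does not say which smbexec build Fog used or whether the operators modified it, so the patterns are an assumption and the service name in particular is trivial for an attacker to change.

```python
import re

# Constructed sample data (not from the incident described in the article):
# Windows System log, Event ID 7045 "A service was installed in the system",
# flattened to one dict per event. Event 1 uses Impacket smbexec's defaults,
# event 3 the same command shape with a renamed service, event 2 is benign.
SAMPLE_7045_EVENTS = [
    {
        "host": "FILESRV01",
        "service_name": "BTOBTO",
        "image_path": (
            r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 "
            r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"
        ),
    },
    {
        "host": "FILESRV01",
        "service_name": "Sysmon64",
        "image_path": r"C:\Windows\Sysmon64.exe",
    },
    {
        "host": "APP02",
        "service_name": "xYzQw",
        "image_path": (
            r"%COMSPEC% /Q /c echo net localgroup administrators ^> \\127.0.0.1\ADMIN$\__output 2^>&1 "
            r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"
        ),
    },
]

# Artifacts of Impacket smbexec.py's default command template (assumption: the
# attacker did not change them). Each is a weak signal on its own, so the
# detector requires several of them before it fires.
SMBEXEC_INDICATORS = {
    # cmd.exe invoked via %COMSPEC% with /Q /c, echoing a command into a batch file
    "comspec_echo": re.compile(r"%COMSPEC%\s+/Q\s+/c\s+echo\s", re.IGNORECASE),
    # escaped redirection (^>) is how smbexec embeds the redirect inside the echo
    "escaped_redirect": re.compile(r"\^>"),
    # command output written to a loopback admin share, which the operator reads back over SMB
    "loopback_share_output": re.compile(r"\\\\127\.0\.0\.1\\(?:C|ADMIN)\$\\__output", re.IGNORECASE),
    # the default staging batch file in %TEMP%
    "temp_batch": re.compile(r"%TEMP%\\execute\.bat", re.IGNORECASE),
}
DEFAULT_SERVICE_NAME = "BTOBTO"  # Impacket smbexec default, trivially renamed by an operator


def smbexec_indicators(event):
    """Return the list of indicator names present in one 7045 event."""
    hits = [name for name, rx in SMBEXEC_INDICATORS.items() if rx.search(event["image_path"])]
    if event["service_name"].upper() == DEFAULT_SERVICE_NAME:
        hits.append("default_service_name")
    return hits


def detect_smbexec(events, min_hits=3):
    """Flag service installs whose ImagePath carries at least min_hits smbexec artifacts."""
    findings = []
    for ev in events:
        hits = smbexec_indicators(ev)
        if len(hits) >= min_hits:
            findings.append({"host": ev["host"], "service_name": ev["service_name"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in detect_smbexec(SAMPLE_7045_EVENTS):
        print(f"{f['host']}: service '{f['service_name']}' matches {', '.join(f['indicators'])}")
```

Requiring three independent artifacts keeps the renamed-service case (event 3) detectable while a single stray `^>` in a legitimate installer's command line does not trip the rule; in a real deployment the same logic would run over 7045 events forwarded from every host, not a list of dicts.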
Finally, Fog used GC2, an open source post-exploitation backdoor that uses Google Sheets and SharePoint for command and control (C2) and data exfiltration. Like Syteca, it is rarely seen abused in attacks, although BleepingComputer notes that the Chinese state-sponsored actor APT41 has occasionally been observed using it.
"The toolset deployed by the attackers is quite atypical for a ransomware attack," Symantec said in its report.
"The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adaptix C2 Agent Beacon are also unusual tools to see being used in a ransomware attack," they added.
Fog ransomware first emerged in April 2024, and its first attacks were spotted a month later. Since then, the group has made a name for itself, claiming notable victims such as the Belgian semiconductor company Melexis, the European meteorological organization Eumetsat, FHNW University (a large Swiss educational institution) and Ultra Tune (an Australian automotive services franchise).
In its early attacks, the group used compromised VPN credentials to access victims' networks, after which it used Pass-the-Hash attacks to escalate privileges, disable antivirus products, and encrypt all files.
Via BleepingComputer