- Fog ransomware was seen using Syteca, a legitimate employee monitoring tool, to log keystrokes and steal passwords
- The attackers also used open-source tools to drop the payload and exfiltrate files
- Researchers describe the attack as "atypical"
Fog ransomware operators have expanded their arsenal with legitimate and open-source tools, most likely to avoid detection before deploying the encryptor.
Security researchers from Symantec were recently brought in to investigate a Fog ransomware infection and found that, during the attack, the hackers used Syteca, a legitimate employee monitoring tool.
This program, previously known as Ekran, records screen activity and keystrokes, and had never before been seen abused in attacks.
Several accounts compromised
By logging keystrokes and harvesting passwords, the attackers gained access to additional systems, were able to map the network and then successfully deployed the encryptor.
To drop Syteca, Fog used Stowaway, an open-source multi-hop proxy tool designed for security researchers and pentesters to route traffic through several intermediate nodes into restricted or internal networks.
After dropping the payload, the attackers used SMBExec, another open-source post-exploitation tool, to execute it over the Server Message Block (SMB) protocol.
Finally, they used GC2, an open-source post-exploitation backdoor that uses Google Sheets and SharePoint for command-and-control (C2) and data exfiltration. Like Syteca, it is rarely abused in attacks, although BleepingComputer notes that the state-sponsored actor APT41 has occasionally been seen using it.
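Two of the behaviours described above leave host-level traces a defender can hunt for: a monitoring agent appearing on machines where it was never deployed, and SMBExec-style remote execution, which installs a short-lived service whose command shell writes its output to a loopback admin share. The following is an added example, not code from the article or from Symantec, that applies both checks to a few constructed Windows event records; the host names, the `SytecaClient.exe` file name and the approved-host list are assumptions for illustration.

```python
import re

# Constructed sample events (simplified System 7045 / Security 4688 records); not from the article.
SAMPLE_EVENTS = [
    {"event_id": 7045, "host": "FS01", "service_name": "BTOBTO",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\ADMIN$\__output 2^>&1 > "
                   r"%TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"event_id": 7045, "host": "FS01", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
    # Assumed binary name; a real rule would key on the vendor's signed file names or hashes.
    {"event_id": 4688, "host": "WS17", "user": r"CORP\jdoe",
     "new_process": r"C:\Users\Public\tmp\SytecaClient.exe"},
    {"event_id": 4688, "host": "HR-WS03", "user": r"CORP\svc_monitor",
     "new_process": r"C:\Program Files\Syteca\Client\SytecaClient.exe"},
]

# Hosts where the organisation legitimately runs the monitoring agent (assumed).
APPROVED_MONITORING_HOSTS = {"HR-WS03"}

# SMBExec-style service: a command shell whose output is redirected to \\127.0.0.1\<share>$\...
SMBEXEC_SERVICE = re.compile(r"(cmd\.exe|%COMSPEC%).*\\\\127\.0\.0\.1\\[A-Za-z]+\$\\", re.IGNORECASE)
# Product names of the monitoring agent, current and former.
MONITORING_AGENT = re.compile(r"(syteca|ekran)", re.IGNORECASE)


def detect_fog_tooling(events, approved_hosts=APPROVED_MONITORING_HOSTS):
    """Return (host, rule, evidence) tuples for events matching either hunting rule."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045 and SMBEXEC_SERVICE.search(ev["image_path"]):
            findings.append((ev["host"], "smbexec-style service install", ev["service_name"]))
        elif (ev["event_id"] == 4688 and MONITORING_AGENT.search(ev["new_process"])
              and ev["host"] not in approved_hosts):
            findings.append((ev["host"], "monitoring agent outside approved deployment",
                             ev["new_process"]))
    return findings


if __name__ == "__main__":
    for host, rule, evidence in detect_fog_tooling(SAMPLE_EVENTS):
        print(f"{host}: {rule} -> {evidence}")
```

The agent on HR-WS03 is on the approved list and is not reported; the copy running from a public temp directory on WS17 and the loopback-redirected service on FS01 are.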
“The toolset deployed by the attackers is quite atypical for a ransomware attack,” Symantec said in its report.
“The Syteca client and GC2 tool are not tools that we have seen before in ransomware attacks, while the Stowaway proxy tool and ADAP2X C2 Agent Beacon are also unusual tools to see being used in a ransomware attack,” they added.
Fog ransomware first emerged in April 2024, and the first attacks were seen a month later. Since then, the group has made a name for itself, claiming notable victims such as the semiconductor company Melexis, the European meteorological organisation EUMETSAT, FHNW University (a major Swiss educational institution) and Ultra Tune (an Australian automotive service franchise).
In early attacks, the group used compromised VPN credentials to gain access to victims' networks, after which it used pass-the-hash attacks to escalate privileges, disable antivirus products and encrypt all files.