Fog ransomware gang abuses employee monitoring tool in unusual multi-stage attack



Open-source pen-testing tools for executing commands

Another peculiarity observed in the attack was the use of open-source penetration testing tools, like GC2 and Adaptix C2, rarely seen in ransomware attacks. Google Command and Control (GC2) is an open-source post-exploitation tool that lets attackers control compromised systems using legitimate cloud services like Google Sheets and Google Drive as their command-and-control (C2) infrastructure. The GC2 implant alone potentially allowed the attackers to run discovery commands, transfer files, and load shellcode, hinting at deeper intelligence-gathering objectives.

"The use of expected productivity platforms (e.g., Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit," Ford added.

GC2 has been used previously in attacks attributed to the APT41 Chinese threat group. Adaptix C2, an open-source post-exploitation framework whose agent fills the same role as the Cobalt Strike beacon, was also seen in the Fog attack.

Persistence after encryption raises red flags

Unlike typical ransomware actors that exit post-encryption, the Fog group was seen establishing persistence even days after deploying the ransomware, a move more common in espionage operations. Using a service dubbed "SecurityHealthIron," likely tied to launching command-and-control utilities, the attackers ensured ongoing access.

"The attackers establishing persistence on a victim network having deployed the ransomware is also not something we would typically see in a ransomware attack," researchers said. "These factors mean it could be possible that this company may in fact have been targeted for espionage purposes."

Coupled with lateral movement via PsExec and SMBExec, the use of 7-Zip to stage data and MegaSync to exfiltrate it, and stealthy cleanup of Syteca artifacts, the operation looked more like a planned, multi-stage intrusion than a quick ransomware grab.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4006743/fog-ransomware-gang-abuses-employee-monitoring-tool-in-unusual-multi-stage-attack.html

