According to cybersecurity experts at FireEye, the FIN6 cybercrime group is diversifying its activities and has added LockerGoga and Ryuk ransomware to its arsenal.
Previous attacks conducted by the FIN6 group aimed at compromising point-of-sale (
“Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data.” reads the analysis published by FireEye.
“FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.
This blog post details the latest FIN6 tactics, techniques, and procedures (
Recent attacks involving both Ryuk and LockerGoga were attributed to the FIN6 crime gang or to some of its members, who appear to have operated independently.
Experts have traced these intrusions back to July 2018; they have caused the loss of tens of millions of dollars to the victims.
The recent wave of attacks attributed to FIN6 leverages stolen credentials, Cobalt Strike, Metasploit, and other publicly available tools in the reconnaissance phase.
The attackers used Windows’ Remote Desktop Protocol (RDP) for lateral movement and used the following techniques to carry out the attacks:
“The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2 URL contained shellcode that would make an HTTPS request for an additional download.” continues the analysis.
“To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.”
The attackers leveraged AdFind to query Active Directory and move laterally, and they used 7-Zip to compress the data before sending it to the C2 server.
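For defenders, the AdFind-then-7-Zip sequence described above can be hunted in process-creation logs. The following is an added example, not code from FireEye or from the original article: it correlates Active Directory enumeration with archive creation on the same host within a time window. The hostnames, paths, command lines and the 30-minute window are constructed assumptions.

```python
import ntpath
import re
from datetime import datetime, timedelta

# Constructed process-creation events (host, time, image path, command line).
# Hostnames, paths and arguments are illustrative, not taken from the FireEye report.
EVENTS = [
    ("WS01", "2019-04-01T10:00:00", r"C:\Users\Public\adfind.exe",
     'adfind.exe -f "objectcategory=computer"'),
    ("WS01", "2019-04-01T10:04:30", r"C:\Users\Public\7.exe",
     r"7.exe a C:\Users\Public\ad.7z C:\Users\Public\*.txt"),
    ("WS02", "2019-04-01T11:00:00", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a backup.7z D:\reports"),
    ("WS03", "2019-04-01T12:00:00", r"C:\Temp\a.exe",
     'a.exe -b dc=corp,dc=example -f "objectcategory=person"'),
    ("WS03", "2019-04-01T15:00:00", r"C:\Program Files\7-Zip\7z.exe",
     r"7z.exe a logs.7z C:\logs"),
]

# 7-Zip's "a" command adds files to an archive; match on arguments, not the file name.
ARCHIVE_ADD = re.compile(r"\s+a\s+.*\.(7z|zip)\b", re.IGNORECASE)

def is_ad_enum(image, cmdline):
    # Match by file name, or by an LDAP filter argument so a renamed binary still hits.
    name = ntpath.basename(image).lower()
    return name == "adfind.exe" or "objectcategory=" in cmdline.lower()

def is_archive_create(cmdline):
    return ARCHIVE_ADD.search(cmdline) is not None

def correlate(events, window=timedelta(minutes=30)):
    """Return (host, enum_time, archive_time) where archiving follows
    AD enumeration on the same host within `window`."""
    last_enum, alerts = {}, []
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if is_ad_enum(image, cmd):
            last_enum[host] = when
        elif is_archive_create(cmd) and host in last_enum:
            if when - last_enum[host] <= window:
                alerts.append((host, last_enum[host].isoformat(), ts))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("AD enumeration followed by archive creation:", alert)
```

Archiving alone (WS02) and archiving long after enumeration (WS03) do not alert; widening the window trades fewer misses for more noise from routine backups.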
“Criminal operations and relationships are highly adaptable, so we commonly encounter such attribution challenges in regards to criminal
Further technical details, including Indicators of Compromise, are reported in the analysis published by FireEye.