Pierluigi Paganini April 06, 2019

Security experts at FireEye observed the financially motivated group FIN6 adding the LockerGoga and Ryuk ransomware to its arsenal.

According to cybersecurity experts at FireEye, the FIN6 cybercrime group is diversifying its activities and added LockerGoga and Ryuk ransomware to its arsenal.

Previous attacks conducted by the FIN6 group aimed at compromising point-of-sale (PoS) systems, but recent operations conducted by the group expanded its targets and hit entities in the engineering industry.

“Recently, FireEye Managed Defense detected and responded to a FIN6 intrusion at a customer within the engineering industry, which seemed out of character due to FIN6’s historical targeting of payment card data.” reads the analysis published by FireEye.

“FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.

This blog post details the latest FIN6 tactics, techniques, and procedures (TTPs), including ties to the use of LockerGoga and Ryuk ransomware families.”

Recent attacks involving both Ryuk and LockerGoga were attributed to FIN6 crime gang or some of its members that appear to have operated independently.

Experts have traced these intrusions back to July 2018, they have caused the loss of tens of millions of dollars to the victims.

The recent wave of attacks attributed to FIN6 leverage on stolen credentials, Cobalt Strike, Metasploit, and other publicly available tools in the reconnaissance phase.

Attackers used Windows’ Remote Desktop Protocol (RDP) for lateral movement, the attackers used the following techniques to carry on the attacks:

• Attackers used PowerShell to execute an encoded command to add Cobalt Strike to the compromised system and execute a chain of payloads until retrieving a final one.
• Attackers created random Windows services to execute encoded PowerShell command that included a reverse HTTP shellcode payload stored in a byte-array like the first technique.

“The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address 176.126.85[.]207 with a randomly named resource such as “/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY” over TCP port 443. This C2 URL contained shellcode that would make an HTTPS request for an additional download.” continues the analysis.

“To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.”

Attackers leverage AdFind to query the Active Directory and make lateral movements, they used 7-Zip to compress the data before sending it to the C2 server.

“Criminal operations and relationships are highly adaptable, so we commonly encounter such attribution challenges in regards to criminal activity.” concludes FireEye. “Given that these intrusions have been sustained for almost a year, we expect that continued research into further intrusion attempts may enable us to more fully answer these questions regarding FIN6’s current status,”

Further technical details, including Indicators of Compromise, are reported in the analysis published by FireEye.

Pierluigi Paganini

(SecurityAffairs – FIN6, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]