Tuesday, November 12, 2024
HomeMalwareFIN6 Hackers Group Targeting Enterprise Network to Deploy LockerGoga and Ryuk Ransomware

FIN6 Hackers Group Targeting Enterprise Network to Deploy LockerGoga and Ryuk Ransomware

Published on

Malware protection

FIN6 cybercrime group tied with a LockerGoga and Ryuk ransomware that targets the enterprise network in an engineering industry by compromising the internet facing system.

Researchers from FireEye recently learning this incident from their customer’s network and the further investigation reveals that the FIN6 group was in the Initial stage of attack.

FIN6 using publicly available tools such as Cobalt Strike, Metasploit, Adfind and 7-Zip to conduct internal reconnaissance, compress data and other operation to gain the network access.

- Advertisement - SIEM as a Service

Lockergoga infection was first spotted in January 2019, the ransomware particularly targets on critical infrastructure, and the Ryuk Ransomware campaign targeting various enterprise network around the globe and encrypting various data in storage, personal computers, and data center.

Researchers Stated that “Our team quickly linked this activity with some recent Mandiant investigations and enabled us to determine that FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.”

FIN6 Infection Life Cycle

Initially, FIN6 compromise the internet facing system to gain access to the enterprise environment using stolen credentials and move to the further internal network by abusing the Windows Remote Desktop Protocol.

In this case, Attackers are using 2 different technique to intrude the targeted network.

First technique, FIN6 using PowerShell to execute an encoded command that consists of base64 encoded payload which is actually a Cobalt Strike httpsstager that was injected into the PowerShell process.

FIN6
base64 encoded payload

Cobalt Strike was actually configured to download the second payload from hxxps://176.126.85[.]207:443/7sJh.

Second Technique, Attackers abusing the Windows services which are random name service that is using Metasploit.

The Metasploit reverse HTTP payload was configured to communicate with the command and control (C2) IP address to download the additional payload.

According to FireEye Report, To achieve privilege escalation within the environment, FIN6 utilized a named pipe impersonation technique included within the Metasploit framework that allows for SYSTEM-level privilege escalation.

Through separate Mandiant Incident Response investigations, FireEye has observed FIN6 conducting intrusions to deploy either Ryuk or LockerGoga ransomware.

Indicator of Compromise

TypeIndicator
 Network 31.220.45[.]151
46.166.173[.]109
62.210.136[.]65
89.105.194[.]236
93.115.26[.]171
103.73.65[.]116
176.126.85[.]207
185.202.174[.]31
185.202.174[.]41
185.202.174[.]44
185.202.174[.]80
185.202.174[.]84
185.202.174[.]91
185.222.211[.]98hxxps://176.126.85[.]207:443/7sJh
hxxps://176.126.85[.]207/ca
hxxps://176.126.85[.]207:443/ilX9zObq6LleAF8BBdsdHwRjapd8_1Tl4Y-9Rc6hMbPXHPgVTWTtb0xfb7BpIyC1Lia31F5gCN_btvkad7aR2JF5ySRLZmTtY
hxxps://pastebin[.]com/raw/0v6RiYEY
hxxps://pastebin[.]com/raw/YAm4QnE7
hxxps://pastebin[.]com/raw/p5U9siCD
hxxps://pastebin[.]com/raw/BKVLHWa0
hxxps://pastebin[.]com/raw/HPpvY00Q
hxxps://pastebin[.]com/raw/L4LQQfXE
hxxps://pastebin[.]com/raw/YAm4QnE7
hxxps://pastebin[.]com/raw/p5U9siCD
hxxps://pastebin[.]com/raw/tDAbbY52
hxxps://pastebin[.]com/raw/u9yYjTr7
hxxps://pastebin[.]com/raw/wrehJuGp
hxxps://pastebin[.]com/raw/tDAbbY52
hxxps://pastebin[.]com/raw/wrehJuGp
hxxps://pastebin[.]com/raw/Bber9jae
 Host 031dd207c8276bcc5b41825f0a3e31b0
0f9931210bde86753d0f4a9abc5611fd
12597de0e709e44442418e89721b9140
32ea267296c8694c0b5f5baeacf34b0e
395d52f738eb75852fe501df13231c8d
39b7c130f1a02665fd72d65f4f9cb634
3c5575ce80e0847360cd2306c64b51a0
46d781620afc536afa25381504059612
4ec86a35f6982e6545b771376a6f65bb
73e7ddd6b49cdaa982ea8cb578f3af15
8452d52034d3b2cb612dbc59ed609163
8c099a15a19b6e5b29a3794abf8a5878
9d3fdb1e370c0ee6315b4625ecf2ac55
d2f9335a305440d91702c803b6d046b6
34187a34d0a3c5d63016c26346371b54

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Rise Of Ransomware-As-A-Service Leads To Decline Of Custom Tools

Ransomware-as-a-Service (RaaS) platforms have revolutionized the ransomware market.Unlike traditional standalone ransomware sales, RaaS...

HookBot Malware Use Overlay Attacks Impersonate As Popular Brands To Steal Data

The HookBot malware family employs overlay attacks to trick users into revealing sensitive information...