FIN11 Hackers Expanding Their Horizon with Hybrid Extortion Attacks | Cyware Alerts


FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.

Hybrid extortion attacks

Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.

  • According to a recent report by FireEye’s Mandiant, FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
  • The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.

Overlaps between FIN11 and TA505

In the report, the researchers have distinguished between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.

Attack strategy

In most campaigns, the FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment (with modified macros) to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.

Recent FIN11 campaigns

The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.

  • In September, FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
  • The threat actor continued to modify its delivery tactics during Q3 2020; however, the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.

The closing statement

The new tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial gains.



Source link

Recent articles

The Font of Misinformation and Lies at Trump Campaign Rallies

Thank you very — this is great. Hello. How are you? Thank you, everybody. Thank you very much. Thank you. Thank you. And...

RAAF F/A-18A ‘Classic’ Hornet makes final journey to museum | News

A Boeing F/A-18A ‘Classic’ Hornet formerly operated by the Royal Australian Air Force (RAAF) has made its way by road to the Australian...

Jack Ma is making history again with the Ant IPO, and getting even more wealthy while doing it

Financial tech company Ant Group's share sale in Hong Kong and Shanghai — the biggest in history — will catapult Ma to within...

The Best Wi-Fi Routers in 2020

Image: NetgearTop Product: Google Nest Wi-FiImage: GoogleI use Google’s Nest Wi-Fi in my own two-story house, and it’s such an...

Leave a reply

Please enter your comment!
Please enter your name here