Mandiant (FireEye) has published a new report on FIN11, a financially motivated group active since at least 2016, which has switched to ransomware and is now deploying the Clop ransomware in the networks of compromised companies.
Early FIN11 campaigns focused primarily on organizations in the financial, retail and restaurant sectors, but in recent years the group has become far less selective, targeting a wide range of companies in North America and Europe. Since August 2020 alone, for example, it has compromised organizations in defense, energy, finance, healthcare and pharmaceuticals, law, telecommunications, technology, and transportation.
FIN11 attacks usually begin with phishing emails that ultimately deliver the FRIENDSPEAK malware downloader. The lures vary and include money transfer documents, invoices, and fake confidential bonus information. The messages actually carry malicious HTML attachments that load content (via iframes or embed tags) from compromised third-party sites, which are often full of outdated content and look abandoned. Before the Excel file with the malicious macro is served, the victim is asked to solve a CAPTCHA, which also keeps automated analysis systems from fetching the payload.
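The delivery chain above hinges on an HTML attachment that pulls its real content from another host. The following triage script, added here as an example and not code from the Mandiant report or from FIN11's tooling, parses an HTML attachment with Python's standard-library parser and reports every tag that fetches a remote resource, flagging the attachment when a framing or embedding tag (iframe, frame, embed, object, or a meta refresh) points off-host. The attachment content and the allowlisted CDN host are constructed for the example.

```python
"""Triage an HTML e-mail attachment for remote-content loads.

Reports every tag that makes the browser fetch a resource from another host
and returns a verdict when a framing/embedding tag does so. The sample
attachment at the bottom is constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attributes that cause a remote fetch when set to an absolute URL.
REMOTE_ATTRS = {
    "iframe": ("src",),
    "frame": ("src",),
    "embed": ("src",),
    "object": ("data",),
    "script": ("src",),
    "link": ("href",),
    "img": ("src",),
}

# Tags whose remote load hands control of the page to another site.
FRAMING_TAGS = {"iframe", "frame", "embed", "object", "meta-refresh"}


class RemoteLoadFinder(HTMLParser):
    """Collect (tag, url) pairs for every attribute that triggers a fetch."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        a = dict(attrs)
        if tag == "meta":
            # <meta http-equiv="refresh" content="0;url=..."> redirects the page.
            if (a.get("http-equiv") or "").lower() == "refresh":
                content = a.get("content") or ""
                idx = content.lower().find("url=")
                if idx != -1:
                    self.findings.append(("meta-refresh", content[idx + 4:].strip()))
            return
        for name in REMOTE_ATTRS.get(tag, ()):
            value = a.get(name)
            if value:
                self.findings.append((tag, value.strip()))


def _is_remote(url):
    """True for http(s) URLs and protocol-relative (//host/...) URLs."""
    return urlparse(url).scheme in ("http", "https") or url.startswith("//")


def scan_attachment(html_text, allowlist=()):
    """Return (tag, url, host) for each remote load whose host is not allowlisted."""
    parser = RemoteLoadFinder()
    parser.feed(html_text)
    parser.close()
    allowed = {h.lower() for h in allowlist}
    results = []
    for tag, url in parser.findings:
        if not _is_remote(url):
            continue  # cid:, data:, relative paths: nothing fetched off-host
        host = (urlparse(url).hostname or "").lower()
        if host in allowed:
            continue
        results.append((tag, url, host))
    return results


def verdict(findings):
    """'suspicious' when any framing/embedding tag loads a remote host."""
    return "suspicious" if any(t in FRAMING_TAGS for t, _, _ in findings) else "clean"


# Constructed sample resembling the bonus-information lure; hosts are invented.
SAMPLE_ATTACHMENT = """<html><head><title>Bonus confirmation</title></head><body>
<p>Please confirm your bonus details below.</p>
<img src="cid:logo@company">
<iframe src="https://abandoned-blog.example/wp-content/uploads/verify.php"
        width="1" height="1"></iframe>
<embed src="//abandoned-blog.example/old-news/x.php" type="text/html">
<script src="https://cdn.example.org/jquery.js"></script>
</body></html>"""

if __name__ == "__main__":
    hits = scan_attachment(SAMPLE_ATTACHMENT, allowlist=("cdn.example.org",))
    for tag, url, host in hits:
        print(f"{tag:12} {host:30} {url}")
    print("verdict:", verdict(hits))
```

The parser deliberately ignores `cid:` and `data:` references, which are normal in HTML mail, and treats protocol-relative `//host/` URLs as remote, since those are a common way to slip past naive `http` string matches. Run it over the attachment body extracted from the mail gateway rather than over the whole MIME message.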
FRIENDSPEAK in turn downloads a second piece of malware to the victim's machine, MIXLABEL, which is also considered specific to FIN11. MIXLABEL handles communication with the command-and-control server, whose domain is often made to look like a Microsoft Store address (for example us-microsoft-store(.)com).
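A brand-lookalike C2 domain like the one above is cheap to hunt for in DNS query logs: flag any queried name that contains a protected brand token but whose registrable domain is not one of that brand's legitimate domains. The script below is an added example, not code from the report; the brand allowlist, the tiny public-suffix table and the log lines (timestamp, client IP, queried name) are constructed for it, and a real deployment would load the full Public Suffix List and its own allowlist instead.

```python
"""Flag brand-impersonating domains in DNS query logs.

Detection rule: a queried name that contains a protected brand token, where
the registrable domain is not one the brand legitimately owns. Brand lists,
suffix table and log lines below are constructed for this example.
"""
import re

# Brand token -> registrable domains that may legitimately carry it (assumed).
BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "microsoftstore.com"},
    "office": {"office.com", "office.net", "office365.com"},
}

# Minimal stand-in for the Public Suffix List; use the real PSL in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed log format: "<timestamp> <client-ip> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(qname):
    """Return the registrable (eTLD+1) part of a DNS name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_lookalike(qname):
    """Return the impersonated brand token, or None if the name is legitimate."""
    q = qname.lower().rstrip(".")
    reg = registrable_domain(q)
    for brand, legit in BRANDS.items():
        # Token anywhere in the name, but the owner of the registrable domain
        # is not the brand: us-microsoft-store.com, microsoft.com.evil.example
        if brand in q and reg not in legit:
            return brand
    return None


def scan_dns_log(lines):
    """Return one hit dict per log line whose query is a brand lookalike."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed or empty line
        ts, client, qname = m.groups()
        brand = is_lookalike(qname)
        if brand:
            hits.append({"ts": ts, "client": client,
                         "qname": qname.lower().rstrip("."), "brand": brand})
    return hits


def clients_by_hit(hits):
    """Group flagged names by querying client to see which hosts to triage."""
    out = {}
    for h in hits:
        out.setdefault(h["client"], set()).add(h["qname"])
    return out


# Constructed sample log; only the us-microsoft-store(.)com name is from the report.
SAMPLE_LOG = [
    "2020-10-14T09:12:01Z 10.0.4.21 login.microsoftonline.com",
    "2020-10-14T09:12:05Z 10.0.4.21 us-microsoft-store.com",
    "2020-10-14T09:13:44Z 10.0.7.8 www.microsoft.com",
    "2020-10-14T09:14:02Z 10.0.7.8 cdn.office.net",
    "2020-10-14T09:15:19Z 10.0.4.21 microsoft.com.update-check.example",
    "2020-10-14T09:16:00Z 10.0.9.3 example.org",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_LOG):
        print(f"{h['ts']} {h['client']:12} {h['qname']:40} impersonates {h['brand']}")
    print(clients_by_hit(scan_dns_log(SAMPLE_LOG)))
```

Substring matching on the brand token is intentionally loose, so tune the allowlist against a week of your own resolver logs before alerting on it; names such as partner portals that legitimately embed a vendor name are the usual false positives. The grouping by client matters because a single host querying several lookalikes in a short window is a stronger signal than any one name.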
Mandiant's researchers also highlight that an intrusion does not necessarily end once Clop has been deployed. In one case the attackers re-compromised an organization several months after the first incident; in another, FIN11 regained access to the company's network after the victim had restored the infected servers from backups, so restoring from backup without closing the original entry point is not enough.
The researchers do not say what ransom amounts FIN11 demands, but note that Coveware, a company specializing in ransomware incident response and negotiation, reports demands ranging from several hundred thousand to tens of millions of dollars.
Connection with TA505
Mandiant tracks FIN11 as a separate group, but notes that its tactics, attack methods and malware closely resemble those of another well-known group, TA505. TA505 is believed to have been active since at least 2014 and has been linked to large-scale malicious campaigns such as the distribution of the Dridex banking trojan and the Locky ransomware, as well as to many other malware families, including BackNet, Cobalt Strike, ServHelper, Bart, FlawedAmmyy, the SDBbot RAT, DoppelPaymer and others.
TA505 has also been distributing the Clop ransomware lately and has recently begun exploiting the critical Zerologon vulnerability (CVE-2020-1472) to obtain domain administrator rights in the networks of compromised organizations.
FIN11 also uses FlawedAmmyy in its attacks, a remote access trojan that has likewise been seen in TA505 and Silence intrusions. According to the researchers, this suggests that the groups share a common malware developer or supplier.
Despite the strong resemblance to TA505, Mandiant treats FIN11 as a separate group, while acknowledging that attribution is often difficult because both groups use similar malware and the same criminal service providers. It is therefore likely that some earlier attacks attributed to TA505 were in fact the work of FIN11, especially those that used malware now uniquely associated with FIN11.
Based on its own analysis, Mandiant assesses that FIN11 is a Russian-speaking group operating from somewhere in the CIS countries. This is supported by Russian-language file metadata, by the fact that the group deploys Clop only on machines whose keyboard layout is not one used in CIS countries, and by a noticeable drop in activity during the Russian New Year and Orthodox Christmas holidays.