FIN6 Hackers Group Targeting Enterprise Network to Deploy LockerGoga and Ryuk Ransomware


FIN6

FIN6 cybercrime group tied with a LockerGoga and Ryuk ransomware that targets the enterprise network in an engineering industry by compromising the internet facing

Source: gbhackerssystem.

Researchers from FireEye recently learning this incident from their customer’s network and the further investigation reveals that the FIN6 group was in the Initial stage of attack.

FIN6 using publicly available tools such as Cobalt Strike, Metasploit, Adfind and 7-Zip to conduct internal reconnaissance, compress data and other operation to gain the network access.

Lockergoga infection was first spotted in January 2019, the ransomware particularly targets on critical infrastructure, and the Ryuk Ransomware campaign targeting various enterprise network around the globe and encrypting various data in storage, personal computers, and data center.

Researchers Stated that “Our team quickly linked this activity with some recent Mandiant investigations and enabled us to determine that FIN6 has expanded their criminal enterprise to deploy ransomware in an attempt to further monetize their access to compromised entities.”

FIN6 Infection Life Cycle

Initially, FIN6 compromise the internet facing system to gain access to the enterprise environment using stolen credentials and move to the further internal network by abusing the Windows Remote Desktop Protocol.

In this case, Attackers are using 2 different technique to intrude the targeted network.

First technique, FIN6 using PowerShell to execute an encoded command that consists of base64 encoded payload which is actually a Cobalt Strike httpsstager that was injected into the PowerShell process.FIN6

More information…

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Blog at WordPress.com.

Up ↑

%d bloggers like this: