
FIN11 Hackers Spotted Using New Techniques In Ransomware Attacks
2020-10-14 06:05

Although FIN11's activities in the past have been tied to malware such as FlawedAmmyy, FRIENDSPEAK, and MIXLABEL, Mandiant notes significant overlap in TTPs with another threat group that cybersecurity researchers call TA505, which is behind the infamous Dridex banking Trojan and the Locky ransomware delivered through malspam campaigns via the Necurs botnet.

"Although we have not independently verified the connection, there is substantial public reporting to suggest that until sometime in 2018, FIN11 relied heavily on the Necurs botnet for malware distribution. Notably, observed downtime of the Necurs botnet has directly corresponded to lulls in the activity we attribute to FIN11."

In recent months, FIN11's monetization efforts have resulted in a number of organizations being infected with CLOP ransomware; the group has also resorted to hybrid extortion attacks - combining ransomware with data theft - in a bid to force businesses into acquiescing to extortion payments that range from a few hundred thousand dollars up to 10 million dollars.

"Barring some sort of disruption to their operations, it is highly likely that FIN11 will continue to attack organizations with an aim to deploy ransomware and steal data to be used for extortion," Moore said.

"As the group has regularly updated their TTPs to evade detections and increase the effectiveness of their campaigns, it is also likely that these incremental changes will continue. Despite these changes, recent FIN11 campaigns have consistently relied on the use of macros embedded in malicious Office documents to deliver their payloads."
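As an added defender's example (not code from the article or from Mandiant), the check below flags macro-enabled OOXML documents of the kind the quote describes by inspecting the container for a VBA project part rather than trusting the file extension; the sample documents it builds are constructed in memory for the demonstration.

```python
"""Flag OOXML Office documents (docx/xlsx/pptx family) that carry a VBA project.
Added example for this article, not Mandiant's or the original post's code. It checks
the zip container, not the extension: the macro part has content type
'application/vnd.ms-office.vbaProject' and is usually word/vbaProject.bin, but
[Content_Types].xml may map it to any path."""
import io
import re
import zipfile
from typing import List

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

def find_vba_parts(data: bytes) -> List[str]:
    """Return zip entry names holding a VBA project; [] if none or not OOXML."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # legacy OLE (.doc/.xls) or non-Office input: out of scope here
    hits = set()
    # 1. Honour the content-type map, which is what Office itself consults
    #    (only <Override> entries; <Default> by-extension mappings are not handled).
    try:
        ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except KeyError:
        ct_xml = ""
    for attrs in re.findall(r"<Override\b([^>]*)>", ct_xml):
        part = re.search(r'PartName="([^"]+)"', attrs)
        ctype = re.search(r'ContentType="([^"]+)"', attrs)
        if part and ctype and ctype.group(1) == VBA_CONTENT_TYPE:
            hits.add(part.group(1).lstrip("/"))
    # 2. Fall back on the conventional part name in case the map was tampered with.
    hits.update(n for n in zf.namelist() if n.lower().endswith("vbaproject.bin"))
    return sorted(hits)

def make_sample(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container in memory (not a real document)."""
    main_ct = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_macro:
            overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE header")
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    + overrides + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Run `find_vba_parts` over attachments at the mail gateway or on a file share to quarantine macro-bearing documents before a user can enable content.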


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/ZJE2KQjwV0Q/fin11-hackers-spotted-using-new.html