Researchers from FireEye have documented a threat cluster they track as FIN11, a financially motivated group whose activity dates back to 2016. It has shifted from its earlier malicious email campaigns to ransomware as its main monetization method.
FireEye's Mandiant researchers have recorded FIN11's tactics, techniques, and procedures, which are now available by signing up for Mandiant Advantage Free. This move into ransomware mirrors a broader shift in focus among cybercrime groups that were originally involved in financial crime and payment card theft.
FIN11 relies on a high-volume malicious email distribution mechanism, and it has expanded its targeting by using native-language lures coupled with manipulated email-sender data.
These are spoofed emails whose display names and sender addresses are crafted to make the messages look legitimate, with a strong bent towards targeting German organizations in their 2020 campaigns.
According to the FireEye report, "the adversary ran an email campaign with subjects such as 'research report N-[five-digit number]' and 'laboratory accident' in January 2020, followed by a second wave in March using phishing emails with the subject line '[pharmaceutical company name] 2020 YTD billing spreadsheet'."
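The two lure traits described above, subject lines that follow a fixed template and sender data that does not match the displayed identity, can both be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from the FireEye or Mandiant report; the regular expressions are written from the subject templates quoted above, and the two sample messages are constructed for the demonstration (the domains are placeholders, not real indicators).

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject-line lures named in the report. The third pattern covers the
# "[pharmaceutical company name] 2020 YTD billing spreadsheet" template.
SUBJECT_PATTERNS = [
    re.compile(r"\bresearch report N-\d{5}\b", re.I),
    re.compile(r"\blaboratory accident\b", re.I),
    re.compile(r"\b2020 YTD billing spreadsheet\b", re.I),
]

# Loose matcher for an email address embedded inside free text.
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return a list of reasons the message resembles the lures described above.

    An empty list means none of the heuristics fired.
    """
    msg = message_from_string(raw_message)
    reasons = []

    # 1. Subject template check.
    subject = msg.get("Subject", "")
    for pat in SUBJECT_PATTERNS:
        if pat.search(subject):
            reasons.append(f"subject matches known lure pattern {pat.pattern!r}")
            break

    # 2. Display-name spoofing: an address written into the display name
    #    whose domain differs from the domain of the actual sender address.
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    for embedded in ADDR_RE.findall(display_name):
        if domain_of(embedded) != sender_domain:
            reasons.append(f"display name shows {embedded} but sender is {sender}")

    # 3. Reply-To pointing at a different domain than the sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(
            f"Reply-To domain {domain_of(reply_to)} differs from sender domain {sender_domain}"
        )
    return reasons


# Constructed sample messages (placeholder domains, not real indicators).
LURE = """From: "Anna Weber (a.weber@example-pharma.de)" <a.weber@mail-sender.invalid>
Reply-To: accounts@collect.invalid
Subject: Research report N-48213
Content-Type: text/plain

Please see the attached report.
"""

BENIGN = """From: Ops Team <ops@example.org>
Subject: Weekly maintenance window
Content-Type: text/plain

No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage(raw) or "no findings")
```

The subject patterns are only useful for the campaigns the report names, so treat them as a retro-hunt over mail logs rather than a lasting signature; the display-name and Reply-To checks generalize to any spoofed-sender lure and are cheap enough to run on every inbound message.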
From August, the group has been targeting organizations in the defense, energy, finance, healthcare/pharmaceutical, legal, telecommunications, technology, and transportation sectors. FireEye's Mandiant researchers confirmed that FIN11 targets its victims with malicious emails distributing a malware downloader tracked as FRIENDSPEAK.
Overlap with TA505
TA505 is a high-profile cybercriminal gang that distributes Clop ransomware. The group has begun exploiting the ZeroLogon critical flaw in Windows to obtain domain administrator privileges on a target organization's domain controller.
The researchers track FIN11 as a distinct threat actor despite its significant overlap in tactics, techniques, and malware with TA505.
FIN11 also uses FlawedAmmyy, a malware downloader seen in attacks by both TA505 and Silence, a hacking group that targets banks around the world. This suggests that all three groups share a malware developer.
Despite the strong similarities to TA505, attributing specific campaigns to FIN11 is difficult, because both groups use the same malware and criminal service providers, which may have led to misattribution in some cases.
In addition, the researchers have moderate confidence that FIN11 operates from the Commonwealth of Independent States (CIS). Supporting this assessment are Russian-language file metadata, the deployment of Clop ransomware only on machines whose keyboard layout is one used outside CIS countries, and a drop in activity around the Russian New Year and Orthodox Christmas holidays.
The threat actors have been prolific and successful, but businesses can still avoid falling victim to campaigns by FIN11 and other financially motivated groups by following common security practices and applying patches, which denies the threat actors the known exploits they use to gain a foothold in networks.