FIN11 Hackers Spotted Using New Techniques In Ransomware Attacks
According to FireEye's Mandiant threat intelligence team, the collective — known as FIN11 — has engaged in a pattern of cybercrime campaigns since at least 2016 that involves monetizing their access to organizations' networks, in addition to deploying point-of-sale (POS) malware targeting the financial, retail, restaurant and pharmaceutical industries.

Mandiant stated that recent FIN11 intrusions have most commonly led to data theft, extortion and the disruption of victim networks through the deployment of CLOP ransomware.

Even though FIN11's past activities have been tied to malware including FlawedAmmyy, FRIENDSPEAK and MIXLABEL, Mandiant notes significant overlap in TTPs with another threat group that cybersecurity researchers call TA505, which is behind the infamous Dridex banking Trojan and Locky ransomware, both delivered through malspam campaigns via the Necurs botnet.

It's worth noting that Microsoft orchestrated the takedown of the Necurs botnet earlier in March to prevent its operators from registering new domains for further attacks.

High-Volume Malspam Campaigns

FIN11, in addition to operating a high-volume malicious email distribution mechanism, has expanded its targeting to native-language lures combined with manipulated email sender information, such as spoofed display names and sender addresses, to make the messages appear more legitimate, with a strong inclination towards attacking German organizations in its 2020 campaigns.

For example, the adversary launched an email campaign with subjects such as "research report N-[five-digit number]" and "laboratory accident" in January 2020, followed by a second wave in March using phishing emails with the subject line "2020 YTD billing spreadsheet."