The financially motivated hacker group FIN11 has turned to ransomware to monetise its cybercrime activities.

The financially motivated FIN11 hacker group has changed tactics and now uses ransomware as its main method of monetisation.

The group has carried out numerous large-scale campaigns against companies around the world, mostly in North America and Europe.

In recent attacks, the group has been observed deploying the Clop ransomware in its victims' networks.

Since August, FIN11 has been targeting organisations in many sectors, including defence, energy, finance, healthcare, legal, pharmaceuticals, telecommunications, technology and transport.

Researchers from FireEye's Mandiant have noted that FIN11 hackers use spear-phishing messages that deliver a malicious downloader called FRIENDSPEAK.

FIN11 recently used Clop to extort ransom payments and threatened to publish stolen data to pressure victims into paying. The evolution of the group's monetisation methods – from point-of-sale malware in 2018 to ransomware in 2019 and hybrid extortion in 2020 – is part of a broader trend in which criminal actors increasingly focus on post-compromise ransomware deployment and data-theft extortion.

The attack chain starts when a victim enables a macro in the Excel spreadsheet attached to the phishing email.

The macro downloads and executes the FRIENDSPEAK code, which in turn downloads the MIXLABEL malware.

Experts also reported that the threat actor had modified the macros in the lure documents and added geofencing techniques.

Mandiant researchers pointed to overlaps with the cybercriminal gang TA505 (known as Evil Corp.), which has been active against the retail and banking sectors since 2014.

TA505 has also used the Clop ransomware in its malware campaigns and has recently started exploiting the critical ZeroLogon bug to compromise target organisations.

The attribution of the historical activities of TA505 and the more recent activities of FIN11 is complicated by the fact that the actors use criminal service providers. Like most financially motivated actors, FIN11 does not operate in a vacuum. We believe that the group has made use of services that offer anonymous domain registration, bulletproof hosting, code-signing certificates and private or semi-private malware. Outsourcing work to these criminal service providers is likely to enable FIN11 to increase the scale and complexity of its activities.


The experts found that FIN11 actors did not abandon a target after deploying the Clop ransomware and losing access: in at least one case they re-compromised the target organisation a few months later.

Researchers believe that FIN11 operates from the Commonwealth of Independent States (CIS – countries of the former Soviet Union).

The experts observed Russian-language file metadata in the malware code and pointed out that the Clop ransomware was only deployed on machines whose keyboard layouts indicated they were outside the CIS countries.

Mandiant investigators expect that FIN11 will continue to target organisations that hold sensitive data and are likely to pay a ransom to restore their operations after an attack.

Pierluigi Paganini

(Security Affairs – hacking, FIN11)