{"id":3544,"date":"2025-06-13T12:35:09","date_gmt":"2025-06-13T12:35:09","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3544"},"modified":"2025-06-13T12:35:09","modified_gmt":"2025-06-13T12:35:09","slug":"fog-ransomware-gang-abuses-employee-monitoring-tool-in-unusual-multi-stage-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3544","title":{"rendered":"Fog ransomware gang abuses employee monitoring tool in unusual multi-stage attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Fog ransomware hackers, known for <a href=\"https:\/\/www.csoonline.com\/article\/2138646\/arctic-wolf-sniffs-out-new-ransomware-variant.html\">targeting US educational institutions<\/a>, are now using legitimate employee monitoring software Syteca, and several open-source pen-testing tools alongside usual encryption.<\/p>\n<p>While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted hackers using Syteca (formerly Ekran) and several pen-testers, including GC2, Adaptix, and Stowaway, a behavior they found \u201chighly unusual\u201d in a ransomware attack chain.<\/p>\n<p>Reflecting on the shift in Fog\u2019s tactics, Bugcrowd\u2019s CISO, Trey Ford, said, \u201cWe should expect the use of ordinary and legitimate corporate software as the norm\u2014we refer to this as \u201cliving off the land\u201d. 
Why would an attacker introduce new software, create more noise in logs, and increase the likelihood of detection when \u2018allowable\u2019 software gets the job done for them?\u201d<\/p>\n<p>While Symantec couldn\u2019t identify the initial infection vector used in the attack, Fog ransomware actors have used critical vulnerabilities in the past, like the CVSS 9.8-rated <a href=\"https:\/\/www.csoonline.com\/article\/3850731\/critical-remote-code-execution-flaw-patched-in-veeam-backup-servers.html?utm=hybrid_search\">Veeam Backup and Replication flaw<\/a>, allowing remote code execution, to gain unauthorized access.<\/p>\n<p>Additionally, hackers\u2019 unusual effort to maintain persistence long after encryption suggested a deeper, possibly ulterior, motive.<\/p>\n<h2 class=\"wp-block-heading\">Syteca was likely used as a stealer<\/h2>\n<p>Researchers found attackers using Stowaway, an open-source proxy tool designed for secure communication between internal and external networks, to deliver the Syteca executable.<\/p>\n<p>It is not known how the attackers used the Syteca tool, which was distributed during the intrusion as files under names like \u201csytecaclient.exe\u201d and \u201cudpate.exe.\u201d Still, the adversarial potential of an employee monitoring tool with screen recording and keystroke logging capabilities isn\u2019t too hard to guess.<\/p>\n<p>Several libraries are loaded by this executable, suggesting it was possibly used for information stealing or spying, researchers <a href=\"https:\/\/www.security.com\/threat-intelligence\/fog-ransomware-attack\">added<\/a>.<\/p>\n<p>\u201cThe real danger in this case isn\u2019t the ransom note \u2014 it\u2019s how Fog turns a simple screen-recorder into a hidden camera,\u201d said Akhil Mittal, senior manager at Black Duck. 
\u201cSoftware is an essential driver of growth and innovation for every company; however, business apps we install on autopilot can suddenly become spy tools, which means trust is the weak spot.\u201d<\/p>\n<p>Security teams should keep a live map of where every monitoring app is allowed to run and flag it the moment one pops up somewhere odd, Mittal added.<\/p>\n<h2 class=\"wp-block-heading\">Open-source pen testers for executing commands<\/h2>\n<p>Another peculiarity observed in the attack was the use of open-source <a href=\"https:\/\/www.csoonline.com\/article\/551957\/11-penetration-testing-tools-the-pros-use.html\">penetration testing tools<\/a>, like GC2 and Adaptix C2, rarely seen with ransomware attacks.<\/p>\n<p>Google Command and Control (GC2) is an open-source post-exploitation tool that allows attackers to control compromised systems using legitimate cloud services like Google Sheets and Google Drive as their command-and-control (C2) infrastructure.<\/p>\n<p>The GC2 implant alone, potentially, allowed attackers to run discovery commands, transfer files, and load shellcode, hinting at deeper intelligence-gathering objectives.<\/p>\n<p>\u201cThe use of expected productivity platforms (e.g., Google Sheets or Microsoft SharePoint) for command and control (C2) would have blended in a bit more with normalized corporate traffic, increasing the time to detect, and slowed investigations a bit,\u201d Ford added.<\/p>\n<p>GC2 has been used previously in attacks attributed to the <a href=\"https:\/\/www.csoonline.com\/article\/2079883\/chinese-apt-group-deploys-defense-evading-tactics-with-new-unapimon-backdoor.html?utm=hybrid_search\">APT41<\/a> Chinese threat group. 
Adaptix C2, a post-exploitation pen-tester similar to the <a href=\"https:\/\/www.csoonline.com\/article\/574143\/here-is-why-you-should-have-cobalt-strike-detection-in-place.html\">Cobalt Strike beacon<\/a>, was also seen in the Fog attack.<\/p>\n<h2 class=\"wp-block-heading\">Persistence after encryption raises red flags<\/h2>\n<p>Unlike typical ransomware actors that exit post-encryption, the Fog group was seen establishing persistence even days after deploying the ransomware\u2014a move more common in espionage operations.<\/p>\n<p>Using a service dubbed \u201cSecurityHealthIron,\u201d likely tied to launching command-and-control utilities, the attackers ensured ongoing access.<\/p>\n<p>\u201cThe attackers establishing persistence on a victim network having deployed the ransomware is also not something we would typically see in a ransomware attack,\u201d researchers said. \u201cThese factors mean it could be possible that this company may in fact have been targeted for espionage purposes.\u201d<\/p>\n<p>Coupled with lateral movement via PsExec and SMBExec, use of file transfer tools like MegaSync and 7-Zip for exfiltration, and stealthy cleanup of Syteca artifacts, the operation looked more like a planned, multi-stage intrusion than a quick ransomware grab.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Fog ransomware hackers, known for targeting US educational institutions, are now using legitimate employee monitoring software Syteca, and several open-source pen-testing tools alongside usual encryption. 
While investigating a May 2025 attack on an unnamed financial institution in Asia, Symantec researchers spotted hackers using Syteca (formerly Ekran) and several pen-testers, including GC2, Adaptix, and Stowaway, a [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3545,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3544","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3544"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3544"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3544\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3545"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3544"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3544"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3544"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}