
Fog Ransomware Attackers Use Unusual Mix of Legitimate Software and Open-Source Hacking Tools

The Fog ransomware group is leveraging a distinctive and rarely seen combination of tools, including legitimate employee monitoring software Syteca and open-source penetration testing utilities, to carry out targeted attacks.

This threat group first emerged in May last year, breaching networks by using compromised VPN credentials. Once inside, they executed “pass-the-hash” attacks to escalate privileges, disabled Windows Defender, and encrypted systems — including virtual machine files. Subsequently, they exploited known vulnerabilities in Veeam Backup & Replication (VBR) and SonicWall SSL VPN endpoints to expand their reach.

Discovery of a New Toolset

Researchers from Symantec and Carbon Black’s Threat Hunter team recently uncovered an unconventional collection of tools during an incident response investigation involving a financial institution in Asia. Although the exact method of initial access remains undetermined, the attackers used several utilities rarely observed in ransomware operations.

One notable inclusion is Syteca (formerly Ekran), a legitimate tool designed to monitor employee activity through screen recording and keystroke logging. Attackers could have used this to stealthily collect sensitive data such as login credentials.

Syteca was delivered covertly using Stowaway, an open-source proxy for stealth communication and file movement, and was executed through SMBExec, a lateral movement tool from the Impacket framework.

Another rare component used was GC2, an open-source backdoor that communicates via Google Sheets or Microsoft SharePoint, providing both command-and-control (C2) and data exfiltration capabilities. While GC2 has previously been linked to the Chinese state-sponsored APT41 group, it’s seldom found in ransomware operations.

In addition to these, Symantec identified several other tools in Fog’s arsenal:

  • Adapt2x C2 – an open-source alternative to Cobalt Strike
  • Process Watchdog – utility for maintaining system process stability
  • PsExec – Microsoft’s tool for executing processes remotely
  • Impacket SMB – Python library for direct SMB access, likely used to deploy ransomware

To facilitate data exfiltration, Fog attackers also employed 7-Zip, MegaSync, and FreeFileSync.

“The toolset deployed by the attackers is quite atypical for a ransomware attack,” comments Symantec in the report.

“The Syteca client and GC2 tool are not tools we have seen deployed in ransomware attacks before, while the Stowaway proxy tool and Adap2x C2 Agent Beacon are also unusual tools to see being used in a ransomware attack,” the researchers say.

The report underscores how the Fog ransomware group’s choice of obscure and legitimate software can help evade traditional detection mechanisms. Symantec’s analysis includes indicators of compromise (IOCs) to help organizations defend against such sophisticated threats.