FIN11, a financially-motivated hacker group, has been launching successful hybrid extortion attacks across the Commonwealth of Independent States (CIS) countries. It is believed that the FIN11 operators have changed their TTPs to include a diverse set of sectors and geographic regions.
Hybrid extortion attacks
Recently, the group has switched from large-scale phishing campaigns to ransomware attacks.
- FIN 11 has shifted its primary monetization method to ransomware deployment, along with data theft, to pressurize their victims into accepting the extortion demands.
- The report has connected the FIN11 group with several dropper families such as SPOONBEARD, FORKBEARD, and MINEDOOR to drop a variety of associated payloads ( AndroMut, AZORult, CLOP, FlawedAmmyy, FRIENDSPEAK, Meterpreter, MIXLABEL) to target its victims.
FIN11 & TA505 Collaboration
The researchers given a variation between FIN11 and TA505 despite the significant overlap in tactics, techniques, and malware used by both hacker groups. It indicates that some earlier attacks attributed to TA505 were actually undertaken by FIN11. It is suspected that FIN11 is a smaller portion of the bigger TA505 umbrella family.
Attack strategy
The FIN11 group had lured its targets into downloading a malicious Microsoft Office attachment to start an infection chain. The chain creates multiple backdoors into compromised systems, with the capability to grab admin credentials and move laterally across networks.
Recent FIN11 lightson
The group has incorporated additional delivery techniques that are switched over almost on a monthly basis, while also continuing to use techniques from prior campaigns.
- FIN11 had implemented new evasion techniques to selectively choose which victims (mostly Germany-based) were redirected to domains that delivered malicious Office files.
- The threat actor continued to modify its delivery tactics during Q3 2020; the changes were relatively minor as the victims had to complete a CAPTCHA challenge before being served an Excel spreadsheet with malicious macro code.
Concluding notes
The tactics adopted by FIN11, including data-theft and extortion, aimed at increasing the pressure on victims suggest that its motivations are emblematic and exclusively financial. FIN11 is expected to continue launching hybrid extortion attacks for more effectiveness and financial
