In a recent report, FireEye's Mandiant publicly announced the identification of a new financially motivated threat group dubbed FIN11. The most notable characteristic of FIN11 is its overlap with activity that other security researchers attribute to the well-known TA505 threat group. Both groups have deployed Cl0p ransomware in the past, as well as the FlawedAmmyy downloader. The group that FireEye tracks as FIN11 also uses the Get2 downloader, which FireEye calls FRIENDSPEAK, to deliver the SDBBot backdoor, which FireEye calls MIXLABEL. The TTPs of the two clusters are similar enough that Mandiant noted the potential for misattribution. Once FIN11 chooses a target it takes a long-term approach: even after losing access to a victim, it attempts to regain a foothold with repeated phishing campaigns months after the initial compromise.
As with the announcement of any new threat actor, understanding how the actor moves from initial compromise to persistence is crucial. Methodologies change far less often than the tools used to carry them out. Once those methodologies are understood, internal controls and policies that provide defense in depth enable organizations to detect this kind of activity and protect their data, people and reputation.