What is Fog?
In June, [Arctic Wolf Labs] reported the deployment of a new ransomware named Fog. According to their report, the ransomware was seen in several incident response cases affecting education and recreation centers in the United States. The investigation revealed that the attackers gained access to victims through compromised VPN credentials; using that access, the threat actors disabled Windows Defender and deployed the ransomware. The reported file is a 32-bit EXE with the SHA1 hash 83f00af43df650fda2c5b4a04a7b31790a8ad4cf. The analysis below was done by Dark Atlas Squad.
Technical investigation
The ransomware was compiled with Microsoft Visual C/C++ at the end of April 2024. The developer also left in a lot of debug messages, which are written to a file called “DbgLog.sys” in the same directory as the ransomware process. The malware starts by locating the base address of kernel32.dll in order to resolve two APIs:
- GetProcessHeap
- HeapAlloc
It traverses the PEB (Process Environment Block) and then walks through kernel32's memory to find the addresses of these APIs.
The malware then loads further APIs dynamically using GetProcAddress and LoadLibraryA. It also obtains a handle to ntdll.dll, which is used to resolve native APIs. The resolved APIs are:
- HeapReAlloc
- HeapFree
- NtQuerySystemInformation
- NtDuplicateObject
- NtQueryObject
The malware contains a lot of debugging messages, which are saved to the file called DbgLog.sys.
Malware Configuration
The ransomware configuration is stored encrypted, and the malware decrypts it upon execution. The configuration is in JSON format; after decryption the malware parses it to extract its values and stores them in allocated heap memory.
It will try to locate and save these values:
- PathStopList
- FileMaskStopList
- ShutdownProcesses
- ShutdownServices
- RSAPubKey
- LockedExt
- NoteFileName
File Encryption
Fog works as a multi-threaded application: it checks the number of processors and attaches a thread to each core, using GetSystemInfo and NtQuerySystemInformation to do so.
It creates a thread for each directory so that each one works independently from the other threads, and in every directory it drops the ransom note.
Crypto Initialization
Fog utilizes the Windows CryptoAPI to manage cryptographic contexts and import an RSA public key. It first attempts to acquire a cryptographic context using CryptAcquireContextA.
If this fails because the key container is missing (error 0x80090016), it creates a new key container. It then imports the RSA public key from a specified memory location using CryptImportKey. This step is what the rest of the encryption depends on, which highlights the importance of key handling both in malware and in secure application development.
Stopping services
Fog does what many ransomware families have done before: it stops specific services that act as obstacles to obtaining a read/write handle on some files. Based on that, Fog will try to stop the following services.
It first gets a handle to the service control manager by calling OpenSCManagerA, followed by a call to EnumServicesStatusA to obtain a list of active services.
Next it checks pending services and then starts comparing the active service names against the ones listed in the malware configuration. Each active service is compared against the configured list, and if a match is found it obtains a handle to that service by calling OpenServiceA.
Based on that, it calls the ControlService API to put the service into the stopping state by setting the second argument (dwControl) to `SERVICE_CONTROL_STOP`.
Process Termination
Fog will also try to terminate a list of processes if they are running on the infected system. It obtains a list of running processes using CreateToolhelp32Snapshot, then iterates through the list using Process32First and Process32Next.
For each process it reads the name stored in the szExeFile member of the PROCESSENTRY32 structure retrieved by the above calls and compares it with the list of blacklisted process names held in the malware configuration. If a match is found, it obtains a handle to the process using OpenProcess, followed by a call to TerminateProcess.
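The configuration keys listed above and the name comparison used for the service and process lists, as an added triage helper (not code from the sample or from Dark Atlas Squad). The key names come from the analysis; the field types and every sample value are constructed assumptions.

```python
import json

# Key names the analysis above reports Fog reading from its decrypted JSON
# configuration. Field types and the sample values below are assumptions
# made for illustration, not values recovered from the sample.
CONFIG_KEYS = ("PathStopList", "FileMaskStopList", "ShutdownProcesses",
               "ShutdownServices", "RSAPubKey", "LockedExt", "NoteFileName")
LIST_KEYS = CONFIG_KEYS[:4]

# Constructed example of a decrypted configuration (not from the sample).
SAMPLE_CONFIG = json.dumps({
    "PathStopList": ["C:\\Windows", "C:\\Program Files"],
    "FileMaskStopList": ["*.exe", "*.dll", "*.sys"],
    "ShutdownProcesses": ["sqlservr.exe", "Outlook.exe"],
    "ShutdownServices": ["MSSQLSERVER", "VSS"],
    "RSAPubKey": "PLACEHOLDER-BASE64-RSA-PUBLIC-KEY",
    "LockedExt": ".fog",
    "NoteFileName": "readme.txt",
})

def parse_config(raw: str) -> dict:
    """Parse a decrypted config and normalise it for matching.

    Fails loudly on a missing key so a triage script does not silently
    report an incomplete picture when the config layout changes.
    """
    data = json.loads(raw)
    missing = [k for k in CONFIG_KEYS if k not in data]
    if missing:
        raise ValueError(f"config is missing keys: {missing}")
    cfg = {}
    for key in CONFIG_KEYS:
        value = data[key]
        if key in LIST_KEYS:
            # Windows service and image names are case-insensitive.
            value = [value] if isinstance(value, str) else value
            cfg[key] = sorted({str(v).strip().lower() for v in value})
        else:
            cfg[key] = str(value)
    return cfg

def expected_stops(cfg: dict, running_services, running_processes) -> dict:
    """Mirror the name comparison described above: which of a host's
    services/processes appear in ShutdownServices/ShutdownProcesses."""
    svc = sorted(s for s in running_services
                 if s.lower() in cfg["ShutdownServices"])
    proc = sorted(p for p in running_processes
                  if p.lower() in cfg["ShutdownProcesses"])
    return {"services": svc, "processes": proc}
```

Feed `expected_stops` a host's real service and process inventory to see which entries the configured lists would have matched during an incident.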
Removing Backups
The malware checks whether it is running on a 32-bit or 64-bit system using the IsWow64Process API call.
“Sysnative” and “System32” are used to ensure the correct execution path for `vssadmin.exe` depending on whether the system is 32-bit or 64-bit: on 64-bit Windows a 32-bit process has its System32 accesses redirected by WOW64, and the Sysnative alias bypasses that redirection to reach the native 64-bit binary. This distinction is crucial for compatibility and proper command execution in different Windows environments.
It then calls `SHEmptyRecycleBinA(0, 0, 7u);` to delete all Recycle Bin contents (the flags value 7 suppresses the confirmation dialog, the progress UI and the sound).
At the end of that it writes a message to the log file.
We have tried to highlight the most important parts of this ransomware; stay tuned for the upcoming detailed articles.
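Detection logic for the backup-removal step described above, as an added example (not code from the original analysis): it folds the Sysnative alias into System32 so one rule covers both paths and flags vssadmin shadow deletion. The log records are constructed, the field names loosely follow Sysmon Event ID 1, and the `delete shadows` syntax is the standard vssadmin form assumed here, since the page does not quote Fog's exact arguments.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records in a simplified key=value form
# (field names loosely follow Sysmon Event ID 1; not real telemetry).
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\Sysnative\\vssadmin.exe ParentImage=C:\\Users\\bob\\locker.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    'Image=C:\\Windows\\System32\\vssadmin.exe ParentImage=C:\\Windows\\System32\\cmd.exe '
    'CommandLine="vssadmin.exe list shadows"',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Windows\\explorer.exe '
    'CommandLine="notepad.exe"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class Finding:
    image: str
    parent: str
    reason: str

def parse_event(line: str) -> dict:
    """Split one key=value record into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def normalise_system_path(path: str) -> str:
    """Sysnative is the WOW64 alias a 32-bit process uses to reach the real
    64-bit System32; fold it so a single rule covers both spellings."""
    return re.sub(r'\\sysnative\\', r'\\system32\\', path, flags=re.I)

def check_event(ev: dict):
    image = normalise_system_path(ev.get("Image", ""))
    if not image.lower().endswith("\\system32\\vssadmin.exe"):
        return None
    words = ev.get("CommandLine", "").lower().split()
    # Assumed standard vssadmin syntax for shadow-copy removal (T1490).
    if "delete" in words and "shadows" in words:
        reason = "vssadmin shadow deletion"
        if "sysnative" in ev["Image"].lower():
            reason += " via Sysnative (32-bit parent on 64-bit Windows)"
        return Finding(ev["Image"], ev.get("ParentImage", ""), reason)
    return None

def scan(lines) -> list:
    """Return a Finding for every record that matches the rule."""
    return [f for f in (check_event(parse_event(l)) for l in lines) if f]
```

The parent image in each finding is what an analyst pivots on next: a 32-bit, non-administrative parent reaching vssadmin through Sysnative is the pattern this section describes.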
| TACTIC | TECHNIQUE TITLE | MITRE ATT&CK ID | DESCRIPTION |
|---|---|---|---|
| Execution | Command and Scripting Interpreter | T1059 | Fog accepts command line arguments |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Fog executes commands during its execution to prevent backups |
| Discovery | File and Directory Discovery | T1083 | Fog enumerates all locations and directories for encryption |
| Discovery | Network Share Discovery | T1135 | Fog encrypts all files on remote servers, increasing its impact on the whole enterprise |
| Defense Evasion | Disable or Modify Tools | T1562.001 | The ransomware kills a list of processes that may reveal its presence or interrupt its ransom activity |
| Impact | Data Encrypted for Impact | T1486 | Fog encrypts files on the system and asks for a ransom |
| Impact | Inhibit System Recovery | T1490 | Deletes built-in recovery data and turns off services designed to aid in the recovery of a corrupted system, so that recovery is prevented |
| Impact | Service Stop | T1489 | Stops and deletes services on the system to render them unavailable to legitimate users and to complete its path |
INDICATORS OF COMPROMISE