FIN11 Spun Out From TA505 Umbrella as Distinct Attack Group

FIN11 is a new designation for a financially motivated threat actor that may previously have been obscured within the activity set and group usually referred to as TA505. Although there are similarities and overlaps in the TTPs of both groups, researchers have discovered enough differences to separate the groups.


TA505 is largely defined by its large-scale phishing campaigns. It has distributed Dridex and dropped multiple types of ransomware, including GlobeImposter and Philadelphia. The group now defined by Mandiant (FireEye) Threat Intelligence researchers as FIN11 similarly uses large-scale phishing campaigns, but is primarily defined by its unique use of the CLOP ransomware. The researchers also believe that the code families known as FlawedAmmyy, FRIENDSPEAK and MIXLABEL are unique to FIN11.


It is possible that some earlier attacks attributed to TA505 were actually undertaken by FIN11 -- especially those that used any of the malware now uniquely attributed to FIN11, such as FlawedAmmyy and the CLOP ransomware. One candidate for the latter is the CLOP ransomware attack in December 2019 against the University of Maastricht (Netherlands), although Kimberly Goody, FireEye's manager of cyber crime analysis, said that she could not confirm this without first seeing the attack forensics.


"I would think of TA505 as a really big umbrella, while FIN11 is a portion of that activity," she said. "So, the TA505 attribution isn't necessarily incorrect, it's just another name that other companies use for this activity. We would caution against just saying we attribute that attack to FIN11 because we don't have the technical artifacts. We need to see the full life cycle of the tactics and malware that attackers use within an environment ..."