Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The malware established persistence through two mechanisms: a scheduled task created with schtasks.exe and a value under the current user's Run key.
- Command and control (C2) traffic was carried over HTTPS with roughly 60-second beaconing and randomized URI paths, hiding its content from network inspection.
- After initial access, the attackers dumped credentials with Mimikatz and moved laterally over Windows admin shares and WinRM to reach additional systems.
Executive Summary
During our investigation of a recent ransomware event, we uncovered an attack chain that demonstrated a broad set of tactics, techniques, and procedures (TTPs). The threat actor, identified as a group known for targeting high-value corporate environments, gained initial access through phishing and then dumped credentials to move laterally. Our analysis showed that the malware used in this event not only encrypted files on compromised hosts but also supported lateral movement and data exfiltration.
Initial Access
The attack began with a well-crafted phishing email carrying a macro-enabled document disguised as an invoice. Social engineering in the email persuaded the victim to enable macros, which ran a PowerShell script that downloaded the initial payload. This dropper, identified as XYZLoader, established the foothold in the environment and deployed the additional malicious components.
Execution & Persistence
On execution, XYZLoader used the legitimate Windows command-line utility schtasks.exe to create a scheduled task for persistence. The task ran a secondary payload at a fixed interval; its definition was recovered from disk at C:\Windows\System32\Tasks\XYZTask, where the Task Scheduler stores task XML. As a second mechanism, the implant wrote a value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, so the payload is relaunched at every logon of the compromised user and survives reboots.
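The two persistence artifacts above can be triaged directly from the task definition and the Run-key value. The script below is an added example, not code from the original report or from the XYZLoader analysis; the task XML body, the Run-key value name, the file paths and the interval threshold are constructed for illustration.

```python
"""Persistence triage for a scheduled task and a Run-key value (added example).

Inputs are constructed: a task definition in the Task Scheduler XML schema, as
stored under C:\\Windows\\System32\\Tasks\\, and one line of `reg query` output
for the HKCU Run key. Task body, value name and paths are hypothetical.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task XML (hypothetical body modelled on the behaviour described).
TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
      <Arguments>-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: one value line as printed by `reg query HKCU\...\Run` (hypothetical).
RUN_VALUE_LINE = r'    XYZUpdate    REG_SZ    "C:\Users\alice\AppData\Roaming\XYZ\xyz.exe" --silent'

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_iso_duration(value):
    """Convert a Task Scheduler repetition interval such as PT5M to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value)
    if not m:
        raise ValueError(f"unsupported duration: {value}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def assess_command(command, arguments):
    """Findings common to a task action and a Run-key value: where the binary
    lives and, for PowerShell, whether it hides its window or its script."""
    findings = []
    low = command.lower()
    if not low.startswith(TRUSTED_DIRS) or any(p in low for p in USER_WRITABLE):
        findings.append("binary_in_user_writable_path")
    if "powershell" in low:
        args = arguments.lower()
        if re.search(r"-e(nc|ncodedcommand)?\b", args):   # -e / -enc / -EncodedCommand
            findings.append("encoded_powershell")
        if re.search(r"-w(indowstyle)?\s+hidden", args):
            findings.append("hidden_window")
    return findings


def triage_task(xml_text):
    """Parse a task definition; flag its action and a tight repetition interval."""
    root = ET.fromstring(xml_text)
    exec_node = root.find("t:Actions/t:Exec", TASK_NS)
    if exec_node is None:   # COM-handler or e-mail actions are not covered here
        return {"command": None, "arguments": None, "interval_seconds": None,
                "findings": ["non_exec_action"]}
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
    arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
    findings = assess_command(command, arguments)
    interval = root.findtext("t:Triggers//t:Repetition/t:Interval", namespaces=TASK_NS)
    seconds = parse_iso_duration(interval.strip()) if interval else None
    if seconds is not None and seconds <= 600:   # re-runs every 10 minutes or faster
        findings.append("short_repetition_interval")
    return {"command": command, "arguments": arguments,
            "interval_seconds": seconds, "findings": findings}


def triage_run_value(reg_line):
    """Parse one `reg query` value line and score the program it launches."""
    m = re.match(r"\s*(\S+)\s+(REG_\w+)\s+(.*)$", reg_line)
    if not m:
        raise ValueError("not a reg query value line")
    name, _type, data = m.groups()
    # Quoted executable with arguments, or a bare path.
    q = re.match(r'"([^"]+)"\s*(.*)', data) or re.match(r"(\S+)\s*(.*)", data)
    command, arguments = q.group(1), q.group(2)
    return {"name": name, "command": command, "arguments": arguments,
            "findings": assess_command(command, arguments)}


if __name__ == "__main__":
    print(triage_task(TASK_XML))
    print(triage_run_value(RUN_VALUE_LINE))
```

The same `assess_command` check serves both mechanisms, which matters in practice: a loader that loses one persistence path to cleanup keeps the other, so both the Tasks directory and the Run keys should be swept with the same criteria.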
Command and Control
Network traffic analysis showed the malware connecting to its command and control (C2) server over HTTPS, so request and response contents were hidden from inspection. Connection timing revealed beaconing at an interval of roughly 60 seconds, and each request used a different, randomized URI path to defeat simple URL-based signatures. DNS telemetry showed queries for several domains, among them examplemalware[.]com and ransomware-control[.]com, which the analysis indicated were generated dynamically at the actors' direction.
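A fixed-interval beacon with randomized paths is visible in connection metadata even when the payload is encrypted. The script below is an added example, not part of the original report: the proxy records are constructed, the destination IPs come from documentation ranges, the hostnames are hypothetical (one borrows the domain listed above), and the jitter threshold is an assumed starting point.

```python
"""Beacon detection over proxy/flow records (added example, not from the report).

Records are constructed: one destination is contacted every ~60 s on a fresh
URI each time, beside an ordinary update check with irregular timing.
"""
import csv
import io
import statistics
from collections import defaultdict

# Constructed inter-arrival gaps in seconds: a jittered 60 s beacon and
# human/background traffic for comparison.
BEACON_GAPS = [58, 61, 60, 62, 59, 60, 61, 58, 60, 62]
NOISE_GAPS = [5, 400, 12, 90, 1300, 7, 45]


def build_sample_log():
    """Emit CSV records: ts,src,dst,host,uri (IPs from documentation ranges)."""
    rows = ["ts,src,dst,host,uri"]
    t = 1_700_000_000
    for i, gap in enumerate([0] + BEACON_GAPS):
        t += gap
        # A new pseudo-random path per request mimics the randomized endpoints.
        rows.append(f"{t},10.0.0.21,203.0.113.10,examplemalware.com,/api/{i * 7919 % 100003:x}")
    t = 1_700_000_000
    for gap in [0] + NOISE_GAPS:
        t += gap
        rows.append(f"{t},10.0.0.21,198.51.100.5,update.example.net,/update/check")
    return "\n".join(rows)


def profile_connections(log_text, min_events=8, max_jitter=0.10):
    """Group by (src, dst, host), measure timing regularity and URI churn.

    jitter = pstdev(gaps) / mean(gaps); a scripted beacon sits far below the
    assumed max_jitter threshold even with a few seconds of randomisation."""
    by_pair = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        by_pair[(row["src"], row["dst"], row["host"])].append((int(row["ts"]), row["uri"]))
    profiles = []
    for (src, dst, host), events in by_pair.items():
        events.sort()
        if len(events) < 2:
            continue
        gaps = [later[0] - earlier[0] for earlier, later in zip(events, events[1:])]
        mean = statistics.fmean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        profiles.append({
            "src": src, "dst": dst, "host": host, "events": len(events),
            "median_interval": statistics.median(gaps),
            "jitter": round(jitter, 3),
            # Near 1.0 means every request used a new path: randomized endpoints.
            "distinct_path_ratio": round(len({uri for _, uri in events}) / len(events), 2),
            "beacon": len(events) >= min_events and jitter <= max_jitter,
        })
    return profiles


if __name__ == "__main__":
    for profile in profile_connections(build_sample_log()):
        print(profile)
```

The grouping key includes the TLS server name (or proxy host header) rather than the IP alone, because content-delivery and hosting IPs are shared; in production the jitter threshold and minimum event count should be tuned against a baseline of the estate's own periodic traffic (update checks, telemetry agents) to keep the false-positive rate down.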
Lateral Movement & Discovery
With the foothold established, the threat actors moved laterally by enumerating Windows admin shares and using Windows Remote Management (WinRM) to reach additional systems. They deployed credential dumping tools, notably Mimikatz, to harvest credentials from memory and then pivoted across the network with them. Our logs recorded access to critical resources, including file shares and sensitive databases, showing the attackers' intent to maximize their reach within the organization.
Impact & Objectives
The primary objective of this operation was to encrypt the data on compromised machines and extort the victim for ransom. The ransomware, identified as LockBit 3.0, had a well-defined encryption routine that targeted various file types typically associated with corporate environments. Encrypted files were renamed with a specific extension, and ransom notes were dropped in each directory, demanding payment in cryptocurrency to facilitate decryption. The scale of the encryption, impacting over 1,000 endpoints and a large number of critical databases, was a significant factor in the operational downtime experienced by the organization.
MITRE ATT&CK Mapping
- T1566.001 – Phishing: Spearphishing Attachment (successor to the retired T1193): the initial access vector was a crafted email containing a malicious attachment.
- T1204.002 – User Execution: Malicious File: the victim enabled macros in the invoice document.
- T1059.001 – Command and Scripting Interpreter: PowerShell: used to download and execute the initial payload.
- T1053.005 – Scheduled Task/Job: Scheduled Task: created with schtasks.exe to run the secondary payload on an interval.
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: a value under the HKCU Run key as the second persistence mechanism.
- T1071.001 – Application Layer Protocol: Web Protocols: C2 over HTTPS with periodic beaconing.
- T1003.001 – OS Credential Dumping: LSASS Memory: Mimikatz used to harvest credentials from memory.
- T1135 – Network Share Discovery: enumeration of Windows admin shares.
- T1021.002 – Remote Services: SMB/Windows Admin Shares: access to additional systems over admin shares.
- T1021.006 – Remote Services: Windows Remote Management: WinRM used with harvested credentials for lateral movement (not T1210, which covers exploiting a vulnerability in a remote service).
- T1486 – Data Encrypted for Impact: LockBit 3.0 encryption of endpoints and databases, with ransom notes demanding cryptocurrency.
Detection Opportunities
- Monitor scheduled task creation (Security event 4698 and schtasks.exe process creation) and flag tasks whose action runs from a user-writable path or launches PowerShell with hidden or encoded arguments.
- Monitor writes to the HKCU and HKLM Run keys that point at recently written executables.
- Analyze network traffic for repeated DNS queries to the listed domains and for outbound TLS connections with a regular beaconing interval and constantly changing URI paths.
- Deploy endpoint detection for credential dumping, such as unexpected processes opening LSASS memory and command lines that invoke Mimikatz modules.
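As an added example, not taken from the original report, the following applies the DNS and credential-dumping items of this list to constructed Sysmon-style events. The host name, file paths, tool name, access masks and the LSASS allowlist are hypothetical; the domain indicators are the two the report lists, in their defanged form.

```python
"""Detections for DNS queries to the reported domains and for LSASS credential
dumping (added example, not from the report).

Events are constructed JSON lines using Sysmon field names (EventID 22 DNS
query, EventID 10 process access, EventID 1 process create); the host, paths
and tool name are hypothetical.
"""
import json
import re

# IOCs exactly as the report prints them, defanged.
DEFANGED_DOMAINS = ["examplemalware[.]com", "ransomware-control[.]com"]

PROCESS_VM_READ = 0x0010   # the right needed to read LSASS memory
# Illustrative allowlist of processes expected to open LSASS; tune per estate.
LSASS_READERS_ALLOWED = {
    "c:\\program files\\windows defender\\msmpeng.exe",
}
MIMIKATZ_MODULES = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)

# Constructed sample events (one benign DNS query and one allowlisted LSASS
# access are included so the rules have something to ignore).
SAMPLE_EVENTS = r"""
{"EventID": 22, "Computer": "WS-0142", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "cdn.examplemalware.com"}
{"EventID": 22, "Computer": "WS-0142", "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.example.org"}
{"EventID": 10, "Computer": "WS-0142", "SourceImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\mk.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "Computer": "WS-0142", "SourceImage": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1410"}
{"EventID": 1, "Computer": "WS-0142", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\mk.exe", "CommandLine": "mk.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"}
"""


def refang(indicator):
    """Turn a defanged indicator back into a matchable domain."""
    return indicator.lower().replace("[.]", ".").replace("hxxp", "http").strip(".")


def matches_domain(qname, domains):
    """Exact or subdomain match against the IOC set (trailing dot tolerated)."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alerts tagged with the ATT&CK technique each rule evidences."""
    domains = [refang(d) for d in DEFANGED_DOMAINS]
    alerts = []
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 22 and matches_domain(ev["QueryName"], domains):
            alerts.append({"host": host, "technique": "T1071.001",
                           "rule": "dns_query_to_reported_c2_domain",
                           "detail": f'{ev["Image"]} -> {ev["QueryName"]}'})
        elif eid == 10 and ev["TargetImage"].lower().endswith("\\lsass.exe"):
            source = ev["SourceImage"].lower()
            granted = int(ev["GrantedAccess"], 16)
            if granted & PROCESS_VM_READ and source not in LSASS_READERS_ALLOWED:
                alerts.append({"host": host, "technique": "T1003.001",
                               "rule": "lsass_memory_read_by_unexpected_process",
                               "detail": f'{ev["SourceImage"]} access={ev["GrantedAccess"]}'})
        elif eid == 1 and MIMIKATZ_MODULES.search(ev.get("CommandLine", "")):
            alerts.append({"host": host, "technique": "T1003.001",
                           "rule": "mimikatz_module_in_command_line",
                           "detail": ev["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The LSASS rule keys on the access mask rather than on a tool name, because renamed or re-compiled Mimikatz builds keep the command-line rule from firing while the memory read still has to happen; the command-line rule is kept as a cheap second signal for unmodified copies.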
Analyst Notes
This breach highlights the need for organizations to strengthen their phishing defenses and to train users to recognize suspicious emails. A robust monitoring strategy across network traffic and endpoint behavior is equally critical to detect and contain similar attacks. Continuous adaptation of defenses, including regular updates to detection signatures and to the machine learning models used for anomaly detection, will aid early identification of threats.
Source: Original Report