Alex Morgan — Threat Intelligence Analyst
Key Takeaways
- The XYZ ransomware leverages spear-phishing emails for initial access.
- Post-exploitation involved sophisticated lateral movement using compromised credentials.
- The attack chain relies on encrypted C2 communication for data exfiltration.
Executive Summary
In our recent investigation of the XYZ ransomware, we traced its execution and persistence methods through multiple phases of the attack lifecycle. The sample we analyzed highlighted a sophisticated approach, exhibiting various tactics and techniques consistent with modern ransomware operations. This report details our findings, underscoring the techniques the threat actor deployed from initial access through to impact.
Initial Access
Our analysis revealed that the initial access vector for the XYZ ransomware was a targeted spear-phishing campaign. The actors sent emails containing malicious attachments, often disguised as legitimate documents. The attachment was a macro-enabled Excel file; when the macro ran, it downloaded a downloader payload. The path observed during our investigation was %TEMP%\xyz_downloader.exe, which was used to initiate the infection chain.
Execution & Persistence
Upon execution, the downloader dropped the main ransomware payload onto the system. This payload was specifically designed to maintain persistence through scheduled tasks. We found evidence of the creation of a task at C:\tasks\run_xyz_task that triggered the ransomware every time the system booted. This ensured that, even after a system cleanup or reboot, the ransomware would execute again.
Command and Control
During our investigation, we discovered that the XYZ ransomware communicated with its command and control servers using encrypted HTTPS requests. The C2 domains were frequently changing, utilizing Domain Generation Algorithms (DGA) to evade detection. We recorded several domain names such as xyz-c2.xyzdomain.com that were involved in this process. The threat actor employed external services to obfuscate their traffic, adding another layer of complexity for defenders.
Lateral Movement & Discovery
After establishing a foothold, the threat actor leveraged MFA fatigue and T1078 – Valid Accounts to carry out lateral movement within the network. We observed successful enumeration of other hosts using tools like PsExec. The actor accessed the Windows Management Instrumentation (WMI) to conduct discovery and assess other machines' readiness for encryption. We noted the command wmic /node:TARGET_HOST process call create "C:\Program Files\xyz_ransomware.exe" used for executing the payload across various endpoints.
Impact & Objectives
The primary objective of the XYZ ransomware was to encrypt sensitive files across network shares and endpoints, followed by exfiltration of critical data to bolster leverage against the victim organization. During the investigation, we noted files were encrypted with a strong algorithm, rendering them inaccessible without the decryption key. Moreover, ransom notes were generated on infected machines, demanding payment in cryptocurrency, effectively highlighting the dual-pronged threat of both data encryption and exfiltration.
MITRE ATT&CK Mapping
- T1566 – Phishing: Spear-phishing emails containing malicious attachments were used for initial access.
- T1055 – Process Injection: The ransomware injected itself into legitimate processes to bypass security software.
- T1071.001 – Application Layer Protocol: Web Protocols: Encrypted HTTPS was utilized to contact the C2 server for further commands.
- T1135 – Access Remote Services: Utilization of WMI for lateral movement within the network.
Detection Opportunities
- Monitor email gateways for attachments containing macros from untrusted sources.
- Implement behavior-based detection to identify unusual process creation patterns indicative of ransomware activity.
- Track and alert on scheduled tasks that are created without typical organizational naming conventions.
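The following is an added example, not part of the original report, showing how the scheduled-task and process-creation detections above can be expressed as simple rules and run over constructed sample events. The task naming convention (CORP- prefix), host names and event field layout are assumptions for illustration; the indicators (run_xyz_task, xyz_downloader.exe in %TEMP%, wmic /node ... process call create) come from the report.

```python
"""Rule-based checks for the XYZ ransomware indicators, applied to constructed events."""
import re
from dataclasses import dataclass

# Assumed organizational naming convention for scheduled tasks (example only).
TASK_NAME_CONVENTION = re.compile(r"^CORP-[A-Za-z0-9-]+$")
# Executable launched from a user temp directory (the report's %TEMP%\xyz_downloader.exe).
TEMP_EXE = re.compile(r"(?i)\\(?:Temp|AppData\\Local\\Temp)\\[^\\]+\.exe$")
# Remote process creation via WMI, the pattern noted in the report's lateral movement phase.
WMIC_REMOTE_EXEC = re.compile(r"(?i)\bwmic(?:\.exe)?\s+/node:\S+\s+process\s+call\s+create\b")


@dataclass
class Event:
    event_id: int   # 4698 = Security log scheduled task created; 1 = Sysmon process create
    host: str
    fields: dict


def check(event: Event) -> list:
    """Return a list of alert strings raised for a single event (empty if benign)."""
    alerts = []
    f = event.fields
    if event.event_id == 4698:
        name = f.get("TaskName", "")
        leaf = name.rsplit("\\", 1)[-1]  # strip the task folder path
        if not TASK_NAME_CONVENTION.match(leaf):
            alerts.append(f"nonstandard scheduled task '{name}' on {event.host}")
    elif event.event_id == 1:
        image = f.get("Image", "")
        cmd = f.get("CommandLine", "")
        if TEMP_EXE.search(image):
            alerts.append(f"executable launched from temp dir on {event.host}: {image}")
        if WMIC_REMOTE_EXEC.search(cmd):
            alerts.append(f"remote process creation via wmic on {event.host}: {cmd}")
    return alerts


# Constructed sample events; hosts and benign entries are made up for illustration.
SAMPLE_EVENTS = [
    Event(4698, "WS01", {"TaskName": "\\run_xyz_task"}),
    Event(4698, "WS01", {"TaskName": "\\CORP-DiskCleanup"}),
    Event(1, "WS01", {"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\xyz_downloader.exe",
                      "CommandLine": "xyz_downloader.exe"}),
    Event(1, "WS02", {"Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
                      "CommandLine": 'wmic /node:WS03 process call create "C:\\Program Files\\xyz_ransomware.exe"'}),
    Event(1, "WS02", {"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}),
]


def run(events=SAMPLE_EVENTS) -> list:
    """Apply check() to every event and collect the alerts."""
    return [alert for event in events for alert in check(event)]
```

Running `run()` on the sample set yields three alerts (the nonstandard task, the temp-directory executable and the wmic remote execution) and nothing for the two benign events.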
Analyst Notes
This investigation highlights the importance of implementing layered security measures within the organization. Employee training on recognizing phishing attempts, combined with robust endpoint detection and response capabilities, significantly enhances the ability to detect and mitigate threats like the XYZ ransomware. Continuous monitoring for suspicious network activity, especially concerning credential usage and lateral movement, is essential for quick response and containment.