Sarah Chen — Malware Reverse Engineer
Key Takeaways
- Ransomware was delivered via a phishing email with a malicious attachment.
- Command and control relied on T1071.001 – Application Layer Protocol (HTTP) for C2 communications.
- Indicators of Compromise (IOCs) include unique file hashes and specific registry modifications.
Executive Summary
During our analysis of the recent ransomware incident affecting multiple organizations, we uncovered a sophisticated attack chain leveraged by the threat actor. The investigation revealed an intricate use of social engineering for initial access, followed by effective lateral movement tactics, allowing the actor to achieve their objectives of encryption and ransom demands. This post details the methodology employed by the actor, the mechanisms exploited throughout the attack, and the specific indicators that network defenders should actively monitor.
Initial Access
Initial access was established through a carefully crafted phishing email that contained a seemingly innocuous attachment. The attachment, when opened, executed a macro that initiated the download of the ransomware component. Our investigation uncovered that the file used the name Invoice_Details.docm, which is a typical masquerade tactic aimed at enticing users into enabling macros. The macro itself employed VBA scripts to download the payload from a remote server, serving as the first stage in the execution workflow.
Execution & Persistence
Upon successful execution, the ransomware performed a series of system modifications to establish persistence. We observed it creating a scheduled task via T1053.005 – Scheduled Task/Job: Scheduled Task, which re-triggered the ransomware at system startup. The task was located at C:\Windows\System32\Tasks\RansomwareTask. Additionally, we noted that the ransomware modified registry keys, specifically HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, to ensure it executed at user login. This dual persistence mechanism allowed the malware to remain active across reboots.
Command and Control
The malware communicated with its command and control (C2) server over HTTP, which falls under T1071.001 – Application Layer Protocol. Our analysis detected outbound connections to domains that exhibited domain generation algorithm (DGA) behavior, indicating an attempt to evade detection and keep the infrastructure flexible. The C2 interactions were designed to retrieve encryption keys and configuration details while periodically beaconing system information back to the actor. We identified the domains as malicious-domain-example.com and suspended-evil.site.net, both linked to prior malicious campaigns.
Lateral Movement & Discovery
After initial access, the actor sought to escalate privileges and move laterally within the network. Using the T1075 – Pass the Hash technique, the attacker exploited cached credentials to access additional systems without the need for further user interaction. We observed attempts to enumerate user accounts and group memberships using net user and net group, which provided insight into higher-privilege accounts. Further enumeration of network shares using net view allowed them to find resources and shared drives, ultimately expanding their footprint across the environment.
Impact & Objectives
Ultimately, the actor's goal was to encrypt files across the network; once deployment of the ransomware was complete, it used T1486 – Data Encrypted for Impact to carry out the encryption. We noted that specific file types, such as .docx, .xlsx, and .pdf, were particularly targeted, reflecting the actor's strategy of impacting critical operational data. A ransom note was subsequently delivered, instructing victims to contact an anonymized email address to receive further instructions for decryption. The impact was significant, resulting in prolonged downtime and substantial recovery costs for affected organizations.
MITRE ATT&CK Mapping
- T1566 – Phishing: Phishing techniques to deliver the initial payload.
- T1053.005 – Scheduled Task/Job: Scheduled Task: Established persistence and re-executed on startup.
- T1071.001 – Application Layer Protocol: Utilized HTTP for command and control communications.
- T1075 – Pass the Hash: Facilitated lateral movement using cached domain credentials.
- T1486 – Data Encrypted for Impact: Implemented encryption on critical file types.
Detection Opportunities
- Monitor for unusual outbound HTTP/HTTPS connections, particularly to known malicious domains.
- Develop rules to detect creation of scheduled tasks with unusual names or arguments.
- Implement alerts for modifications to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, which may indicate unauthorized persistence mechanisms.
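One way to turn the three detection opportunities above into code, as an added example that is not part of the original report: a small Python triage pass over constructed Sysmon-style events (Event ID 1 process creation, 13 registry value set, 22 DNS query). The event lines, task name, paths and domains are made up for the example; the DGA check is a simple length-plus-entropy heuristic, not the detection logic the report's authors used.

```python
import math
import re

# Constructed Sysmon-style events (key=value, not from the report) covering the
# three detection opportunities: task creation, Run-key writes, DGA-like DNS.
SAMPLE_EVENTS = [
    'EventID=1 Image=C:\\Windows\\System32\\schtasks.exe '
    'CommandLine="schtasks /create /tn RansomwareTask /tr C:\\Users\\Public\\inv.exe /sc onstart"',
    'EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater',
    'EventID=22 QueryName=x7kq2pzl9vmw3rt.net Image=C:\\Users\\Public\\inv.exe',
    'EventID=22 QueryName=www.microsoft.com Image=C:\\Windows\\explorer.exe',
    'EventID=1 Image=C:\\Windows\\explorer.exe CommandLine=explorer.exe',
]
RUN_KEY = r"\software\microsoft\windows\currentversion\run"  # matched case-insensitively
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: q or v for k, q, v in FIELD_RE.findall(line)}

def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def is_dga_like(domain, min_len=12, min_entropy=3.5):
    """Crude DGA heuristic: long, high-entropy registrable label."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy

def triage(lines):
    """Apply the three rules; return one alert dict per hit, in input order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        eid, cmd = ev.get("EventID"), ev.get("CommandLine", "")
        if eid == "1" and "schtasks" in cmd.lower() and "/create" in cmd.lower():
            m = re.search(r"/tn\s+(\S+)", cmd, re.I)
            alerts.append({"rule": "scheduled_task_created", "detail": m.group(1) if m else cmd})
        elif eid == "13" and RUN_KEY in ev.get("TargetObject", "").lower():
            alerts.append({"rule": "run_key_modified", "detail": ev["TargetObject"]})
        elif eid == "22" and is_dga_like(ev.get("QueryName", "")):
            alerts.append({"rule": "dga_like_dns", "detail": ev["QueryName"]})
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"{a['rule']:24} {a['detail']}")
```

In production the entropy threshold and label length need tuning against the organization's own DNS baseline, and the task rule should also cover direct writes under C:\Windows\System32\Tasks rather than only schtasks.exe invocations.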
Analyst Notes
This incident underscores the importance of robust user training around phishing threats and the necessity of employing advanced detection mechanisms to spot lateral movement. Continued monitoring and analysis of C2 communications will provide insight into evolving tactics employed by these threat actors. Collaboration across teams is crucial in fortifying defenses and responding swiftly to incidents of this nature.