Nina Kovacs — Exploit Research Analyst
Key Takeaways
- The threat actor leveraged phishing emails to gain initial access.
- Persistence was achieved through the use of scheduled tasks and registry modifications.
- Lateral movement techniques included the exploitation of Windows Admin Shares and credential dumping.
Executive Summary
This report delves into a recent ransomware attack that employed sophisticated tactics to compromise enterprise networks. Our analysis revealed a systematic method deployed by the threat actor, beginning with initial infiltration via phishing emails and culminating in data exfiltration and encryption. The implants used throughout the attack exhibited clear indicators of persistence and stealth, demonstrating a high level of planning and execution.
Initial Access
Our investigation into the attack revealed that initial access was attained through a carefully crafted phishing email containing a malicious attachment. The email appeared to be from a trusted vendor but included an embedded link that triggered the download of an executable file. This executable, disguised as a standard document, was actually the dropper for the ransomware payload. Once executed, the dropper extracted the main implant, which initiated the infection chain.
Execution & Persistence
Upon execution, the implant created a series of scheduled tasks to ensure it would persist across reboots. Specifically, we noted the creation of tasks in the Windows Task Scheduler under the path C:\Windows\System32\Tasks\RansomwarePersistence. Additionally, it modified the registry to include a key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, allowing it to launch on user logon. This enabled the threat actor to maintain a foothold within the compromised environment.
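The two persistence artifacts described above (a scheduled task and a Run-key entry) are both visible in standard Windows telemetry, so they can be hunted for directly. The following Python script is an added example, not part of the original report or its tooling: it scans a handful of constructed Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created) records in a simplified JSON-lines shape, flags any Run-key value that is written, and flags any scheduled task that is not a built-in Microsoft task or whose command lives in a user-writable directory. The event fields, SIDs, task names and file paths are all made up for the example; only the Run-key and task-folder locations come from the report.

```python
import json
import re

# Constructed sample telemetry (simplified JSON lines, not events from the incident).
# Sysmon event_id 13 = registry value set; Security event_id 4698 = scheduled task created.
SAMPLE_EVENTS = r"""
{"source": "Sysmon", "event_id": 13, "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe", "target": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater", "details": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"}
{"source": "Security", "event_id": 4698, "subject": "CORP\\jdoe", "task_name": "\\RansomwarePersistence", "command": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe"}
{"source": "Security", "event_id": 4698, "subject": "NT AUTHORITY\\SYSTEM", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "command": "%windir%\\system32\\defrag.exe"}
{"source": "Sysmon", "event_id": 13, "image": "C:\\Program Files\\Vendor\\setup.exe", "target": "HKLM\\SOFTWARE\\Vendor\\Version", "details": "2.1"}
"""

# Run / RunOnce keys under either HKCU (HKU\<SID>) or HKLM; the report observed the HKCU variant.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Directories a normal user can write to; a persistence command pointing here is a strong signal.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


def is_user_writable(path):
    """True when the command path sits in a directory an unprivileged user can write to."""
    return bool(USER_WRITABLE_RE.search(path))


def scan_persistence(jsonl_text):
    """Return findings for Run-key writes and suspicious scheduled-task creations."""
    findings = []
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["source"] == "Sysmon" and ev["event_id"] == 13 and RUN_KEY_RE.search(ev["target"]):
            # Any Run-key write is worth a look; a user-writable payload path raises severity.
            findings.append({
                "kind": "run_key",
                "technique": "T1547.001",  # ATT&CK: Registry Run Keys / Startup Folder
                "key": ev["target"],
                "command": ev["details"],
                "writer": ev["image"],
                "severity": "high" if is_user_writable(ev["details"]) else "medium",
            })
        elif ev["source"] == "Security" and ev["event_id"] == 4698:
            # Task definitions land under C:\Windows\System32\Tasks\<task name>; built-in tasks
            # live in the \Microsoft\ folder, so anything outside it (or running from a
            # user-writable path) is treated as suspicious.
            builtin = ev["task_name"].startswith("\\Microsoft\\")
            if not builtin or is_user_writable(ev["command"]):
                findings.append({
                    "kind": "scheduled_task",
                    "technique": "T1053.005",  # ATT&CK: Scheduled Task
                    "name": ev["task_name"],
                    "command": ev["command"],
                    "created_by": ev["subject"],
                    "severity": "high" if is_user_writable(ev["command"]) else "medium",
                })
    return findings


if __name__ == "__main__":
    for f in scan_persistence(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["kind"], f.get("name") or f.get("key"), "->", f["command"])
```

On real data the same two rules apply unchanged; the only work is mapping your EDR or SIEM field names onto the `target`, `details`, `task_name` and `command` keys used here.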
Command and Control
The malware communicated with its command-and-control (C2) server using a custom protocol over HTTPS, utilizing domains that were frequently updated to evade detection. During our analysis, we observed that the C2 server’s IP address was registered with a dynamic DNS provider, indicating a likely effort by the actor to obscure their infrastructure. The implant beaconed back at regular intervals, sending system information and awaiting further instructions, indicative of the Command and Control technique T1071.001 – Application Layer Protocol: Web Protocols.
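Because the C2 domains rotated, a domain or IP blocklist would have lagged behind the actor; the behaviour that does not change is the beacon cadence itself. The script below is an added example, not from the original report: it reads constructed proxy log lines ("timestamp client destination port bytes"), groups requests per client/destination pair, and flags pairs whose inter-request intervals are nearly constant (low coefficient of variation) over a minimum number of requests. The hosts, addresses, timings and the 0.2 threshold are assumptions for illustration; none of them are indicators from the incident.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<UTC timestamp> <client ip> <destination host> <port> <bytes>".
# The made-up dyn.example.net host beacons roughly every 60 s; the intranet traffic is bursty.
SAMPLE_PROXY_LOG = """\
2024-03-04T09:00:00Z 10.0.5.23 update-sync.dyn.example.net 443 512
2024-03-04T09:00:30Z 10.0.5.23 intranet.corp.example 443 20480
2024-03-04T09:00:35Z 10.0.5.23 intranet.corp.example 443 1024
2024-03-04T09:01:01Z 10.0.5.23 update-sync.dyn.example.net 443 498
2024-03-04T09:01:59Z 10.0.5.23 update-sync.dyn.example.net 443 505
2024-03-04T09:03:00Z 10.0.5.23 update-sync.dyn.example.net 443 511
2024-03-04T09:04:02Z 10.0.5.23 update-sync.dyn.example.net 443 503
2024-03-04T09:04:58Z 10.0.5.23 update-sync.dyn.example.net 443 509
2024-03-04T09:05:10Z 10.0.5.23 intranet.corp.example 443 88000
2024-03-04T09:05:11Z 10.0.5.23 intranet.corp.example 443 3000
2024-03-04T09:06:00Z 10.0.5.23 update-sync.dyn.example.net 443 500
2024-03-04T09:07:01Z 10.0.5.23 update-sync.dyn.example.net 443 507
2024-03-04T09:12:40Z 10.0.5.23 intranet.corp.example 443 640
2024-03-04T09:15:00Z 10.0.5.40 cdn.example.net 443 150000
2024-03-04T09:20:00Z 10.0.5.23 intranet.corp.example 443 710
2024-03-04T09:20:03Z 10.0.5.23 intranet.corp.example 443 5400
"""


def parse_proxy_log(text):
    """Parse the five-column constructed format into (datetime, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, size = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(size)))
    return rows


def find_beacons(text, min_requests=6, max_cv=0.2):
    """Flag client/destination pairs whose request timing is suspiciously regular.

    cv = population stddev of inter-request gaps / mean gap. Human-driven and bulk traffic
    has cv well above 1; a sleep-loop beacon with modest jitter sits near 0.
    """
    sessions = defaultdict(list)
    for ts, src, dst, _port, size in parse_proxy_log(text):
        sessions[(src, dst)].append((ts, size))

    hits = []
    for (src, dst), reqs in sessions.items():
        if len(reqs) < min_requests:          # too few points to judge periodicity
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            sizes = [s for _, s in reqs]
            hits.append({
                "src": src, "dst": dst, "requests": len(reqs),
                "mean_interval_s": round(avg, 1), "interval_cv": round(cv, 3),
                "mean_bytes": round(mean(sizes)),   # small, uniform sizes strengthen the case
            })
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for h in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{h['src']} -> {h['dst']}: {h['requests']} requests every ~{h['mean_interval_s']}s "
              f"(cv={h['interval_cv']}, ~{h['mean_bytes']} bytes each)")
```

Tune `min_requests` and `max_cv` against your own baseline: legitimate software updaters also poll on timers, so the result is a hunting lead to pair with destination reputation (such as the dynamic DNS registration noted above), not a verdict on its own.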
Lateral Movement & Discovery
After establishing a connection with the C2 server, lateral movement began. The actor leveraged stolen credentials to access other machines on the network, exploiting Windows Admin Shares via the Credential Dumping technique T1003. We identified multiple Windows systems that exhibited unusual authentication attempts using the compromised credentials. Furthermore, the threat actor utilized PowerShell scripts to enumerate Active Directory accounts and assess system configurations, facilitating their internal reconnaissance.
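The "unusual authentication attempts" mentioned above have a simple shape in logon telemetry: one account, one source address, network logons to many distinct hosts in a short window, which is exactly what admin-share access with a freshly stolen credential looks like. The following Python is an added example, not from the original report: it runs a sliding-window count of distinct destination hosts per account over constructed records modelled loosely on Windows Security Event ID 4624 (logon type 3 = network logon). The account names, hosts, addresses, times, the 10-minute window and the five-host threshold are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records: (UTC time, account, source ip, destination host, logon type).
# Logon type 3 is a network logon, the type produced when a remote host opens an admin share.
# jdoe fans out to six hosts in under four minutes; svc-backup touches three hosts over an hour.
SAMPLE_LOGONS = [
    ("2024-03-04T10:00:05Z", "CORP\\jdoe", "10.0.5.23", "FS01", 3),
    ("2024-03-04T10:00:41Z", "CORP\\jdoe", "10.0.5.23", "FS02", 3),
    ("2024-03-04T10:01:12Z", "CORP\\jdoe", "10.0.5.23", "HR-WS07", 3),
    ("2024-03-04T10:02:03Z", "CORP\\jdoe", "10.0.5.23", "FIN-WS12", 3),
    ("2024-03-04T10:02:55Z", "CORP\\jdoe", "10.0.5.23", "SQL01", 3),
    ("2024-03-04T10:03:30Z", "CORP\\jdoe", "10.0.5.23", "DC01", 3),
    ("2024-03-04T10:05:00Z", "CORP\\jdoe", "10.0.5.23", "FS01", 3),
    ("2024-03-04T09:30:00Z", "CORP\\svc-backup", "10.0.9.10", "FS01", 3),
    ("2024-03-04T10:10:00Z", "CORP\\svc-backup", "10.0.9.10", "FS02", 3),
    ("2024-03-04T10:45:00Z", "CORP\\svc-backup", "10.0.9.10", "SQL01", 3),
    ("2024-03-04T10:01:00Z", "CORP\\asmith", "10.0.5.31", "HR-WS07", 2),  # interactive, ignored
]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_logon_fanout(logons, window=timedelta(minutes=10), min_hosts=5):
    """Alert when one account performs network logons to >= min_hosts distinct hosts within window.

    Returns one alert per offending account, describing the first window that crossed the
    threshold: the account, the source address(es) used, the hosts reached and the window start.
    """
    per_account = defaultdict(list)
    for ts, account, src_ip, dest_host, logon_type in logons:
        if logon_type == 3:                       # only network logons are relevant here
            per_account[account].append((_parse_ts(ts), src_ip, dest_host))

    alerts = []
    for account, events in per_account.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            hosts = {dest for _, _, dest in in_window}
            if len(hosts) >= min_hosts:
                alerts.append({
                    "account": account,
                    "sources": sorted({src for _, src, _ in in_window}),
                    "hosts": sorted(hosts),
                    "window_start": start.isoformat(),
                    "logons": len(in_window),
                })
                break                              # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for a in detect_logon_fanout(SAMPLE_LOGONS):
        print(f"{a['account']} from {', '.join(a['sources'])} reached {len(a['hosts'])} hosts "
              f"starting {a['window_start']}: {', '.join(a['hosts'])}")
```

Service and backup accounts legitimately reach many hosts, so in practice the threshold is set per account class, and a match on a regular user account carries far more weight than one on an account whose job is to touch every server. Pairing this with the first logon of that account from a new source address tightens it further.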
Impact & Objectives
The primary objective of the actor appeared to be data exfiltration combined with ransomware deployment. During the encryption phase, the malware would target documents, databases, and critical files, employing strong encryption methods that rendered the data inaccessible. The ransom note, delivered post-encryption, demanded payment in cryptocurrency, indicating a well-thought-out monetization strategy. Loss of access to sensitive data could significantly impact the organization’s operations, reputation, and financial stability.
MITRE ATT&CK Mapping
- T1566 – Phishing: Leveraged for initial access through malicious emails.
- T1059.001 – Command and Scripting Interpreter: PowerShell: Used for lateral movement and enumeration of credentials.
- T1133 – External Remote Services: Exploited Windows Admin Shares for lateral movement.
- T1489 – Data Encryption for Impact: Encrypted user data to fulfill ransomware objectives.
Detection Opportunities
- Monitor email traffic for suspicious attachments and phishing attempts.
- Utilize behavioral anomaly detection to identify unusual task creation in the Task Scheduler.
- Implement network traffic analysis to detect C2 communication patterns.
Analyst Notes
This attack reinforces the need for robust security awareness training for employees, emphasizing the risks associated with email attachments. Additionally, implementing proactive detection methods and monitoring for known TTPs within your environment can significantly enhance your organization’s security posture against similar threats. Continuous threat hunting and analysis of logs are critical in identifying and mitigating such sophisticated attacks before they lead to substantial damage.