Comprehensive Analysis of Recent RDP-based Attack Utilizing Custom Malware

Nina Kovacs — Exploit Research Analyst

Key Takeaways

  • The attack leveraged compromised RDP credentials for initial access.
  • The custom malware employed multiple persistence mechanisms to ensure longevity.
  • Command and control communication featured both direct and proxied traffic patterns.

Executive Summary

During our investigation of a recent cyber incident, we analyzed a sophisticated attack leveraging Remote Desktop Protocol (RDP) to achieve initial access. The attackers utilized compromised credentials to infiltrate the target environment, subsequently deploying custom malware with various functions, including reconnaissance and lateral movement capabilities. This report details the attack chain, the technical attributes of the malware, and provides insights into detection strategies.

Initial Access

The initial access vector was weak RDP credentials: the threat actor brute-forced RDP logons and gained unauthorized access to several systems. Once logged in, the actor performed reconnaissance to identify high-value targets within the network. Credential-dumping tooling such as **Mimikatz** was likely used to harvest the secrets needed for the later stages of the intrusion.
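The brute-force pattern described above is straightforward to surface from the Security log once failures are grouped by source. The following is an added example written for this write-up, not code from the original report or from the actor's tooling. The events are constructed; field names mirror Windows Security log fields (Event ID 4625 failed logon, 4624 successful logon, LogonType 10 = RemoteInteractive, i.e. RDP), and the threshold, window and business-hours range are assumptions to tune per environment.

```python
"""Brute-force detection over Windows Security log events (RDP logons).

Added example for this report, not code from the original write-up or
the actor's tooling. The events below are constructed for illustration;
field names mirror the Security log (EventID 4625/4624, LogonType 10 =
RemoteInteractive, i.e. RDP). Thresholds are assumptions to tune per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (UTC timestamp, EventID, TargetUserName, IpAddress, LogonType)
SAMPLE_EVENTS = [
    ("2024-03-02T02:14:01", 4625, "administrator", "203.0.113.44", 10),
    ("2024-03-02T02:14:03", 4625, "admin",         "203.0.113.44", 10),
    ("2024-03-02T02:14:06", 4625, "backup",        "203.0.113.44", 10),
    ("2024-03-02T02:14:09", 4625, "administrator", "203.0.113.44", 10),
    ("2024-03-02T02:14:12", 4625, "svc_backup",    "203.0.113.44", 10),
    ("2024-03-02T02:14:15", 4625, "svc_backup",    "203.0.113.44", 10),
    ("2024-03-02T02:15:31", 4624, "svc_backup",    "203.0.113.44", 10),  # success after the burst
    ("2024-03-02T02:16:02", 4625, "svc_backup",    "198.51.100.9", 3),   # network logon, not RDP: ignored
    ("2024-03-02T09:01:10", 4624, "jdoe",          "10.0.5.23",    10),  # business-hours RDP logon
    ("2024-03-02T09:01:12", 4625, "jdoe",          "10.0.5.23",    10),  # single failure, benign
]

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59


def _ts(s):
    return datetime.fromisoformat(s)


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP with >= `threshold` RDP logon failures
    inside `window`, recording the distinct user names tried, whether the
    burst happened off-hours, and which accounts then logged on successfully."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, eid, user, ip, logon_type in events:
        if logon_type != 10:          # only RemoteInteractive (RDP) logons
            continue
        bucket = fails if eid == 4625 else successes if eid == 4624 else None
        if bucket is not None:
            bucket[ip].append((_ts(ts), user))

    alerts = []
    for ip, attempts in fails.items():
        attempts.sort()
        j = 0
        for i in range(len(attempts)):
            # advance j to the first failure outside the window that starts at i
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            if j - i >= threshold:
                burst = attempts[i:j]
                start, end = burst[0][0], burst[-1][0]
                followed = sorted({u for t, u in successes[ip] if end <= t <= end + window})
                alerts.append({
                    "source_ip": ip,
                    "failures": len(burst),
                    "distinct_users": len({u for _, u in burst}),
                    "window_start": start.isoformat(),
                    "off_hours": start.hour not in BUSINESS_HOURS,
                    "success_after": followed,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The `success_after` field is the part worth paging on: a burst of failures followed by a 4624 from the same source is a likely credential compromise rather than noise, and the distinct-user count separates password spraying from a single account being hammered.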

Execution & Persistence

Our analysis revealed that the actor deployed a custom binary dubbed **Slink**, which provides shell access and data exfiltration among other functions. For persistence, the sample used **regsvr32.exe** together with a PowerShell script to write a Windows Registry Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Slink. Because HKCU Run entries execute at each logon of that user, the implant survives reboots for as long as the compromised account keeps logging on; this is one of the persistence mechanisms noted above.

Command and Control

The command and control (C2) communications ran over HTTP and used a domain generation algorithm (DGA) to obscure the actual C2 endpoints: the malware beaconed to several domains, rotating through a list of algorithmically generated subdomains. The HTTP beaconing maps to **T1071.001 – Application Layer Protocol: Web Protocols**, and the DGA itself to **T1568.002 – Dynamic Resolution: Domain Generation Algorithms**; together they defeat static domain blocklists. Traffic patterns also showed connections to suspicious IP addresses, indicating that private proxy services were likely used to anonymize the operation.
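Rotation through generated subdomains leaves a recognisable footprint in DNS logs: one client resolving many distinct, high-entropy labels under a small number of parent domains. The following is an added example for this report, not code from the original or from the Slink sample. The query log is constructed; the entropy and count thresholds are assumptions, and the "last two labels are the registered domain" shortcut is a simplification (real data needs the Public Suffix List to handle co.uk-style suffixes).

```python
"""Spotting DGA-style subdomain rotation in DNS query logs.

Added example for this report; not code from the original or from the
Slink sample. The query log is constructed. Two signals are combined:
Shannon entropy of the leftmost label, and how many distinct subdomains
one client resolves under a single parent domain. Thresholds and the
"last two labels = registered domain" shortcut are assumptions.
"""
import math
from collections import defaultdict

# Constructed sample: (client_ip, queried_name)
SAMPLE_DNS = [
    ("10.0.5.77", "k3j9x0qwvz7a.cdn-metrics.example"),
    ("10.0.5.77", "p0a8zv2lqwm1.cdn-metrics.example"),
    ("10.0.5.77", "w8rt1ml0zx2c.cdn-metrics.example"),
    ("10.0.5.77", "zq72ld9vb0ma.cdn-metrics.example"),
    ("10.0.5.77", "a1b9qzxr72vn.cdn-metrics.example"),
    ("10.0.5.77", "x9v1kp0zl7qm.update-svc.example"),
    ("10.0.5.77", "m2zq8lv0wk7r.update-svc.example"),
    ("10.0.5.23", "www.contoso.example"),
    ("10.0.5.23", "mail.contoso.example"),
    ("10.0.5.23", "login.contoso.example"),
]


def shannon_entropy(label):
    """Bits per character of the label; 0.0 for a single repeated character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Naive: the last two labels. Assumption; use the PSL on real data."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def detect_dga_rotation(queries, min_subdomains=3, min_entropy=3.2):
    """Return alerts for (client, parent domain) pairs where the client
    resolved >= min_subdomains distinct subdomains whose leftmost labels
    have mean entropy >= min_entropy bits/char."""
    seen = defaultdict(set)          # (client, parent) -> set of leftmost labels
    for client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # bare parent domain, nothing to score
            continue
        seen[(client, registered_domain(qname))].add(labels[0])

    alerts = []
    for (client, parent), labels in seen.items():
        if len(labels) < min_subdomains:
            continue
        mean_h = sum(shannon_entropy(l) for l in labels) / len(labels)
        if mean_h >= min_entropy:
            alerts.append({"client": client, "parent_domain": parent,
                           "distinct_subdomains": len(labels),
                           "mean_entropy": round(mean_h, 2)})
    return sorted(alerts, key=lambda a: -a["distinct_subdomains"])


if __name__ == "__main__":
    for alert in detect_dga_rotation(SAMPLE_DNS):
        print(alert)
```

Entropy alone is noisy (CDN hostnames and cache-busting labels score high too), which is why the rule also requires several distinct subdomains from the same client under the same parent; `update-svc.example` in the sample stays below the count threshold and is not reported until that threshold is lowered.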

Lateral Movement & Discovery

After establishing a foothold, the actor moved laterally across the network using **PsExec** and **WMI** (Windows Management Instrumentation), escalating privileges where needed and executing additional payloads on other hosts to entrench their presence. The malware was dropped to C:\Windows\Temp\slink.exe, a directory the actor also used as a common drop location for secondary binaries. Our team tracked the use of network shares both to gather further intelligence and to stage payloads for delivery across the environment.

Impact & Objectives

The main objectives of this attack appeared to be data exfiltration and, judging by the reconnaissance results, potential extortion. The victims operate in industries rich in sensitive data, indicating a probable financial motive. Moreover, remnants of **Cobalt Strike** were discovered within the environment, suggesting the actor intended to use its post-exploitation tooling for further lateral movement toward more critical assets.

MITRE ATT&CK Mapping

  • T1021.001 – Remote Services: Remote Desktop Protocol: RDP was the initial access and interactive access channel.
  • T1047 – Windows Management Instrumentation: Used for lateral movement within the network.
  • T1071.001 – Application Layer Protocol: Web Protocols: C2 communications used HTTP beaconing to DGA-generated subdomains.
  • T1110 – Brute Force: The actor brute-forced RDP credentials to gain access.
  • T1543.003 – Create or Modify System Process: Windows Service: Installed as a service for persistence.
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: HKCU Run key entry named Slink.
  • T1568.002 – Dynamic Resolution: Domain Generation Algorithms: C2 subdomains were algorithmically generated.

Detection Opportunities

  • Alert on bursts of failed RDP logons (Event ID 4625, LogonType 10) from a single source, especially off-hours, and treat a successful logon that follows such a burst as a likely credential compromise.
  • Implement host- and DNS-based detection for DGA-like activity (many distinct high-entropy subdomains under a few parent domains from one host) and for process creation from C:\Windows\Temp\.
  • Audit Run/RunOnce keys and scheduled tasks on a regular cadence; flag values that point at Temp or other user-writable paths or that invoke regsvr32.exe, PowerShell or similar script hosts.
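The Run-key persistence from the Execution & Persistence section, the C:\Windows\Temp drop location from Lateral Movement & Discovery, and the last two detection bullets above all reduce to the same host telemetry: registry value-set events and process-creation events. The following is an added triage example written for this report, not code from the original or from the Slink sample. The events are constructed with Sysmon-style field names (Event ID 13 RegistryEvent/SetValue, Event ID 1 ProcessCreate); the regsvr32 entry is a generic LOLBin pattern included to exercise the rule and is not a recovered Slink command line; the path and binary lists are assumptions (AppData is deliberately left out to avoid flagging legitimate per-user installers, so tune for your estate).

```python
"""Triage of Sysmon-style events for Run-key persistence and Temp execution.

Added example for this report, not code from the original write-up or the
Slink sample. Events are constructed (field names follow Sysmon Event ID 13
RegistryEvent/SetValue and Event ID 1 ProcessCreate). The regsvr32 entry is
a generic LOLBin pattern for the rule, not a recovered Slink command line.
Path and binary lists are assumptions to tune per environment.
"""
import re

SAMPLE_SYSMON = [
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Slink",
     "Details": r"C:\Windows\Temp\slink.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     # constructed LOLBin pattern, not attributed to the Slink sample
     "Details": r"regsvr32.exe /s /n /u /i:C:\Users\Public\u.sct scrobj.dll"},
    {"EventID": 13, "Image": r"C:\Program Files\Contoso Agent\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ContosoAgent",
     "Details": r'"C:\Program Files\Contoso Agent\agent.exe" /tray'},   # benign
    {"EventID": 1, "Image": r"C:\Windows\Temp\slink.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Windows\Temp\slink.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Contoso Agent\agent.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Contoso Agent\agent.exe" /tray'},   # benign
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# lower-cased substrings; AppData omitted on purpose (too many legitimate autoruns)
SUSPICIOUS_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
LOLBIN_RE = re.compile(
    r"(?<![a-z0-9_])(regsvr32|rundll32|mshta|powershell|wscript|cscript|certutil)(\.exe)?(?![a-z0-9_])")
TEMP_PREFIX = "c:\\windows\\temp\\"


def classify_run_value(details):
    """Reasons a Run-key value looks suspicious; an empty list means no hit."""
    d = details.lower()
    reasons = []
    if any(p in d for p in SUSPICIOUS_DIRS):
        reasons.append("autorun target in temp/user-writable path")
    if LOLBIN_RE.search(d):
        reasons.append("autorun via script/LOLBin host")
    return reasons


def triage(events):
    """Return findings for Run-key writes with suspicious values and for
    processes launched from C:\\Windows\\Temp, in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY_RE.search(ev["TargetObject"]):
            reasons = classify_run_value(ev["Details"])
            if reasons:
                findings.append({"type": "run_key",
                                 "key": ev["TargetObject"].rsplit("\\", 1)[-1],
                                 "value": ev["Details"], "writer": ev["Image"],
                                 "reasons": reasons})
        elif ev["EventID"] == 1 and ev["Image"].lower().startswith(TEMP_PREFIX):
            findings.append({"type": "temp_exec", "image": ev["Image"],
                             "parent": ev["ParentImage"],
                             "reasons": ["process launched from C:\\Windows\\Temp"]})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SYSMON):
        print(finding)
```

Recording the writer (`Image` on the Event ID 13 record) matters as much as the value: a Run key written by powershell.exe or regsvr32.exe rather than by an installer is itself a lead back to the execution chain described above.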

Analyst Notes

This investigation underscores the critical need for organizations to enforce strong credential policies and monitor RDP access actively. The use of custom malware and sophisticated evasion tactics suggests a high level of operational security by the actor, indicating that future iterations of similar threats should be anticipated. Continuous threat hunting for lateral movement signatures and unauthorized service installations is essential to mitigate these risks effectively.

Source: Original Report