www.mandiant.com
Open in
urlscan Pro
2606:4700:300b::a29f:f17d
Public Scan
URL:
https://www.mandiant.com/resources/unc2596-cuba-ransomware
Submission: On August 13 via api from US — Scanned from DE
Submission: On August 13 via api from US — Scanned from DE
Form analysis 2 forms found in the DOM
GET /search
<form action="/search" method="get">
<div class="js-form-item form-item js-form-type-textfield form-item-search js-form-item-search">
<label class="visually-hidden" for="edit-search">Search</label>
<input data-drupal-selector="edit-search" type="text" id="edit-search" name="search" value="" size="30" maxlength="128" class="form-text" placeholder="Search">
</div>
<div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions">
<button data-drupal-selector="edit-submit-acquia-search" type="submit" id="edit-submit-acquia-search" class="button js-form-submit form-submit">
<span class="visually-hidden">Submit search form</span>
<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
<path d="M7.22574 13.9446C10.6622 13.9446 13.4481 11.1588 13.4481 7.72232C13.4481 4.28583 10.6622 1.5 7.22574 1.5C3.78925 1.5 1.00342 4.28583 1.00342 7.72232C1.00342 11.1588 3.78925 13.9446 7.22574 13.9446Z" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<path d="M15.0001 15.4996L11.6167 12.1162" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
</svg>
</button>
</div>
</form>GET /search
<form action="/search" method="get">
<div class="js-form-item form-item js-form-type-textfield form-item-search js-form-item-search">
<label class="visually-hidden" for="edit-search">Search</label>
<input data-drupal-selector="edit-search" type="text" id="edit-search" name="search" value="" size="30" maxlength="128" class="form-text" placeholder="Search">
</div>
<div data-drupal-selector="edit-actions" class="form-actions js-form-wrapper form-wrapper" id="edit-actions">
<button data-drupal-selector="edit-submit-acquia-search" type="submit" id="edit-submit-acquia-search" class="button js-form-submit form-submit">
<span class="visually-hidden">Submit search form</span>
<svg width="16" height="17" viewBox="0 0 16 17" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true">
<path d="M7.22574 13.9446C10.6622 13.9446 13.4481 11.1588 13.4481 7.72232C13.4481 4.28583 10.6622 1.5 7.22574 1.5C3.78925 1.5 1.00342 4.28583 1.00342 7.72232C1.00342 11.1588 3.78925 13.9446 7.22574 13.9446Z" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
<path d="M15.0001 15.4996L11.6167 12.1162" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"></path>
</svg>
</button>
</div>
</form>Text Content
Skip to main content
Mandiant has created a task force & initiated a Global Event to track the
Russian invasion of Ukraine. Visit the Ukraine Crisis Resource Center to learn
more.
×
* Platform
MANDIANT ADVANTAGE
Multi-vendor XDR platform that delivers expertise and frontline intelligence
to security teams of all sizes.
Platform overview
PLATFORM MENU
* Automated Defense
Rapid event investigation & remediation
* Attack Surface Management
Map your external environment
* Security Validation
Validate controls are working properly
* Threat Intelligence
Integrate latest intel from the frontlines
* Ransomware Defense Validation
Test your ability to prevent ransomware
* Digital Threat Monitoring
Visibility into the open, deep and dark web
* Managed Defense
Eliminate threats with managed detection and response services
Get started for freeRegister for Mandiant Advantage Threat intelligence
* Solutions
MANDIANT SOLUTIONS
Solve your toughest cyber security challenges with use-case and
industry-focused combinations of our products and services.
SOLUTIONS MENU
* Ransomware
Increase resilience against multifaceted extortion
* Cyber Threat Intelligence
Know who is targeting you
* Cyber Risk Management
Advance your business approach to cyber security
* Attack Surface Visibility
See what attackers see
* Digital Risk Protection
Focus on what's most important to mitigate digital risk
* Cyber Preparedness
Validate your cyber preparedness
* OT/ICS Security
Extend cyber defense to strengthen OT and ICS security
* Detection and Response
Focus on what's most important to mitigate digital risk
* Insider Threats
Uncover and manage insider threats
* Cyber Security Skills Gap
Close gaps with flexible access to security experts
* Election Security
Focus on Election Infrastructure Protection
* Intelligence
* Services
MANDIANT SERVICES
Mitigate threats, reduce risk and get back to business with the help of
experts!
Learn more
SERVICES MENU
* Featured Consulting Solutions
* Cyber Defense Transformation
Properly establish cyber defenses
* Incident Response
Tackle breaches confidently
* Strategic Readiness
Increase resilience to risk
* Technical Assurance
Test your security program
* View all services (47)
* Expertise On Demand
Access to Mandiant Experts
* Training
* Find a Course
Browse on-demand and live training
* Mandiant Academy
Train your teams to protect effectively
Schedule a consultationGet in touch with a Mandiant expert
* Resources
RESOURCE
* Resource
* Mandiant Blog
Expert perspectives and industry news.
* Podcasts
Interviews, hot topics, and more
* Customer Stories
Case studies and customer testimonials.
* Reports
Research from the frontlines
* Webinars
Pre-recorded or livestreamed speaker events
* Insights
Cyber security concepts, methods, etc.
* Events
Conferences and collaborative events
* Infographics
Visualizations of security research and processes
* Datasheets
Descriptions of Mandiant offerings
newM-Trends 2022: Cyber Security Metrics, Insights and Guidance From the
FrontlinesLearn More
View all resources
* Company
COMPANY
Learn more about us and our mission to help organizations defend against
cyber crime.
About Mandiant
Contact Us
COMPANY MENU
* Careers
Life at Mandiant and open roles
* Investor Relations
Financial and shareholder information
* Media Center
News, reporting and research
* Partners
Partners ecosystem and resources
* Leadership
Learn more about the executive team
* Elevate
* Mandiant Gives Back
* Create a free account
* Sign in to Advantage
en expand_more
* English
* Français
* Deutsch
* 日本
* 한국어
* Español
* Italian
Start for Free
Search
Submit search form
Search
Submit search form
* Platform
* Mandiant Advantage Overview
* Automated Defense
* Security Validation
* Ransomware Defense Validation
* Attack Surface Management
* Threat Intelligence
* Digital Threat Monitoring
* Managed Defense
* Solutions
* Ransomware
* OT/ICS Security
* Cyber Risk Management
* Digital Risk Protection
* Insider Threats
* Cyber Security Skills Gap
* Election Security
* Cyber Threat Intelligence
* Attack Surface Visibility
* Cyber Preparedness
* Detection and Response
* Intelligence
* Services
* Services Overview
* Incident Response
* Strategic Readiness
* Technical Assurance
* View all services
* Mandiant Academy
* Find a Course
* Expertise On Demand
* Resources
* Resources
* Mandiant Blogs
* Customer Stories
* Webinars
* Events
* Podcasts
* Reports
* Insights
* Datasheets
* Infographics
* Company
* About Mandiant
* Careers
* Media Center
* Leadership
* Investor Relations
* Partners
* Elevate
* Mandiant Gives Back
* Mobile Footer Section
* See what’s new at Mandiant
* Get started
* Incident Response Help
* Contact Sales
* Support
* Sign In
* Create a Free Mandiant Advantage Account
TOP
* Incident Response
* Contact sales
* Support
* Advantage Free Trial
* Blog
* Support
* Contact us
* report_problemIncident Response Assistance
BREADCRUMB
1. Home
2. Resources
3. (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy
Cuba Ransomware
Blog
(EX)CHANGE OF PACE: UNC2596 OBSERVED LEVERAGING VULNERABILITIES TO DEPLOY CUBA
RANSOMWARE
Tyler McLellan, Joshua Shilko, Shambavi Sadayappan
Feb 23, 2022
15 mins read
Threat Research
Threat Intelligence
Ransomware
Uncategorized Groups (UNC Groups)
In 2021, Mandiant observed some threat actors deploying ransomware increasingly
shift to exploiting vulnerabilities as an initial infection vector. UNC2596, a
threat actor that deploys COLDDRAW ransomware, publicly known as Cuba
Ransomware, exemplifies this trend. While public reporting has highlighted
CHANITOR campaigns as precursor for these ransomware incidents, Mandiant has
also identified the exploitation of Microsoft Exchange vulnerabilities,
including ProxyShell and ProxyLogon, as another access point leveraged by
UNC2596 likely as early as August 2021. The content of this blog focuses on
UNC2596 activity which has led to the deployment of COLDDRAW ransomware.
UNC2596 is currently the only threat actor tracked by Mandiant that uses
COLDDRAW ransomware, which may suggest it’s exclusively used by the group.
During intrusions, these threat actors have used webshells to load the TERMITE
in-memory dropper with subsequent activity involving multiple backdoors and
built-in Windows utilities. Beyond commonplace tools, like Cobalt Strike BEACON
and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable
endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom
downloader. In incidents where COLDDRAW was deployed, UNC2596 used a
multi-faceted extortion model where data is stolen and leaked on the group's
shaming website, in addition to encryption using COLDDRAW ransomware. COLDDRAW
operations have impacted dozens of organizations across more than ten countries,
including those within critical infrastructure.
VICTIMOLOGY
The threat actors behind COLDDRAW ransomware attacks have not shied away from
sensitive targets (Figure 1). Their victims include utilities providers,
government agencies, and organizations that support non-profits and healthcare
entities, however, we have not observed them attacking hospitals or entities
that provide urgent care. Around 80% of impacted victim organizations are based
in North America, but they have also impacted several countries in Europe as
well as other regions (Figure 2).
Figure 1: Alleged COLDDRAW victims by industryFigure 2: Alleged COLDDRAW victims
by country
SHAMING WEBSITE
Since at least early 2021, COLDDRAW ransomware victims have been publicly
extorted by the threat actors who threaten to publish or sell stolen data
(Figure 3). Each shaming post includes information on the “date the files were
received.” While the shaming site was not included in ransom notes until early
2021, one of the entries on the site states that the files were received in
November 2019. This is consistent with earliest samples uploaded to public
malware repositories and may represent the earliest use of the ransomware.
Notably, while the data associated with most of the victims listed on this site
are provided for free, there is a paid section which listed only a single victim
at the time of publication.
Figure 3: Cuba (aka COLDDRAW) Ransomware Shaming Tor site (2021-12-31)
ATTACK LIFECYCLE
UNC2596 incidents that have led to COLDDRAW ransomware deployment have involved
a mix of public and private tools, some of which are believed to be private to
them. The threat actors use several malware and utilities that are publicly
available including NetSupport, Cobalt Strike BEACON, built-in Windows
capabilities such as PsExec, RDP, and PowerShell, malware available for purchase
such as WICKER, and exploits with publicly available proof-of-concept code.
UNC2596 also uses several tools and scripts that we have not observed in use by
other threat activity clusters to date, including BUGHATCH, BURNTCIGAR,
WEDGECUT, and COLDDRAW. See the “Notable Malware and Tools” section for
additional detail.
INITIAL RECONNAISSANCE / INITIAL COMPROMISE
Mandiant has observed UNC2596 frequently leverage vulnerabilities affecting
public-facing Microsoft Exchange infrastructure as an initial compromise vector
in recent COLDDRAW intrusions s where the initial vector was identified. The
threat actors likely perform initial reconnaissance activities to identify
Internet-facing systems that may be vulnerable to exploitation.
ESTABLISH FOOTHOLD
In COLDDRAW ransomware incidents, where initial access was gained via Microsoft
Exchange vulnerabilities, UNC2596 subsequently deployed webshells to establish a
foothold in the victim network. Mandiant has also observed these actors deploy a
variety of backdoors to establish a foothold, including the publicly available
NetSupport RAT, as well as BEACON and BUGHATCH, which have been deployed using
the TERMITE in-memory dropper.
ESCALATE PRIVILEGES
COLDDRAW ransomware incidents have mainly involved the use of credentials from
valid accounts to escalate privileges. In some cases, the source of these
credentials is unknown, while in other cases, UNC2596 leveraged credential theft
tools such as Mimikatz and WICKER. We have also observed these threat actors
manipulating or creating Windows accounts and modifying file access permissions.
In one intrusion, UNC2596 created a user account and added it to the
administrator and RDP groups.
INTERNAL RECONNAISSANCE
UNC2596 has performed internal reconnaissance with the goals of identifying
active network hosts that are candidates for encryption and identifying files to
exfiltrate for use in their multi-faceted extortion scheme. The threat actors
have used WEDGECUT, a reconnaissance tool typically with the filename check.exe.
It identifies active hosts by sending PING requests to a list of hosts generated
by a PowerShell script named comps2.ps1 which uses the Get-ADComputer cmdlet to
enumerate the Active Directory. The threat actors have interactively browsed
file systems to identify files of interest. Additionally, UNC2596 has routinely
used a script named shar.bat to map all drives to network shares, which may
assist in user file discovery (Figure 4).
Figure 4: UNC2596 used a batch script to enable sharing of all drives to
facilitate encryption and data harvesting
net share C=C:\ /grant:everyone,FULL
net share D=D:\ /grant:everyone,FULL
net share E=E:\ /grant:everyone,FULL
net share F=F:\ /grant:everyone,FULL
net share G=G:\ /grant:everyone,FULL
net share H=H:\ /grant:everyone,FULL
net share I=I:\ /grant:everyone,FULL
net share J=J:\ /grant:everyone,FULL
net share L=L:\ /grant:everyone,FULL
net share K=K:\ /grant:everyone,FULL
net share M=M:\ /grant:everyone,FULL
net share X=X:\ /grant:everyone,FULL
net share Y=Y:\ /grant:everyone,FULL
net share W=W:\ /grant:everyone,FULL
net share Z=Z:\ /grant:everyone,FULL
net share V=V:\ /grant:everyone,FULL
net share O=O:\ /grant:everyone,FULL
net share P=P:\ /grant:everyone,FULL
net share Q=Q:\ /grant:everyone,FULL
net share R=R:\ /grant:everyone,FULL
net share S=S:\ /grant:everyone,FULL
net share T=T:\ /grant:everyone,FULL
MOVE LATERALLY/MAINTAIN PRESENCE
During COLDDRAW incidents, UNC2596 actors have used several methods for lateral
movement including RDP, SMB, and PsExec, frequently using BEACON to facilitate
this movement. Following lateral movement, the threat actors deploy various
backdoors including the publicly available NetSupport RAT, as well as BEACON and
BUGHATCH, which are often deployed using the TERMITE in-memory dropper. These
backdoors are sometimes executed using PowerShell launchers and have in some
cases used predictable filenames. For example, NetSupport-related scripts and
executables observed during COLDDRAW incidents have typically used the filename
ra or ra<#> whereas BUGHATCH scripts and executables have used the filename
komar or komar<#>, followed by the appropriate extension.
COMPLETE MISSION
In order to complete their mission of multi-faceted extortion, the UNC2596
attempts to steal relevant user files and then identify and encrypt networked
machines. To facilitate encryption, and possibly to assist with collection
efforts, the threat actors have used a batch script named shar.bat which maps
each drive to a network share (Figure 4). These newly created shares are then
available for encryption by COLDDRAW. During a more recent intrusion involving
COLDDRAW, UNC2596 deployed the BURNTCIGAR utility using a batch script named
av.bat. BURNTCIGAR is a utility first observed in November 2021 which terminates
processes associated with endpoint security software to allow their ransomware
and other tools to execute uninhibited. UNC2596 has also been observed
exfiltrating data prior to encrypting victim systems. To date, we have not
observed UNC2596 using any cloud storage providers for data exfiltration;
rather, they prefer to exfiltrate data to their BEACON infrastructure. The
threat actors then threaten to publish data of organizations that do not pay a
ransom on their shaming site (Figure 5).
Figure 5: Sample COLDDRAW Ransom Note
Good day. All your files are encrypted. For decryption contact us.
Write here cloudkey[@]cock.li
reserve admin[@]cuba-supp.com
jabber cuba_support[@]exploit.im
We also inform that your databases, ftp server and file server were downloaded
by us to our servers.
If we do not receive a message from you within three days, we regard this as a
refusal to negotiate.
Check our platform: <REDACTED>[.]onion/
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software,
it may cause permanent data loss.
* Do not stop process of encryption, because partial encryption cannot be
decrypted.
NOTABLE MALWARE AND TOOLS
In addition to the use of publicly available malware and built-in utilities,
Mandiant has observed UNC2596 use malware that is believed to be private to
these threat actors, such as WEDGECUT, BUGHATCH, BURNTCIGAR, and COLDDRAW, or
malware that is believed to be used by a limited number of threat actors, such
as TERMITE.
WEDGECUT
WEDGECUT, which has been observed with the filename check.exe, is a
reconnaissance tool that takes an argument containing a list of hosts or IP
addresses and checks whether they are online using ICMP packets. This utility’s
functionality is implemented using the IcmpCreateFile, IcmpSendEcho, and
IcmpCloseFile APIs to send a buffer containing the string “Date Buffer”. In
practice, the list provided to WEDGECUT has been generated using a PowerShell
script that enumerates the Active Directory using the Get-ADComputer cmdlet.
BUGHATCH
BUGHATCH is a downloader that executes arbitrary code on the compromised system
downloaded from a C&C server. The code sent by the C&C server includes PE files
and PowerShell scripts. BUGHATCH has been loaded in-memory by a dropper written
in PowerShell or loaded by a PowerShell script from a remote URL.
BURNTCIGAR
BURNTCIGAR is a utility that terminates processes at the kernel level by
exploiting an Avast driver’s undocumented IOCTL code (Table 1). The malware
terminates targeted processes using the function DeviceIoControl to exploit the
undocumented 0x9988C094 IOCTL code of the Avast driver, which
calls ZwTerminateProcess with the given process identifier. We have observed a
batch script launcher that creates and starts a kernel service
called aswSP_ArPot2 loading binary file C:\windows\temp\aswArPot.sys (legitimate
Avast driver with SHA256 hash
4b5229b3250c8c08b98cb710d6c056144271de099a57ae09f5d2097fc41bd4f1).
To deploy BURNTCIGAR at a victim, the actor brings their own copy of the
vulnerable Avast driver and installs it at a service.
Table 1: Processes Killed by BURNTCIGAR
Executable Processes Killed by BURNTCIGAR
SentinelHelperService.exe
iptray.exe
dsa-connect.exe
SentinelServiceHost.exe
ccSvcHst.exe
ResponseService.exe
SentinelStaticEngineScanner.exe
sepWscSvc64.exe
avp.exe
SentinelAgent.exe
SEPAgent.exe
avpsus.exe
SentinelAgentWorker.exe
ssDVAgent.exe
klnagent.exe
SentinelUI.exe
smcgui.exe
vapm.exe
SAVAdminService.exe
PAUI.exe
VsTskMgr.exe
SavService.exe
ClientManager.exe
mfemms.exe
SEDService.exe
SBPIMSvc.exe
mfeann.exe
Alsvc.exe
SBAMSvc.exe
macmnsvc.exe
SophosCleanM64.exe
VipreNis.exe
masvc.exe
SophosFS.exe
SBAMTray.exe
macompatsvc.exe
SophosFileScanner.exe
RepMgr.exe
UpdaterUI.exe
SophosHealth.exe
RepUtils.exe
mfemactl.exe
McsAgent.exe
scanhost.exe
McTray.exe
McsClient.exe
RepUx.exe
cpda.exe
SophosSafestore64.exe
PccNtMon.exe
IDAFServerHostService.exe
SophosSafestore.exe
svcGenericHost.exe
epab_svc.exe
SSPService.exe
pccntmon.exe
epam_svc.exe
swc_service.exe
HostedAgent.exe
cptrayLogic.exe
swi_service.exe
tmlisten.exe
EPWD.exe
SophosUI.exe
logWriter.exe
FSAgentService.exe
SophosNtpService.exe
ntrtscan.exe
RemediationService.exe
hmpalert.exe
TmCCSF.exe
TESvc.exe
SophosLiveQueryService.exe
TMCPMAdapter.exe
cptrayUI.exe
SophosOsquery.exe
coreServiceShell.exe
EFRService.exe
SophosFIMService.exe
coreFrameworkHost.exe
MBCloudEA.exe
swi_fc.exe
ds_monitor.exe
MBAMService.exe
SophosMTRExtension.exe
CloudEndpointService.exe
Endpoint Agent Tray.exe
sdcservice.exe
CETASvc.exe
EAServiceMonitor.exe
SophosCleanup.exe
EndpointBasecamp.exe
MsMpEng.exe
Sophos UI.exe
WSCommunicator.exe
AvastSvc.exe
SavApi.exe
dsa.exe
aswToolsSvc.exe
sfc.exe
Notifier.exe
bcc.exe
AvWrapper.exe
WRSA.exe
anet.exe
bccavsvc.exe
a.exe
aus.exe
AvastUI.exe
COLDDRAW
COLDDRAW is the name Mandiant uses to track the ransomware observed in Cuba
Ransomware operations. This ransomware appends the .cuba file extension to
encrypted files. When executed, it terminates services associated with common
server applications and encrypts files on the local filesystem and attached
network drives using an embedded RSA key. Encrypted files are rewritten with a
COLDDRAW-generated header prior to the encrypted file contents. For large files,
only the beginning and end of the file will be encrypted.
TERMITE
TERMITE is a password-protected memory-only dropper which contains an encrypted
shellcode payload. Observed payloads have included BEACON, METASPLOIT stager, or
BUGHATCH. TERMITE requires the actor to specify the
ClearMyTracksByProcess export and supply a password as a command line option to
operate successfully (Figure 6). Mandiant suspects that TERMITE may be available
to multiple groups and is not exclusively used by UNC2596.
Figure 6: TERMITE command line execution Rundll32.exe
c:\windows\temp\komar.dll,ClearMyTracksByProcess 11985756
TRACKING TERMITE
During UNC2596 intrusions involving COLDDRAW, the actors load tools and malware
from web accessible systems that were also typically used for BEACON. Over a
period of approximately six months, Mandiant Advanced Practices tracked a
TERMITE loader at hxxp://45.32.229[.]66/new.dll which used the password 11985756
to decode various BEACON payloads. Ongoing analysis of TERMITE payloads
collected during this timeframe showed that TERMITE underwent modifications to
evade detections. UNC2596 also began using the TERMITE password 11985757 in
October 2021.
CHANITOR OVERLAPS
Mandiant has not responded to any intrusions where we have directly observed
CHANITOR malware lead to COLDDRAW ransomware; however, we have identified
overlaps between CHANITOR-related operations and COLDDRAW incidents. These
include infrastructure overlaps, common code signing certificates, use of a
shared packer, and naming similarities for domains, files, and URL paths, among
others.
* The code signing certificate with the Common Name FDFWJTORFQVNXQHFAH has been
used to sign COLDDRAW payloads, as well as SENDSAFE payloads distributed by
CHANITOR. Mandiant has not observed the certificate used by other threat
actors.
* COLDDRAW payloads and SENDSAFE payloads distributed by CHANITOR have used a
shared packer that we refer to as LONGFALL. LONGFALL, which is also known as
CryptOne, has been used with a variety of malware families.
* The WICKER stealer has been used in both CHANITOR-related post-exploitation
activity and COLDDRAW incidents, including samples sharing the same command
and control (C&C) server.
* Payloads distributed through CHANITOR and payloads identified in COLDDRAW
ransomware incidents have masqueraded as the same legitimate applications
including mDNSResponder and Java.
* Public reporting has also highlighted some overlaps between COLDDRAW and
ZEPPELIN, another ransomware that has reportedly been distributed via
CHANITOR.
IMPLICATIONS
As the number of vulnerabilities identified and publicly disclosed continues to
increase year after year, Mandiant has also observed an increase in the use of
vulnerabilities as an initial compromise vector by ransomware threat actors
including utilizing both zero-day and n-day vulnerabilities in their activity;
notable examples include UNC2447 and FIN11. Shifting towards vulnerabilities for
initial access could offer threat actors more accurate targeting and higher
success rates when compared to malicious email campaigns, which rely more on
uncontrollable factors, such as victims’ interacting with malicious links or
documents. The rise in zero-day usage specifically could be reflective of
significant funds and resources at the disposal of ransomware operators, which
are being directed towards exploit research and development or the purchasing of
exploits from trusted brokers. However, threat actors do not have to use
zero-days to be effective. A subset of n-day vulnerabilities are often
considered attractive targets for threat actors due to their impact of publicly
exposed products, ability to facilitate code execution after successful
exploitation, and the availability of significant technical details and/or
exploit code in public venues. As the number of vulnerabilities publicly
disclosed continues to rise, we anticipate threat actors, including ransomware
operators, to continue to exploit vulnerabilities in their operations.
ACKNOWLEDGEMENTS
With thanks to Thomas Pullen and Adrian Hernandez for technical research, and
Nick Richard for technical review.
MITRE ATT&CK
Mandiant has observed COLDDRAW activity involving the following techniques in
COLDDRAW intrusions:
Table 2: MITRE ATT&CK Framework
ATT&CK Tactic Category
Techniques
Initial Access
T1190: Exploit Public-Facing Application
Discovery
T1010: Application Window Discovery
T1012: Query Registry
T1016: System Network Configuration Discovery
T1018: Remote System Discovery
T1033: System Owner/User Discovery
T1057: Process Discovery
T1082: System Information Discovery
T1083: File and Directory Discovery
T1087: Account Discovery
T1518: Software Discovery
Impact
T1486: Data Encrypted for Impact
T1489: Service Stop
Collection
T1056.001: Keylogging
T1074.002: Remote Data Staging
Defense Evasion
T1027: Obfuscated Files or Information
T1055: Process Injection
T1055.003: Thread Execution Hijacking
T1070.004: File Deletion
T1112: Modify Registry
T1134: Access Token Manipulation
T1134.001: Token Impersonation/Theft
T1140: Deobfuscate/Decode Files or Information
T1497.001: System Checks
T1553.002: Code Signing
T1564.003: Hidden Window
T1574.011: Services Registry Permissions Weakness
T1620: Reflective Code Loading
Persistence
T1098: Account Manipulation
T1136: Create Account
T1136.001: Local Account
T1543.003: Windows Service
Command and Control
T1071.001: Web Protocols
T1071.004: DNS
T1095: Non-Application Layer Protocol
T1105: Ingress Tool Transfer
T1573.002: Asymmetric Cryptography
Resource Development
T1583.003: Virtual Private Server
T1587.003: Digital Certificates
T1588.003: Code Signing Certificates
T1608.001: Upload Malware
T1608.002: Upload Tool
T1608.003: Install Digital Certificate
T1608.005: Link Target
Execution
T1053: Scheduled Task/Job
T1059: Command and Scripting Interpreter
T1059.001: PowerShell
T1129: Shared Modules
T1569.002: Service Execution
Lateral Movement
T1021.001: Remote Desktop Protocol
T1021.004: SSH
Credential Access
T1555.003: Credentials from Web Browsers
MANDIANT SECURITY VALIDATION
In addition to previously released Actions, the Mandiant Security Validation
(Validation) Behavior Research Team (BRT) has created VHR20220223, which will
also be released today, for tactics associated with UNC2596.
A102-561, Malicious File Transfer - TERMITE, Download, Variant #3
A102-560, Malicious File Transfer - TERMITE, Download, Variant #4
A102-559, Command and Control - TERMITE, DNS Query, Variant #1
A102-558, Malicious File Transfer - WEDGECUT, Download, Variant #1
A102-557, Malicious File Transfer - TERMITE, Download, Variant #2
A102-556, Malicious File Transfer - TERMITE, Download, Variant #1
A102-555, Malicious File Transfer - BURNTCIGAR, Download, Variant #4
A102-554, Malicious File Transfer - BURNTCIGAR, Download, Variant #3
A102-553, Malicious File Transfer - BURNTCIGAR, Download, Variant #2
A102-552, Malicious File Transfer - BURNTCIGAR, Download, Variant #1
A102-572, Malicious File Transfer - BUGHATCH, Download, Variant #4
A102-551, Malicious File Transfer - BUGHATCH, Download, Variant #3
A102-550, Malicious File Transfer - BUGHATCH, Download, Variant #2
A102-549, Malicious File Transfer - BUGHATCH, Download, Variant #1
A101-830 Command and Control - COLDDRAW, DNS Query
A101-831 Malicious File Transfer - COLDDRAW, Download, Variant #2
A101-832 Malicious File Transfer - COLDDRAW, Download, Variant #3
A101-833 Malicious File Transfer - COLDDRAW, Download, Variant #4
A101-834 Malicious File Transfer - COLDDRAW, Download, Variant #5
A101-835 Malicious File Transfer - COLDDRAW, Download, Variant #6
A104-800 Protected Theater - COLDDRAW, Execution
A151-079 Malicious File Transfer - COLDDRAW, Download, Variant #1
A100-308 Malicious File Transfer - CHANITOR, Download
A100-309 Command and Control - CHANITOR, Post System Info
A150-008 Command and Control - CHANITOR, Check-in and Response
A150-047 Malicious File Transfer - CHANITOR, Download, Variant #2
A150-306 Malicious File Transfer - CHANITOR, Download, Variant #1
YARA SIGNATURES
The following YARA rules are not intended to be used on production systems or to
inform blocking rules without first being validated through an organization's
own internal testing processes to ensure appropriate performance and limit the
risk of false positives. These rules are intended to serve as a starting point
for hunting efforts to identify samples, however, they may need adjustment over
time if the malware family changes.
rule TERMITE
{
meta:
author = "Mandiant"
strings:
$sb1 = { E8 [4] 3D 5? E3 B6 00 7? }
$sb2 = { 6B ?? 0A [3] 83 E9 30 }
$si1 = "VirtualAlloc" fullword
$ss1 = "AUTO" fullword
condition:
(uint16(0) == 0x5A4D) and (uint32(uint32(0x3C)) == 0x00004550) and
(uint16(uint32(0x3C)+0x18) == 0x010B) and all of them
}
rule FDFWJTORFQVNXQHFAH
{
meta:
author = "Mandiant"
description = "Detecting packer or cert."
md5 = "939ab3c9a4f8eab524053e5c98d39ec9"
strings:
$cert = "FDFWJTORFQVNXQHFAH"
$s1 = "VLstuTmAlanc"
$s2 = { 54 68 F5 73 20 70 00 00 00 00 00 00 00 BE 66 67 72 BD 68 20 63
BD 69 6E 6F C0 1F 62 65 EC 72 75 6E FC 6D 6E 20 50 46 53 20 B9 66 64 65 }
$s3 = "ViGuua!Gre"
$s4 = "6seaIdFiYdA"
condition:
(uint16(0) == 0x5A4D) and filesize < 2MB and ( $cert or 2 of ($s*) )
}
INDICATORS
MALWARE FAMILY
Indicator
TERMITE/BEACON
irrislaha[.]com
BEACON
leptengthinete[.]com
BEACON
siagevewilin[.]com
BEACON
surnbuithe[.]com
TERMITE
64.235.39[.]82
BEACON
64.52.169[.]174
Suspect certificate
144.172.83[.]13
BEACON
190.114.254[.]116
BEACON
185.153.199[.]164
TERMITE
45.32.229[.]66
BEACON
23.227.197[.]229
Packer imphash
2322896bcde6c37bf4a87361b576de02
Packer cert CN
FDFWJTORFQVNXQHFAH
Packer cert md5
5c00466f092b19c85873848dcd472d6f
MALWARE FAMILY
MD5
SHA1
SHA256
BUGHATCH
72a60d799ae9e4f0a3443a2f96fb4896
a304497ff076348e098310f530779002a326c264
6d5ca42906c60caa7d3e0564b011d20b87b175cbd9d44a96673b46a82b07df68
BUGHATCH
bda33efc53c202c99c1e5afb3a13b30c
e6ea0765b9a8cd255d587b92b2a80f96fab95f15
101b3147d404150b3c0c882ab869a18eb6eeb79e8b7b2df81fb4be1a8b58f1bf
BUGHATCH
e78ed117f74fd7441cadc3ea18814b3e
6da8a4a32a4410742f626376cbec38986d307d5a
9ab05651daf9e8bf3c84b14613cd98e8479018bbcf3543521e94458012eba96e
BUGHATCH
ba83831700a73661f99d38d7505b5646
209ffbc8ba1e93167bca9b67e0ad3561c065595d
79d6b1b6b1ecb446b0f49772bf4da63fcec6f6bfc7c2e1f4924cb7acbb3b4f53
WEDGECUT
c47372b368c0039a9085e2ed437ec720
4f6ee84f59984ff11147bfff67ab6e40cd7c8525
c443df1ddf8fd8a47af6fbfd0b597c4eb30d82efd1941692ba9bb9c4d6874e14
BURNTCIGAR
c5e3b725080712c175840c59a37a5daa
f347fa07f13c3809e4d2d390e1d16ff91f6dc959
f68cea99e6887739cd82865f9b973664117af14c1a25d4917eec25ce4b26a381
BURNTCIGAR
c9d3b29e0b7662dafc6a1839ad54a6fb
d0bbbc1866062f9a772776be6b7ef135d6c5e002
4306c5d152cdd86f3506f91633ef3ae7d8cf0dd25f3e37bec43423c4742f4c42
BURNTCIGAR
9ca2579117916ded7ac8272b7b47bb98
d1ef60835127e35154a04d0c7f65beee6e790e44
aeb044d310801d546d10b247164c78afde638a90b6ef2f04e1f40170e54dec03
BURNTCIGAR (launcher)
26c09228e76764a2002ba643afeb9415
8247880a1bad73caaeed25f670fc3dad1be0954a
6ce206a1e1224e0a9d296d5fabffee7fe5ab45ef00299a21e8df66e8c6ba5a27
TERMITE
98a2e05f4aa648b02540d2e17946da7e
e328b5e26a04a13e80e60b4a0405512c99ddb74e
811bb84e1e9f59279f844a040bf68d25ad29a756fbc07cffd7308f8490a15329
TERMITE
ddf2e657a89ae38f634c4a271345808b
b73763c98523e544c0ce0da7db7142f1e039c0a2
d1e14b5f02fb020db4e215cb5c3abc6a7b1589443bccd6f03b77ee124ca72b5c
TERMITE
95820d16da2d9c4fbb07130639be2143
0a3ac9b182d8f14d9bc368d0c923270eed29b950
a722615c2ee101cde88c7f44fb214eccfe2d06752be751db066018a3244bce62
TERMITE
896376ce1bbca1ed73a70341896023e0
f1be87ee03a2fb59d51cb4ba1fe2ece8ddfb5192
671e049f3e2f6b7851ca4e8eed28ba5c9bf209eb4ad44aab081a9871b06f2833
TERMITE
f51c4b21445a0ece50b1f920648ed726
7c88207ff1afe8674ba32bc20b597d833d8b594a
ea5de5558396f66af8382afd98f2a7118a6bcabf8f9612c7e35b121a8d1f230c
TERMITE
7d4307d310ad151359b025fc5a7fca1a
49cfcecd50fcfcd3961b9d3f8fa896212b7a9527
ad12f38308a85c8792f2f7e1e46afc3d9f1a9017edc2cbfbb28ae0191477ab3a
TERMITE
b62eec21d9443f8f66b87dd92ba34e85
172f28f61a35716762169d63f207071adf21a54c
9cec82bebe1637c50877ff11de5bd4db1db4999d1bd764a772a5620388843c5f
TERMITE
df0e5d91d0986fde9bc02db38eef5010
922ca12c04b064b35fd01daadf5266b8a2764c32
6cd25067316f8fe013792697f2f5da298318e2047ea4c5da525955799f66726f
TERMITE
46b977a0838f4317425df0f2e1076451
39381976485fbe4719e4585f082a5252feedbcfd
13d333d5e3c1dd6c33dfa8fc76def6109b5187d4ce6bb82a34a8bf311b027d79
TERMITE
8c4341a4bde2b6faa76405f57e00fc48
4f3a1e917f67293578b7e823bca35c4dff923386
df89d3d1f795a77eefc14f0356816d8b40934e40697f8190f76e0f5664f33fd3
TERMITE
d5679f47d22c7c0647038ce6f54352e4
d9030bdbd0cb451788eaa176a032aa83cf7604c0
728a2d5dd2bf9c707431ff68e94c0d7a7ace9508241051c02344d9e9c556e015
TERMITE
e77af544cc9d163d81e78b3c4da2eee5
3ead9dd8c31d8cfb6cc53e96ec37bdcfdbbcce78
7f357ab4ac225e14a6967f89f20926e9e0db15dca5b8fe058c120a365570b783
TERMITE
98b2fff45a9474d61c1bd71b7a60712b
3b0ec4b6ad3cf558cac6b2c6e7d8024c438cfbc5
7b2144f2b5d722a1a8a0c47a43ecaf029b434bfb34a5cffe651fda2adf401131
TERMITE
9a0a2f1dc7686983843ee38d3cab448f
363dc3cf956ab2a7188cf0e44bffd9fba766097d
03249bf622c3ae1dbed8b14cfaa8332442a41c4592d325ad93b6a8cb6d4b29f8
TERMITE
fb6da2aa2aca0ce2e0af22b2c3ba2668
55b89bad1765bbf97158070fd5cbf9ea7d449e2a
1842ddc55b4bf9c71606451d404a21f7f3da8e54c56318010c80ba4f571bd8f5
COLDDRAW
3e96efd37777cc01cabb3401485297aa
f008e568c313b6f41406658a77313f89df07017e
bcf0f202db47ca671ed6146040795e3c8315b7fb4f886161c675d4ddf5fdd0c4
COLDDRAW
73c0f0904105b4c220c25f64506ea986
7ef1f5946b25f56a97e824602c58076e4b1c10b6
e35593fab92606448ac4cac6cd2bd6b4df5d7ab3b733ba4b9472994cf0e3d87d
COLDDRAW
20a04e7fc12259dfd4172f5232ed5ccf
82f194e6baeef6eefb42f0685c49c1e6143ec850
482b160ee2e8d94fa6e4749f77e87da89c9658e7567459bc633d697430e3ad9a
Exchange Payload test.hta
becdcaa3a4d933c13427bb40f9c1cfbb
ee883ec4b7b7c1eba7200ee2f9f3678f67257217
6c4b57fc995a037a0d60166deadfb869a07b4bb382651b9c4ea9e59fb347c3d1
BEACON
c0e88dee5427aae6ce628b48a6d310a7
fd4c478f1561db6a9a0d7753741486b9075986d0
44a4ce7b5d2e154ec802a67ef14c613298cafc00b1ca3a15b302195f2686a186
BEACON
bb2a2818e2e4514507462aadea01b3d7
8fec34209f79debcd9c03e6a3015a8e3d26336bb
6e66caaa12c3cafd1dc3f8c6305354fcbb958ed7f9a4e5e5bf3a2dc2216b5915
BEACON
48f8cd5e42cdf06d5a520ab66a5ae576
0d0ac944b9c4589a998b5032d208a16e63db5817
d8df1a4d59a0382b367fd6936cce538201e9b93a2850dbc66a4dd575fbeb8c42
* Follow us
*
*
*
*
FOOTER
* Mandiant Advantage Platform
* Platform Overview
* Automated Defense
* Security Validation
* Ransomware Defense Validation
* Attack Surface Management
* Threat Intelligence
* Digital Threat Monitoring
* Managed Defense
* Solutions
* Ransomware
* Industrial Controls & OT
* Cyber Risk Management
* Digital Risk Protection
* Insider Threats
* Cyber Security Skills Gap
* Election Security
* Cyber Threat Intelligence
* Attack Surface Visibility
* Cyber Preparedness
* Detection and Response
* Services
* Services Overview
* Incident Response
* Strategic Readiness
* Cyber Defense Transformation
* Technical Assurance
* View All Services
* Expertise on Demand
* Mandiant Academy
* Overview
* Education Formats
* Upcoming Courses
* On-Demand Courses
* Certifications
* ThreatSpace Cyber Range
* Free Course Sneak Peaks
* Resources
* Resource Center
* Mandiant Blog
* Podcasts
* Customer Stories
* Reports
* Webinars
* Insights
* Infographics
* Datasheets
* Company
* About Us
* Careers
* Events
* Media Center
* Leadership
* Investor Relations
* Partners
* Partners Overview
* Service Partners
* Cyber Risk Partners
* Technology Partners
* Partner Portal
* Connect with Mandiant
* Contact Us
* Report an Incident
* Customer Support
* Email Preferences
* Customer Success
* Media Inquiries
© Copyright 2022 Mandiant. All rights reserved.
BOTTOM
* Privacy & Cookies Policy
* Terms & Conditions
* Compliance
* Site Map
WIR SCHÄTZEN IHRE PRIVATSPHÄRE SEHR
Diese Website nutzt Cookies und verwandte Technologien gemäß der Beschreibung in
unserer Datenschutzrichtlinie zu Zwecken, zu denen unter anderem der Betrieb der
Website, Analyse, verbessertes Nutzererlebnis und Werbung zählen. Sie können
unserer Nutzung dieser Technologien zustimmen oder Ihre eigenen Präferenzen
verwalten.
AUSWAHL VERWALTEN ZUSTIMMEN UND FORTFAHREN ALLE ABLEHNEN
Datenschutzerklärung
Powered by:
Cookie-Präferenzen