Ransomware Attack Techniques

May 03, 2022

Industry: N/A | Level: Tactical | Source: Symantec

Symantec’s analysis of the ransomware groups Hive, Conti, and AvosLocker has identified frequently used tools, tactics, and procedures (TTPs). For initial access, the ransomware operators leverage exploits, RDP with weak or compromised credentials, and malware delivered through phishing emails carrying IcedID, Emotet, QakBot, or TrickBot. Persistence involves third-party remote access software such as AnyDesk and ConnectWise Control, along with firewall and registry modifications. Tools used for system discovery include ADRecon and Netscan. Credential access is achieved with a wide array of techniques involving Mimikatz, comsvcs.dll, extracting credentials from the registry, and using Task Manager to dump LSASS memory. Tools used for lateral movement include PsExec, WMI, BITSAdmin, and Mimikatz. Tampering with Windows event logs helps cover the attackers’ tracks, and recovery is inhibited by deleting shadow copies. Lastly, for data exfiltration, the actors relied on Rclone and FileZilla to transfer data.

  • Anvilogic Use Cases:
    • Registry key added with reg.exe
    • Windows Firewall Rule Creation
    • Mimikatz
    • Invoke-Expression Command
    • comsvcs.dll Lsass Memory Dump
    • Rundll32 Command Line
    • Task Manager lsass Dump
    • Credentials in Registry
    • Remote Admin Tools
    • WinRM Tools
    • BITSadmin Execution
    • Clear Windows Event Logs
    • Inhibit System Recovery Commands
    • Suspicious Registry Key Deleted
    • Rclone Execution

Wizard Spider’s Naver Phishing Campaign

March 22, 2022

Industry: N/A | Level: Tactical | Source: Prevailion

Prevailion’s Adversarial Counterintelligence Team (PACT) analyzed a large-scale phishing campaign observed in late January 2022 whose goal was to collect Naver credentials. Naver is a South Korean company providing search, email, news, and other services, comparable to Google and Yahoo. Investigation of the campaign’s infrastructure identified an overlap with the threat group “WIZARD SPIDER [a.k.a. TrickBot] infrastructure.” The infrastructure is very large: per PACT’s review, “542 unique domains had been identified as part of this malicious cluster of web infrastructure, 532 of which were assessed with high confidence to be part of the ongoing phishing campaign targeting Naver logins; the oldest domain identified by PACT was registered in August of 2021, other registrations are as recent as February of 2022.” One phishing domain in particular is strongly associated with TrickBot, as the IP used for the Naver phishing campaign was also tied to a Cobalt Strike beacon sample that had been analyzed on VirusTotal. That Cobalt Strike sample was used in a campaign that abused CVE-2021-40444 to ultimately deploy Conti ransomware.

  • Anvilogic Use Case: Malicious Document Execution

CISA Update on Conti Ransomware

March 15, 2022

Industry: N/A | Level: Tactical | Source: CISA

The Cybersecurity & Infrastructure Security Agency (CISA) has updated alert AA21-265A, which tracks Conti ransomware, with new indicators of compromise (IOCs) associated with the group. The most prevalent attack vectors the agency warns of for Conti are Trickbot and Cobalt Strike. The Conti group has impacted over 1,000 organizations in the U.S. and internationally. A variety of techniques have been observed from the ransomware group, with initial access typically obtained through phishing emails or stolen accounts. CISA also lists a variety of post-compromise techniques, including RDP brute-force attacks, Kerberos attacks, running discovery commands to enumerate the network, spreading via SMB, stopping services, and deleting shadow copies.

  • Anvilogic Use Cases:
    • RDP Brute-force Detection
    • Kerberos RC4 Encrypted Tickets
    • Common Reconnaissance Commands
    • Windows Share Multiple File Access
    • Service Stop Commands
    • Inhibit System Recovery Commands
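As an added example (not CISA’s guidance and not Anvilogic’s own detection logic), the Python below applies two of the use cases above to constructed Windows Security events: RDP brute force as a burst of event 4625 failures with logon type 10 (RemoteInteractive) from one source inside a sliding window, and Kerberoasting as event 4769 service-ticket requests with RC4-HMAC encryption (type 0x17) across several service accounts by one user. The event records, account names, IP addresses and thresholds are assumptions made for the example; field names follow the Windows Security log.

```python
"""Two detections over Windows Security events for the Conti TTPs listed above:
RDP brute force (event 4625, logon type 10) and Kerberoasting (event 4769 with an
RC4-encrypted service ticket). Added example; the events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

RC4_HMAC = "0x17"        # TicketEncryptionType for RC4-HMAC (0x12 is AES256)
RDP_LOGON_TYPE = "10"    # LogonType 10 = RemoteInteractive, i.e. RDP


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=5)) -> List[Tuple[str, int, datetime, datetime]]:
    """Sources with >= threshold failed RDP logons inside a sliding time window.
    Returns (source_ip, failures_in_window, first_failure, last_failure)."""
    failures = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 4625 and ev.get("LogonType") == RDP_LOGON_TYPE:
            failures[ev["IpAddress"]].append(ev["Time"])
    hits = []
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.append((src, end - start + 1, times[start], t))
                break                              # one alert per source
    return hits


def detect_kerberoasting(events: List[dict], min_services: int = 3) -> Dict[str, List[str]]:
    """Users who were issued RC4 service tickets for >= min_services distinct
    service accounts. krbtgt and computer accounts (trailing $) are excluded,
    since they appear with RC4 legitimately; failed requests (Status != 0x0) too."""
    per_user = defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if ev.get("Status") != "0x0":
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_user[ev["TargetUserName"]].add(svc)
    return {u: sorted(s) for u, s in per_user.items() if len(s) >= min_services}


# Constructed sample events; names, IPs and times are made up for the example.
T0 = datetime(2022, 3, 15, 9, 0, 0)


def _at(seconds: int) -> datetime:
    return T0 + timedelta(seconds=seconds)


SAMPLE_EVENTS: List[dict] = (
    # Six RDP failures from one external source in 40 seconds, spraying user names.
    [{"EventID": 4625, "LogonType": "10", "IpAddress": "203.0.113.7",
      "TargetUserName": u, "Time": _at(i * 8)}
     for i, u in enumerate(["admin", "administrator", "backup", "svc_sql", "jdoe", "helpdesk"])]
    # Two failures from an internal workstation: a mistyped password, not brute force.
    + [{"EventID": 4625, "LogonType": "10", "IpAddress": "10.0.0.25",
        "TargetUserName": "jdoe", "Time": _at(s)} for s in (100, 130)]
    # One user requests RC4 tickets for four SPN-bearing service accounts in a row.
    + [{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": s,
        "TicketEncryptionType": "0x17", "Status": "0x0", "Time": _at(200 + i)}
       for i, s in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm"])]
    # Noise the filters must ignore: computer account, krbtgt, and an AES ticket.
    + [{"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL", "ServiceName": "FS01$",
        "TicketEncryptionType": "0x17", "Status": "0x0", "Time": _at(210)},
       {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
        "TicketEncryptionType": "0x17", "Status": "0x0", "Time": _at(211)},
       {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
        "TicketEncryptionType": "0x12", "Status": "0x0", "Time": _at(212)}]
)


if __name__ == "__main__":
    for src, n, first, last in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP brute force from {src}: {n} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for user, services in detect_kerberoasting(SAMPLE_EVENTS).items():
        print(f"Kerberoasting by {user}: RC4 tickets for {', '.join(services)}")
```

The RC4 filter is the important one: in a domain where service accounts still have RC4 enabled, a single 0x17 ticket is routine, but one user collecting RC4 tickets for many unrelated service accounts in seconds is the offline-cracking pattern, which is why the check counts distinct service names per requester rather than alerting on the encryption type alone.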

Trickbot Mystery

March 01, 2022

Industry: N/A | Level: Strategic | Source: Intel471

In line with AdvIntel’s reports of fading Trickbot activity, Intel471 also reports that the notorious malware has gone noticeably dormant: no new Trickbot campaigns have been observed so far in 2022. Tracking of Trickbot campaigns identified only three in December 2021, the latest on December 28th, 2021, down from the eight identified in November 2021. In addition, Intel471 observes a lack of updates to “onboard malware configuration files (mcconf), which contain a list of controller addresses the bot can connect to.” The drop in Trickbot activity is theorized to be due to a shift in operations in favor of Emotet. The lack of activity is not a sign that the malware operation is dead, as its command and control infrastructure remains active. Malware associated with Trickbot, such as Emotet, Bazar, and Bokbot, should be closely monitored, especially as they are closely tied to ransomware deployments such as Conti.

Trickbot Fading and Conti Rises

February 22, 2022

The notorious Trickbot malware appears to be losing relevance: it is no longer as stealthy as it once was, and Conti is absorbing its key developers.

Why the Emotet Resurgence by AdvIntel

November 21, 2021

Industry: N/A | Level: Strategic | Source: AdvIntel

On November 14th, 2021, researchers at AdvIntel observed a resurgence of Emotet and postulate that it is the result of “unfulfilled loader commodity demand, decline of the decentralized RaaS (Ransomware-as-a-Service) model, and the return of the monopoly of organized crime syndicates such as Conti.” Based on AdvIntel’s intelligence tracking, the resurgence appears to have been initiated by a former Ryuk member who convinced a former Emotet operator to rebuild and set up the malware builder. Given Emotet’s effectiveness at providing initial access, the prediction is a potential rise to dominance of Conti ransomware. All involved appear motivated by the earlier success of the Emotet, TrickBot, and Ryuk alliance in 2018.