Trend Micro Analyzes BlackCat Ransomware

Industry: N/A | Level: Tactical | Source: Trend Micro

Trend Micro shares details of an incident involving BlackCat ransomware to provide an insight into the infection sequence. The attack began with the identification of suspicious web shells on Microsoft Exchange Servers having exploited ProxyLogon and ProxyShell vulnerabilities. Activity following involved PowerShell having been spawned from Internet Information Services (IIS) worker process (w3wp.exe) to download a Cobalt Strike Beacon and a DLL file that was executed with rundll32.exe. Through process injection of Windows error reporting process, WerFault.exe the attackers initiated commands for discovery, credentials access with CrackMapExec dumping NTDS.dit and spreading laterally in the environment through SMB. Prior to ransomware execution, the attackers launched batch scripts however, the script was not captured by Trend Micro for analysis.

• Anvilogic Scenario: BlackCat Ransomware: Post-Exploitation of Exchange
• Anvilogic Use Cases:
• Exchange New Export Request
• Potential Web Shell
• Potential ProxyShell
• IIS Worker (W3WP) Spawn Command Line
• Suspicious File written to Disk
• Rundll32 Command Line
• Common Active Directory Commands
• SharpHound Enumeration
• SharpHound Keywords
• Python Execution
• Rare Remote Thread
• NTDSUtil.exe execution
• Potential Lateral Movement via SMB
• Executable Create Script Process
• Encoded Powershell Command