

In one of the fastest ransomware cases we have observed, in under four hours the threat actors went from initial access to domain-wide ransomware. The initial access vector for this case was an IcedID payload delivered via email. We have observed IcedID malware being utilized as the initial access by various ransomware groups. Examples from some of our previous cases include:

- XingLocker – IcedID to XingLocker Ransomware in 24 hours
- Conti – Stolen Images Campaign Ends in Conti Ransomware and Conti Ransomware
- REvil – Sodinokibi (aka REvil) Ransomware

Once the initial IcedID payload was executed, approximately 2 hours after initial infection, the threat actors appeared to begin hands-on-keyboard activity. Cobalt Strike and RDP were used to move across the network before using WMI and PsExec to deploy the Quantum ransomware. This case exemplified an extremely short Time-to-Ransom (TTR) of 3 hours and 44 minutes.

The threat actor was able to enter the network when a user endpoint was compromised by an IcedID payload contained within an ISO image. We have high confidence this payload was delivered via email; however, we were not able to identify the delivery email. The ISO contained a DLL file (IcedID malware) and a LNK shortcut to execute it. The end user, after clicking into the ISO file, could see just a single file named “document”, which is a LNK shortcut to a hidden DLL packaged in the ISO. When the user clicks on the LNK file, the IcedID DLL is executed. Upon execution of the IcedID DLL, a battery of discovery tasks were executed using built-in Windows utilities like ipconfig, systeminfo, nltest, net, and chcp. The IcedID malware also created a scheduled task as a means of persistence on the beachhead host.

Around two hours later, Cobalt Strike was deployed using process hollowing and injection techniques. This marked the start of “hands-on-keyboard” activity by the threat actors. This activity included using AdFind through a batch script called adfind.bat to perform discovery of the target organization's Active Directory structure. The threat actors gathered host-based network information by running a batch script named ns.bat, which ran nslookup for each host in the environment. The Cobalt Strike process then proceeded to access LSASS memory to extract credentials, which a few minutes later were tested by running remote WMI discovery tasks on a server. After confirming their credentials worked with the WMI actions, the threat actor proceeded to RDP into that server and attempted to drop and execute a Cobalt Strike DLL beacon there. This appeared to fail, so the threat actor then opened cmd and proceeded to execute a PowerShell Cobalt Strike Beacon. This Beacon was successful in connecting to the same command and control server observed on the beachhead host. For the next hour, the threat actor proceeded to make RDP connections to other servers in the environment.

Once the threat actor had a handle on the layout of the domain, they prepared to deploy the ransomware by copying the ransomware (named ttsel.exe) to each host through the C$ share folder. They used two methods of remote execution to detonate the ransomware binary: WMI and PsExec. This ransomware deployment concluded less than four hours from the initial IcedID execution. While the ransom note indicated the threat actor stole data, we did not observe any overt exfiltration of data; however, it is possible that the threat actors used IcedID or Cobalt Strike to transmit sensitive data.

We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.

Report Lead:
Contributing Analysts:

Initial Access

The threat actor gained initial access through the common malware, IcedID. The payload was delivered within an ISO file, docs_invoice_173.iso, via email, where a user opened and executed the malware. Shout out to for making these ISOs available.

We were able to determine the user mounted the ISO using Event ID 12 in Microsoft-Windows-VHDMP-Operational.evtx, as shown below:

When mounted, the ISO contained two files:

Typical end user perspective after opening the ISO file:
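To make the Event ID 12 check from the Initial Access section concrete, here is an added Python example (not code from the report or its authors) that filters exported Microsoft-Windows-VHDMP-Operational records for surfaced ISO/IMG images mounted from per-user locations such as Downloads, which is the pattern a mail-delivered image like docs_invoice_173.iso leaves behind. The sample records are constructed; the message wording the regex expects, the field names of the exported records, and the list of per-user directories are assumptions to verify against a real export before use.

```python
"""Flag user-initiated ISO/IMG mounts from VHDMP-Operational Event ID 12 records."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumption (not from the report): Event ID 12 in the
# Microsoft-Windows-VHDMP-Operational channel reports a surfaced image with a
# message like "The VHD <path> has come online (surfaced) as disk number N."
# Confirm the exact wording against a real record before relying on this regex.
SURFACED_RE = re.compile(
    r"The VHD (?P<path>.+?) has come online \(surfaced\) as disk number (?P<disk>\d+)"
)

# Optical-image extensions a mail attachment would carry. VHD/VHDX mounts are
# deliberately left out here because administrators mount them routinely.
MAIL_IMAGE_EXTS = (".iso", ".img")

# Per-user locations where a double-clicked attachment usually lands (assumed list).
USER_DROP_DIRS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
)


@dataclass
class IsoMountFinding:
    computer: str
    time_created: str
    path: str
    disk_number: int
    from_user_dir: bool


def parse_surfaced_event(record: dict) -> Optional[IsoMountFinding]:
    """Return a finding for a VHDMP Event ID 12 that surfaced an ISO/IMG, else None."""
    if record.get("Channel") != "Microsoft-Windows-VHDMP-Operational":
        return None
    if record.get("EventID") != 12:
        return None
    match = SURFACED_RE.search(record.get("Message", ""))
    if not match:
        return None
    path = match.group("path")
    lowered = path.lower()
    if not lowered.endswith(MAIL_IMAGE_EXTS):
        return None
    return IsoMountFinding(
        computer=record.get("Computer", "?"),
        time_created=record.get("TimeCreated", "?"),
        path=path,
        disk_number=int(match.group("disk")),
        from_user_dir=any(d in lowered for d in USER_DROP_DIRS),
    )


def find_suspicious_mounts(records: Iterable[dict]) -> List[IsoMountFinding]:
    """Keep only ISO/IMG mounts that came from a per-user download/temp location."""
    findings = []
    for rec in records:
        finding = parse_surfaced_event(rec)
        if finding and finding.from_user_dir:
            findings.append(finding)
    return findings


# Constructed sample records, not telemetry from the case. The file name
# docs_invoice_173.iso is the one named in the report; users, hosts and
# timestamps are made up. Field names mirror a typical evtx-to-JSON export.
SAMPLE_RECORDS = [
    {"Channel": "Microsoft-Windows-VHDMP-Operational", "EventID": 12,
     "TimeCreated": "2022-01-10T14:02:11Z", "Computer": "WKSTN-01.example.local",
     "Message": r"The VHD C:\Users\jdoe\Downloads\docs_invoice_173.iso has come online (surfaced) as disk number 1."},
    {"Channel": "Microsoft-Windows-VHDMP-Operational", "EventID": 12,
     "TimeCreated": "2022-01-10T09:15:40Z", "Computer": "HV-01.example.local",
     "Message": r"The VHD D:\Hyper-V\disks\srv02.vhdx has come online (surfaced) as disk number 3."},
    {"Channel": "Microsoft-Windows-VHDMP-Operational", "EventID": 12,
     "TimeCreated": "2022-01-10T10:30:00Z", "Computer": "IT-ADMIN.example.local",
     "Message": r"The VHD D:\images\win10_22h2.iso has come online (surfaced) as disk number 2."},
    {"Channel": "Microsoft-Windows-VHDMP-Operational", "EventID": 1,
     "TimeCreated": "2022-01-10T14:02:10Z", "Computer": "WKSTN-01.example.local",
     "Message": "constructed non-12 VHDMP event, ignored by the rule"},
]

if __name__ == "__main__":
    for f in find_suspicious_mounts(SAMPLE_RECORDS):
        print(f"{f.time_created} {f.computer}: {f.path} surfaced as disk {f.disk_number}")
```

Only the mount from the user's Downloads folder is reported; the administrator's installation ISO and the Hyper-V VHDX are parsed but not flagged, which keeps the rule quiet on hosts where image mounting is normal. Pairing the finding with the next process creations on the same host (the LNK launching the hidden DLL, then ipconfig, systeminfo, nltest, net and chcp) gives the full initial-access chain described above.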
