Stolen Images Campaign Ends in Conti Ransomware

Upon execution of the IcedID DLL, a connection to a C2 server was established.
This was followed by the creation of a scheduled task on the beachhead host to establish persistence.
The task executed the IcedID payload every one 1 hour.
The IcedID malware then used Windows utilities such as net, chcp, nltest, and wmic, to perform discovery activity on the host.

After a gap of almost an hour, a Cobalt Strike beacon was dropped and executed on the beachhead host.
Soon after, another round of discovery was performed from the Cobalt Strike beacon focusing on the Windows domain.
Nltest and net group were utilized to look for sensitive groups such as Domain Admins and Enterprise Admins.
Process injection into explorer.exe was then observed from the Cobalt Strike Beacon.

The threat actors proceeded to install remote management tools such as Atera Agent and Splashtop.
Use of these 3rd party administrative tools allow the threat actors another “legitimate” means of persistence and access if they were to lose their malware connection.
In this intrusion, The DFIR Report observed usage of gmail[.]com and outlook[.]com email accounts for Atera agent registration.
Soon after, one of the injected Cobalt Strike processes accessed LSASS memory to dump credentials from the beachhead.

On the sixth day of the intrusion, the beachhead host saw new discovery activity with a quick nltest followed by the PowerView script Invoke-ShareFinder.
On the following day, the seventh day of the intrusion, the threat actors made their next move.
On that day, a new Cobalt Strike server was observed, in fact over the course of the intrusion, four different Cobalt Strike servers were used.
From the beachhead host, a DLL was transferred to a domain controller over SMB and then a remote service was created on the domain controller to execute the Cobalt Strike DLL.

After getting a foothold on the domain controller, The DFIR Report saw more process injection followed by the same pattern of installing Atera for additional persistent access.
From the domain controller, the threat actors proceeded with more discovery tasks including AdFind and Invoke-ShareFinder again.
After this, the threat actors went quiet.

On day nine of the intrusion, the next Cobalt Strike server, which would ultimately be used until the end of the intrusion, was observed for the first time.
On the tenth day, little activity was observed but the threat actors connected to the beachhead host via the Atera agent and executed another Cobalt Strike DLL.
A little discovery check-in was observed on the 14th day, but little else.

On the 19th day, the threat actors moved towards their final objectives.
They reviewed the directory structure of several hosts including domain controllers and backup servers.
They then dropped their final ransomware payload on the beachhead host and attempted to execute it using a batch file named backup.bat.
However, they found that their execution failed.

They left for a few hours, and then returned, and attempted to exploit a couple of CVE’s in an attempt to escalate privileges.
The threat actors had already secured domain admin access but it’s possible the operator may have thought they lacked permissions when their first ransomware execution failed.

While these exploits appear to have failed the threat actors found their previously captured domain admin credentials and launched two new Cobalt Strike beacons on the domain controllers.
Finally, twenty minutes after accessing the domain controllers, the threat actors dropped the ransomware DLL and the batch script and executed it from the domain controller.
This time the execution worked as intended and resulted in domain wide ransomware.

Sign Up For Threat Alerts

Loading...
Threats Icon

Aug 16, 2022

LockBit Ransomware Abuses Legitimate Windows Defender Utility

The LockBit ransomware-as-a-service was identified using a legitimate Windows Defender command line utility to decrypt...

Threats Icon

Aug 14, 2022

US Cert Alert – Zeppelin Ransomware

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are...

Threats Icon

Aug 11, 2022

Cisco Talos shares insights related to recent...

Initial access to the Cisco VPN was achieved via the successful compromise of a Cisco...

Threats Icon

Aug 11, 2022

Andariel deploys DTrack and Maui ransomware

The CISA published an alert, entitled, "North Korean State-Sponsored Cyber Actors Use Maui Ransomware To...

Threats Icon

Aug 09, 2022

Albanian Government Organizations Targeted By Possible Iranian...

Mandiant identified the ROADSWEEP ransomware family and a Telegram persona which targeted the Albanian government...

Threats Icon

Aug 08, 2022

BumbleBee Roasts Its Way to Domain Admin

Threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that...

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...