Found 17 bookmarks
Custom sorting
The Curious Case of an Egg-Cellent Resume
The Curious Case of an Egg-Cellent Resume
  • Initial access was via a resume lure as part of a TA4557/FIN6 campaign. The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware. Cobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity. The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities. The threat actor installed Cloudflared to assist in tunneling RDP traffic. This case was first published as a Private Threat Brief for customers in April of 2024. Eight new rules were created from this report and added to our Private Detection Ruleset.
#thedfirreport#EN#2024#Egg-Cellent#Resume#lure#CV#Cloudflared
·thedfirreport.com·
The Curious Case of an Egg-Cellent Resume
Inside the Open Directory of the “You Dun” Threat Group
Inside the Open Directory of the “You Dun” Threat Group
  • Analysis of an open directory found a Chinese speaking threat actor’s toolkit and history of activity. The threat actor displayed extensive scanning and exploitation using WebLogicScan, Vulmap, and Xray, targeting organizations in South Korea, China, Thailand, Taiwan, and Iran. The Viper C2 framework was present as well as a Cobalt Strike kit which included TaoWu and Ladon extensions. * The Leaked LockBit 3 builder was used to create a LockBit payload with a custom ransom note that included reference to a Telegram group which we investigated further in the report.
#thedfirreport#EN#2024#Analysis#open-directory#LockBit#operational#You-Dun#group#China#tools#scan
·thedfirreport.com·
Inside the Open Directory of the “You Dun” Threat Group
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
In November 2023, we identified a BlackCat ransomware intrusion started by Nitrogen malware hosted on a website impersonating Advanced IP Scanner. Nitrogen was leveraged to deploy Sliver and Cobalt Strike beacons on the beachhead host and perform further malicious actions. The two post-exploitation frameworks were loaded in memory through Python scripts. After obtaining initial access and establishing further command and control connections, the threat actor enumerated the compromised network with the use of PowerSploit, SharpHound, and native Windows utilities. Impacket was employed to move laterally, after harvesting domain credentials. The threat actor deployed an opensource backup tool call Restic on a file server to exfiltrate share data to a remote server. Eight days after initial access the threat actor modified a privileged user password and deployed BlackCat ransomware across the domain using PsExec to execute a batch script. Six rules were added to our Private Ruleset related to this intrusion.
#thedfirreport#EN#2024#BlackCat#ransomware#Advanced-IP-Scanner
·thedfirreport.com·
Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
BlackSuit Ransomware
BlackSuit Ransomware
  • In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor leveraged various tools, including Sharphound, Rubeus, SystemBC, Get-DataInfo.ps1, Cobalt Strike, and ADFind, along with built-in system tools. Command and control traffic was proxied through CloudFlare to conceal their Cobalt Strike server. Fifteen days after initial access, BlackSuit ransomware was deployed by copying files over SMB to admin shares and executing them through RDP sessions. Three rules were added to our private ruleset related to this case.
#thedfirreport#EN#2024#BlackSuit#Ransomware
·thedfirreport.com·
BlackSuit Ransomware
Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
  • In early December of 2023, we discovered an open directory filled with batch scripts, primarily designed for defense evasion and executing command and control payloads. These scripts execute various actions, including disabling antivirus processes and stopping services related to SQL, Hyper-V, security tools, and Exchange servers. This report also highlights scripts responsible for erasing backups, wiping event logs, and managing the installation or removal of remote monitoring tools like Atera. Our investigation uncovered the use of additional tools, including Ngrok for proxy services, SystemBC, and two well-known command and control frameworks: Sliver and PoshC2. The observed servers show long term usage by the threat actors, appearing in The DFIR Report Threat Feeds as far back as September 2023. They have been active intermittently since then, with the most recent activity detected in August 2024. Ten new sigma rules were created from this report and added to our private sigma ruleset
#thedfirreport#EN#2024#Toolkit#investigation#open-directory#PoshC2#Batch-Scripts
·thedfirreport.com·
Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
Key Takeaways In October 2023, we observed an intrusion that began with a spam campaign, distributing a forked IcedID loader. The threat actor used Impacket’s wmiexec and RDP to install Scree…
#thedfirreport#EN#2024#analysis#IceID#ScreenConnect#incident#ALPHV#Ransomware
·thedfirreport.com·
IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment – The DFIR Report
From IcedID to Dagon Locker Ransomware in 29 Days
From IcedID to Dagon Locker Ransomware in 29 Days
  • In late August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was then used through-out the intrusion. The threat actor leveraged a bespoke PowerShell tool known as AWScollector to facilitate a range of malicious activities including discovery, lateral movement, data exfiltration, and ransomware deployment. Group Policy was used to distribute Cobalt Strike beacons at login to a specific privileged user group. The threat actor utilized a suite of tools to support their activities, deploying Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind. * This case had a TTR (time to ransomware) of 29 days.
#thedfirreport#EN#2024#PrometheusTDS#TTR#IcedID#report
·thedfirreport.com·
From IcedID to Dagon Locker Ransomware in 29 Days
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
  • In late February 2023, threat actors rode a wave of initial access using Microsoft OneNote files. In this case, we observed a threat actor deliver IcedID using this method. After loading IcedID and establishing persistence, there was no further actions, other than beaconing for over 30 days. The threat actor used Cobalt Strike and AnyDesk to target a file server and a backup server. * The threat actor used FileZilla to exfiltrate data from the network before deploying Nokoyawa ransomware.
#thedfirreport#EN#2024#2023#incident#incident-analysis#IcedID#OneNote#FileZilla#Nokoyawa#ransomware
·thedfirreport.com·
From OneNote to RansomNote: An Ice Cold Intrusion - The DFIR Report
BumbleBee Zeros in on Meterpreter
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.
#thedfirreport#EN#2022#bumblebee#case#analysis
·thedfirreport.com·
BumbleBee Zeros in on Meterpreter
BumbleBee Zeros in on Meterpreter
BumbleBee Zeros in on Meterpreter
In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators. The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.
#thedfirreport#EN#2022#bumblebee#case#analysis
·thedfirreport.com·
BumbleBee Zeros in on Meterpreter