Multiple TAs exploiting this vuln now⬇️

TAs executing:
➡️whoami
➡️curl redacted[.]oast[.]me
➡️curl redacted[.]oast[.]fun

source IPs:

38.150.12[.]131
38.180.75[.]124
67.181.73[.]197
134.122.186[.]223
38.150.12[.]144
186.117.138[.]210
158.247.248[.]34
31.41.221[.]123
117.188.118[.]53
157.230.218[.]201
103.73.66[.]37

If you work in DFIR/DE/TH and want the POST uri, please contact us - https://thedfirreport.com/contact/

This intel and more available @ https://thedfirreport.com/services/threat-intelligence/ #AllIntel
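As an added example (not The DFIR Report's code, and not the withheld POST URI), the two hunts a defender would run for the activity in the post above: requests from the listed source IPs in a web access log, and process command lines that call out to an OAST callback zone such as `oast.me` or `oast.fun`. The source IPs and the two `oast.*` zones are from the post; the other Interactsh default zones, the log format and the sample records are assumptions, constructed for illustration.

```python
"""Added example (not The DFIR Report's code): two hunts for the activity in the post
above, run over constructed sample data. The source IPs and the oast.me/oast.fun
callback zones come from the post; everything else here is an assumption."""
import ipaddress
import re

# Source IPs exactly as published (defanged with "[.]").
DEFANGED_SOURCE_IPS = [
    "38.150.12[.]131", "38.180.75[.]124", "67.181.73[.]197", "134.122.186[.]223",
    "38.150.12[.]144", "186.117.138[.]210", "158.247.248[.]34", "31.41.221[.]123",
    "117.188.118[.]53", "157.230.218[.]201", "103.73.66[.]37",
]

# Out-of-band callback zones. oast.me and oast.fun are in the post; the others are
# the remaining Interactsh default domains (assumption: extend with your own OAST zones).
OAST_ZONES = ("oast.me", "oast.fun", "oast.pro", "oast.live", "oast.site", "oast.online")


def refang(indicator: str) -> str:
    """Undo the usual defanging so published IOCs can be compared with raw log data."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


SOURCE_IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_SOURCE_IPS}

# Combined access-log format: client IP first, then method and URI inside the quotes.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)'
)


def match_source_ips(access_log_lines):
    """Return (ip, method, uri) for every request made from one of the listed source IPs."""
    hits = []
    for line in access_log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not a combined-format line: skip rather than guess
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        if ip in SOURCE_IPS:
            hits.append((str(ip), m["method"], m["uri"]))
    return hits


# Hostnames on a command line, with an optional http(s):// scheme in front.
HOST_RE = re.compile(r"(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)


def is_oast_callback(cmdline: str) -> bool:
    """True when a command line (Sysmon 1, Security 4688, auditd execve) contains a
    host inside one of the OAST zones, e.g. 'curl abcd1234.oast.me'."""
    for host in HOST_RE.findall(refang(cmdline)):
        host = host.lower().rstrip(".")
        if any(host == z or host.endswith("." + z) for z in OAST_ZONES):
            return True
    return False


# --- constructed sample input (the real POST URI is withheld in the post) ----------
SAMPLE_ACCESS_LOG = [
    '38.150.12.131 - - [02/Nov/2023:10:15:01 +0000] "POST /example-endpoint HTTP/1.1" 200 512',
    '10.0.0.8 - - [02/Nov/2023:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '103.73.66.37 - - [02/Nov/2023:10:16:44 +0000] "POST /example-endpoint HTTP/1.1" 500 0',
]
SAMPLE_CMDLINES = [
    "whoami",
    "curl redacted.oast.me",
    "curl http://redacted.oast.fun/x",
    "curl https://update.example.com/agent",
]

if __name__ == "__main__":
    print(match_source_ips(SAMPLE_ACCESS_LOG))
    print([c for c in SAMPLE_CMDLINES if is_oast_callback(c)])
```

The IP match is the high-fidelity check; the OAST check matches any subdomain of the zones, which is what Interactsh-style callbacks look like (`<random>.oast.me`), so a `whoami` or `curl` to a normal host never trips it.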

Contact Us

PGP Key

The DFIR Report

📢 Private report | WS_FTP Exploit Activity Leads to Sliver

We are sharing this private report to highlight the TTPs used in an intrusion related to the recent WS_FTP vulnerability. This report became available to our paid customers a couple of weeks ago.

Report: https://thedfirreport.com/wp-content/uploads/2023/11/WS_FTP-Exploit-Activity-leads-to-Sliver.pdf

📅 Initial Access (Oct 2, 2023):
Threat actors exploited WS_FTP CVE-2023-40044. They established a foothold using Sliver beacons, specifically with executable files cl.exe and sl.exe. Command and control traced back to 45[.]93[.]138[.]44:3131.

🕵️ Reconnaissance (Oct 13, 2023):
Over a 6-hour span:
• Used WinPeas for system recon
• Attempted credential access via Mimikatz but failed.
• Ran SharpHound, likely for Active Directory enumeration.

🛠️ Further Actions (Oct 18, 2023):
Threat Actors returned:
• Checked for network shares with PowerView
• Searched through Sticky Notes and event logs
• Utilized C:\temp as a staging area, moving confidential documents there using PowerShell
• Used PsMapExec for various tasks

🔑 Elevated Privileges & Collection:
• Accessed the domain controller & dumped the ntds.dit database.
• Exported Security & System registry hives from DC
• Accessed Security Insurance documents and staged them for exfil
• Attempted AdminSDHolder abuse and ran GodPotato

⚠️ Defense Evasion:
Throughout the intrusion, the threat actors:
• Removed payloads post-execution
• Deleted specific PowerShell Transcript Logs
• HOK led to a lot of spelling errors when executing commands
• Only used Sliver throughout the intrusion

➡️This is an example of a private report that we make available to our customers on a weekly basis. If you are not a customer and would like to get access to these reports, please contact us - https://thedfirreport.com/contact/ #AllIntel

------------------------------------------------------------------------------------

➡️Customers with access to our private ruleset benefit from our curated collection of Sigma rules, based on observed intrusions. Below is one of the many rules we created for this intrusion.

https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/rules/windows/process_creation/proc_creation_win_conhost_headless.yml
------------------------------------------------------------------------------------

➡️Interested in our Mentoring & Coaching Program? Both our mentoring and coaching programs aim to offer you the right mix of personalized guidance, industry knowledge, and practical skills.

https://thedfirreport.com/services/mentoring-coaching-program/

🔍 Intrusion Analysis From Our Private Reports | IcedID to DagonLocker

🚨Overview:

We observed an intrusion that started with an IcedID infection and continued with Cobalt Strike beacons. Days later, and after files were exfiltrated to AWS, it led to the deployment of Dagon Locker ransomware.

1️⃣ Initial Compromise:

We recently observed an intrusion that began with an IcedID infection from PrometheusTDS URLs in malspam, gaining an entry point through a JavaScript file. IcedID communicated initially with the domain: oopscokir\.com and later with the C2 143[.]110[.]245[.]38|443.

2️⃣ Persistence:

The IcedID malware created a scheduled task to maintain persistence on the infected host, and after some initial network discovery commands, it went dark.

3️⃣ Privilege Escalation:

To elevate their privileges, they used Named Pipe impersonation, likely from a GetSystem command issued via the injected beacon process followed by access to the LSASS.

4️⃣ Reconnaissance:

When threat actors returned, they launched a Cobalt Strike DLL beacon. They then began their discovery, first with simple commands and then with BloodHound, ShareFinder and a custom PowerShell script that connected to an S3 bucket to upload the results.

5️⃣ Lateral Movement:

After inspecting the results of their discovery efforts, we saw them pivoting to a domain controller over SMB using Cobalt Strike execution techniques.

6️⃣ Data Exfiltration:

On the domain controller, the threat actor set up AWSCLI and connected to an S3 bucket. They began exfiltrating data from a network file share to the S3 bucket. They also used the service file[.]io as an additional exfiltration destination.

7️⃣ Impact:

After ~2 days of silence, they returned with some additional discovery commands, but this time, they also started staging the ransomware. Three hours after staging, they executed the ransomware.

The execution happened first on a workstation, using a remote service, and then on the rest of the systems, using the same method. All hosts displayed the Dagon Locker extortion note.

➡ If you are already a customer, more info such as commands, tasks, files, behaviors, IOCs, etc. can be found under eventID 23825.

➡➡If you are not a customer and would like to get access to these reports, please contact us - https://thedfirreport.com/contact/ #AllIntel

➡Customers with access to our private ruleset benefit from our curated collection of Sigma rules, based on observed intrusions. Below is one of the many rules we created for this intrusion.

https://thedfirreport.com/contact

———————————————

➡Interested in our Mentoring & Coaching Program? Check it out!

https://thedfirreport.com/services/mentoring-coaching-program/

———————————————

➡Merchandise: T-shirts, stickers, hoodies, polos and more available at

https://thedfirreport.com/merchandise/

➡➡First 5 people to spend $15 or more will receive $5 off your purchase by entering discount code RKQVDTBTTT7F at check out.


The DFIR Report

🔍 Intrusion Analysis Thread from our private reports | DarkGate, Cobalt Strike, and BianLian:

1/ 🚨 Overview:

We observed a suspicious MSI file executed, leading to the deployment of DarkGate, Cobalt Strike, and BianLian malware. Let us dive deeper.

2/ 📂 DarkGate Deployment:

Shortly after the execution of the MSI file, a CAB file was automatically decompressed using expand.exe. They then used an AutoIt script, which resulted in the process injection of malicious code into TabTip32.exe.

3/ 🌍 DarkGate C&C Ties:

DarkGate was seen making connections to IP 80.66.88.145 on ports 9999 & 7891. Two days later, DarkGate injected a Cobalt Strike beacon into a notepad.exe process on the host, which communicated to a different IP 155.138.129.122|35297.

4/ 👤 Deep Recon:

The actor was thorough. They fired off a series of commands targeting various user groups. They checked user profiles, groups, and domain admin details. Later on, Netscan and AdFind were executed to map out the network and AD environment.

5/ 🛡️ AV Evasion:

The threat actor added exclusions to bypass Windows Defender. After they queried the registry for any existing exclusion paths, they added the C:\Windows directory using PowerShell.

powershell.exe Add-MpPreference -ExclusionPath C:\windows

6/ 🔄 Persistence:

DarkGate established persistence via an LNK file in the user's Startup folder.

Later in the intrusion, the threat actor set up further persistence via a scheduled task to execute a script that executed a malicious DLL that called out to 162.33.179.116|443 (BianLian).

7/ 🚪 Backdoor User Creation:

A local administrator account was briefly added and then mysteriously deleted just 30 mins later. We also detected DCSync activity as part of the post-exploitation efforts.

8/ 🛠️ Privilege Escalation:

The threat actors brought PsExec to the environment to escalate their privileges. PsExec was run in memory, which was used to open a session remotely on the domain controller and run several commands over that session.

9/ 🕵️‍♂️ Profiling the Network:

The threat actor then moved to connect to the domain controller using RDP. Once connected, they continued discovery with the GUI interface checking server administration utilities.

10/ 🔄 Backups Breached:

A PowerShell script was remotely executed on a backup server, attempting to access credentials stored in the database.

11/ If you are already a customer, more info such as commands, tasks, files, behaviors, IOCs, etc. can be found under eventID 22967.

If you are not already a customer and would like to get access to these reports, please contact us - https://thedfirreport.com/contact/ #AllIntel

12/ Customers with access to our private ruleset benefit from our curated collection of Sigma rules, based on observed intrusions. Below is one of the many rules we created for this intrusion.

https://thedfirreport.com/contact/ #PrivateRuleset
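Two of the behaviours in the thread above are easy to turn into host-log checks: the Defender exclusion added with `Add-MpPreference -ExclusionPath C:\windows` (step 5) and the local administrator account that was deleted 30 minutes after it was created (step 7). The block below is an added example, not The DFIR Report's code or their Sigma rule; it runs over constructed event records whose fields mimic Security 4688/4720/4726 and Sysmon event 1. Account names, timestamps and the one-hour window are assumptions.

```python
"""Added example (not The DFIR Report's code): two checks for behaviour described in
the thread above, run over constructed Windows event records.
1. A Windows Defender exclusion added from the command line (Add-MpPreference -Exclusion*).
2. A local account created and deleted again within a short window (Security event
   4720 followed by 4726 for the same account).
The event dicts mimic the fields of Security 4688/4720/4726 and Sysmon event 1."""
from datetime import datetime
import re

# Add-MpPreference followed by any -Exclusion* parameter (Path, Process, Extension,
# IpAddress). Case-insensitive because PowerShell is. Assumption: applied to the raw
# CommandLine field of the process-creation event.
ADD_MP_EXCLUSION_RE = re.compile(r"add-mppreference\b.*?-exclusion\w*", re.I)


def defender_exclusion_cmdlines(events):
    """Return the command lines of process-creation events that add a Defender exclusion."""
    return [
        ev["CommandLine"]
        for ev in events
        if ev.get("EventID") in (4688, 1)
        and ADD_MP_EXCLUSION_RE.search(ev.get("CommandLine", ""))
    ]


def short_lived_accounts(events, max_minutes=60):
    """Pair each 4720 (user account created) with the next 4726 (user account deleted)
    for the same TargetUserName and return (user, lifetime_minutes) for accounts that
    lived no longer than max_minutes. Events are sorted by time first, so the order
    they arrive in does not matter."""
    created = {}
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        user = ev.get("TargetUserName", "").lower()
        if ev.get("EventID") == 4720:
            created[user] = ev["TimeCreated"]
        elif ev.get("EventID") == 4726 and user in created:
            lifetime = (ev["TimeCreated"] - created.pop(user)).total_seconds() / 60
            if lifetime <= max_minutes:
                findings.append((user, lifetime))
    return findings


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample events; the account name and timestamps are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": _t("2023-07-20T09:00:00"),
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"},
    {"EventID": 4688, "TimeCreated": _t("2023-07-20T09:00:05"),
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\windows"},
    {"EventID": 4688, "TimeCreated": _t("2023-07-20T09:00:10"),
     "CommandLine": "powershell.exe Get-MpPreference"},
    {"EventID": 4720, "TimeCreated": _t("2023-07-20T09:10:00"), "TargetUserName": "support2"},
    {"EventID": 4726, "TimeCreated": _t("2023-07-20T09:40:00"), "TargetUserName": "support2"},
    {"EventID": 4720, "TimeCreated": _t("2023-07-20T08:00:00"), "TargetUserName": "newhire"},
]

if __name__ == "__main__":
    print(defender_exclusion_cmdlines(SAMPLE_EVENTS))
    print(short_lived_accounts(SAMPLE_EVENTS))
```

The account check deliberately keys on creation followed by deletion rather than on the 4732 group-membership event alone: an account that exists for half an hour is suspicious whatever group it was put in, and it still fires if the attacker cleans up the group change first.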


The DFIR Report

We'll be releasing a private report to our #AllIntel customers on Monday 8/7 in relation to #DarkGate, #CobaltStrike, & #BianLian.

https://thedfirreport.com/services/

On an unrelated note, we'll also have a public report out later this month after a brief summer hiatus. 🌞 🎉

We've got quite a few reports in the pipeline:

-Hive
-Nokoyawa
-Netsupport + NIM tooling
-And more!

Shout out to all our analysts working on these reports!!

Services

Threat Intelligence Gain access to a comprehensive suite of threat intelligence, encompassing everything from raw data from our public reports, to specialized threat feeds, to in-depth tracking of …

The DFIR Report

In May, we observed a threat actor (TA) exploit PaperCut NG (CVE-2023-27350) to download and execute a Havoc C2 binary.

➡️The TA then reviewed tasklist before dumping credentials using mimikatz.
➡️Next, the TA downloaded numerous RMM tools.
➡️After installing Level Agent using Havoc, the TA then proceeded to download AnyDesk, DWagent, Netscan, Putty and Advanced IP Scanner.
➡️After profiling the network, the TA started pivoting to domain controllers, file shares and backup servers...

If you are not already a customer and would like to get access to our private reports, please contact us - https://thedfirreport.com/contact/

IOCs and report were made available to our #AllIntel customers back in May. Customers can find this information under EventID 21436.


The DFIR Report

Interesting #CobaltStrike server:

➡️dash[.]cloudflareo[.]club
➡️➡️45.92.158.220
➡️Trevor profile (#trevorforget)
➡️URI: us/ky/louisville/312-s-fourth-st.html
➡️URI: OrderEntryService.asmx/AddOrderLine
➡️Spawn: gpupdate.exe

Full list available @ http://thedfirreport.com/services
#AllIntel


The DFIR Report

Here's some newer #CobaltStrike servers we're tracking with Freenom domains:

➡️lemon[.]mmmllkps[.]tk
➡️searchme[.]360niubiclass[.]tk
➡️www[.]tercent[.]tk
➡️no-cs[.]cf
➡️www[.]qax666[.]tk

Full list @ http://thedfirreport.com/services

#AllIntel


The DFIR Report

Some newer #CobaltStrike servers with Freenom domains:

➡️no-cs[.]cf
➡️cs[.]dimples7331[.]ml
➡️lin[.]buyshipping[.]ml
➡️www[.]qax666[.]tk
➡️n3w[.]n3wf1nd3r[.]ga
➡️managers[.]pabotelidely[.]tk

Full list available @ http://thedfirreport.com/services
#AllIntel


The DFIR Report

Interesting #CobaltStrike server:

➡️gupd[.]g00gle[.]ga
➡️➡️107.189.31.184
➡️URI: /jquery-3.3.2.min.js
➡️URI: /jquery-3.3.1.min.js
➡️Sleep: 45000
➡️Spawn: dllhost.exe
➡️License: 987654321

Full list available @ http://thedfirreport.com/services
#AllIntel
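The Cobalt Strike server posts above share two hunting hooks: the Freenom free ccTLDs (.tk, .ml, .ga, .cf, .gq) the domains sit on, and the beacon profile URIs quoted for the two servers (the Trevor-profile paths and the jQuery-profile `/jquery-3.3.x.min.js` paths). The block below is an added example, not The DFIR Report's code or their tracking feed, that runs those checks over constructed web-proxy records. The hostnames, IPs and URIs are taken from the four posts; the record format and sample traffic are assumptions.

```python
"""Added example (not The DFIR Report's code): hunt through web-proxy records for two
traits of the Cobalt Strike servers listed in the posts above: destinations on Freenom's
free ccTLDs (.tk .ml .ga .cf .gq) and request paths matching the beacon profile URIs
quoted there. Hosts/IPs and URIs come from the posts; proxy records are constructed."""
import re
from urllib.parse import urlsplit

FREENOM_TLDS = {"tk", "ml", "ga", "cf", "gq"}

# Server names and IPs quoted in the posts above, kept defanged as published.
DEFANGED_C2 = [
    "dash[.]cloudflareo[.]club", "45.92.158.220",
    "lemon[.]mmmllkps[.]tk", "searchme[.]360niubiclass[.]tk", "www[.]tercent[.]tk",
    "no-cs[.]cf", "www[.]qax666[.]tk", "cs[.]dimples7331[.]ml", "lin[.]buyshipping[.]ml",
    "n3w[.]n3wf1nd3r[.]ga", "managers[.]pabotelidely[.]tk",
    "gupd[.]g00gle[.]ga", "107.189.31.184",
]

# Beacon URIs from the posts; the Trevor-profile path is quoted without a leading slash.
PROFILE_URIS = {
    "/us/ky/louisville/312-s-fourth-st.html",
    "/OrderEntryService.asmx/AddOrderLine",
    "/jquery-3.3.1.min.js",
    "/jquery-3.3.2.min.js",
}


def refang(indicator):
    return indicator.replace("[.]", ".").lower()


KNOWN_C2 = {refang(x) for x in DEFANGED_C2}


def is_freenom_tld(host):
    """True for a hostname whose TLD is one of Freenom's free ccTLDs."""
    host = refang(host).rstrip(".")
    if "." not in host or re.fullmatch(r"[\d.]+", host):
        return False  # bare labels and IP literals have no TLD to judge
    return host.rsplit(".", 1)[1] in FREENOM_TLDS


def normalise_path(url):
    path = urlsplit(url).path or "/"
    return path if path.startswith("/") else "/" + path


def hunt(proxy_records):
    """proxy_records: iterable of dicts with 'src', 'dst_host' and 'url'.
    Returns (src, dst_host, reasons) for every record that trips at least one check,
    strongest reason first."""
    findings = []
    for rec in proxy_records:
        host = refang(rec["dst_host"]).rstrip(".")
        path = normalise_path(rec["url"])
        reasons = []
        if host in KNOWN_C2:
            reasons.append("known C2 host")
        elif is_freenom_tld(host):
            reasons.append("freenom tld")
        if path in PROFILE_URIS:
            reasons.append("cobalt strike profile uri")
        if reasons:
            findings.append((rec["src"], host, reasons))
    return findings


# Constructed sample proxy records.
SAMPLE_PROXY = [
    {"src": "10.1.2.3", "dst_host": "gupd.g00gle.ga", "url": "https://gupd.g00gle.ga/jquery-3.3.1.min.js"},
    {"src": "10.1.2.4", "dst_host": "cdn.example.net", "url": "https://cdn.example.net/jquery-3.3.1.min.js"},
    {"src": "10.1.2.5", "dst_host": "files.randomname.tk", "url": "https://files.randomname.tk/"},
    {"src": "10.1.2.6", "dst_host": "www.example.com", "url": "https://www.example.com/index.html"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_PROXY):
        print(finding)
```

Treat the two weaker reasons as triage signals rather than alerts: real CDNs serve `/jquery-3.3.1.min.js`, and .ga, .ml and the other ccTLDs also carry legitimate sites, so a hit is worth attention when the destination is otherwise unknown to the environment, or when both reasons fire for the same host, as in the first sample record.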


The DFIR Report