πŸ” Intrusion Analysis Thread from our private reports | DarkGate, Cobalt Strike, and BianLian:

1/ 🚨 Overview:

We observed a suspicious MSI file executed, leading to the deployment of DarkGate, Cobalt Strike, and BianLian malware. Let us dive deeper.

2/ 📂 DarkGate Deployment:

Shortly after the MSI file was executed, a CAB file was automatically decompressed using expand.exe. They then used an AutoIt script, which resulted in malicious code being injected into the TabTip32.exe process.

3/ 🌍 DarkGate C&C Ties:

DarkGate was seen making connections to IP 80.66.88.145 on ports 9999 and 7891. Two days later, DarkGate injected a Cobalt Strike beacon into a notepad.exe process on the host, which communicated with a different IP, 155.138.129.122, on port 35297.

4/ 👀 Deep Recon:

The actor was thorough. They fired off a series of commands targeting various user groups. They checked user profiles, groups, and domain admin details. Later on, Netscan and AdFind were executed to map out the network and AD environment.

5/ 🛡️ AV Evasion:

The threat actor added exclusions to bypass Windows Defender. After querying the registry for any existing exclusion paths, they added the C:\Windows directory using PowerShell:

powershell.exe Add-MpPreference -ExclusionPath C:\windows

6/ 🔄 Persistence:

DarkGate established persistence via an LNK file in the user's Startup folder.

Later in the intrusion, the threat actor set up further persistence via a scheduled task that executed a script, which in turn executed a malicious DLL that called out to 162.33.179.116 on port 443 (BianLian).

7/ 🚪 Backdoor User Creation:

A local administrator account was briefly added and then mysteriously deleted just 30 minutes later. We also detected DCSync activity as part of the post-exploitation efforts.
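Detection logic for three of the steps above (the CAB expansion in 2/, the Defender exclusion query and addition in 5/, and the short-lived local admin account in 7/), written as an added example that is not The DFIR Report's code or one of its Sigma rules. The process-creation records are constructed to resemble Sysmon Event ID 1 fields; the rule names, the sample paths and account name are assumptions of mine, and the 30-minute window follows the thread's observation.

```python
import re
from datetime import datetime, timedelta

# Command-line patterns shared by the rule table and the account-lifetime check.
ADD_RE = r"\buser\s+(\S+)(?:\s+\S+)?\s+/add\b"
DEL_RE = r"\buser\s+(\S+)\s+/delete\b"
# (rule name, image regex, parent-image regex, command-line regex), all case-insensitive.
RULES = [
    ("cab_expand_from_msi", r"expand(\.exe)?$", r"msiexec(\.exe)?$", r"\.cab\b"),
    ("defender_exclusion_enum", r"reg(\.exe)?$", r".*", r"\bquery\b.*windows defender\\exclusions"),
    ("defender_exclusion_added", r"powershell(\.exe)?$", r".*", r"add-mppreference\b.*-exclusionpath\b"),
    ("local_user_added", r"net1?(\.exe)?$", r".*", ADD_RE),
    ("local_user_deleted", r"net1?(\.exe)?$", r".*", DEL_RE),
]

def match_rules(event):
    """Names of every rule a single process-creation event triggers."""
    return [name for name, img, parent, cmd in RULES
            if re.search(img, event["Image"], re.I)
            and re.search(parent, event["ParentImage"], re.I)
            and re.search(cmd, event["CommandLine"], re.I)]

def short_lived_accounts(events, window=timedelta(minutes=30)):
    """Accounts created with `net user ... /add` and deleted again within `window`."""
    created, found = {}, []
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        hits = match_rules(e)
        if "local_user_added" in hits:
            created[re.search(ADD_RE, e["CommandLine"], re.I).group(1).lower()] = e["UtcTime"]
        if "local_user_deleted" in hits:
            name = re.search(DEL_RE, e["CommandLine"], re.I).group(1).lower()
            if name in created and e["UtcTime"] - created[name] <= window:
                found.append(name)
    return found

# Constructed sample telemetry shaped like Sysmon Event ID 1 fields (not real IoCs).
T0, CMD = datetime(2024, 1, 1, 12, 0), r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"UtcTime": T0, "Image": r"C:\Windows\System32\expand.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"expand.exe C:\Users\Public\pkg.cab -F:* C:\Users\Public\out"},
    {"UtcTime": T0 + timedelta(days=2), "Image": r"C:\Windows\System32\reg.exe", "ParentImage": CMD,
     "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"'},
    {"UtcTime": T0 + timedelta(days=2, minutes=1), "ParentImage": CMD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\windows"},
    {"UtcTime": T0 + timedelta(days=2, hours=1), "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": CMD, "CommandLine": "net user svc_tmp Passw0rd /add"},
    {"UtcTime": T0 + timedelta(days=2, hours=1, minutes=29), "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": CMD, "CommandLine": "net user svc_tmp /delete"},
]
```

Running `match_rules` over each record in `EVENTS` yields one hit per record, and `short_lived_accounts(EVENTS)` returns the account that was created and removed inside the window.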

8/ 🛠️ Privilege Escalation:

The threat actors brought PsExec into the environment to escalate their privileges. PsExec was run in memory and used to open a remote session on the domain controller and run several commands over that session.

9/ πŸ•΅οΈβ€β™‚οΈ Profiling the Network:

The threat actor then connected to the domain controller using RDP. Once connected, they continued discovery through the GUI, checking server administration utilities.

10/ 🔄 Backups Breached:

A PowerShell script was remotely executed on a backup server, attempting to access credentials stored in the database.

11/ If you are already a customer, more info such as commands, tasks, files, behaviors, IOCs, etc. can be found under eventID 22967.

If you are not already a customer and would like to get access to these reports, please contact us - https://thedfirreport.com/contact/ #AllIntel

12/ Customers with access to our private ruleset benefit from our curated collection of Sigma rules, based on observed intrusions. Below is one of the many rules we created for this intrusion.

https://thedfirreport.com/contact/ #PrivateRuleset

The DFIR Report