New bullies on the block: They don’t PLAY nice.

In mid-November 2022, #Sophos X-Ops responded to an incident where PLAY #ransomware, also known as #PlayCrypt, was found in an under-protected environment.

PLAY is a relatively new ransomware variant, first reported in mid-July of 2022. It deploys a variety of commonly abused tools, similar to other Ransomware-as-a-Service (RaaS) deployments such as Hive or Nokoyawa. In this thread we’ll walk through what Sophos X-Ops researchers @bencrypted and @th3_protoCOL saw in their analysis – a process our Rapid Response team observed in reverse, starting their work with this customer when they were called in at the 14-day mark.

The IoCs provided in this writeup are available on our Github: https://github.com/sophoslabs/IoCs.

#threatintel #infosec #ioc #SophosXOps


**// Day 1**

The earliest identifiable access in this case stemmed from remote web authentication into a compromised account.

First, a series of reconnaissance commands such as `whoami`, `whoami /groups`, and `ipconfig` were issued. The malware then wrote two ZIP archives to disk, along with two executable binaries – BloodHound (https://github.com/BloodHoundAD/BloodHound) and the commonly abused remote access tool known as AnyDesk.

We saw other notable process executions, mostly concerning reconnaissance but also involving the PowerShell ISE scripting environment:

- `C:\Users\redacted.user.example\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe`

- `quser.exe`

- `net.exe user /domain`

- `net.exe user redacted.user.example /domain`

- `whoami.exe /groups`

- `systeminfo.exe`

- `nltest.exe /domain_trusts`

- `net.exe group "domain computers" /domain`

- `powershell_ise.exe`

The use of commonly abused tools among malware families is known across the industry. TrendMicro has documented commonalities among attack indicators of Hive, Nokoyawa, and now PLAY, and their findings match what we’ve outlined here.

https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html


**// Day 2**

The threat actor attempted to pivot to different systems via RDP, and once again fired up PowerShell. The following files were written to disk:

- `av_scan.rar`

- `\av_scan\av_scan.exe`

Notable process executions on the second day included:

- `"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\redacted.user.example\Downloads\av_scan\" -ad -an -ai#7zMap20119:92:7zEvent27658`

- `nltest /domain_trusts /all_trusts`

- `nltest /dclist:<redact.domain>`

(The nltest command ran multiple times for different domains, as the attacker learned more about the environment.)

- `NOTEPAD.EXE C:\Users\redacted.user.example\AppData\Local\Temp\67\log.txt`

- `PowerShell.exe -noexit -command Set-Location -literalPath 'C:\\Users\\redacted.user.example\\AppData\\Local\\Temp\\67'`

- `powershell_ise.exe`

We saw an AMSI bypass attempt via powershell_ise.exe. A number of `ping`, `whoami`, `net user`, & `nltest` reconnaissance commands were also issued, and the attacker made some attempt to remove artifacts of lateral movement and generally clean up the day’s history:

- `Remove-Item (Get-PSReadLineOption).HistorySavePath`

- `remove-item $docs -Force 2>&1 | Out-Null`

- `Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Terminal Server Client\Default' 'MR*' 2>&1 | Out-Null`

- `Remove-Item -Path 'HKCU:\Software\Microsoft\Terminal Server Client\servers' -Recurse 2>&1 | Out-Null`

**// Day 4**

After a day’s layoff, the attackers resumed their connection via RDP and undertook further counter-detection measures, including attempts to remove EDR protections when they found them.

Process executions included:

- `cmd.exe systeminfo`

- `cmd.exe net group "Domain Admins" /domain`

We observed BloodHound execution, including retrieval of additional tooling.

- `Sendspace[.]com` is used to download BloodHound tooling in the archive named `pussy.rar`

- `"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\redacted.user.example\Downloads\Pussy\" -ad -an -ai#7zMap29044:88:7zEvent15469`

- `nltest /domain_trusts /all_trusts`

- `Pussy[.]exe -c all -d domain.local`

- `\Downloads\Pussy\1.zip` (BloodHound results)

The threat actor performed discovery via ping and leveraged Notepad++ to view a NETLOGON script. Further lateral movement was observed via RDP over the course of the day.

**// Day 5**

We observed further RDP connections, along with DLL sideloading, Cobalt Strike activity, local privilege escalation attempts, and SystemBC (multipurpose proxy malware that, among other things, leverages a SOCKS5 proxy and offers Tor backdooring functionality). The threat actor continued to initiate scans and attempted to place AnyDesk on various systems. Sensitive files were staged, and 7-Zip was leveraged for exfiltration. At this point the presence of multiple C2 entities made the tracking especially exciting.

- The DLL `\Pictures\libvlc.dll` was loaded into the process MSDTC.exe (VLC.exe)

- Binary written to disk: `\Pictures\mstsc.exe`

Note: This was a VLC binary abused for sideloading. It appears to be named after a native Windows binary for evasion purposes.

- Cobalt Strike detected in `dllhost`

- C2 activity related to Cobalt Strike: `z3a1.ssndob.cn[.]com`

Various commands were again run via Cobalt Strike:

- `cmd.exe /C tasklist /svc`

- `cmd.exe /C whoami /groups`

- `cmd.exe /C systeminfo > systeminfo.txt`

- `cmd.exe /C dir`

- `cmd.exe /C type systeminfo.txt`

Other processes and detections:

- `\pictures\ps.exe`

- `cmd.exe /C ps.exe -h`

- `cmd.exe /C ps.exe -h 10.1.1.0/24 -nopn psinternal.txt`

- `\Pictures\ok.exe` (Windows local privilege escalation via WinPEAS)

- `cmd.exe /C ok.exe cmd fast`

- `\pictures\internal.txt`

- `'ATK/winPEAS-A' at '\Pictures\ok.exe'` (winPEAS attack tool used for local privilege escalation)

- `'ATK/winPEAS-B' at '\Pictures\ok.bat'` (winPEAS attack tool used for local privilege escalation)

- `'Exp/2140444-A' at '\Pictures\document.docx'` (winPEAS attack tool used for local privilege escalation)

- `\desktop\64-bit\netscan.exe`

- Threat Actor download via chrome: `45.227.252[.]247/download/svr.dll`

- `\documents\2.dll` (downloaded from `mail.proton[.]me`)

- `rundll32.exe 2.dll, alDeletePresetsSOFT`

- `C:\Users\Public\p.txt`

- `mail.proton.me` is used to download `1.dll` and `rin.dll` into the Documents folder

- `rundll32.exe rin.dll, DllRegisterServer`

- `rundll32.exe 1.dll, DllRegisterServer`

- `"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\redacted.user.example\Documents\scan.html`

- `45.227.252[.]247/download/win.exe`

- `45.227.252[.]247/download/22.dll`

- `rundll32.exe 22.dll, CheckUserConsent`

- C2 server related to `22.dll`: `45.63.86[.]203:443`

- hxxp://sendspace[.]com used to download `C:\Users\redacted.user.example\Desktop\local.ps1`

- `powershell -ex bypass -f local.ps1`
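As an added example (not part of the Sophos writeup or its IoC repository), a small Python rule set that flags the Day 2 clean-up commands and the Day 5 rundll32, nltest and PowerShell invocations when run over process-creation command lines. The sample lines are constructed to mirror the thread, and the ATT&CK technique mapping is my own.

```python
import re

# Constructed sample process-creation command lines, modelled on the
# Day 2 clean-up and Day 5 activity listed in the thread, plus two benign lines.
SAMPLE_CMDLINES = [
    "powershell.exe Remove-Item (Get-PSReadLineOption).HistorySavePath",
    "powershell.exe Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Terminal Server Client\\Default' 'MR*' 2>&1 | Out-Null",
    "rundll32.exe 22.dll, CheckUserConsent",
    "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
    "nltest /domain_trusts /all_trusts",
    "powershell -ex bypass -f local.ps1",
    "notepad.exe C:\\Users\\alice\\Documents\\notes.txt",
]

# (rule name, ATT&CK technique, pattern). The technique IDs are my mapping of
# the commands the thread reports, not something the thread itself states.
RULES = [
    ("psreadline_history_wipe", "T1070.003",
     re.compile(r"Remove-Item\s+\(Get-PSReadLineOption\)\.HistorySavePath", re.I)),
    # Deleting the RDP client's MRU list or saved servers under HKCU.
    ("rdp_mru_cleanup", "T1070",
     re.compile(r"Terminal Server Client\\(Default|servers)", re.I)),
    # A DLL given with no directory is resolved from the working directory
    # (the thread's 1.dll/2.dll/22.dll/rin.dll were loaded from Documents).
    ("rundll32_relative_dll", "T1218.011",
     re.compile(r"rundll32(\.exe)?\s+[^\\\s]+\.dll\s*,", re.I)),
    ("domain_trust_enum", "T1482",
     re.compile(r"nltest.*(/domain_trusts|/dclist)", re.I)),
    ("ps_execution_policy_bypass", "T1059.001",
     re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I)),
]


def classify(cmdline):
    """Return [(rule name, technique)] for every rule the command line triggers."""
    return [(name, tech) for name, tech, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Return [(cmdline, hits)] for only those lines that triggered a rule."""
    return [(c, classify(c)) for c in cmdlines if classify(c)]


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_CMDLINES):
        print(f"{hits} <- {line}")
```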

**// Time Unknown (pre-ransomware)**

- `C:\Users\redacted.user.example\Downloads\AnyDesk.exe`

We observed the IP address 5.255.103.142; this address is related to the SystemBC malware. We also observed the start of data collection of sensitive files via 7zip.

https://news.sophos.com/en-us/2020/12/16/systembc/


After a very busy Day 5, the action resumed just over a week later.

**// Day 14**

The default GPO policy was modified to include a scheduled task called “VeeamUpdate,” which utilized cmd.exe to execute the ransomware binary. (Veeam, the backup provider, is not implicated in this investigation; the attackers likely renamed the task to blend into the policy.) There were approximately 69 unique filenames associated with the ransomware binary at the time of this writing. A few examples of the ransomware file paths can be seen below:

- `C:\Users\Public\Music\xxx.exe`

- `C:\Users\Public\Music\gvfgbfbhtgfb.exe`

- `C:\PerfLogs\xxx.exe`

- `C:\PerfLogs\vvv.exe`

- `C:\PerfLogs\uuu.exe`

- `C:\PerfLogs\jng.exe`
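As an added example (my code, not Sophos's), a Python audit of a Group Policy Preferences ScheduledTasks.xml that surfaces tasks like the "VeeamUpdate" one described above: a cmd.exe wrapper launching a binary from the staging directories the thread lists. The XML is a constructed, trimmed sample; the TaskV2/Properties/Task/Actions/Exec layout is assumed from the GPP format and the task names are invented.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed GPP ScheduledTasks.xml (normally under
# SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\).
# uid, clsid, timestamps and triggers are omitted for brevity.
SAMPLE_GPP_XML = """<ScheduledTasks>
  <TaskV2 name="VeeamUpdate">
    <Properties action="U" name="VeeamUpdate" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>cmd.exe</Command><Arguments>/c C:\\PerfLogs\\xxx.exe</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="Inventory">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\\System" logonType="S4U">
      <Task version="1.2"><Actions Context="Author"><Exec>
        <Command>C:\\Program Files\\Inventory\\agent.exe</Command><Arguments>/quiet</Arguments>
      </Exec></Actions></Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>"""

# Staging directories the thread reports for the ransomware binary, and the
# cmd.exe wrapper pattern the VeeamUpdate task used to launch it.
STAGING_DIRS = re.compile(r"C:\\(PerfLogs|Users\\Public)\\", re.I)
CMD_WRAPPER = re.compile(r"^cmd(\.exe)?$", re.I)


def audit_gpp_tasks(xml_text):
    """Return [(task name, command line, [reasons])] for tasks worth reviewing."""
    findings = []
    # Only top-level task entries; the inner <Task version=...> is skipped.
    for entry in ET.fromstring(xml_text):
        if entry.tag not in ("TaskV2", "ImmediateTaskV2", "Task"):
            continue
        exec_el = entry.find(".//Actions/Exec")
        if exec_el is None:
            continue
        command = (exec_el.findtext("Command") or "").strip()
        args = (exec_el.findtext("Arguments") or "").strip()
        cmdline = f"{command} {args}".strip()
        reasons = []
        if CMD_WRAPPER.match(command):
            reasons.append("cmd.exe wrapper")
        if STAGING_DIRS.search(cmdline):
            reasons.append("binary in staging dir")
        if reasons:
            findings.append((entry.get("name"), cmdline, reasons))
    return findings
```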

At this point, the X-Ops Rapid Response team began their work to evict the threat, sifting through forensic data to piece together a narrative of events that took place in the environment, noting the attempts against EDR protections along the way, and identifying the point of initial access leveraged by the threat actor. This process – Response working backwards from the crux of the incident to the roots – allowed MDR in turn to develop an analysis that can be used to further refine detections and IoCs.

/end

@SophosXOps good 5 day thread .. thank you!