Read the original article: Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
Throughout 2020, ransomware activity has become increasingly
prolific, relying on an ecosystem of distinct but co-enabling
operations to gain access to targets of interest before conducting
extortion. Mandiant Threat Intelligence has tracked several loader and
backdoor campaigns that lead to the post-compromise deployment of
ransomware, sometimes within 24
hours of initial compromise. Effective and fast detection of
these campaigns is key to mitigating this threat.
The malware families enabling these attacks previously reported by
Mandiant to intelligence subscribers include KEGTAP/BEERBOT,
SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families
communicate with the same command and control infrastructure (C2) and
are close to functional parity, there are minimal code overlaps across
them. Other security researchers have tracked these malware families
under the names BazarLoader and BazarBackdoor
or Team9.
The operators conducting these campaigns have actively targeted
hospitals, retirement communities, and medical centers, even in the
midst of a global health crisis, demonstrating a clear disregard for
human life.
Email Campaign TTPs
Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent
to individuals at organizations across a broad range of industries and
geographies using a series of shifting delivery tactics, techniques
and procedures (TTPs). Despite the frequent changes seen across these
campaigns, the following has remained consistent across recent activity:
- Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
- This document contains an in-line link to a URL hosting a malware payload.
- Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
- Some email communications have included the recipient’s name or employer name in the subject line and/or email body.
Despite this uniformity, the associated TTPs have otherwise changed
regularly—both between campaigns and across multiple spam runs seen in
the same day. Notable ways that these campaigns have varied over time include:
- Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
- The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure; however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
- In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
- Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).
Figure 1: Email containing internal
references to target an organization’s name
Figure 2: Google Docs PDF document
containing a target organization’s logo
Hiding the final payload behind multiple links is a simple yet
effective way to bypass some email filtering technologies. Various
technologies have the ability to follow links in an email to try to
identify malware or malicious domains; however, the number of links
followed can vary. Additionally, embedding links within a PDF document
further makes automated detection and link-following difficult.
Post-Compromise TTPs
Given the possibility that accesses obtained from these campaigns
may be provided to various operators to monetize, the latter-stage
TTPs, including ransomware family deployed, may vary across
intrusions. A notable majority of cases where Mandiant has had
visibility into these post-compromise TTPs have been attributable to
UNC1878, a financially motivated actor that monetizes network access
via the deployment of RYUK ransomware.
Establish Foothold
Once the loader and backdoor have been executed on the initial
victim host, the actors have used this initial backdoor to download
POWERTRICK and/or Cobalt Strike BEACON payloads to establish a
foothold. Notably, the respective loader and backdoor as well as
POWERTRICK have typically been installed on a small number of hosts in
observed incidents, suggesting these payloads may be reserved for
establishing a foothold and performing initial network and host
reconnaissance. However, BEACON is frequently found on a larger number
of hosts and used throughout various stages of the attack lifecycle.
Maintain Presence
Beyond the preliminary phases of each intrusion, we have seen
variations in how these attackers have maintained presence after
establishing an initial foothold or moving laterally within a network.
In addition to the use of common post-exploitation frameworks such as
Cobalt Strike, Metasploit and EMPIRE, we have observed the use of
other backdoors, including ANCHOR, that we also believe to be under
control of the actors behind TrickBot.
- The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
- We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
- The actors were observed using BEACON to execute PowerLurk’s Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
- In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.
Escalate Privileges
The most commonly observed methods for escalating privileges in
these incidents have involved the use of valid credentials. The actors
used a variety of techniques for accessing credentials stored in
memory or on disk to access privileged accounts.
- The actors used valid credentials obtained using Mimikatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
- Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller.
- In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet.
Reconnaissance
The approaches taken to perform host and network reconnaissance
across these incidents varied; however, a significant portion of
observed reconnaissance activity has revolved around Active
Directory enumeration using publicly available utilities such as
BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of
PowerShell cmdlets using Cobalt Strike BEACON.
- BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
  - Get-GPPPassword
  - Invoke-AllChecks
  - Invoke-BloodHound
  - Invoke-EternalBlue
  - Invoke-FileFinder
  - Invoke-HostRecon
  - Invoke-Inveigh
  - Invoke-Kerberoast
  - Invoke-LoginPrompt
  - Invoke-mimikittenz
  - Invoke-ShareFinder
  - Invoke-UserHunter
- Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
- The actors leveraged the publicly available utilities ADFind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
- WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
- The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
- The actors used the Nltest command to list domain controllers.
Lateral Movement
Lateral movement was most commonly accomplished using valid
credentials in combination with Cobalt Strike BEACON, RDP and SMB, or
using the same backdoors used to establish a foothold in victim networks.
- The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments.
- The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols.
- The actors used the Windows net use command to connect to Windows admin shares to move laterally.
Complete Mission
Mandiant is directly aware of incidents involving KEGTAP that
included the post-compromise deployment of RYUK ransomware. We have
also observed instances where ANCHOR infections, another backdoor
associated with the same actors, preceded CONTI or MAZE deployment.
- In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
- The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
- The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
- The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.
Hunting Strategies
If an organization identifies a host with an active infection
believed to be an instance of KEGTAP or a parallel malware family, the
following containment actions are recommended. Note that due to the
velocity of this intrusion activity, these actions should be taken in parallel.
- Isolate and perform a forensic review of any impacted systems.
- Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
- Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
- Reset credentials for any user accounts associated with execution of the malware.
- Perform an enterprise-wide review for lateral movement authentication from the impacted systems.
- Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc.) and move towards multi-factor authentication (MFA) as soon as possible.
An enterprise-wide effort should be made to identify host-based
artifacts related to the execution of first-stage malware and all
post-intrusion activity associated with this activity. Some baseline
approaches to this have been captured as follows.
Activity associated with the KEGTAP loader can often be identified
via a review of system startup folders and Userinit values under the
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.
%APPDATA%\Microsoft\Windows\Start
Figure 3: Example LNK file associated with
KEGTAP persistence within a system’s startup folders
SINGLEMALT employs BITS to maintain persistence through reboot and
can often be identified via a review of anomalous BITS jobs.
SINGLEMALT uses a well-documented BITS persistence mechanism that
intentionally creates a job to download a non-existent URL, which will
trigger a failure event. The job is set to retry on a regular
interval, thus ensuring the malware continues to run. To review the
BITS job on a host run the command bitsadmin /list.
- Display name may be “Adobe Update”, “System autoupdate” or another generic value.
- Notify state may be set to Fail (Status 2).
- FileList URL value may be set to the local host or a URL th
[…]
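The BITS review above can be scripted against collected output. The following is an added example, not Mandiant's tooling or code from the article: it parses text saved from bitsadmin /list /allusers /verbose (the field layout is assumed from memory, so adjust the key names to what your build prints) and flags jobs showing the indicators listed above; the sample output, display names, GUIDs and paths are constructed.

```python
from urllib.parse import urlsplit
# Added triage helper (not Mandiant's tooling): flag SINGLEMALT-style BITS jobs in `bitsadmin /list /allusers /verbose` output.
GENERIC_NAMES = {"adobe update", "system autoupdate"}  # display names quoted in the article
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def parse_bits_jobs(text):
    """Assumed layout: a job starts with "{GUID} 'display name' STATE ..."; other fields
    are 'KEY: value' lines, and each file entry is a 'url -> localpath' line."""
    jobs, cur = [], {}  # lines before the first job land in the throwaway dict
    for line in text.splitlines():
        if line.startswith("{"):
            cur = {"id": line.split()[0], "display": line.split("'")[1], "flags": 0, "urls": [], "cmdline": ""}
            jobs.append(cur)
        elif line.startswith("NOTIFICATION COMMAND LINE:"):
            val = line.split(":", 1)[1].strip()
            cur["cmdline"] = "" if val.lower() in ("", "none") else val
        elif "NOTIFICATION FLAGS:" in line:
            cur["flags"] = int(line.rsplit(":", 1)[1])
        elif "->" in line:
            cur["urls"].append(line.split("->")[0].split()[-1])
    return jobs

def suspicious_bits_jobs(text):
    """Return (id, display, reasons) for jobs worth a closer look."""
    findings = []
    for job in parse_bits_jobs(text):
        reasons = []
        if job["cmdline"]:  # set via /setnotifycmdline: what actually re-launches the malware
            reasons.append("notify command line set: " + job["cmdline"])
        if job["flags"] & 2:  # notifies (i.e. runs the command line) when the transfer fails
            reasons.append("notification on failure (flag 2)")
        if any((urlsplit(u).hostname or "") in LOCAL_HOSTS for u in job["urls"]):
            reasons.append("download URL points at the local host")
        if job["display"].lower() in GENERIC_NAMES:
            reasons.append("generic display name")
        if job["cmdline"] or len(reasons) >= 2:
            findings.append((job["id"], job["display"], reasons))
    return findings

# Constructed sample output; GUIDs, names and paths are invented for this example.
SAMPLE_BITS = """\
{0000000A-0000-0000-0000-000000000001} 'Adobe Update' TRANSIENT_ERROR 0 / 1 0 / UNKNOWN
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 2
\t0 / UNKNOWN WORKING http://127.0.0.1/update.xml -> C:\\Users\\Public\\update.xml
NOTIFICATION COMMAND LINE: C:\\Users\\Public\\Libraries\\adbupd.exe
{0000000A-0000-0000-0000-000000000002} 'Definition Update' TRANSFERRED 1 / 1 4096 / 4096
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 3
\t1 / 1 TRANSFERRED https://updates.example.invalid/defs.cab -> C:\\ProgramData\\defs.cab
NOTIFICATION COMMAND LINE: none
"""
```

A job with a notify command line is reported on its own; the other indicators only raise a finding in combination, since failure notification alone is common on legitimate jobs.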