EagleEye (Member, joined Apr 16, 2024)

FireEye reported on a number of malware distribution campaigns that used the new KEGTAP (also known as BEERBOT), SINGLEMALT (also known as STILLBOT) and WINEKEY (also known as CORKBOT) downloaders. In some cases, ransomware was deployed within 24 hours of the initial compromise.

Although these malware families talk to the same C&C infrastructure and share common functionality, they have very little code in common. The operators of these campaigns are actively targeting hospitals, retirement communities and healthcare centers, even in the midst of a global health crisis.

In the KEGTAP, SINGLEMALT and WINEKEY distribution campaigns, phishing emails were sent to individuals at organizations across many industries and geographic regions. The emails contained a link to a Google Docs document, which in turn contained a link to a URL hosting the malware payload. The criminals disguised the emails with common corporate themes, including complaints, layoffs, bonuses, contracts, work schedules and surveys.

Early campaigns were sent through SendGrid and used embedded SendGrid tracking links that redirected users to Google Docs. Clicking the links downloaded malware binaries whose filenames were disguised as documents. Initially the binaries were hosted on compromised infrastructure, but the attackers soon switched to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile and JetBrains.

Once the downloader and backdoor were running on the victim's system, the attackers retrieved POWERTRICK and/or Cobalt Strike BEACON. In addition to common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, the researchers observed other backdoors, including ANCHOR, which is believed to be operated by the TrickBot group.

The downloaders can survive reboots using at least four different persistence methods: creating a scheduled task, adding a shortcut to themselves in the Startup folder, creating a BITS job with a notification command (bitsadmin /setnotifycmdline), and appending themselves to the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

In at least one case, the attackers maintained access to the victim's environment by using stolen credentials against a corporate VPN that was configured to require only single-factor authentication. The criminals used credentials harvested with Mimikatz to escalate privileges.

The approaches used for internal reconnaissance varied across these incidents, but most of the observed reconnaissance involved enumerating Active Directory with publicly available tools such as BLOODHOUND, SHARPHOUND or ADFind, and running PowerShell commands through Cobalt Strike BEACON.

Lateral movement was most often performed with valid credentials of regular users and administrators, combined with Cobalt Strike BEACON, RDP and SMB, or with the same backdoors used to gain the initial foothold in the victim's network.

The researchers also documented KEGTAP incidents in which Ryuk ransomware was deployed after the intrusion. There were also cases where installation of the ANCHOR backdoor preceded the deployment of Conti or Maze.
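Since the four persistence methods named in the report are the kind of thing a responder wants to check on a suspect host, here is a triage script that enumerates all four locations. It is an added example, not code from FireEye or from the forum post, and it carries two assumptions: the default Userinit value (C:\Windows\system32\userinit.exe, with the trailing comma) and the "trusted path" heuristic used to filter scheduled-task actions, which is my own choice and will need tuning in environments that run line-of-business software from other directories. Run it from an elevated PowerShell prompt; every hit still needs manual review.

```powershell
# Added example (not from the FireEye report or the forum post): triage the
# four persistence locations used by the KEGTAP/SINGLEMALT/WINEKEY downloaders.
# Run elevated. The trusted-path heuristic below is an assumption, not an IOC.

$findings = @()

# 1. Winlogon\Userinit. Default is "C:\Windows\system32\userinit.exe," (with the
#    trailing comma); anything appended after it is launched at every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$expected = "$env:SystemRoot\system32\userinit.exe,"
if (-not $userinit -or $userinit.Trim() -ne $expected) {
    $findings += [pscustomobject]@{ Source = 'Userinit'; Location = $winlogon; Value = "$userinit" }
}

# 2. Startup folders (per-user and all-users). Resolve each .lnk to its target
#    so a shortcut named like a document cannot hide the binary it launches.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $target = $_.FullName
        if ($_.Extension -ieq '.lnk') { $target = $shell.CreateShortcut($_.FullName).TargetPath }
        $findings += [pscustomobject]@{ Source = 'StartupFolder'; Location = $_.FullName; Value = $target }
    }
}

# 3. Scheduled tasks. Flag any exec action whose program is not under
#    %SystemRoot% or Program Files (assumed heuristic). Bare names such as
#    "powershell.exe" are not rooted, so they are flagged too; that is intended,
#    because the arguments are usually where the payload hides.
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $exe = [System.Environment]::ExpandEnvironmentVariables("$($action.Execute)").Trim('"')
        if ([string]::IsNullOrWhiteSpace($exe)) { continue }   # COM-handler actions have no Execute
        $inTrusted = $false
        foreach ($t in $trusted) {
            if ($exe.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true }
        }
        if (-not $inTrusted) {
            $findings += [pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = "$($task.TaskPath)$($task.TaskName)"
                Value    = "$exe $($action.Arguments)".Trim()
            }
        }
    }
}

# 4. BITS jobs with a notification command line. bitsadmin /setnotifycmdline
#    sets the job's NotifyCmdLine, and BITS runs that program when the job
#    finishes; the job persists across reboots until it is cancelled.
#    -AllUsers needs administrative rights.
Import-Module BitsTransfer
Get-BitsTransfer -AllUsers | Where-Object { $_.NotifyCmdLine } | ForEach-Object {
    $findings += [pscustomobject]@{
        Source   = 'BITS'
        Location = "$($_.DisplayName) [$($_.JobId)] owner=$($_.OwnerAccount)"
        Value    = "$($_.NotifyCmdLine)"
    }
}

$findings | Format-Table -AutoSize -Wrap
```

The Startup-folder section reports every entry rather than trying to filter, because that location is small and a human can eyeball it faster than a heuristic can score it; the scheduled-task section is the noisy one, so expect to extend the trusted-path list after the first run on a given image.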