The rapid rise and sophistication of ransomware enable threat actors to launch attacks more frequently and disrupt businesses and organizations that are lacking adequate preparation.
The researchers at Microsoft Incident Response recently investigated an intrusion in which it’s been the threat actor’s rapid attack progression, caused major disruptions for the victim organization in just five days.
To accomplish their goals, a wide range of tools and techniques were used by the threat actor during those five days to deploy BlackByte 2.0 ransomware.
TTPs Used
Here below we have mentioned all the TTPs used by the threat actor:-
- Taking advantage of unsecured Microsoft Exchange Servers that are accessible online.
- Enabling remote access by deploying a web shell.
- Using existing tools to persist and gather information covertly.
- For command and control (C2), setting up Cobalt Strike beacons.
- Combining process hollowing with the utilization of vulnerable drivers to evade defensive mechanisms.
- To enable long-term persistence, deployment of the backdoors that are custom-developed.
- Deploying custom-developed tools to collect and exfiltrate data.
Attack chain
Exploiting the following ProxyShell vulnerabilities, the threat actor gained initial access to the victim’s environment through Microsoft Exchange Servers that are unpatched:-
By exploiting these vulnerabilities, the threat actor achieved the following abilities:-
- Gain administrative access to the compromised Exchange host.
- Retrieve user LegacyDN and SID data through Autodiscover requests.
- To access the Exchange PowerShell backend, build a valid authentication token.
- Using the New-MailboxExportRequest cmdlet to create a web shell and mimic domain admin users.
Upon device access, the threat actor established registry run keys to execute payloads upon user login each time. Here below we have mentioned those registry run keys:-
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
- HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
Here, to achieve persistence the threat actor used Cobalt Strike, and the Microsoft Defender Antivirus flagged sys.exe as Trojan:Win64/CobaltStrike!MSR, downloaded from temp[.]sh (hxxps://temp[.]sh/szAyn/sys.exe) which was detected as Cobalt Strike Beacon.
Threat actors use legit remote access tools to blend in, and in this instance, for persistence and lateral movement, AnyDesk was utilized.
This tool was installed as a service that ran from the following paths:-
- C:systemtestanydeskAnyDesk.exe
- C:Program Files (x86)AnyDeskAnyDesk.exe
- C:ScriptsAnyDesk.exe
AnyDesk log file ad_svc.trace revealed successful connections with anonymizer service IP addresses associated with:-
- TOR
- MULLVAD VPN
It’s been used by threat actors commonly to hide their source IP ranges. Moreover, security analysts detected the utilization of NetScan, a network discovery tool, by the threat actor to conduct network enumeration.
Using the following command the attacker disabled Microsoft Defender Antivirus, allowing them to execute Trojan:Win64/WinGoObfusc.LK!MT file:-
- explorer.exe P@$$w0rd
Analysts found that explorer.exe is ExByte, a GoLang-based tool used in BlackByte ransomware attacks to collect and steal files from victim networks after reverse engineering it.
Capabilities of BlackByte 2.0 ransomware
Here below, we have mentioned the capabilities of BlackByte 2.0 ransomware:-
- Antivirus bypass
- Process hollowing
- Modification/disabling of Windows Firewall
- Modification of volume shadow copies
- Modification of registry keys/values
- Additional functionality
Recommendations
- Prioritize patching for internet-exposed devices and establish a robust patch management process.
- Deploy Microsoft Defender for Endpoint, an EDR solution, for real-time visibility into malicious activity across your network.
- Enable cloud-based protection and configure your antivirus solution to block threats by ensuring regular updates for antivirus protection.
- To safeguard against the disabling of Microsoft Defender Antivirus components, make sure to activate tamper protection.
- Make sure to block all the traffic from the IPs that are listed in the IoC.
- Make sure to block access from unauthorized public VPN services and incoming traffic from TOR exit nodes.
- Limit administrative privileges to prevent authorized alterations to the system.
