Saturday, June 15, 2024

ALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

Ransomware is used by hackers to abuse victims’ data, locking it until a ransom is paid.

This method of cyber attack is profitable as it takes advantage of data’s proximity and vitality to individuals and companies, so they have no choice but to pay for quick returns.

An invasion started with an email containing a forked IcedID variant that emphasized payload delivery.

After gaining initial access, the intruder installed ScreenConnect on the computer for remote control, abusively utilized Cobalt Strike beacons, and deployed CSharp Streamer RAT to gain credentials and move laterally within domain controllers and servers.

During the identification phase, sensitive information was placed in ‘confucius_cpp,’ a special program of which rclone showed the extraction.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

For eight days, they performed a systematic deployment of ScreenConnect installers across hosts using WMI before finally delivering ALPHV ransomware payloads after deleting backups.

ALPHV Ransomware Deployment

The malicious spam electronic mail, which tricked the prey into downloading and unzipping a folder with a readme and Visual Basic Script (VBS), served as the initial access vector.

Activating VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran another IcedID DLL payload, completing the infection chain, reads the DFIR report.

This is consistent with a known malicious activity where the same technique was employed to distribute an IcedID fork that deals with payload deployment instead of banking activities.

The threat actor deployed ScreenConnect remote access tools using disguised installation programs that operated through wmiexec and RDP sessions.

Several techniques were employed to extract Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell.

CSharp Streamer RAT kept persistence via scheduled tasks in LSASS credential dumping, lateral movement, and C2 communications.

IcedID ensured its persistence by using scheduled tasks, while ScreenConnect was made persistent across reboots.

During lateral movement into winlogon.exe and rundll32.exe, process injection was observed. Renamed installers were deleted by the actor.

Lateral movement (Source – The Fire Report)

Key activities involved LSASS credential dumping, which was validated through memory analysis, and dcsync was performed from the beachhead to a domain controller for credential harvesting.

This was followed by the threat actor conducting initial recognition using native Windows utilities launched through IcedID and subsequently exploiting ScreenConnect for more reconnaissance commands.

SoftPerfect netscan for network scanning took place on different days, targeting IP ranges plus ports of RPC, SMB, RDP, and Veeam backups.

ScreenConnect installers were then laterally copied via SMB and became deployed with to get remote control. The attacker extensively used RDP for lateral movement including proxying through CSharp Streamer.

Before exfiltration, a custom tool called confucius_cpp enumerated systems by LDAP query, accessed shares based on keywords, and compressed sensitive information. The attacker also opened documents using the Firefox installation.

C&C (Source – The Fire Report)

The threat actor leveraged multiple tools during the intrusion:- 

  • IcedID for initial access communicating with modalefastnow[.]com
  • Cobalt Strike beacons across hosts connecting to tracked C2 infrastructure
  • CSharp Streamer RAT at using WebSockets over rotating ports
  • ScreenConnect remote access tools deployed via renamed binaries executed through

While Firefox was used for document preview and downloading rclone, which was executed through a VBS script for data exfiltration. 

The final payload was ALPHV ransomware, staged on the backup server then deployed across hosts via xcopy and WMI-initiated execution after deleting backups. 

Note (Source – The Fire Report)

A ransom note referencing the group’s Twitter was left post-encryption.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles