Thursday, October 10, 2024
HomeCyber Security NewsALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

ALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

Published on

Ransomware is used by hackers to abuse victims’ data, locking it until a ransom is paid.

This method of cyber attack is profitable as it takes advantage of data’s proximity and vitality to individuals and companies, so they have no choice but to pay for quick returns.

An invasion started with an email containing a forked IcedID variant that emphasized payload delivery.

- Advertisement - EHA

After gaining initial access, the intruder installed ScreenConnect on the computer for remote control, abusively utilized Cobalt Strike beacons, and deployed CSharp Streamer RAT to gain credentials and move laterally within domain controllers and servers.

During the identification phase, sensitive information was placed in ‘confucius_cpp,’ a special program of which rclone showed the extraction.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

For eight days, they performed a systematic deployment of ScreenConnect installers across hosts using WMI before finally delivering ALPHV ransomware payloads after deleting backups.

ALPHV Ransomware Deployment

The malicious spam electronic mail, which tricked the prey into downloading and unzipping a folder with a readme and Visual Basic Script (VBS), served as the initial access vector.

Activating VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran another IcedID DLL payload, completing the infection chain, reads the DFIR report.

This is consistent with a known malicious activity where the same technique was employed to distribute an IcedID fork that deals with payload deployment instead of banking activities.

The threat actor deployed ScreenConnect remote access tools using disguised installation programs that operated through wmiexec and RDP sessions.

Several techniques were employed to extract Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell.

CSharp Streamer RAT kept persistence via scheduled tasks in LSASS credential dumping, lateral movement, and C2 communications.

IcedID ensured its persistence by using scheduled tasks, while ScreenConnect was made persistent across reboots.

During lateral movement into winlogon.exe and rundll32.exe, process injection was observed. Renamed installers were deleted by the actor.

Lateral movement (Source – The Fire Report)

Key activities involved LSASS credential dumping, which was validated through memory analysis, and dcsync was performed from the beachhead to a domain controller for credential harvesting.

This was followed by the threat actor conducting initial recognition using native Windows utilities launched through IcedID and subsequently exploiting ScreenConnect for more reconnaissance commands.

SoftPerfect netscan for network scanning took place on different days, targeting IP ranges plus ports of RPC, SMB, RDP, and Veeam backups.

ScreenConnect installers were then laterally copied via SMB and became deployed with wmiexec.py to get remote control. The attacker extensively used RDP for lateral movement including proxying through CSharp Streamer.

Before exfiltration, a custom tool called confucius_cpp enumerated systems by LDAP query, accessed shares based on keywords, and compressed sensitive information. The attacker also opened documents using the Firefox installation.

C&C (Source – The Fire Report)

The threat actor leveraged multiple tools during the intrusion:- 

  • IcedID for initial access communicating with modalefastnow[.]com
  • Cobalt Strike beacons across hosts connecting to tracked C2 infrastructure
  • CSharp Streamer RAT at 109.236.80.191 using WebSockets over rotating ports
  • ScreenConnect remote access tools deployed via renamed binaries executed through wmiexec.py

While Firefox was used for document preview and downloading rclone, which was executed through a VBS script for data exfiltration. 

The final payload was ALPHV ransomware, staged on the backup server then deployed across hosts via xcopy and WMI-initiated execution after deleting backups. 

Note (Source – The Fire Report)

A ransom note referencing the group’s Twitter was left post-encryption.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...