Remote Desktop

ALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

Ransomware is used by hackers to abuse victims’ data, locking it until a ransom is paid.

This method of cyber attack is profitable as it takes advantage of data’s proximity and vitality to individuals and companies, so they have no choice but to pay for quick returns.

An invasion started with an email containing a forked IcedID variant that emphasized payload delivery.

After gaining initial access, the intruder installed ScreenConnect on the computer for remote control, abusively utilized Cobalt Strike beacons, and deployed CSharp Streamer RAT to gain credentials and move laterally within domain controllers and servers.

During the identification phase, sensitive information was placed in ‘confucius_cpp,’ a special program of which rclone showed the extraction.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

For eight days, they performed a systematic deployment of ScreenConnect installers across hosts using WMI before finally delivering ALPHV ransomware payloads after deleting backups.

ALPHV Ransomware Deployment

The malicious spam electronic mail, which tricked the prey into downloading and unzipping a folder with a readme and Visual Basic Script (VBS), served as the initial access vector.

Activating VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran another IcedID DLL payload, completing the infection chain, reads the DFIR report.

This is consistent with a known malicious activity where the same technique was employed to distribute an IcedID fork that deals with payload deployment instead of banking activities.

The threat actor deployed ScreenConnect remote access tools using disguised installation programs that operated through wmiexec and RDP sessions.

Several techniques were employed to extract Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell.

CSharp Streamer RAT kept persistence via scheduled tasks in LSASS credential dumping, lateral movement, and C2 communications.

IcedID ensured its persistence by using scheduled tasks, while ScreenConnect was made persistent across reboots.

During lateral movement into winlogon.exe and rundll32.exe, process injection was observed. Renamed installers were deleted by the actor.

Lateral movement (Source – The Fire Report)

Key activities involved LSASS credential dumping, which was validated through memory analysis, and dcsync was performed from the beachhead to a domain controller for credential harvesting.

This was followed by the threat actor conducting initial recognition using native Windows utilities launched through IcedID and subsequently exploiting ScreenConnect for more reconnaissance commands.

SoftPerfect netscan for network scanning took place on different days, targeting IP ranges plus ports of RPC, SMB, RDP, and Veeam backups.

ScreenConnect installers were then laterally copied via SMB and became deployed with wmiexec.py to get remote control. The attacker extensively used RDP for lateral movement including proxying through CSharp Streamer.

Before exfiltration, a custom tool called confucius_cpp enumerated systems by LDAP query, accessed shares based on keywords, and compressed sensitive information. The attacker also opened documents using the Firefox installation.

C&C (Source – The Fire Report)

The threat actor leveraged multiple tools during the intrusion:- 

  • IcedID for initial access communicating with modalefastnow[.]com
  • Cobalt Strike beacons across hosts connecting to tracked C2 infrastructure
  • CSharp Streamer RAT at 109.236.80.191 using WebSockets over rotating ports
  • ScreenConnect remote access tools deployed via renamed binaries executed through wmiexec.py

While Firefox was used for document preview and downloading rclone, which was executed through a VBS script for data exfiltration. 

The final payload was ALPHV ransomware, staged on the backup server then deployed across hosts via xcopy and WMI-initiated execution after deleting backups. 

Note (Source – The Fire Report)

A ransom note referencing the group’s Twitter was left post-encryption.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,' who claims to have compromised the…

2 days ago

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users, leading to widespread reports of Blue…

2 days ago

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have drained billions from victims' wallets. This…

2 days ago

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems…

3 days ago

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making…

3 days ago

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration,…

3 days ago