Monday, December 9, 2024
HomeBackdoorSMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

Published on

SIEM as a Service

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access to target networks, which are often delivered via phishing emails, trojanized software, or supply chain attacks, enabling persistence and lateral movement. 

Once in the network, UNC2465 utilizes tools like Advanced IP Scanner and BloodHound for reconnaissance, RDP for lateral movement, and Mimikatz for credential harvesting. 

The group has historically deployed DARKSIDE and LOCKBIT ransomware, but future operations may involve other ransomware families, as recent campaigns have focused on distributing SMOKEDHAM through malvertising and compromised software.

- Advertisement - SIEM as a Service
Infection Chain

The attacker used an NSIS script to establish persistence and download malicious files, where the script first checks for a specific file and registry values to avoid redundant execution.

Analyze cyber threats with ANYRUN's powerful sandbox. Black Friday Deals : Get up to 3 Free Licenses.

It then creates folders, downloads an archive with a password, and extracts legitimate tools (Angry IP Scanner) and malicious ones (Microsoft.AnyKey.lnk, Microsoft.AnyKey.exe, Wiaphoh7um.t, LogUpdate.bat). 

By modifying registry keys, it ensures the malicious shortcut runs on startup and configures the MSDTC service to run with high privileges for potential DLL side-loading. 

Finally, a batch script leverages PowerShell obfuscation to download and execute a malicious .NET payload from the C2 server, initiating communication for further commands.  

Content of WindowsUpdate.bat script

The kautix2aeX payload, written in .NET, uses a C2 server for communication, which registers itself with the C2 server upon initial infection, sending the victim’s computer name and user information. 

The C2 server can then send commands like “whoami” or “systeminfo” for reconnaissance or arbitrary commands for further actions, as the payload uses RC4 encryption and a random alphanumeric string appended to each message for obfuscation. 

According to TRAC Labs, it can also take screenshots and upload/download files, while the PowerShell version of the payload injects its C# code into memory for execution. 

PowerShell payload

Malicious actors are using EV certificates to sign executables containing additional files, which include aclui-2.dll and aclui.dll, both malicious DLLs containing PowerShell commands to execute hidden scripts (Wiaphoh7um.t and kautix2aeX.t). oleview.exe, a legitimate binary, is used to side-load the malicious aclui.dll. 

The NSIS script checks for domain membership and, if not joined, queries a specific Amazon EC2 instance, possibly as a diversion, while persistence is achieved by copying oleview.exe and the renamed aclui.dll along with a registry run key entry.  

Snippet of the code that is responsible for executing the PowerShell script

The SMOKEDHAM actor used systeminfo and directory listing commands to gather information about the system and then downloaded a PowerShell script containing malicious instructions via a Dropbox link. 

The script created a directory in the ProgramData folder and downloaded additional files likely containing a modified winlogon.exe and a VNC configuration (UltraVNC.ini), also from Dropbox URLs. 

Finally, it launched the modified winlogon.exe, establishing a remote connection with an attacker-controlled server using UltraVNC over port 443, which suggests the attacker aimed for remote access and potential privilege escalation.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Latest articles

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...

Qlik Sense for Windows Vulnerability Allows Remote Code Execution

Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Google Announces Vanir, A Open-Source Security Patch Validation Tool

Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and...

New Transaction-Relay Jamming Vulnerability Let Attackers Exploits Bitcoin Nodes

A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin...

Raspberry Pi 500 & Monitor, Complete Desktop Setup at $190

Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its...