Monday, June 17, 2024

Threat Actors Actively Using Remote Management Tools to Deploy Ransomware

The threat actors have been spotted increasingly depending on Remote Management and Monitoring (RMM) tools, which resulted in a relatively botched Hive ransomware distribution. 

The original payload consisted of an executable file disguised as a legitimate document. 

According to Huntress, this campaign was most likely distributed by email, with a link that, when clicked, downloaded the executable.

The DFIR reports that the initial access method needed the end user to be a local Administrator, as less privileged users would cause the installation to fail.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

How the Attack is Carried Out?

The threat actor launched discovery commands through ScreenConnect around an hour after execution, utilizing basic Windows tools such as system info, ipconfig, and net. 

After a few minutes, the threat actor executed a BITS transfer task to deploy a Cobalt Strike beacon.

The threat actor utilized ScreenConnect to download additional binary after being idle for an hour. This new file contained a trojanized ApacheBench executable with Metasploit shellcode hidden inside it. 

The shellcode would start a Meterpreter command and control channel when it was run. The threat actor launched a new command and control channel and then transitioned to lateral movement by launching PowerShell and MSI installers for Atera and Splashtop on a server via remote services. 

The Execution Process

More BITS transfers were seen to create more Cobalt Strike footholds. Reports say the threat actor executed a batch file that used PowerShell’s built-in tools to retrieve Active Directory data.  The threat actor examined file shares and backups on the network using these RDP connections.

The threat actor launched the Hive ransomware as the first step in their ultimate operation. They altered the administrator’s password before manually running the ransomware on many important servers. 

To perform domain-wide encryption, the threat actor placed the ransomware binary on a network share. Then he built a new domain-wide GPO with a scheduled job to execute the ransomware binary on each domain-joined machine.

Deploy a Group Policy Object

Also, the threat actor then tried to encrypt the whole domain after these manual ransomware operations.

Researchers say the time to ransomware (TTR) from initial access was 61 hours. The threat actor erased beneficial artifacts during their attack to hide their presence. According to the research, attackers used remote services for lateral movement.

Managed endpoint solutions enable organizations to scan for threats manage, resolve, and prevent data breaches. Try for Free Today!


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles