Threat Actors Actively Using Remote Management Tools to Deploy Ransomware

The threat actors have been spotted increasingly depending on Remote Management and Monitoring (RMM) tools, which resulted in a relatively botched Hive ransomware distribution. 

The original payload consisted of an executable file disguised as a legitimate document. 

According to Huntress, this campaign was most likely distributed by email, with a link that, when clicked, downloaded the executable.

The DFIR reports that the initial access method needed the end user to be a local Administrator, as less privileged users would cause the installation to fail.

Document
FREE Demo

Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

How the Attack is Carried Out?

The threat actor launched discovery commands through ScreenConnect around an hour after execution, utilizing basic Windows tools such as system info, ipconfig, and net. 

After a few minutes, the threat actor executed a BITS transfer task to deploy a Cobalt Strike beacon.

The threat actor utilized ScreenConnect to download additional binary after being idle for an hour. This new file contained a trojanized ApacheBench executable with Metasploit shellcode hidden inside it. 

The shellcode would start a Meterpreter command and control channel when it was run. The threat actor launched a new command and control channel and then transitioned to lateral movement by launching PowerShell and MSI installers for Atera and Splashtop on a server via remote services. 

The Execution Process

More BITS transfers were seen to create more Cobalt Strike footholds. Reports say the threat actor executed a batch file that used PowerShell’s built-in tools to retrieve Active Directory data.  The threat actor examined file shares and backups on the network using these RDP connections.

The threat actor launched the Hive ransomware as the first step in their ultimate operation. They altered the administrator’s password before manually running the ransomware on many important servers. 

To perform domain-wide encryption, the threat actor placed the ransomware binary on a network share. Then he built a new domain-wide GPO with a scheduled job to execute the ransomware binary on each domain-joined machine.

Deploy a Group Policy Object

Also, the threat actor then tried to encrypt the whole domain after these manual ransomware operations.

Researchers say the time to ransomware (TTR) from initial access was 61 hours. The threat actor erased beneficial artifacts during their attack to hide their presence. According to the research, attackers used remote services for lateral movement.

Managed endpoint solutions enable organizations to scan for threats manage, resolve, and prevent data breaches. Try for Free Today!

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

1 day ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago