- For each domain, generates a random string to be used as part of a download URL.
- Performs an HTTP GET request to each domain, using a format string including a “search.php” endpoint, a static value (redacted here), and the randomly generated number.
- Checks the GET request response for a 200 (“OK”) value.
- If the GET request was successful, the downloaded content is then executed as additional code.

A full analysis of the Gootkit loader and additional actions taken following its execution are included below.

Initially the JavaScript file contained obfuscated code within a variable labeled “knew”:

While the general layout of the loader was analyzed, BlackBerry was unable to obtain a copy of the exact JavaScript that would have been downloaded in this particular example of the final phase. Threat intelligence was used to find similar code, but the exact code was unavailable.

BloodHound and Kerberoasting

Following the Gootkit installation, REvil didn’t immediately make use of the persistent access to this system. Instead, the group waited three days before connecting and beginning the initial enumeration. The first hands-on-keyboard activity related to the threat actor was a BloodHound output file within the infected user’s profile directory, named _BloodHound.zip, where was the time the data was captured.

BlackBerry researchers retrieved a copy of the BloodHound output file and began enumerating attack paths that the threat actor may have abused. A path to Domain Admin was found via three “Kerberoastable” accounts. The attack paths looked similar to the following:

The contents of the registry key were extracted for further analysis. Unfortunately, the PowerShell code executed on the system contained undefined variables, such as pdqnas. As such, it did not appear to be decodable as-is. JavaScript (.js) implementations by the REvil group were available that use the same technique and means of execution. Decoding the registry key was possible using another equivalent JavaScript loader:

The JavaScript loader was used to decode the registry key and retrieve the Cobalt Strike Beacon details. Upon execution, the Beacon was configured to spawn the legitimate Microsoft gpupdate.exe binary with injected code, which was configured to reach out to the following IP over port 443:

The REvil group is known to exfiltrate data prior to deploying ransomware. In identifying any potential exfiltration activity, the BlackBerry Incident Response Team searched across a number of forensic artifacts to identify common exfiltration tools, or enumeration of sensitive folders or file shares. The threat actor used the PowerSploit PowerShell module to discover file servers on the network that may contain sensitive data for exfiltration:

After discovering potential file servers, typically a threat actor will begin enumerating available shares.
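The Gootkit loader behaviour described above (a GET to a “search.php” endpoint on each of several domains, carrying a static value and a freshly generated number, then executing whatever comes back with a 200) leaves a recognisable trace in web proxy logs. The following is an added detection example written for this page; it is not code from the report or from BlackBerry. The log line format, the sample lines, the STATICVALUE placeholder for the redacted static parameter, the `n=` parameter name, and the 10-digit minimum for the generated number are all constructed assumptions. It flags a client that contacts search.php on more than one host within a short window and records whether any of those requests succeeded, which is the case in which the second stage may actually have been fetched.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines (not from the report): "<ts> <client> <host> <method> <url> <status>".
# "STATICVALUE" stands in for the redacted static parameter the loader sends.
SAMPLE_PROXY_LOG = """\
2021-05-10T09:01:02Z 10.1.2.3 cdn.example-site.test GET /static/app.js 200
2021-05-10T09:02:10Z 10.1.2.3 blog-one.test GET /search.php?s=STATICVALUE&n=1234567890123 404
2021-05-10T09:02:11Z 10.1.2.3 blog-two.test GET /search.php?s=STATICVALUE&n=9876543210987 404
2021-05-10T09:02:12Z 10.1.2.3 blog-three.test GET /search.php?s=STATICVALUE&n=5551234567890 200
2021-05-10T09:05:00Z 10.1.2.4 intranet.test GET /search.php?q=quarterly+report 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")
# The loader appends a freshly generated number to each request; a long all-digit
# query value is treated as that marker (the 10-digit threshold is an assumption).
RANDOM_NUMBER_RE = re.compile(r"^\d{10,}$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, method, url, status = m.groups()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "host": host, "method": method,
        "url": url, "status": int(status),
    }


def looks_like_loader_request(rec):
    """GET to a search.php endpoint carrying a long numeric query value."""
    if rec["method"] != "GET":
        return False
    parsed = urlparse(rec["url"])
    if not parsed.path.endswith("/search.php"):
        return False
    values = (v for vals in parse_qs(parsed.query).values() for v in vals)
    return any(RANDOM_NUMBER_RE.match(v) for v in values)


def find_loader_activity(log_text, window=timedelta(minutes=5), min_hosts=2):
    """Flag clients that hit search.php on several distinct hosts inside `window`.

    Returns a list of dicts: the client, the hosts it contacted, and whether any
    request got a 200 (i.e. the second stage may actually have been downloaded).
    """
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and looks_like_loader_request(rec):
            by_client[rec["client"]].append(rec)

    findings = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            hosts = {r["host"] for r in in_window}
            if len(hosts) >= min_hosts:
                findings.append({
                    "client": client,
                    "hosts": sorted(hosts),
                    "downloaded": any(r["status"] == 200 for r in in_window),
                })
                break  # one finding per client is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_loader_activity(SAMPLE_PROXY_LOG):
        print(finding)
```

The legitimate intranet search in the last sample line is not flagged because its query value is not a long number; the three blog hosts hit within two seconds by the same client are, and `downloaded` is true because the third host answered 200. Tune `window` and `min_hosts` to the proxy's own baseline before deploying this as an alert.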
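The BloodHound and Kerberoasting section above shows the attacker reaching Domain Admin through three “Kerberoastable” accounts. Defenders can work the same path from two sides: audit the directory for enabled user accounts that carry an SPN (especially privileged ones with old passwords), and watch Event ID 4769 for the burst of RC4 (0x17) service ticket requests that a roasting tool produces. The block below is an added example for this page, not code from the report or from BlackBerry; the directory export, the 4769 events and their field names as parsed here, the group names, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed directory export (not from the report). A Kerberoastable account is an
# enabled user account with at least one SPN: any domain user can request a service
# ticket for it and try to crack that ticket offline.
SAMPLE_USERS = [
    {"sam": "svc_sql", "enabled": True, "spns": ["MSSQLSvc/db01.corp.test:1433"],
     "memberof": ["Domain Admins"], "pwd_last_set": datetime(2016, 3, 1)},
    {"sam": "svc_web", "enabled": True, "spns": ["HTTP/web01.corp.test"],
     "memberof": [], "pwd_last_set": datetime(2021, 1, 5)},
    {"sam": "svc_old", "enabled": False, "spns": ["CIFS/fs01.corp.test"],
     "memberof": [], "pwd_last_set": datetime(2015, 6, 1)},
    {"sam": "jdoe", "enabled": True, "spns": [], "memberof": [],
     "pwd_last_set": datetime(2021, 4, 1)},
]

# Constructed Event ID 4769 (service ticket requested) records, already parsed to fields.
SAMPLE_4769 = [
    {"time": "2021-05-13T02:10:01", "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.1.2.3", "Status": "0x0"},
    {"time": "2021-05-13T02:10:02", "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.1.2.3", "Status": "0x0"},
    {"time": "2021-05-13T02:10:02", "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.1.2.3", "Status": "0x0"},
    {"time": "2021-05-13T02:10:05", "TargetUserName": "jdoe@CORP.TEST", "ServiceName": "WS05$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.1.2.3", "Status": "0x0"},
    {"time": "2021-05-13T08:00:00", "TargetUserName": "asmith@CORP.TEST", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.1.2.9", "Status": "0x0"},
]


def kerberoastable_accounts(users, now, max_pwd_age_days=365):
    """Return (sam, risk_tags) for every enabled, SPN-bearing user account.

    'privileged' marks membership in a high-value group (the Domain Admin path
    in the report); 'stale-password' marks a password older than max_pwd_age_days,
    which is both more likely to be weak and has been exposed to roasting longer.
    """
    findings = []
    for u in users:
        if not u["enabled"] or not u["spns"] or u["sam"].lower() == "krbtgt":
            continue
        tags = []
        if PRIVILEGED_GROUPS.intersection(u["memberof"]):
            tags.append("privileged")
        if now - u["pwd_last_set"] > timedelta(days=max_pwd_age_days):
            tags.append("stale-password")
        findings.append((u["sam"], tags))
    return findings


def is_roast_candidate(ev):
    """A 4769 that can feed offline cracking: RC4 (0x17) ticket for a user SPN, issued OK."""
    svc = ev["ServiceName"]
    return (ev["TicketEncryptionType"] == "0x17"
            and ev["Status"] == "0x0"
            and not svc.endswith("$")        # computer accounts have long random passwords
            and svc.lower() != "krbtgt")


def detect_kerberoasting(events, window=timedelta(minutes=10), min_services=3):
    """Flag (requesting user, source IP) pairs that pull RC4 tickets for several
    distinct service accounts inside `window`, the burst a roasting tool produces."""
    per_requester = defaultdict(list)
    for ev in events:
        if is_roast_candidate(ev):
            per_requester[(ev["TargetUserName"], ev["IpAddress"])].append(
                (datetime.fromisoformat(ev["time"]), ev["ServiceName"]))
    alerts = {}
    for key, items in per_requester.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            services = {svc for t, svc in items[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts[key] = sorted(services)
                break
    return alerts


if __name__ == "__main__":
    print(kerberoastable_accounts(SAMPLE_USERS, now=datetime(2021, 5, 13)))
    print(detect_kerberoasting(SAMPLE_4769))
```

The audit side is what removes the attack path (rotate or retire stale SPN passwords, keep SPN accounts out of Domain Admins, move them to AES-only or to group managed service accounts); the 4769 side catches an attacker who is already enumerating. The computer-account and AES-only requests in the sample are deliberately excluded so the rule stays quiet on normal traffic.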
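The Cobalt Strike stage above spawns the legitimate gpupdate.exe with injected code and has it connect out over port 443. gpupdate.exe normally talks only to domain controllers on internal addresses, so an outbound connection from it to a non-internal IP is a cheap, high-signal check on Sysmon Event ID 3 (network connection) data. The block below is an added example for this page, not code from the report or from BlackBerry; the event records, their field names as parsed here, and the 203.0.113.10 documentation-range placeholder standing in for the redacted C2 address are constructed assumptions. The internal-range check is written out explicitly rather than relying on the standard library's classification, so that the documentation placeholder is treated as external the way a real public address would be.

```python
import ipaddress

# Constructed Sysmon Event ID 3 records, already parsed (not from the report).
# 203.0.113.10 is a documentation-range placeholder for the C2 IP the report redacts.
SAMPLE_NETWORK_EVENTS = [
    {"Image": r"C:\Windows\System32\gpupdate.exe", "DestinationIp": "10.0.0.5",
     "DestinationPort": 389, "Protocol": "tcp"},      # LDAP to a domain controller: expected
    {"Image": r"C:\Windows\System32\gpupdate.exe", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "Protocol": "tcp"},      # HTTPS to the internet: not expected
    {"Image": r"C:\Program Files\Browser\browser.exe", "DestinationIp": "203.0.113.20",
     "DestinationPort": 443, "Protocol": "tcp"},      # browsers talk to the internet
]

# Address space treated as "inside" for this check (RFC 1918, loopback, link-local, ULA).
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7",
)]


def is_internal(ip_text):
    """True if the address falls in one of INTERNAL_RANGES (version mismatch is False)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_RANGES)


def flag_unexpected_egress(events, watched=("gpupdate.exe",)):
    """Return (image, destination IP, port) for watched binaries reaching non-internal IPs.

    gpupdate.exe is the binary the report names; `watched` is a parameter so the
    same rule can cover other sacrificial processes an analyst chooses to add.
    """
    alerts = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in watched and not is_internal(ev["DestinationIp"]):
            alerts.append((image, ev["DestinationIp"], ev["DestinationPort"]))
    return alerts


if __name__ == "__main__":
    for alert in flag_unexpected_egress(SAMPLE_NETWORK_EVENTS):
        print("unexpected egress:", alert)
```

Pair this with Event ID 1 (process creation) context when triaging: a gpupdate.exe launched by something other than the usual scheduled-task or Group Policy parents, followed by an external 443 connection, is the combination the report describes.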