Muddying the Tracks: The State-Sponsored Shadow Behind Chaos Ransomware

Rapid7 assessed an intrusion disguised as Chaos ransomware to be a false-flag operation likely linked to MuddyWater, using Microsoft Teams social engineering, credential theft, and remote access tools instead of encryption. The campaign centered on ms_upd.exe and Game.exe, with infrastructure and a code-signing certificate connecting the activity to Iranian MOIS-affiliated tradecraft. #MuddyWater #Chaos #MicrosoftTeams #DWAgent #AnyDesk

Keypoints

  • The intrusion initially looked like a Chaos ransomware incident, but analysis suggested a state-sponsored false-flag operation.
  • Moderate-confidence attribution linked the activity to MuddyWater, an Iranian APT associated with MOIS.
  • Attackers used Microsoft Teams chats and screen-sharing to harvest credentials and manipulate MFA.
  • Rather than encrypting files, the operators focused on persistence, lateral movement, and data exfiltration.
  • Remote access tools including DWAgent and AnyDesk were used to maintain control of compromised systems.
  • The custom payload chain included ms_upd.exe as a downloader and Game.exe as a RAT disguised as a Microsoft WebView2 application.
  • Technical artifacts such as the “Donald Gay” code-signing certificate and moonzonet[.]com C2 strengthened the MuddyWater link.

MITRE Techniques

  • [T1566] Phishing (Spearphishing via Service) – Initial access was gained through Microsoft Teams messages and targeted social engineering (‘the TA engaged employees through external chat requests’).
  • [T1059] Command and Scripting Interpreter – The attacker ran discovery and control commands such as ipconfig, whoami, and curl (‘executed basic discovery commands’).
  • [T1082] System Information Discovery – Host details were gathered from infected systems (‘collecting basic host information, including computer name, username, and domain’).
  • [T1016] System Network Configuration Discovery – Network configuration was enumerated using commands like ipconfig (‘accessed files related to the victim’s VPN configuration’).
  • [T1078] Valid Accounts – Harvested credentials were reused to authenticate to internal systems (‘authenticated to internal systems, including a Domain Controller, using multiple compromised accounts’).
  • [T1056] Input Capture – Victims were instructed to enter credentials into attacker-created text files (‘enter credentials into locally created text files’).
  • [T1556] Modify Authentication Process – MFA settings were altered to include attacker-controlled devices (‘modify MFA configurations to include attacker-controlled devices’).
  • [T1021.001] Remote Services: RDP – Remote Desktop was used for access and movement (‘established persistent remote access through RDP sessions’).
  • [T1219] Remote Access Tools – DWAgent and AnyDesk were deployed for persistence and control (‘establish persistence using remote access tools such as DWAgent and AnyDesk’).
  • [T1543] Create or Modify System Process – DWAgent was installed as a service (‘dwagsvc.exe – DWAgent service’).
  • [T1055] Process Injection – A renamed Python binary was used to inject code into suspended processes (‘the group’s signature use of pythonw.exe to inject code into suspended processes’).
  • [T1105] Ingress Tool Transfer – Additional payloads were downloaded with curl (‘download additional payloads using curl’).
  • [T1041] Exfiltration Over C2 Channel – Data was exfiltrated to external infrastructure (‘the TA exfiltrated data from the compromised environment’).
  • [T1027] Obfuscated Files or Information – The RAT used XOR encoding and encrypted configuration data (‘XOR encoding … to hide specific anti-analysis strings’).
  • [T1497] Virtualization/Sandbox Evasion – Game.exe checked for sandbox and VM artifacts (‘search for known analysis-related DLLs’).
  • [T1622] Debugger Evasion – The malware included anti-analysis checks to avoid inspection (‘anti-analysis techniques’).
  • [T1071] Application Layer Protocol – C2 traffic used web-style endpoints over HTTP/S (‘polling /index.php every 60 seconds’).
  • [T1573] Encrypted Channel – The RAT used encrypted C2 communication (‘decrypts its configuration using AES-256-GCM’).
  • [T1133] External Remote Services – Compromised accounts were used to access VPN/external remote services (‘using compromised accounts’).
  • [T1087] Account Discovery – User/account information was enumerated (‘gathering host information, including computer name, username’).
  • [T1018] Remote System Discovery – Multiple systems were enumerated and moved through (‘move between systems’).
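The C2 pattern noted under T1071 (the RAT polling /index.php every 60 seconds) is one a defender can hunt for in web proxy logs: a fixed-period fetch of the same path stands out against normal browsing. The Python below is an added example, not code from Rapid7 or from the report: it flags source/host/path tuples requested at a near-constant interval and separately matches hosts against the report's defanged C2 domains. The log format and every log entry are constructed for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Defanged C2 domains exactly as the report lists them; refang() restores them for matching.
KNOWN_C2 = {"moonzonet[.]com", "uploadfiler[.]com"}

# Constructed proxy log for this example (not from the report): "<date> <time> <src_ip> <host> <path>".
# 10.0.0.5 polls /index.php about once a minute; 10.0.0.7 browses at irregular intervals.
SAMPLE_LOG = """\
2024-01-01 10:00:00 10.0.0.5 moonzonet.com /index.php
2024-01-01 10:01:00 10.0.0.5 moonzonet.com /index.php
2024-01-01 10:01:59 10.0.0.5 moonzonet.com /index.php
2024-01-01 10:03:00 10.0.0.5 moonzonet.com /index.php
2024-01-01 10:04:00 10.0.0.5 moonzonet.com /index.php
2024-01-01 10:00:10 10.0.0.7 example.org /news
2024-01-01 10:00:25 10.0.0.7 example.org /news
2024-01-01 10:03:40 10.0.0.7 example.org /news
2024-01-01 10:04:02 10.0.0.7 example.org /news
2024-01-01 10:02:30 10.0.0.9 uploadfiler.com /up
"""

def refang(indicator):
    """Turn a defanged indicator (moonzonet[.]com, hxxps[://]) back into a matchable value."""
    return indicator.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")

def parse_log(text):
    """Return (timestamp, src_ip, host, path) tuples from the whitespace-separated log format above."""
    rows = [line.split() for line in text.splitlines()]
    return [(datetime.strptime(f"{d} {t}", "%Y-%m-%d %H:%M:%S"), src, host, path) for d, t, src, host, path in rows]

def find_beacons(records, min_requests=4, max_jitter=0.2):
    """Flag (src, host, path) tuples fetched at a near-constant interval; the value is the period in seconds."""
    by_key = defaultdict(list)
    for ts, src, host, path in records:
        by_key[(src, host, path)].append(ts)
    beacons = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_requests:  # too few requests to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = statistics.median(gaps)
        if period > 0 and statistics.stdev(gaps) / period <= max_jitter:  # low jitter relative to the period
            beacons[key] = period
    return beacons

def ioc_hits(records, iocs=KNOWN_C2):
    """Return (src_ip, host) pairs that contacted a known C2 domain, regardless of request count."""
    bad_hosts = {refang(i) for i in iocs}
    return {(src, host) for _, src, host, _ in records if host in bad_hosts}
```

Tune `min_requests` and `max_jitter` to the log volume at hand; a 60-second poll produces a near-zero jitter ratio, while ordinary browsing of the same path does not.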

Indicators of Compromise

  • [SHA256] Malware samples and related payloads – 24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14, 1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6, and 4 other hashes
  • [File names] Droppers, RATs, and support binaries observed during the intrusion – ms_upd.exe, Game.exe, and 5 other file names
  • [Domain] Command-and-control and phishing infrastructure – moonzonet[.]com, uploadfiler[.]com
  • [URL] Credential harvesting and downloader locations – hxxps[://]adm-pulse[.]com/verify.php, hxxp[://]172.86.126[.]208:443/ms_upd.exe
  • [IP addresses] Malicious infrastructure and Teams-related source IPs – 77.110.107[.]235, 172.86.126[.]208, and 2 other IPs
  • [Onion service] Chaos ransomware leak site and negotiation portal – hptqq2o2qjva7lcaaq67w36jihzivkaitkexorauw7b2yul2z6zozpqd[.]onion
  • [Certificate details] Signing identity used across the malware chain – Donald Gay, Microsoft ID Verified CS AOC CA 02
  • [Mutex] Single-instance enforcement in Game.exe – ATTRIBUTES_ObjectKernel

Read more: https://www.rapid7.com/blog/post/tr-muddying-tracks-state-sponsored-shadow-behind-chaos-ransomware