Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware

Keypoints

  • Threat actors targeted exposed MSSQL services using brute force to gain initial access.
  • After authentication, they rapidly enumerated the system and looked for credentials using queries like SELECT name FROM sys.sql_logins WHERE name IS NOT NULL.
  • xp_cmdshell was leveraged to run shell commands from SQL Server, enabling immediate system enumeration and defense impairment.
  • System and registry changes were performed to impair defenses, including registry edits and user/group modifications to strengthen persistence and RDP access.
  • Persistence was established via remote SMB shares, then Cobalt Strike payloads (svr.exe) and Ngrok attempts were used for remote access; AnyDesk was later deployed for RAT-like control.
  • Mimikatz was used to dump credentials, with a WDIGEST downgrade step to extract plaintext credentials.
  • FreeWorld ransomware (a Mimic variant) was dropped and deployed, encrypting files with a .FreeWorldEncryption extension and providing a ransom note.
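As an added defender-side illustration (not code from the advisory or from Securonix), the following Python flags the two earliest steps of the chain above in SQL Server ERRORLOG-style lines: a burst of failed logins from one client followed by a success (the brute-force entry), and the xp_cmdshell option being switched on. The log lines, threshold and window are constructed assumptions, and the "Login succeeded" message assumes successful-login auditing is enabled on the instance.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not taken from the advisory).
SAMPLE_LOG = """\
2023-08-01 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-01 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-01 10:00:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-01 10:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-01 10:00:02.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-08-01 10:00:03.20 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-08-01 10:00:09.00 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-08-01 10:05:00.00 Logon       Login failed for user 'app'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+\S+\s+(.*)$")
CLIENT_RE = re.compile(r"\[CLIENT: ([^\]]+)\]")


def detect(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return (kind, detail) alerts in log order.

    kind is 'brute_force' (threshold failures from one client inside the window),
    'brute_force_success' (a success from a client already over the threshold),
    or 'xp_cmdshell_enabled' (sp_configure turned xp_cmdshell on).
    """
    failures = defaultdict(list)  # client ip -> timestamps of recent failed logins
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        client = CLIENT_RE.search(msg)
        ip = client.group(1) if client else None
        if msg.startswith("Login failed") and ip:
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) == threshold:  # fire once when the burst is reached
                alerts.append(("brute_force", ip))
        elif msg.startswith("Login succeeded") and ip:
            if sum(1 for t in failures[ip] if ts - t <= window) >= threshold:
                alerts.append(("brute_force_success", ip))
        elif "Configuration option 'xp_cmdshell' changed from 0 to 1" in msg:
            alerts.append(("xp_cmdshell_enabled", ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(kind, detail)
```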

MITRE Techniques

  • [T1110] Brute Force – Gained access to the victim host by brute forcing an MSSQL login. Quote: “The threat actors gained access to the victim host by brute forcing an MSSQL login.”
  • [T1046] Network Service Discovery – Enumeration used wmic.exe, net.exe and ipconfig.exe to map the environment. Quote: “Enumeration was carried out using a few basic commands. Most of these included wmic.exe, net.exe and ipconfig.exe.”
  • [T1112] Modify Registry – Registry changes were used to impair defenses and enable persistence. Quote: “The attackers enumerated the current state of the RDP environment by making the following registry changes to ensure connection success:”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Registry and configuration changes were used to disable protections and facilitate access. Quote: “To avoid detection, the following command was executed… This registry modification prevents the last user who authenticated with the system to appear in the login screen.”
  • [T1098] Account Manipulation – Creation of new user accounts and adding them to remote desktop/administrators groups. Quote: “Three new users were created on the victim host … Each user was added to the ‘remote desktop users’, ‘administrators’.”
  • [T1505.001] Server Software Component: SQL Stored Procedures – Abuse of SQL Server components to maintain persistence. Quote: “T1505.001: Server Software Component: SQL Stored Procedures”
  • [T1003] OS Credential Dumping – Mimikatz was used to dump credentials. Quote: “The batch file then executed mimikatz.exe to dump credentials.”
  • [T1021.001] Remote Services: Remote Desktop Protocol – RDP was used for network access and persistence. Quote: “The attackers preferred using RDP to connect to the victim machine.”
  • [T1105] Ingress Tool Transfer – Files/tools were transferred via a remote SMB share. Quote: “The network share allowed the attacker to transfer files to and from the victim system as well as install malicious tools.”
  • [T1219] Remote Access Software – AnyDesk was used as a RAT-like remote access tool. Quote: “AnyDesk is a legitimate service that functions like a RAT.”
  • [T1572] Encrypted Channel: Symmetric Cryptography – C2 communications implied by the C2 infrastructure configuration (Gelsd) and tool usage. Quote: “svr.exe appears to be a Cobalt Strike command and control payload. We observed it making DNS connections to gelsd[.]com.”
  • [T1486] Data Encrypted for Impact – FreeWorld ransomware encryption of files. Quote: “The ransomware began encrypting the victim host and generated encrypted files using the ‘.FreeWorldEncryption’ extension.”

Indicators of Compromise

  • [IP] 45.148.122.63 – Remote SMB server used for tool transfer and persistence. Context: remote SMB server used during network share operations.
  • [Domain] gelsd[.]com – C2 address for svr.exe communications. Context: C2 from svr.exe.
  • [File Hash] svr.exe – 8937A510446ED36717BB8180E5E4665C0C5D5BC160046A31B28417C86FB1BA0F
  • [File Hash] 5000.exe – 80BF2731A81C113432F061B397D70CAC72D907C39102513ABE0F2BAE079373E4
  • [File Hash] FreeWorld.exe – 75975B0C890F804DAB19F68D7072F8C04C5FE5162D2A4199448FC0E1AD03690B
  • [File Hash] Everything.exe – 4C83E46A29106AFBAF5279029D102B489D958781764289B61AB5B618A4307405
  • [File Hash] gelsd.dll – 11259F77F4E477CD066008FBFC7C31D5BBDC9EF708C4B255791EE380999A725C
  • [File] 7zipsfx.0007za.exe – used to decrypt Everything64.dll during ransomware drop

Read more: https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/