HTML Smuggling Leads to Domain Wide Ransomware

Two-stage HTML smuggling campaign delivered a password-protected ZIP containing an ISO that dropped IcedID, leading to Cobalt Strike beacons and Nokoyawa ransomware across a domain. The operation involved TA551 as distributor and Storm-0390 as hands-on keyboard actor, exhibiting persistence, credential access, lateral movement, and extensive network discovery before encryption. #TA551 #Storm-0390 #Nokoyawa #IcedID #CobaltStrike #HTMLSmuggling #RDP #PsExec #AdFind #SessionGopher

Keypoints

  • Attack chain starts with HTML smuggling delivering a password-protected ZIP that hides an ISO payload.
  • Inside the ISO, an LNK file runs the IcedID loader DLL; the IcedID infection is then used to deploy Cobalt Strike beacons for post-exploitation.
  • Initial access appears to be delivered via email with thread hijacking and a fake Adobe lure to download the ZIP.
  • Persistence is achieved via scheduled tasks and later, ransomware is deployed across the network using PsExec and WMIC.
  • Extensive discovery (AD, domain, network, and OS info) precedes ransomware deployment, including AdFind, nltest, and nslookup.
  • Nokoyawa ransomware (k.exe, launched through p.bat) mounts hidden drives and deletes volume shadow copies, then encrypts systems across the domain.
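The first keypoint (HTML smuggling delivering a password-protected ZIP that wraps an ISO) is easiest to reason about with a concrete triage check. The script below is an added example, not code from The DFIR Report: it statically scores an HTML attachment on the client-side primitives a smuggling page needs (a long base64 literal, atob/Uint8Array decoding, a Blob with URL.createObjectURL, and a forced download), decodes the embedded literal, sniffs it by magic bytes, and reads the ZIP general-purpose flag to tell whether the archive is password-protected, which is what keeps the payload opaque to gateway scanning. The marker list, the scoring weights and both sample pages are this example's own assumptions; the embedded ZIP is built in memory so the script runs offline.

```python
"""Static triage of an HTML attachment for HTML-smuggling markers (T1027.006).

Added example for this summary, not code from The DFIR Report. The scoring
weights, marker list and the sample pages below are this example's own
assumptions; the embedded ZIP is constructed in memory so the script runs offline.
"""
import base64
import io
import re
import struct
import zipfile

# Client-side primitives a smuggling page needs to turn an inline string into a
# file on disk. These are the JavaScript API names themselves, not strings from the report.
MARKERS = [
    ("atob_decode", re.compile(r"\batob\s*\(")),
    ("typed_array", re.compile(r"\bUint8Array\b")),
    ("blob_object", re.compile(r"\bnew\s+Blob\s*\(")),
    ("object_url", re.compile(r"\bURL\.createObjectURL\s*\(")),
    ("forced_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]|msSaveOrOpenBlob")),
]
# A quoted run of >= 200 base64 characters: the smuggled payload itself.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")


def sniff(data):
    """Identify the decoded payload by magic bytes; 'iso' checks the ISO9660 primary volume descriptor."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"


def zip_is_encrypted(data):
    """Bit 0 of the general-purpose flag in the first local file header marks a
    password-protected entry, which is what keeps the archive opaque to gateway AV."""
    if data[:4] != b"PK\x03\x04" or len(data) < 8:
        return False
    return bool(struct.unpack_from("<H", data, 6)[0] & 0x01)


def extract_payloads(html):
    """Decode every long base64 literal and describe what it contains."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        kind = sniff(blob)
        found.append({"type": kind, "size": len(blob),
                      "encrypted": kind == "zip" and zip_is_encrypted(blob)})
    return found


def triage(html):
    """Score a page: one point per JS marker, two per decodable ZIP/PE/ISO, two more if the ZIP is encrypted."""
    markers = [name for name, rx in MARKERS if rx.search(html)]
    payloads = extract_payloads(html)
    score = len(markers)
    score += 2 * sum(1 for p in payloads if p["type"] in ("zip", "pe", "iso"))
    score += 2 * sum(1 for p in payloads if p["encrypted"])
    return {"markers": markers, "payloads": payloads, "score": score,
            "verdict": "suspicious" if score >= 4 else "benign"}


def _constructed_encrypted_zip():
    """Build a small ZIP and set the encryption flag so zip_is_encrypted() has a
    realistic input. The entry is not really encrypted; this is a test fixture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("documents.iso", b"\x00" * 300)
    raw = bytearray(buf.getvalue())
    raw[6] |= 0x01  # general-purpose flag, low byte, bit 0 = encrypted
    return bytes(raw)


# Constructed sample pages (not the campaign's HTML); the Adobe text only mirrors the lure theme.
SMUGGLING_HTML = """<html><body><h1>Adobe Acrobat - document ready</h1><script>
var b = "__B64__";
var bytes = Uint8Array.from(atob(b), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "documents.zip";
a.click();
</script></body></html>""".replace("__B64__", base64.b64encode(_constructed_encrypted_zip()).decode())

BENIGN_HTML = '<html><body><p>Your invoice is attached.</p><script>document.title = "Invoice";</script></body></html>'

if __name__ == "__main__":
    for name, page in (("smuggling", SMUGGLING_HTML), ("benign", BENIGN_HTML)):
        print(name, triage(page))
```

The encrypted-ZIP flag is the detail worth keeping: a mail gateway that cannot open the archive cannot see the ISO, so "base64 literal that decodes to a flagged-encrypted ZIP" is a stronger signal than any one of the JavaScript markers by itself.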

MITRE Techniques

  • [T1027.006] HTML Smuggling – Used to deliver a password-protected ZIP and ISO payload via an HTML file labeled as an Adobe lure. [ ‘This HTML file was using a technique known as HTML smuggling.’ ]
  • [T1036] Masquerading – The LNK file masqueraded as a document to trick the user into execution. [ ‘The only visible file to the user was a LNK file masquerading as a document.’ ]
  • [T1218.011] System Binary Proxy Execution: Rundll32 – The initial access package copied rundll32.exe to entails.exe with xcopy and used the renamed copy to load the IcedID DLL, so the loader never shows up as rundll32.exe in process telemetry. [ ‘the initial access package used the Windows xcopy utility to rename rundll32.exe to entails.exe.’ ; ‘rundll32.exe … –oyxo="EdgeDecreaselicense.dat"’ ]
  • [T1055] Process Injection – IcedID DLL loaded via entails.exe and injected into cmd.exe; later, beacon.dll injected into cmd.exe. [ ‘entails.exe, which loaded the IcedID DLL, was then observed injecting into a cmd.exe process’ ]
  • [T1003.001] LSASS Memory – Cobalt Strike accessed LSASS memory to extract credentials. [ ‘accesses LSASS, likely to access credentials.’ ]
  • [T1021.001] Remote Desktop Protocol – RDP session used to move laterally to a domain controller. [ ‘initiated an RDP session to move laterally to a domain controller.’ ]
  • [T1053.005] Scheduled Task – IcedID persistence established via a scheduled task running hourly. [ ‘persistence was established via a scheduled task on the beachhead host. This task was set to run the IcedID malware every hour on the host.’ ]
  • [T1082] System Information Discovery – Discovery commands included net, ipconfig, systeminfo, nltest. [ ‘standard utilities like net, ipconfig, systeminfo, and nltest.’ ]
  • [T1069.002] Permission Groups Discovery: Domain Groups – AdFind run from adfind.bat on a domain controller to enumerate domain objects (the same AdFind activity also maps to T1087.002 Domain Account and T1482 Domain Trust Discovery). [ ‘AdFind was used for discovery on a domain controller via a batch script named adfind.bat.’ ]
  • [T1560.001] Archive Collected Data: Archive via Utility – Discovery output archived with 7-Zip. [ ‘the results of the discovery commands were archived using 7-Zip.’ ]
  • [T1059.001] PowerShell – SessionGopher encoded PowerShell command used to find/decrypt session data for remote access tools. [ ‘an encoded PowerShell command which was SessionGopher.’ ]
  • [T1059.003] Windows Command Shell – Extensive use of cmd.exe for discovery and execution; the quoted line is several commands chained in a single cmd.exe /c invocation. [ ‘cmd.exe /c chcp >&2 ipconfig /all systeminfo net config workstation nltest /domain_trusts’ ]
  • [T1047] Windows Management Instrumentation – WMIC queried the root\SecurityCenter2 AntiVirusProduct class to list installed security products (Security Software Discovery, T1518.001). [ ‘WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List’ ]
  • [T1018] Remote System Discovery – nslookup and other name and host lookups run across hosts for network-wide reconnaissance. [ nslookup and other network lookup commands were used across hosts (paraphrase). ]
  • [T1486] Data Encrypted for Impact – The Nokoyawa ransomware binary was executed to encrypt endpoints across the domain. [ ‘encryption of the network’ ; ‘ransomware binary’ ]
  • [T1078] Valid Accounts – Compromised domain administrator credentials used for discovery and lateral movement. [ Mapping inferred from the report's references to Domain Admins accounts rather than from a direct quote. ]
  • [T1021.002] SMB/Windows Admin Shares – PsExec/WMIC lateral movement across network hosts. [ ‘PsExec and WMIC were used to move files across systems in the network.’ ]
  • [T1046] Network Service Discovery – netscan run to enumerate reachable hosts and services, alongside nslookup for DNS lookups, ahead of the ransomware deployment. [ ‘netscan’ and ‘nslookup’ usage described. ]
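Most of the techniques above leave a process-creation footprint, and the renamed rundll32 is the one that breaks naive image-name rules. The block below is an added example, not detection content from The DFIR Report: six small rules over constructed Sysmon Event ID 1 style events (Image, OriginalFileName, CommandLine, ParentImage) covering the renamed LOLBIN, the SecurityCenter2 WMIC query, AdFind/nltest reconnaissance, the hourly scheduled task, the PsExec service and shadow-copy deletion. The watchlist, field values, paths, user name and task name are this example's own assumptions.

```python
"""Behavioural detections for the techniques listed above, run over constructed
Sysmon-style process-creation events (Event ID 1 field names: Image,
OriginalFileName, CommandLine, ParentImage). Added example; the rules and the
sample events are this example's own and are not taken from The DFIR Report.
"""
import ntpath
import re

# Binaries attackers copy under a new name (here rundll32.exe -> entails.exe) so that
# image-name detections miss them. OriginalFileName comes from the PE version resource
# and survives the rename.
RENAME_WATCHLIST = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def _base(path):
    return ntpath.basename(path or "").lower()


def renamed_lolbin(ev):
    """T1036.003 with T1218.011: embedded name is a watched LOLBIN, on-disk name differs."""
    orig = (ev.get("OriginalFileName") or "").lower()
    return orig in RENAME_WATCHLIST and _base(ev["Image"]) != orig


def av_enumeration(ev):
    """T1047 used for T1518.001: WMIC query against root\\SecurityCenter2 AntiVirusProduct."""
    cl = ev["CommandLine"].lower()
    return "securitycenter2" in cl and "antivirusproduct" in cl


def ad_recon(ev):
    """T1069.002 / T1482: AdFind LDAP dumps and nltest trust enumeration."""
    cl = ev["CommandLine"].lower()
    image = _base(ev["Image"])
    adfind = image == "adfind.exe" or "objectcategory=" in cl
    trusts = image == "nltest.exe" and "/domain_trusts" in cl
    return adfind or trusts


def hourly_task_from_user_path(ev):
    """T1053.005: schtasks creating an hourly task whose action lives under a user profile."""
    cl = ev["CommandLine"].lower()
    return (_base(ev["Image"]) == "schtasks.exe" and "/create" in cl and "/sc hourly" in cl
            and re.search(r"\\users\\[^\\]+\\appdata\\", cl) is not None)


def psexec_service(ev):
    """T1021.002 / T1569.002: PsExec's service binary running on the target host."""
    return _base(ev["Image"]) == "psexesvc.exe" or _base(ev.get("ParentImage")) == "psexesvc.exe"


def shadow_copy_deletion(ev):
    """T1490: shadow copies removed ahead of encryption (vssadmin or WMI shadowcopy delete)."""
    cl = ev["CommandLine"].lower()
    return ((_base(ev["Image"]) == "vssadmin.exe" and "delete shadows" in cl)
            or ("shadowcopy" in cl and "delete" in cl))


RULES = [renamed_lolbin, av_enumeration, ad_recon, hourly_task_from_user_path,
         psexec_service, shadow_copy_deletion]


def evaluate(events):
    """Map each firing rule name to the indexes of the events that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.setdefault(rule.__name__, []).append(i)
    return hits


# Constructed telemetry for this example; paths, users and the task name are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\entails.exe", "OriginalFileName": "RUNDLL32.EXE",
     "CommandLine": r'entails.exe "C:\Users\alice\AppData\Local\Temp\1.dll",#1',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "OriginalFileName": "wmic.exe",
     "CommandLine": r"WMIC /Node:localhost /Namespace:root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # nltest.exe really carries OriginalFileName "nltestrk.exe": comparing every process's
    # embedded name against its image name would false-positive, hence the watchlist above.
    {"Image": r"C:\Windows\System32\nltest.exe", "OriginalFileName": "nltestrk.exe",
     "CommandLine": "nltest /domain_trusts", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\Temp\adfind.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": 'adfind.exe -f "objectcategory=person" > ad_users.txt',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /sc hourly /tr "rundll32 C:\Users\alice\AppData\Roaming\x.dll,init"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe",
     "CommandLine": r"C:\Windows\PSEXESVC.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "OriginalFileName": "VSSADMIN.EXE",
     "CommandLine": "vssadmin delete shadows /all /quiet", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, idx in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{rule:28s} -> events {idx}")
```

The renamed-binary rule keys on OriginalFileName rather than the on-disk name, which is exactly the field entails.exe cannot hide; the watchlist exists because several legitimate Windows binaries (nltest.exe among them) carry an embedded name that differs from their file name, so a blanket mismatch rule is noisy.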

Indicators of Compromise

  • [IP] – 5.8.18[.]242:443 – Cobalt Strike C2 server contacted by the beacons on port 443.
  • [IP] – 159.89.12[.]125:80 – HTTP endpoint used in the IcedID staging traffic.
  • [IP] – 78.128.113[.]154 – hosted by 4vendeta[.]com, Bulgaria.
  • [Domain] – trentonkaizerfak[.]com – C2 domain for IcedID/Nokoyawa activity.
  • [Domain] – pikchayola[.]pics – C2 domain for IcedID activity.
  • [Domain] – questdisar[.]com – C2 domain for IcedID activity.
  • [JA3/JA3s] – a0e9f5d64349fb13191bc781f81f42e1, ec74a5c51106f0419184d0dd08fb05bc – TLS fingerprints for Cobalt Strike/IcedID traffic.
  • [Hash] – 9740f2b8aeacc180d32fc79c46333178, 40c9dc2897b6b348da88b23deb0d3952 – DLLs/executables dropped during infection (1.dll, k.exe).
  • [File name] – documents-9771.lnk, k.exe – LNK masquerade file and ransomware component name.
  • [File name] – pimpliest_kufic.png, templates544.png – disguised files within ISO/ZIP used for loading IcedID.
  • [Hostname] – WIN-5J00ETD85P5 – hostname recorded during the RDP lateral-movement and credential-access activity; a default-pattern WIN-<random> name like this is worth matching against the workstation-name field of RDP logon events.
  • [URL] – http://127.0.0.1:8897/ – loopback URL from which the encoded PowerShell command fetched the SessionGopher script. Serving a script through a local port on the beaconing host is the pattern Cobalt Strike uses for its PowerShell tasking, so this is a host-side indicator (command-line and script-block logging), not an external C2 address.
  • [SSL Certificate] – Certificate Subject: O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost, seen in the TLS traffic to the C2. This is the subject OpenSSL fills in when a self-signed certificate is generated with its default prompts, so it also matches many lab and appliance certificates; use it to corroborate the IP and JA3 hits rather than as a stand-alone detection.
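The indicators above mix strong ones (C2 addresses, domains) with ones that only corroborate (JA3 hashes, the OpenSSL default certificate subject), so a sweep should rank them rather than treat every match alike. The block below is an added example, not tooling from The DFIR Report: it refangs the indicators as published, parses Zeek-style JSON records (conn, ssl, dns, http), compares the certificate subject as an unordered set of RDNs because Zeek prints them in the reverse of OpenSSL's order, and assigns a severity per record. The severity tiers and the sample records (RFC 5737 addresses for the unlisted hosts) are this example's own.

```python
"""Sweep Zeek-style JSON logs for the indicators listed above, keeping the weak
ones weak. Added example; the record lines are constructed for it and the
severity tiers are this example's own choices, not the report's.
"""
import json

# Indicators from the summary, kept defanged as published and refanged at load time.
IOCS = {
    "ip": ["5.8.18[.]242", "159.89.12[.]125", "78.128.113[.]154"],
    "domain": ["trentonkaizerfak[.]com", "pikchayola[.]pics", "questdisar[.]com"],
    "ja3": ["a0e9f5d64349fb13191bc781f81f42e1", "ec74a5c51106f0419184d0dd08fb05bc"],
}
# OpenSSL's interactive defaults: any self-signed cert made by hitting Enter carries this subject.
OPENSSL_DEFAULT_SUBJECT = "O=Internet Widgits Pty Ltd,ST=Some-State,C=AU,CN=localhost"

RANK = {"low": 1, "medium": 2, "high": 3}


def refang(ind):
    return ind.replace("[.]", ".").replace("hxxp", "http")


def rdn_set(subject):
    """Order-independent view of a DN so 'CN=..,O=..' and 'O=..,CN=..' compare equal
    (Zeek prints RDNs in the reverse of OpenSSL's order)."""
    return frozenset(p.strip() for p in subject.split(",") if p.strip())


IP_SET = {refang(x) for x in IOCS["ip"]}
DOMAIN_SET = {refang(x) for x in IOCS["domain"]}
JA3_SET = set(IOCS["ja3"])
DEFAULT_SUBJECT_RDNS = rdn_set(OPENSSL_DEFAULT_SUBJECT)


def match_record(rec):
    """Return (severity, reasons) for one record, or (None, []) if nothing matched."""
    reasons = []
    for fld in ("id.resp_h", "id.orig_h"):
        if rec.get(fld) in IP_SET:
            reasons.append(("high", f"listed C2 address {rec[fld]}"))
    for fld in ("server_name", "query", "host"):  # ssl.log SNI, dns.log query, http.log Host
        if rec.get(fld, "").lower().rstrip(".") in DOMAIN_SET:
            reasons.append(("high", f"listed domain {rec[fld]}"))
    for fld in ("ja3", "ja3s"):
        if rec.get(fld) in JA3_SET:
            # A JA3 hash identifies a TLS stack, not a server: medium until paired with another hit.
            reasons.append(("medium", f"listed {fld} {rec[fld]}"))
    if rec.get("subject") and rdn_set(rec["subject"]) == DEFAULT_SUBJECT_RDNS:
        # Countless lab and appliance certs share this subject; on its own it is low.
        reasons.append(("low", "OpenSSL default self-signed subject"))
    if not reasons:
        return None, []
    severity = max((s for s, _ in reasons), key=RANK.get)
    return severity, [r for _, r in reasons]


def sweep(lines):
    """Evaluate newline-delimited JSON records; return hits as (line_no, severity, reasons)."""
    hits = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        sev, why = match_record(json.loads(line))
        if sev:
            hits.append((n, sev, why))
    return hits


# Constructed records (RFC 5737 addresses for the non-listed hosts); not from the report.
SAMPLE_LOG = [
    json.dumps({"_path": "ssl", "id.orig_h": "10.0.0.15", "id.resp_h": "5.8.18.242", "id.resp_p": 443,
                "ja3": "a0e9f5d64349fb13191bc781f81f42e1",
                "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"}),
    json.dumps({"_path": "dns", "id.orig_h": "10.0.0.15", "id.resp_h": "10.0.0.2",
                "query": "trentonkaizerfak.com"}),
    json.dumps({"_path": "ssl", "id.orig_h": "10.0.0.20", "id.resp_h": "203.0.113.10", "id.resp_p": 8443,
                "ja3": "0000000000000000000000000000dead",
                "subject": "CN=localhost,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"}),
    json.dumps({"_path": "http", "id.orig_h": "10.0.0.15", "id.resp_h": "159.89.12.125", "id.resp_p": 80,
                "host": "159.89.12.125", "uri": "/"}),
    json.dumps({"_path": "conn", "id.orig_h": "10.0.0.31", "id.resp_h": "198.51.100.7", "id.resp_p": 443}),
]

if __name__ == "__main__":
    for line_no, sev, why in sweep(SAMPLE_LOG):
        print(f"line {line_no}: {sev:6s} {'; '.join(why)}")
```

Record 3 shows the point of the tiers: the OpenSSL default subject alone stays low, while record 1 carries the same certificate together with the listed C2 address and JA3 hash and is escalated to high.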

Read more: https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/