MERCURY and DEV-1084: Destructive attack on hybrid environment | Microsoft Security Blog

Microsoft Threat Intelligence attributes a destructive operation to MERCURY (also known as Mango Sandstorm) and DEV-1084 (Storm-1084), detailing how the actors compromised a hybrid on-premises and cloud environment and pursued irreversible disruption rather than a ransom payout. The post covers initial access through unpatched Log4j 2 vulnerabilities, extensive persistence and discovery, a pivot into the cloud via the Azure AD Connect server, mass destruction of cloud resources, and a set of detections and mitigations.
#MangoSandstorm #Storm-1084 #DarkBit #AzureADConnect

Keypoints

  • MERCURY (Iran-linked) obtained access and handed it to DEV-1084, which ran a destructive campaign, not a purely ransomware one, across on-premises and cloud environments.
  • Initial access came from exploiting unpatched Log4j 2 vulnerabilities; operations were then handed off to DEV-1084 for persistence and lateral movement.
  • Persistence relied on web shells, newly created local user accounts elevated to local administrator, remote access tools (RPort, Ligolo, eHorus), a customized PowerShell backdoor, and stolen credentials.
  • Discovery and lateral movement used native Windows tooling (netstat, nltest, WMI) together with remote services and remote scheduled tasks.
  • The cloud pivot went through the Azure AD Connect server: AADInternals was used to extract plaintext credentials, and the actors expanded into cloud administrator context, including RDP access to a privileged account that had MFA enabled but was not protected by it on the RDP path.
  • Destructive actions in the cloud included mass deletion of server farms, VMs, storage, and networks; an OAuth application holding the Exchange Web Services full_access_as_app permission gave mailbox access and let the actors send email as other users.
  • Defensive guidance and detections spanned Microsoft 365 Defender, Defender for Cloud Apps, Defender for Identity, Defender Antivirus, Defender for Endpoint, plus specific IOCs and hunting queries.
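The persistence, discovery and cloud-pivot chain in the keypoints above lends itself to a small hunting rule set. The following is an added example written for this summary, not code from Microsoft or from the original post: it runs four rules (new local account promoted to Administrators, native discovery tools, scheduled task launching encoded PowerShell, AADInternals sync-credential cmdlets on the Azure AD Connect host) over a handful of constructed Windows event records. The flat event schema, host names and timestamps are assumptions; the Windows event IDs and the AADInternals cmdlet name are real.

```python
"""Hunting logic for the on-premises persistence, discovery and cloud-pivot
chain summarized above, run over constructed Windows event records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). The flat schema is an
# assumption; in practice these come from the Security log, Sysmon, or
# Defender for Endpoint tables. Event IDs: 4720 user created, 4732 member
# added to local group, 4688 process creation, 4698 scheduled task created,
# 4104 PowerShell script block logging.
SAMPLE_EVENTS = [
    {"ts": "2023-02-01T10:00:00", "host": "WEB01", "id": 4720, "user": "svc_backup"},
    {"ts": "2023-02-01T10:00:30", "host": "WEB01", "id": 4732, "user": "svc_backup",
     "group": "Administrators"},
    {"ts": "2023-02-01T10:05:00", "host": "WEB01", "id": 4688, "cmd": "nltest /domain_trusts"},
    {"ts": "2023-02-01T10:05:10", "host": "WEB01", "id": 4688,
     "cmd": r"C:\Windows\System32\netstat.exe -ano"},
    {"ts": "2023-02-01T10:20:00", "host": "FS02", "id": 4698, "task": "Updater",
     "cmd": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2023-02-02T08:00:00", "host": "AADC01", "id": 4104,
     "script": "Import-Module AADInternals; Get-AADIntSyncCredentials"},
    # Benign control: account created but never added to Administrators.
    {"ts": "2023-02-02T09:00:00", "host": "HR05", "id": 4720, "user": "jdoe"},
]

ADMIN_WINDOW = timedelta(minutes=10)          # 4720 -> 4732 on the same host
DISCOVERY_EXES = {"nltest", "netstat", "wmic"}
ENCODED_PS = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\b", re.I)
# Names from the public AADInternals toolkit; Get-AADIntSyncCredentials reads
# the Azure AD Connect sync account credentials from the server.
CLOUD_PIVOT_MARKERS = ("Get-AADIntSyncCredentials", "AADInternals")


def event_time(event):
    return datetime.fromisoformat(event["ts"])


def exe_name(cmdline):
    """Return the bare executable name from a command line, e.g. 'netstat'."""
    first = cmdline.strip().split()[0] if cmdline.strip() else ""
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def hunt(events):
    """Return (rule, host, detail) tuples for events matching the chain."""
    findings = []
    created = defaultdict(list)  # (host, user) -> account creation timestamps
    for e in sorted(events, key=event_time):
        if e["id"] == 4720:
            created[(e["host"], e["user"])].append(event_time(e))
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            key = (e["host"], e["user"])
            if any(timedelta(0) <= event_time(e) - t <= ADMIN_WINDOW for t in created[key]):
                findings.append(("new_local_admin", e["host"], e["user"]))
        elif e["id"] == 4688 and exe_name(e.get("cmd", "")) in DISCOVERY_EXES:
            findings.append(("discovery", e["host"], exe_name(e["cmd"])))
        elif e["id"] == 4698:
            cmd = e.get("cmd", "")
            if "powershell" in cmd.lower() and ENCODED_PS.search(cmd):
                findings.append(("encoded_ps_task", e["host"], e.get("task", "")))
        elif e["id"] == 4104:
            script = e.get("script", "")
            hit = [m for m in CLOUD_PIVOT_MARKERS if m.lower() in script.lower()]
            if hit:
                findings.append(("aadconnect_cred_extraction", e["host"], hit[0]))
    return findings


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {host:8} {detail}")
```

The account-creation rule deliberately correlates 4720 and 4732 on the same host inside a short window rather than alerting on either event alone, which is what keeps the benign jdoe record quiet; the 4104 rule only fires where script block logging is enabled, so it is worth confirming that policy on the Azure AD Connect server specifically.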

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited known vulnerabilities in unpatched Log4j 2 to gain initial access. “…continuing to exploit Log4j 2 vulnerabilities in unpatched systems…”
  • [T1505.003] Web Shell – Installed web shells to maintain persistence and access. “…Installing web shells”
  • [T1136] Create Account – Added a local user account and elevated privileges to local administrator. “…Adding a local user account and elevating privileges to local administrator”
  • [T1219] Remote Access Software – RPort and eHorus (legitimate remote access tools) deployed to keep access to compromised hosts.
  • [T1021] Remote Services – Remote services used to run encoded PowerShell on other hosts during lateral movement.
  • [T1059.001] PowerShell – Customized PowerShell script backdoor used for execution and persistence. “…customized PowerShell script backdoor”
  • [T1003] OS Credential Dumping – Stole credentials to enable later steps. “…Stealing credentials”
  • [T1047] Windows Management Instrumentation – Used WMI to launch commands on devices during discovery.
  • [T1053.005] Scheduled Task: Windows – Remote scheduled tasks used to launch the PowerShell backdoor and other components. “…Remote scheduled tasks to launch their customized PowerShell backdoor”
  • [T1018] Remote System Discovery – nltest used to enumerate domain controllers and domain trusts (trust enumeration also maps to T1482 Domain Trust Discovery).
  • [T1049] System Network Connections Discovery – netstat used for discovery of network connections.
  • [T1572] Protocol Tunneling – Leveraged tunneling tools like Ligolo and OpenSSH to stay under detection during C2 communications.
  • [T1021.001] Remote Desktop Protocol – Cloud pivot included RDP access to a privileged account; MFA was enabled on the account but did not cover the RDP path. “…leverage RDP for access into the account. Even though this account had MFA in place, the threat actors accessed it through RDP…”
  • [T1550.001] Application Access Token – Abused an OAuth application holding the Exchange Web Services full_access_as_app permission to read mailboxes and send mail as other users; mailbox access through the app token also maps to T1114.002 Remote Email Collection.
  • [T1486] Data Encrypted for Impact – DarkBit ransomware payload used for mass encryption of files on targeted devices, deployed domain-wide via the NETLOGON share and Active Directory.
  • [T1485] Data Destruction – Mass deletion of Azure resources (server farms, VMs, storage, networks) as the destructive objective expanded to the cloud.
  • [T1562] Impair Defenses – Used Group Policy Objects to interfere with security tooling in the on-prem environment. “…interfered with security tools using Group Policy Objects (GPO)…”

Indicators of Compromise

  • [File hash] DEV-1084 ransom payload – 9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff, 80bd00c0f6d5e39b542ee6e9b67b1eef97b2dbc6ec6cae87bf5148f1cf18c260, and 2 more hashes
  • [File hash] DEV-1084 batch scripts – 8dd9773c24703e803903e7a5faa088c2df9a4b509549e768f29276ef86ef96ae, 486eb80171c086f4d184423ed7e79303ad7276834e5e5529b199f8ae5fc661f2, and other hashes
  • [File hash] Customized Script Backdoor (db.ps1) – 6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77
  • [File hash] Customized Obfuscated Script Backdoor (db.sqlite) – b155c5b3a8f4c89ba74c5c5c03d029e4202510d0cbb5e152995ab91e6809bcd7
  • [IP address] Command and control – 194.61.121.86, 141.95.22.153, and 11+ more IPs
  • [URL] C2/Download sources – hxxps://pairing[.]rport[.]io/qMLc2Wx, and 2+ more URLs
  • [Domain] Actor-owned C2 domain – vatacloud[.]com, webstore4tech[.]uaenorth.cloudapp.azure[.]com, and 2+ more domains
  • [File name] rport.exe – RPort, legitimate remote access tool, and 1 more file name
  • [File name] db.ps1 – Customized Script Backdoor, and 1 more script
  • [File name] db.sqlite – Customized Obfuscated Script Backdoor, and 1 more script
  • [IP address] 146.70.106[.]89 – used for threatening emails (IP previously linked to MERCURY)

NOTE: These indicators should not be considered exhaustive for this observed activity.
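Defanged indicators like the ones above cannot be grepped for directly, and the file names in the list (a legitimate tool, a generic script name) are far weaker than the hashes, domains and IPs. The block below is an added example, not code from Microsoft or the original post: it refangs a subset of the indicators listed above, compiles boundary-anchored patterns so that look-alike domains do not match, scans constructed proxy, DNS and EDR log lines, and separates strong hits from file-name-only sightings. The log lines, host names and the non-matching hash on the last line are constructed; the indicators are copied from the list.

```python
"""Refang the defanged indicators above and scan constructed log lines for
them, treating file names as weak context rather than alerts on their own."""
import re

# Indicators copied from the list above in their defanged form. Deliberately
# partial: the source itself says the list is not exhaustive.
DEFANGED_IOCS = {
    "url": ["hxxps://pairing[.]rport[.]io/qMLc2Wx"],
    "domain": ["vatacloud[.]com", "webstore4tech[.]uaenorth.cloudapp.azure[.]com"],
    "ip": ["194.61.121.86", "141.95.22.153", "146.70.106[.]89"],
    "sha256": [
        "9107be160f7b639d68fe3670de58ed254d81de6aec9a41ad58d91aa814a247ff",
        "6485a68ba1d335d16a1d158976e0cbfad7ab15b51de00c381d240e8b0c479f77",
    ],
}
# Legitimate-tool and generic names from the IOC list: context only.
WEAK_FILENAMES = ["rport.exe", "db.ps1", "db.sqlite"]

# Constructed log lines (not from the incident) covering each indicator type,
# a look-alike domain that must not match, and a file-name-only sighting.
SAMPLE_LOGS = [
    "2023-02-03T11:02:17Z proxy src=10.1.4.22 dst=194.61.121.86 url=https://pairing.rport.io/qMLc2Wx action=allow",
    "2023-02-03T11:03:40Z dns client=10.1.4.22 query=vatacloud.com type=A",
    r"2023-02-03T11:10:05Z edr host=FS02 file=C:\Windows\Temp\db.ps1 sha256=6485A68BA1D335D16A1D158976E0CBFAD7AB15B51DE00C381D240E8B0C479F77",
    "2023-02-03T11:11:00Z dns client=10.1.4.23 query=vatacloud.com.example.org type=A",
    r"2023-02-03T11:12:00Z edr host=HR05 file=C:\Tools\rport.exe sha256=1b4f0e9851971998e732078544c96b36c3d01cedf7caa332359d6f1d83567014",
]


def refang(ioc):
    """Turn 'hxxps://a[.]b' into 'https://a.b' so it can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_patterns(iocs):
    """Compile one boundary-anchored regex per indicator so substrings do not match."""
    patterns = []
    for kind, values in iocs.items():
        for value in map(refang, values):
            esc = re.escape(value)
            if kind == "ip":
                rx = re.compile(r"(?<![\d.])" + esc + r"(?![\d.])")
            elif kind == "domain":
                # Allow subdomains (sub.vatacloud.com) but reject vatacloud.com.example.org.
                rx = re.compile(r"(?<![\w-])" + esc + r"(?![\w.-])", re.I)
            else:  # url and sha256: exact match, case-insensitive for hashes
                rx = re.compile(esc, re.I)
            patterns.append((kind, value, rx))
    return patterns


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, kind, indicator) hits; file-name hits are labelled weak."""
    patterns = build_patterns(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, value, rx in patterns:
            if rx.search(line):
                hits.append((n, kind, value))
        low = line.lower()
        for name in WEAK_FILENAMES:
            if name in low:
                hits.append((n, "filename(weak)", name))
    return hits


def strong_hits(hits):
    """Drop file-name-only sightings; only the remainder should page anyone."""
    return [h for h in hits if h[1] != "filename(weak)"]


if __name__ == "__main__":
    for n, kind, value in scan(SAMPLE_LOGS):
        print(f"line {n}: {kind:15} {value}")
```

A file-name hit on its own (line 5 here) is a prompt to pull the file's hash and the process tree, not an incident; the hash and domain hits are the ones to act on. The domain lookahead rejects a trailing dot, so a DNS source that logs fully qualified names with the root dot needs that anchor relaxed.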

Read more: https://www.microsoft.com/en-us/security/blog/2023/04/07/mercury-and-dev-1084-destructive-attack-on-hybrid-environment/