NCC Group analyzes Everest ransomware operations and argues for a link to Black-Byte, detailing the TTPs observed in Everest-related activity during an incident response, including RDP-based lateral movement, credential dumping, and C2 via remote access tools. The report also maps these actions to MITRE techniques and lists IOCs associated with the campaign. #Everest #BlackByte
Key points
- Lateral movement observed via compromised user accounts and Remote Desktop Protocol (RDP).
- Credential dumping performed with ProcDump to capture LSASS memory and NTDS.dit copies.
- Defence evasion included routine deletion of tooling and reconnaissance data from hosts.
- Network discovery conducted using netscan.exe, netscanpack.exe, and SoftPerfectNetworkScanner Portable, with outputs saved to public directories.
- Data collection involved archiving data with WinRAR on a file server for exfiltration.
- C2 used Cobalt Strike (HTTPS-based) and additional remote access tools (AnyDesk, Splashtop, Atera), with Splashtop used for data exfiltration.
- Everest is attributed to Black-Byte (C# variant) rather than the Go-based version, with discussion on potential code reuse or re-emergence.
MITRE Techniques
- [T1133] External Remote Services – “Initial Access was through an insecure external service”
- [T1059.001] Command and Scripting Interpreter: PowerShell – “Threat actor utilised PowerShell to execute malicious commands”
- [T1059.003] Command and Scripting Interpreter: Windows Command Shell – “Threat actor utilised Windows Command Shell to execute malicious commands”
- [T1021.001] Remote Services: Remote Desktop Protocol – “The threat actor was observed using legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement.”
- [T1543.003] Create or Modify System Process: Windows Service – “Threat actor installed remote desktop software tools as services for persistence”
- [T1003.001] OS Credential Dumping: LSASS Memory – “The tool Procdump was used to create a copy of the LSASS process”
- [T1003.003] OS Credential Dumping: NTDS – “The NTDS.dit was copied”
- [T1070.004] Indicator Removal on Host: File deletion – “Threat actor routinely deleted tooling and output”
- [T1046] Network Service Discovery – “Threat actor utilised numerous network discovery tools – Netscan and SoftPerfectNetworkScanner”
- [T1560.001] Archive Collected Data: Archive via Utility – “Threat actor archived data using WinRAR”
- [T1071.001] Application Layer Protocol: Web Protocols – “Cobalt Strike was implemented using HTTPS for C2 traffic”
- [T1219] Remote Access Software – “Threat actor utilised remote access software – Anydesk, Splashtop and Atera”
- [T1041] Exfiltration Over C2 Channel – “Data exfiltration was conducted using the Splashtop application”
- [T1486] Data Encrypted for Impact – “Data was encrypted for impact”
Indicators of Compromise
- [File name] – netscan.exe, netscanpack.exe, svcdsl.exe – Network discovery and portable scanner tools referenced as IOCs
- [File name] – Winrar.exe – Archiving tool used to package data
- [File name] – subnets.txt, trustdumps.txt – Network discovery output files
- [File name] – l.exe – Metasploit payload
- [URL] – hxxp://3.22.79[.]23:8080/ – Site hosting Cobalt Strike beacon
- [URL] – hxxp://3.22.79[.]23:8080/a – Site hosting Cobalt Strike beacon
- [URL] – hxxp://3.22.79[.]23:10443/ga.js – Cobalt Strike C2
- [URL] – hxxp://18.193.71[.]144:10443/match – Cobalt Strike C2
- [URL] – hxxp://45.84.0[.]164:10443/o6mJ – Meterpreter C2
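The technique mapping and the IOC list above can be combined into a simple triage rule for process-creation telemetry. The following is an added example, not code from the NCC Group report: it tags constructed process-creation events with the MITRE IDs listed above, using the tool names, output files and C2 hosts from the IOC list; the event schema, the remote-access binary names and the sample events are assumptions.

```python
import re

# Tool names, output files and C2 hosts are the ones listed in the report's IOC
# section; the event schema, remote-access binary names and samples are constructed.
DISCOVERY_TOOLS = {"netscan.exe", "netscanpack.exe", "svcdsl.exe"}
DISCOVERY_OUTPUT = {"subnets.txt", "trustdumps.txt"}
ARCHIVERS = {"winrar.exe", "rar.exe"}
REMOTE_ACCESS = {"anydesk.exe", "splashtop.exe", "ateraagent.exe"}  # assumed binary names
C2_HOSTS = {"3.22.79.23", "18.193.71.144", "45.84.0.164"}
PROCDUMP_LSASS = re.compile(r"procdump(?:64)?\.exe.*\blsass\b", re.I)
NTDS_DIT = re.compile(r"\bntds\.dit\b", re.I)

def classify(event):
    """Map one process-creation event (dict with image, cmdline, dest_ip) to the
    MITRE technique IDs the report associates with that behaviour, plus IOC tags."""
    image = event.get("image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    hits = set()
    if PROCDUMP_LSASS.search(cmd):
        hits.add("T1003.001")  # ProcDump pointed at LSASS
    if NTDS_DIT.search(cmd):
        hits.add("T1003.003")  # NTDS.dit being copied
    if image in DISCOVERY_TOOLS or any(f in cmd.lower() for f in DISCOVERY_OUTPUT):
        hits.add("T1046")  # Netscan / SoftPerfect scanner, or its output files
    if image in ARCHIVERS:
        hits.add("T1560.001")  # WinRAR staging data before exfiltration
    if image in REMOTE_ACCESS:
        hits.add("T1219")  # AnyDesk / Splashtop / Atera
    if event.get("dest_ip") in C2_HOSTS:
        hits.add("T1071.001")  # connection to a listed Cobalt Strike / Meterpreter host
    if image == "l.exe":
        hits.add("IOC:l.exe")  # file name the report lists as a Metasploit payload
    return sorted(hits)

def triage(events):
    """Keep only events that matched at least one detection, with their tags."""
    return [(e["image"], classify(e)) for e in events if classify(e)]

SAMPLE_EVENTS = [  # constructed events, not taken from the report
    {"image": r"C:\Users\Public\procdump64.exe", "cmdline": "procdump64.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": r"cmd.exe /c copy C:\Windows\NTDS\ntds.dit C:\Users\Public\n.dit"},
    {"image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe"},
    {"image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": r"WinRAR.exe a -r out.rar D:\Finance"},
    {"image": r"C:\Users\Public\l.exe", "cmdline": "l.exe", "dest_ip": "45.84.0.164"},
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs", "dest_ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for image, tags in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

Name-based matches are only a starting point; the report notes the actor routinely deleted tooling and output (T1070.004), so absence of these file names on disk does not clear a host.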
Read more: https://research.nccgroup.com/2022/07/13/climbing-mount-everest-black-byte-bytes-back/