HardBit Ransomware version 4.0 shows enhanced obfuscation, passphrase protection, and CLI/GUI delivery variants, with Neshta-driven delivery and a focus on bypassing defenses. The threat actors employ credential dumping, RDP-based lateral movement, and optional wiper mode, highlighting evolving TTPs and defense considerations. #HardBit #Neshta

Keypoints

  • HardBit 4.0 adds passphrase-protected runtime and stronger binary obfuscation to hinder analysis.
  • Two delivery flavors are offered: a CLI version and an intuitive GUI version, so operators with a wider range of skill levels can use it.
  • Neshta acts as the delivery/dropper, packing HardBit with Ryan-_-Borland_Protector Cracked v1.0 (likely a ConfuserEx-based packer).
  • Initial access is suspected to be via brute-forcing open RDP/SMB services, with observed login failures from brute-forcing IPs.
  • Credential access leverages Mimikatz (via a BAT script) and NLBrute, with auxiliary tools LaZagne and NirSoft mentioned but not deployed in observed incidents.
  • Lateral movement and discovery rely on RDP, NLBrute, and port scanners like KPortScan 3.0; actors download tools from picofile to enable discovery.
  • Impact includes encryption by HardBit with optional wiper mode in the GUI, plus defensive evasion such as Windows Defender tampering.

MITRE Techniques

  • [T1047] Windows Management Instrumentation – ‘HardBit Ransomware inhibits system recovery by deleting backup catalogs via WMIC’
  • [T1059.001] Command and Scripting Interpreter: PowerShell – ‘spawns PowerShell to disable Windows Defender’
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – ‘spawns CMD to disable recovery options via BCDEdit’
  • [T1562.001] Impair Defenses: Disable or Modify Tools – ‘HardBit Ransomware disables Windows Defender to ensure successful encryption’
  • [T1003.001] OS Credential Dumping: LSASS Memory – ‘Mimikatz to conduct credential dumping’
  • [T1110] Brute Force – ‘NLBrute to conduct RDP brute force attack’
  • [T1046] Network Service Discovery – ‘Advanced Port Scanner and KPortScan 3.0 to conduct network discovery within the corporate network’
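The recovery-inhibition, Defender-tampering and RDP brute-force behaviours listed in the key points and MITRE techniques above map directly onto process-creation and logon telemetry. The following is an added detection example, not code from the original report or from any vendor: it runs simple rules over constructed Sysmon-style process events and Security 4625 logon events. The command-line patterns, field names, sample IPs and the failure threshold are assumptions, not values from the incident.

```python
import re
from collections import Counter

# Rules keyed by the MITRE techniques listed above. The command-line patterns
# are assumptions about the usual form of each behaviour; the page does not
# quote HardBit's exact command lines.
PROCESS_RULES = [
    ("T1047", r"\bwmic(\.exe)?\b.*\bdelete\b"),
    ("T1059.001/T1562.001", r"\bpowershell(\.exe)?\b.*Set-MpPreference.*Disable"),
    ("T1059.003", r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no"),
]

def match_process_events(events):
    """Return (technique, command line) for each Sysmon-style event that matches."""
    hits = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        for tech, pat in PROCESS_RULES:
            if re.search(pat, cmd, re.IGNORECASE):
                hits.append((tech, cmd))
    return hits

def rdp_bruteforce_sources(logon_events, threshold=5):
    """Source IPs with >= threshold failed RDP logons (4625, logon type 10): T1110."""
    counts = Counter(ev["IpAddress"] for ev in logon_events
                     if ev["EventID"] == 4625 and ev["LogonType"] == 10)
    return {ip: n for ip, n in counts.items() if n >= threshold}
# Constructed sample telemetry (not from the incident) using Sysmon Event ID 1
# and Security Event ID 4625 field names; 203.0.113.0/24 is documentation space.
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe \"How To Restore Your Files.txt\""},
]
SAMPLE_LOGON_EVENTS = (
    [{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.7"}] * 6
    + [{"EventID": 4625, "LogonType": 10, "IpAddress": "203.0.113.9"}] * 2
    + [{"EventID": 4624, "LogonType": 10, "IpAddress": "203.0.113.9"}]
)

if __name__ == "__main__":
    for tech, cmd in match_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{tech}] {cmd}")
    print("RDP brute-force candidates:", rdp_bruteforce_sources(SAMPLE_LOGON_EVENTS))
```

In production the same rules would be expressed as Sigma or SIEM queries with parent-process context added, since a bare `wmic ... delete` or `bcdedit` match will also fire on legitimate administration.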

Indicators of Compromise

  • [Domain] – picofile[.]com – Threat actors visited this domain to download NLBrute
  • [File] – Help_me_for_Decrypt.hta – Ransomware dumps message files and decryptor prompts
  • [File] – How To Restore Your Files.txt – Ransomware note/instruction artifact
  • [File] – id_authorization.txt – Decoded authorization ID used to run HardBit
  • [File] – 111.zip – ZIP containing BAT script and Mimikatz binaries
  • [File] – Result.txt – Output from Mimikatz parsed by miparser.vbs
  • [File] – 5-NS new.exe – Malicious network-share scanner used by operators
  • [IP] – {ATTACKER_IP_ADDRESS} – SMB/RDP brute-force activity observed in logs (brute-force proxy evidence)

Read more: https://blogs.blackberry.com/en/2019/10/threat-spotlight-neshta-file-infector-endures