In December 2023, a threat actor used Cobalt Strike beacons and multiple tools like Sharphound and Rubeus to gain access, conduct reconnaissance, and move laterally before deploying BlackSuit ransomware across network shares via SMB and RDP, disrupting the environment over 15 days. (Affected: Enterprise networks, IT infrastructure, Domain Controllers)
Key points:
- Initial intrusion used a large Cobalt Strike beacon (RtWin64.exe) to establish persistence.
- Threat actor performed system and domain enumeration using Windows utilities, Sharphound, and ADFind.
- Credential theft through AS-REP Roasting and Kerberoasting with Rubeus, and through LSASS memory access.
- Lateral movement executed via SMB Admin$ shares, RDP sessions, and pass-the-hash attacks.
- Command and control traffic proxied through CloudFlare and later AWS to mask Cobalt Strike servers.
- SystemBC malware deployed for proxy and persistence functions on file servers.
- Final payload was BlackSuit ransomware (qwe.exe), distributed via SMB C$ shares and executed manually over RDP.
- Ransomware disabled shadow copies before encrypting files, leaving ransom notes on systems.
- Several Sigma detection rules were created to identify attacker tools and behaviors.
- Extensive use of process injection, encoded PowerShell commands, and registry modifications evaded detection and enabled RDP access.
MITRE Techniques:
- Abuse Elevation Control Mechanism (T1548): Using Cobalt Strike's psexec features for remote service creation and execution.
- Archive Collected Data (T1560): Using 7z compression on data output from Get-DataInfo.ps1.
- AS-REP Roasting (T1558.004): Rubeus used to request AS-REP authentication tickets for accounts that do not require pre-authentication.
- Data Encrypted for Impact (T1486): Deployment and execution of BlackSuit ransomware that encrypts files and deletes shadow copies.
- Domain Groups (T1069.002): Sharphound enumerating groups via LDAP and SAM database queries.
- Domain Trust Discovery (T1482): Commands such as nltest used to list domain controllers and trust relationships.
- Inhibit System Recovery (T1490): Ransomware deletes shadow copies using vssadmin.
- Kerberoasting (T1558.003): Rubeus used to request Kerberos service tickets with weak RC4 encryption.
- LSASS Memory (T1003.001): Attackers accessed LSASS memory via injected processes for credential harvesting.
- Malicious File (T1204.002): Execution of malicious binaries including Cobalt Strike beacons and ransomware.
- Modify Registry (T1112): Registry keys altered to enable RDP access and persist the SystemBC backdoor.
- PowerShell (T1059.001): Base64-encoded PowerShell scripts executed for reconnaissance and payload execution.
- Process Injection (T1055): Use of Cobalt Strike to inject code into legitimate processes like mstsc.exe.
- Proxy (T1090): Command and control traffic proxied through CloudFlare and SystemBC.
- Registry Run Keys / Startup Folder (T1547.001): Run key 'socks5' used for persistence with SystemBC.
- Remote Desktop Protocol (T1021.001): Manual RDP sessions for lateral movement and ransomware execution.
- Remote System Discovery (T1018): Discovery commands executed via system utilities and scripts.
- Security Software Discovery (T1518.001): Reconnaissance with Sharphound and ADFind for security group information.
- Service Execution (T1569.002): Cobalt Strike used to install and execute services remotely.
- SMB/Windows Admin Shares (T1021.002): Lateral movement and ransomware distribution via SMB Admin$ and C$ shares.
- Software Discovery (T1518): Queries of the system and AD environment for reconnaissance.
- System Information Discovery (T1082): Commands like systeminfo executed to gather host details.
- Web Protocols (T1071.001): Cobalt Strike C2 over HTTPS and HTTP.
- Windows Command Shell (T1059.003): Bat files and cmd used to execute tools like ADFind.
- Pass the Hash (T1550.002): Use of NTLM hashes for lateral authentication and movement.
Indicators of Compromise:
- The article includes malware hashes for multiple Cobalt Strike beacons, SystemBC implants, AdFind, Sharphound, and BlackSuit ransomware.
- Domain names and IP addresses used for Cobalt Strike command and control servers, such as svchorst[.]com (15.197.130.221) and regsvcast[.]com (147.78.47.178).
- SystemBC C2 IP 137.220.61[.]94 is identified as a proxy server controlled by the threat actors.
- Sysmon event IDs (e.g., 1, 10, 11, 13, 22, 24) and Windows Security event IDs (e.g., 4624, 4768, 4769, 4778, 4779, 5145) are referenced to identify lateral movement, credential access, RDP, and SMB usage.
- Network-based IOCs include SMB share access logs, RDP logon events, and DNS queries to malicious domains.
- PowerShell commands, encoded scripts, and the registry Run key named 'socks5' used for persistence serve as behavioral IOCs.
- Sample IOC hashes: RtWin64.exe (md5:b5266cd35d1b3770b05ad6870c0c4bde), qwe.exe ransomware (md5:0bb61c0cff022e73b7c29dd6f1ccf0e2).
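As an added illustration, not code from the report or from The DFIR Report, the following Python triage pass turns the event IDs listed above and the Kerberos and registry behaviours in the technique list (AS-REP Roasting on 4768, RC4 Kerberoasting on 4769, executables over Admin$/C$ on 5145, the 'socks5' Run key on Sysmon 13) into concrete checks. All event records, hosts, users and paths are constructed for the example; field names mirror the EventData names of the real events.

```python
"""Added example: triage of constructed Windows Security / Sysmon events for the
BlackSuit report behaviours. Sample events are constructed, not real IOCs."""
from dataclasses import dataclass

# Kerberos ticket encryption types as logged in TicketEncryptionType.
WEAK_ETYPES = {"0x17", "0x18"}   # RC4-HMAC / RC4-HMAC-EXP (Kerberoast-friendly)
NO_PREAUTH = "0"                 # 4768 PreAuthType 0 = logon without pre-authentication

@dataclass
class Event:
    event_id: int    # Security 4768/4769/5145 or Sysmon 13
    fields: dict     # field name -> value, mirroring the EventData XML

# Constructed sample events (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    Event(4768, {"TargetUserName": "svc_legacy", "PreAuthType": NO_PREAUTH}),
    Event(4768, {"TargetUserName": "jdoe", "PreAuthType": "2"}),
    Event(4769, {"TargetUserName": "jdoe", "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": "0x17"}),
    Event(4769, {"TargetUserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12"}),
    Event(4769, {"TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"}),
    Event(5145, {"ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "RtWin64.exe", "IpAddress": "10.0.0.5"}),
    Event(5145, {"ShareName": "\\\\*\\C$", "RelativeTargetName": "qwe.exe", "IpAddress": "10.0.0.5"}),
    Event(5145, {"ShareName": "\\\\*\\Finance", "RelativeTargetName": "q1.xlsx", "IpAddress": "10.0.0.9"}),
    Event(13, {"TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\socks5",
               "Details": r"C:\ProgramData\svc.exe"}),
]

def triage(events):
    """Return (technique, detail) findings; each rule mirrors one report behaviour."""
    findings = []
    for e in events:
        f = e.fields
        if e.event_id == 4768 and f.get("PreAuthType") == NO_PREAUTH:
            # TGT issued for an account with pre-auth disabled: the AS-REP Roasting precondition.
            findings.append(("AS-REP Roasting (T1558.004)", f["TargetUserName"]))
        elif e.event_id == 4769 and f.get("TicketEncryptionType") in WEAK_ETYPES:
            svc = f.get("ServiceName", "")
            # krbtgt and computer accounts ($) get RC4 tickets legitimately; skip them.
            if not svc.startswith("krbtgt") and not svc.endswith("$"):
                findings.append(("Kerberoasting (T1558.003)", svc))
        elif e.event_id == 5145:
            share = f.get("ShareName", "").upper().rsplit("\\", 1)[-1]
            if share in {"ADMIN$", "C$"} and f.get("RelativeTargetName", "").lower().endswith(".exe"):
                # Executable staged over an admin share, as with the beacon and qwe.exe.
                findings.append(("SMB admin share executable (T1021.002)", f["RelativeTargetName"]))
        elif e.event_id == 13 and f.get("TargetObject", "").lower().endswith("\\run\\socks5"):
            findings.append(("SystemBC Run key (T1547.001)", f["Details"]))
    return findings
```

On the constructed sample this yields five findings; in production the 4768 rule should be baselined against accounts that legitimately have pre-authentication disabled.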
Read more: https://thedfirreport.com/2024/08/26/blacksuit-ransomware/