Key points
- Initial access came via an email campaign utilizing a 404 TDS drive-by download, redirecting victims through a chain of URLs before a final payload download.
- Truebot was dropped first, then loaded FlawedGrace and Cobalt Strike, with data exfiltration beginning early and continuing during the intrusion.
- FlawedGrace established persistence and privilege escalation through registry modifications, Print Spooler abuse, and creating temporary scheduled tasks that inject into msiexec.exe and svchost.exe.
- A temporary user and RDP tunneling were attempted; the attacker retried the RDP approach but ultimately removed the user after multiple attempts.
- Post-compromise activity included LSASS memory access, pass-the-hash lateral movement, remote execution via Impacket’s atexec, and Cobalt Strike’s jump PsExec for lateral movement.
- MBR Killer wiper was deployed ~29 hours after initial access, overwriting MBR/MFT/VBR/EBR and rendering many hosts inoperable, with exfiltration already completed.
MITRE Techniques
- [T1566.002] Phishing – Initial access via email campaign. Quote: “initial access was obtained through an email campaign.”
- [T1204.002] User Execution – Payload masqueraded as a PDF; user executed it. Quote: “The payload, Document_may_24_16654.exe, imitated a PDF document by using an icon of an Adobe Acrobat document.”
- [T1059.001] PowerShell – Obfuscated PowerShell usage to create tasks and load components. Quote: “in obfuscated PowerShell, where the Schedule.Service COM Object was used to create a new task.”
- [T1053.005] Scheduled Task – Multiple methods to create persistence tasks; random task names. Quote: “three different methods to create new scheduled tasks.”
- [T1055] Process Injection – Beacon DLL injection and signs of injection in various processes (cmd.exe, svchost.exe, msiexec.exe). Quote: “injected module beacon.dll” and “memory of cmd.exe clearly indicated signs of injection.”
- [T1021.002] Remote Services – Lateral movement using PsExec/JUMP; Cobalt Strike module used for movement. Quote: “Cobalt Strike’s jump psexec module to move to new hosts.”
- [T1003.001] OS Credential Dumping – LSASS memory accessed for credential dumping. Quote: “accessed LSASS memory on the beachhead host.”
- [T1550.002] Pass the Hash – Lateral movement using a local administrator hash. Quote: “used a local administrator hash to perform pass-the-hash lateral movement.”
- [T1047] Windows Management Instrumentation – Remote execution/collection via WMIC utilities; remote process queries. Quote: “wmic /node: process get executablepath.”
- [T1069.001/T1069.002] Domain/Local Group Discovery – Discovery of domain admins/domain controllers and local groups; adminr user added to groups. Quote: “adminr… added to the Local Administrators group and Remote Desktop Users group.”
- [T1083/T1087] File and Directory/Account Discovery – Discovery commands (dir, net view, AdFind) and domain user attributes. Quote: “AdFind was used… to collect operating system information and specific attributes from the domain user objects.”
- [T1561.002] Disk Structure Wipe – MBR Killer overwrites MBR/MFT/VBR/EBR and triggers reboot. Quote: “overwrote the MBR (Master Boot Record) and triggered a reboot, rendering the hosts unusable.”
- [T1562.001] Impair Defenses – Disable Windows Defender Real-Time monitoring and add exclusions. Quote: “disable Windows Defender Real-Time monitoring and added exclusions.”
- [T1041] Exfiltration – Data exfiltration occurred in two periods via non-TLS TCP channels. Quote: “two distinct exfiltration periods were observed taking place.” and “The network traffic was not sent over a TLS connection but just the TCP protocol.”
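A defender-side illustration of three of the techniques mapped above (T1047 remote WMIC process queries, T1562.001 Defender tampering, T1053.005 randomly named scheduled tasks). This is an added example, not code from the report or from the intrusion; the event field names and the sample records are constructed assumptions modelled on Sysmon Event ID 1 and Security Event ID 4698.

```python
import re

# Constructed sample events (not from the report): the fields a SIEM would
# normalise from Sysmon Event ID 1 (process creation) and Security Event
# ID 4698 (scheduled task created).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS01",
     "command_line": 'wmic /node:"FS02" process get executablepath'},
    {"event_id": 1, "host": "WS01",
     "command_line": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"event_id": 1, "host": "WS01",
     "command_line": "powershell Add-MpPreference -ExclusionPath C:\\Intel"},
    {"event_id": 4698, "host": "WS01", "task_name": "\\qzvkwnxtbgh"},
    {"event_id": 4698, "host": "WS01",
     "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"event_id": 1, "host": "WS01", "command_line": "notepad.exe notes.txt"},
]

# Command-line rules for process-creation events: (rule name, pattern).
RULES = [
    ("remote_wmic_process_query",
     re.compile(r"\bwmic(\.exe)?\s+/node:", re.IGNORECASE)),
    ("defender_realtime_disabled",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.IGNORECASE)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)),
]

# Heuristic for the task names seen here: a task outside \Microsoft\ whose
# leaf name is a single run of 8+ lowercase letters/digits (a generated name).
RANDOM_TASK_NAME = re.compile(r"^[a-z0-9]{8,}$")


def is_random_task(task_name: str) -> bool:
    if task_name.lower().startswith("\\microsoft\\"):
        return False  # built-in Windows task paths are excluded
    leaf = task_name.rsplit("\\", 1)[-1]
    return bool(RANDOM_TASK_NAME.match(leaf))


def detect(events):
    """Return (rule, host, detail) tuples for every event matching a rule."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            cmd = ev.get("command_line", "")
            for name, pattern in RULES:
                if pattern.search(cmd):
                    alerts.append((name, ev["host"], cmd))
        elif ev["event_id"] == 4698 and is_random_task(ev.get("task_name", "")):
            alerts.append(("random_scheduled_task_name", ev["host"], ev["task_name"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The task-name heuristic is a starting point only; tune the exclusion list and length threshold against your own baseline of legitimate task names before deploying.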
Indicators of Compromise
- [IP] beachhead/C2 IPs – 45.182.189.71, 5.188.86.18, 92.118.36.199, 81.19.135.30, 139.60.160.166 (examples from the report)
- [Domain] C2 and download domains – essadonio.com, ecorfan.org
- [URL] drive-by/downloader URLs – https://ecorfan.org/base/sj/Document_may_24_16654.exe
- [JA3/JA3s] C2 TLS fingerprints – JA3: a0e9f5d64349fb13191bc781f81f42e1; JA3s: f14f2862ee2df5d0f63a88b60c8eee56
- [JARM] Truebot TLS server fingerprint – JARM: 28d28d28d00028d00042d42d0000005a3e96c1dfa4bdb24b8b3c04cae18cc3
- [Hash] Truebot Document_may_24_16654.exe – MD5: 6164e9d297d29aa8682971259da06848; SHA1: 96b95edc1a917912a3181d5105fd5bfad1344de0; SHA256: 717beedcd2431785a0f59d194e47970e9544fbf398d462a305f6ad9a1b1100cb
- [Hash] AdFind.exe – MD5: 12011c44955fd6631113f68a99447515; SHA256: c92c158d7c37fea795114fa6491fe5f145ad2f8c08776b18ae79db811e8e36a3
- [Hash] MBR Killer (chrome.exe) – MD5: 2dc57a3836e4393d4d16c4eb04bf9c7e; SHA256: 121a1f64fff22c4bfcef3f11a23956ed403cdeb9bdb803f9c42763087bd6d94e
- [Hash] Legitimate NSIS System plugin System.dll – MD5: fbe295e5a1acfbd0a6271898f885fe6a; SHA256: a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
- [File] Truebot on-disk path – C:\Intel\RuntimeBroker.exe; C2 contact to 45.182.189.71
- [Certificate] TLS certificate details for essadonio.com – Not Before/Not After dates and issuer fields listed (certificate block included in report)
- [Certificate] TLS fingerprint for Cobalt Strike C2 server – Certificate: 6e:ce:5e:ce:41:92:68:3d:2d:84:e2:5b:0b:a7:e0:4f:9c:b7:eb:7c
Read more: https://thedfirreport.com/2023/06/12/a-truly-graceful-wipe-out/