Blurring the Lines: Intrusion Shows Connection with Three Major Ransomware Gangs

A user-executed malicious EarthTime installer led to deployment of SectopRAT, SystemBC, and later the Betruger backdoor, enabling reconnaissance, credential theft (including DCSync and Veeam credential dumping), lateral movement via RDP/Impacket, and cleartext exfiltration to an FTP host. Artifacts and tooling link the intrusion to multiple ransomware operations—Play, RansomHub, and DragonForce—suggesting a ransomware affiliate operator. #SectopRAT #SystemBC #Betruger #Grixba #Play #RansomHub #DragonForce

Keypoints

  • Initial access via a trojanized EarthTime executable that executed SectopRAT and used MSBuild injection to retrieve C2 configuration from Pastebin.
  • SystemBC (WakeWordEngine.dll / conhost.dll) provided proxy/tunneling for RDP-based lateral movement across domain controllers, backup servers, and file servers.
  • Extensive environment discovery using Grixba (GT_NET.exe / GRB_NET.exe), SharpHound, AdFind, SoftPerfect NetScan, and PowerShell AD queries.
  • Credential access accomplished via information stealers (SectopRAT), DCSync against a domain controller, Veeam database credential dumping, and LSASS access via Betruger.
  • Persistence achieved through BITS file copies, Startup folder shortcuts, and creation of a local administrative account (“Admon”); defense evasion included timestomping, process injection, and disabling Defender via registry edits.
  • Data staging and automated collection used WinRAR and FS64.exe, with exfiltration over unencrypted FTP (144.202.61.209) via WinSCP, exposing credentials in transit.
  • Tooling, metadata impersonation, and leftover netscan outputs link the operator to multiple ransomware groups (Play, RansomHub, DragonForce), indicating affiliate activity rather than a single group.

MITRE Techniques

  • [T1566.002] Malicious File – User executed a trojanized EarthTime installer that dropped SectopRAT and initiated MSBuild injection (“EarthTime.exe spawned cmd.exe … MSBuild.exe … injected into MSBuild.exe”).
  • [T1204.002] Execution via Malicious File – The malicious EarthTime binary executed and wrote SectopRAT to %AppData%\Local\Temp then injected into MSBuild.exe (“SectopRAT binary was written to %AppData%… then injected into the MSBuild.exe process”).
  • [T1127.001] MSBuild – MSBuild.exe was used as a host for injected SectopRAT to retrieve C2 configuration from Pastebin (“MSBuild.exe communicated with 45.141.87.55 … reached out to Pastebin to retrieve its C2 configuration”).
  • [T1090] Proxy – SystemBC (WakeWordEngine.dll/conhost.dll) provided proxy tunneling enabling RDP connections over the established tunnel (“SystemBC was used to establish a tunnel, enabling Remote Desktop Protocol (RDP) access via proxy connections”).
  • [T1021.001] Remote Desktop Protocol – RDP was the primary lateral movement method, with observed logon type patterns and RDP client hostnames used by the adversary (“adversary primarily relied on Remote Desktop Protocol (RDP) for lateral movement … client names … DESKTOP-A1HRTMJ”).
  • [T1047] Windows Management Instrumentation – Grixba and other tooling used WMI/WinRM for network discovery (“Grixba … uses WMI and WinRM to discover users and systems across the network”).
  • [T1046] Network Service Discovery – Network scanning with Grixba, NetScan, and GRB_NET produced DNS queries and connections to RPC/LDAP/RDP ports for discovery (“GT_NET.exe generated 3,861 internal DNS queries … targeted destination port 135 (Microsoft RPC) … 389 (LDAP)”).
  • [T1083] File and Directory Discovery – The threat actor enumerated and opened files on file shares (using wordpad and other binaries) to identify high-value documents for collection (“accessing the contents of multiple files using wordpad.exe … insurance policy document”).
  • [T1119] Automated Collection – FS64.exe automated file collection and produced lists of collected files for staging (“FS64.exe … outputs a .txt file containing the list of collected files … copied multiple .xls, .docx, .pdf files to C:\Users\Public\Music”).
  • [T1560.001] Archive via Utility – WinRAR was used to archive targeted shares prior to exfiltration (“used WinRAR.exe to zip victim files on the file share prior to exfiltration”).
  • [T1048] Exfiltration Over Alternative Protocol – Data exfiltrated over unencrypted FTP to 144.202.61.209 using WinSCP (“transferred the resulting archives to a U.S. based cloud host over unencrypted FTP using WinSCP”).
  • [T1003.006] DCSync – A DCSync attack was performed against a domain controller to obtain credential material (“threat actor completed a DCSync attack against a domain controller”).
  • [T1555] Credentials from Password Stores – PowerShell script queried VeeamBackup DB and used Veeam.Backup.Common.ProtectedStorage to decrypt stored credentials (“script … retrieve Veeam credentials … uses Veeam.Backup.Common.ProtectedStorage to decrypt the encoded passwords”).
  • [T1059.003] Windows Command Shell – Extensive use of cmd.exe for executing tools and scripts during discovery and tool execution (“GT_NET.exe was executed through a cmd.exe parent process … netscan.exe executed from …”).
  • [T1059.001] PowerShell – PowerShell used for Veeam credential extraction and AD discovery commands (“PowerShell script … extract credentials from a Veeam database”, “Import-Module ActiveDirectory; Get-ADComputer …”).
  • [T1136] Create Account – The adversary created a local account ‘Admon’ and added it to Administrators for persistence (“created a local user account called ‘Admon’ … added this newly created account to the local Administrators group”).
  • [T1547.001] Registry Run Keys / Startup Folder – Persistence via copied executable and a Startup folder shortcut created with BITS to execute renamed EarthTime binary (“created a shortcut file ChromeAlt_dbg.lnk … placed it in … Startup … to execute ChromeAlt_dbg.exe”).
  • [T1070.006] Timestomp – The adversary modified file timestamps (ExportData.db) to hinder forensic timelines (“timestomping occurred immediately after GT_NET.exe created the ExportData.db file … choice of a future date (2037)”).
  • [T1562.001] Disable or Modify Tools – Modified Defender policy registry keys to disable Microsoft Defender protections (“attempting to disable Windows Defender’s security features by modifying critical registry keys … HKLM\SOFTWARE\Policies\Microsoft\Windows Defender”).
  • [T1572] Protocol Tunneling – Use of SystemBC for tunneling RDP through proxies facilitating remote access (“SystemBC was used to establish a tunnel, enabling Remote Desktop Protocol (RDP) access via proxy connections”).
  • [T1036] Masquerading – Binaries and metadata forged to impersonate legitimate security products (SentinelOne, Avast) to evade detection (“GT_NET.exe … metadata crafted to impersonate SentinelOne … ccs.exe … metadata mimicking Avast Antivirus”).
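The Keypoints and the technique list above describe several behaviours a defender can hunt for directly: MSBuild.exe talking to an external address, rundll32.exe opening RDP sessions (the SystemBC proxy), Defender policy keys being set, a file stamped with a 2037 date right after creation, a burst of internal DNS lookups from one discovery binary, and a local account added to Administrators. The script below is an added example, not code from The DFIR Report or from any of the tools it names. It runs those rules over constructed sample events; the event schema (dict keys such as "type", "image", "dst_ip") and the sample hostnames, internal IPs and file paths are assumptions made for the example, while 45.141.87.55, ExportData.db, GT_NET.exe and the "Admon" account come from the summary above.

```python
"""Added detection example (not code from The DFIR Report or the tools it names).

Runs behaviour rules drawn from the intrusion summary over constructed sample
events. The event schema is an assumption for this example; map the keys onto
your own EDR or Sysmon fields before reuse.
"""
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DNS_BURST_THRESHOLD = 100  # queries from one process on one host in the sample window


def _is_external(ip: str) -> bool:
    """True for globally routable addresses (not RFC1918, loopback or link-local)."""
    return ipaddress.ip_address(ip).is_global


def _parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(events, dns_threshold=DNS_BURST_THRESHOLD):
    """Return findings as (rule, host, detail) tuples for the given event list."""
    findings = []
    dns_counts = Counter()

    for ev in events:
        host, kind = ev["host"], ev["type"]
        exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]

        if kind == "network":
            # Injected SectopRAT used MSBuild.exe as its host for C2 traffic.
            if exe == "msbuild.exe" and _is_external(ev["dst_ip"]):
                findings.append(("msbuild_external_c2", host, f"{exe} -> {ev['dst_ip']}:{ev['dst_port']}"))
            # SystemBC ran under rundll32.exe and proxied RDP to internal hosts.
            if exe == "rundll32.exe" and ev["dst_port"] == 3389:
                findings.append(("rundll32_rdp_proxy", host, f"{exe} -> {ev['dst_ip']}:3389"))

        elif kind == "registry":
            key = ev["key"]
            leaf = key.rsplit("\\", 1)[-1].lower()
            # Defender policy values named Disable* set to 1 under the policy key.
            if key.lower().startswith(DEFENDER_POLICY_KEY.lower()) and leaf.startswith("disable") and ev.get("value") == 1:
                findings.append(("defender_policy_tamper", host, key))

        elif kind == "file_create":
            # Timestomping to a future date: modification time far past observation time.
            if _parse_ts(ev["mtime"]) > _parse_ts(ev["observed"]) + timedelta(days=1):
                findings.append(("future_timestamp", host, f"{ev['path']} mtime={ev['mtime']}"))

        elif kind == "dns":
            dns_counts[(host, exe)] += 1

        elif kind == "process":
            cmd = ev.get("cmdline", "").lower()
            if "localgroup" in cmd and "administrators" in cmd and "/add" in cmd:
                findings.append(("local_admin_added", host, ev["cmdline"]))

    # Grixba / SharpHound style discovery: many internal lookups from one process.
    for (host, exe), n in dns_counts.items():
        if n >= dns_threshold:
            findings.append(("internal_dns_burst", host, f"{exe} issued {n} queries"))

    return findings


def sample_events():
    """Constructed telemetry modelled on the behaviours described in the report."""
    base = [
        {"type": "network", "host": "WS01",
         "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
         "dst_ip": "45.141.87.55", "dst_port": 443},  # C2 IP from the report's IoC list
        {"type": "network", "host": "WS01", "image": r"C:\Windows\System32\rundll32.exe",
         "dst_ip": "10.10.20.5", "dst_port": 3389},  # constructed internal RDP target
        {"type": "network", "host": "WS01", "image": r"C:\Windows\System32\svchost.exe",
         "dst_ip": "10.10.20.5", "dst_port": 445},  # benign internal SMB, must not fire
        {"type": "registry", "host": "DC01",
         "key": DEFENDER_POLICY_KEY + r"\DisableAntiSpyware", "value": 1},  # value name assumed
        {"type": "file_create", "host": "DC01", "path": r"C:\Temp\ExportData.db",  # path assumed
         "mtime": "2037-01-01T00:00:00Z", "observed": "2025-06-01T12:00:00Z"},
        {"type": "process", "host": "FS01", "image": r"C:\Windows\System32\net.exe",
         "cmdline": "net localgroup Administrators Admon /add"},
    ]
    # A burst of internal A-record lookups from the renamed Grixba binary.
    burst = [{"type": "dns", "host": "DC01", "image": r"C:\Temp\GT_NET.exe",
              "query": f"ws{i:04d}.corp.example"} for i in range(150)]
    return base + burst


if __name__ == "__main__":
    for rule, host, detail in detect(sample_events()):
        print(f"[{rule}] {host}: {detail}")
```

Each rule is deliberately narrow so that a single benign event (the svchost.exe SMB connection in the sample) does not fire; in production the DNS threshold and the one-day timestamp tolerance are the two knobs most worth tuning against your own baseline.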

Indicators of Compromise

  • [IP Address] C2 and infrastructure – 45.141.87.55 (SectopRAT MSBuild C2), 149.28.101.219 (SystemBC C2)
  • [Domain] Betruger C2 / phishing domain – 504e1c95.host.njalla[.]net; additional host 80.78.28.149 linked to ccs.exe
  • [IP Address] Exfiltration target – 144.202.61.209 (attacker FTP server receiving WinRAR archives)
  • [File Name] Malicious installers / payloads – EarthTime.exe (trojanized installer), WakeWordEngine.dll / conhost.dll (SystemBC DLL), ccs.exe (Betruger backdoor)
  • [File Hashes] Sample malware hashes – earthtime.exe (71f703024c3d3bfc409f66bb61f971a0), wakewordengine.dll (e963d598a86c5ee428a2eefa34d1ffbb), ccs.exe (5675a7773f6d3224bfefdc01745f8411) and many others (see computed list for additional hashes)
  • [Filenames / Tools] Recon and tooling artifacts – GT_NET.exe / GRB_NET.exe (Grixba), netscan.exe (SoftPerfect NetScan), sh.exe (renamed SharpHound), adfind.exe, fs64.exe
  • [Network Behavior] Suspicious network patterns – outbound RDP over non-standard tunnel ports (e.g., rundll32.exe connecting to internal RDP hosts), high volumes of internal DNS A queries from Grixba/SharpHound

Read more: https://thedfirreport.com/2025/09/08/blurring-the-lines-intrusion-shows-connection-with-three-major-ransomware-gangs