Trend Micro analyzed an LV ransomware intrusion tied to ProxyShell and ProxyLogon exploits affecting a Jordan-based company, highlighting double-extortion and expanding affiliate activity. The report details the infection chain—from Exchange vulnerabilities and web shells to PowerShell backdoors, domain controller abuse, and data exfiltration via tunneling tools. #LVransomware #ProxyShell #ProxyLogon #REvil #Semikron #Mimikatz #Gost
Keypoints
- LV ransomware operates as a RaaS program with ties to REvil/Sodinokibi origins, though the exact relationship remains unverified and the LV team likely repurposed REvil binaries with modified configurations.
- Activity surrounding LV ransomware has surged since Q2 2022, with expanding affiliate programs and broader targeting across regions and industries.
- Attacks commonly employ a double-extortion approach: encrypting data and threatening to leak stolen information.
- The observed intrusion chain includes ProxyShell/ProxyLogon exploitation to gain initial access, dropping a web shell, and installing a PowerShell-based backdoor from a malicious host (185.82.219.201).
- Credential access and discovery stages relied on Mimikatz, NetScan, and Advanced Port Scanner, followed by RDP-based domain administrator access and the creation of a malicious GPO to deploy ransomware.
- Malware deployment involved a malicious scheduled task and batch files to disable security tools, with subsequent deletion of the scripts folder and ransom note deployment.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The ProxyShell/ProxyLogon vulnerabilities were exploited to gain initial access to the targeted environment’s Exchange servers. Quote: “…proxy shell exploitation.”
- [T1505.003] Web Shell – A web shell file was dropped in public access folders as part of the initial access. Quote: “…web shell file was dropped in the public access folders in early September 2022 via ProxyShell exploitation.”
- [T1059.001] PowerShell – The attacker executed persistent malicious PowerShell code during the intrusion. Quote: “The attacker then executed a persistent malicious PowerShell code …”
- [T1105] Ingress Tool Transfer – The PowerShell backdoor was downloaded/executed from a remote source (IP 185.82.219.201). Quote: “…download and execute another PowerShell backdoor file in the server from the malicious IP address 185[.]82[.]219[.]201.”
- [T1041] Exfiltration Over C2 Channel – A tunneling tool hosted on the attacker infrastructure was used for data exfiltration. Quote: “the tunneling tool that we believe was used for data exfiltration.”
- [T1003] Credential Dumping – Mimikatz was used to dump credentials. Quote: “the attackers used Mimikatz to dump credentials.”
- [T1046] Network Service Scanning – NetScan and Advanced Port Scanner were used for discovery. Quote: “NetScan and Advanced Port Scanner were used for discovery.”
- [T1021.001] Remote Desktop Protocol – Access to the domain controller via RDP using a compromised domain administrator account. Quote: “gained access to the domain controller via remote desktop protocol (RDP) using the compromised account of the domain administrator.”
- [T1053.005] Scheduled Task – A malicious scheduled task was created to deploy ransomware. Quote: “malicious scheduled task … to execute ransomware from the shared folder hosted on the Domain Controller server.”
- [T1562.001] Impair Defenses – The install.bat batch file disabled security agent services on targeted machines. Quote: “…‘install.bat’ file … to disable the security agent services found on the targeted machines.”
- [T1070.004] File Deletion – After deploying ransomware, the attackers deleted the scripts folder to cover tracks. Quote: “the attacker deleted the scripts folder that contained the malicious file samples.”
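A defender-side check for the deployment pattern described in the T1053.005 and T1562.001 entries above (an executable or batch file launched from a share on the domain controller, followed by endpoint-security services being stopped on the same host). This is an added example, not code from the Trend Micro report; the host names, the DC01 domain controller, the pipe-delimited log format and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed domain controller host names for this environment (constructed).
DC_HOSTS = {"DC01"}

# Constructed sample events, not taken from the report. Format: time|host|source|message
SAMPLE_LOGS = [
    r"2022-09-05T10:01:12|WS01|TaskScheduler|Task registered: \\DC01\scripts\enc_.exe",
    r"2022-09-05T10:01:20|WS01|Process|cmd.exe /c \\DC01\scripts\install.bat",
    r"2022-09-05T10:01:21|WS01|Process|net stop SecurityAgentSvc",
    r"2022-09-05T10:01:22|WS01|Process|sc stop EdrSensorSvc",
    r"2022-09-05T10:02:00|WS02|TaskScheduler|Task registered: C:\Windows\System32\backup.exe",
    r"2022-09-05T10:03:00|WS03|Process|net stop Spooler",
]

# \\HOST\share\path  -> group(1) is the full UNC path, group(2) the server name
UNC_PATH_RE = re.compile(r"(\\\\([A-Za-z0-9._-]+)\\\S+)")
# "net stop <svc>" or "sc stop <svc>" -> group(1) is the service name
SVC_STOP_RE = re.compile(r"\b(?:net|sc(?:\.exe)?)\s+stop\s+(\S+)", re.I)
# Crude name-based hint that the stopped service is a security product (assumption)
SECURITY_SVC_RE = re.compile(r"security|edr|defend|antivirus|sensor", re.I)


def analyze(lines):
    """Return one (host, rule, detail) alert per event matching either rule."""
    alerts = []
    for line in lines:
        _ts, host, _source, msg = line.split("|", 3)
        unc = UNC_PATH_RE.search(msg)
        if unc and unc.group(2).upper() in DC_HOSTS:
            alerts.append((host, "exec_from_dc_share", unc.group(1)))
        stop = SVC_STOP_RE.search(msg)
        if stop and SECURITY_SVC_RE.search(stop.group(1)):
            alerts.append((host, "security_service_stop", stop.group(1)))
    return alerts


def deployment_hosts(alerts):
    """Hosts where both rules fired: the combination seen in the LV deployment chain."""
    rules_by_host = defaultdict(set)
    for host, rule, _detail in alerts:
        rules_by_host[host].add(rule)
    return sorted(h for h, r in rules_by_host.items()
                  if {"exec_from_dc_share", "security_service_stop"} <= r)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for alert in found:
        print(alert)
    print("hosts matching full deployment pattern:", deployment_hosts(found))
```

A single rule on its own (an admin stopping the print spooler, or a legitimate logon script on a DC share) is noisy; the value is in correlating both on one host within a short window.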
Indicators of Compromise
- [IP Address] – 138.199.47.184, 195.242.213.155, and other ProxyShell-related hosts (e.g., 213.232.87.177, 91.132.138.213, 91.132.138.221)
- [SHA-1] – fc0d749c75ccd5bd8811b98dd055f9fa287286f7, B8FF09ABEAD5BAF707B40C84CAF58A3A46F1E05A, 2e02a6858b4e8dd8b4bb1691b87bc7d5545297bc (and other hashes listed in the table)
- [Filename] – enc_.exe, 2.txt, 3.txt, l7dm4566n-README.txt, 1.bat, no.txt, Shortcuts.xml, powershell code.txt, and backdoor PowerShell variants
- [URL / IP] – 185.82.219.201 (the host serving the PowerShell backdoor), 185.82.217.131 (and other IPs noted as probing/hosting components)
Read more: https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html