Nitrogen Campaign Drops Sliver and Ends with BlackCat Ransomware

In November 2023, the Nitrogen campaign began with a malvertising drive-by download of a trojanized Advanced IP Scanner, followed by the loading of Sliver and Cobalt Strike beacons and, after data exfiltration with Restic, deployment of BlackCat ransomware across the domain. The operation spanned eight days (Time to Ransomware ~156 hours), and six private rules were added to a ruleset; Nitrogen, Sliver, Cobalt Strike, Restic, and BlackCat were central to the intrusion. #Nitrogen #Sliver #CobaltStrike #Restic #BlackCat #AdvancedIPScanner

Keypoints

  • The intrusion started when a user downloaded a malicious version of Advanced IP Scanner hosted on a fraudulent site.
  • Nitrogen malware deployed Sliver and Cobalt Strike beacons on the beachhead host.
  • Post-exploitation involved network enumeration with PowerSploit, SharpHound, and native Windows utilities.
  • Lateral movement followed the harvesting of domain credentials and was carried out with Impacket.
  • Data exfiltration used the Restic backup tool to a remote Bulgarian server.
  • BlackCat ransomware was deployed across the domain after modifying a privileged user password and using PsExec for distribution.
  • The incident lasted eight days, with a Time to Ransomware of about 156 hours, and six rules were added to a Private Ruleset.

MITRE Techniques

  • [T1189] Drive-by Compromise – Malicious version of Advanced IP Scanner downloaded via a fraudulent website. – “Malicious version of Advanced IP Scanner downloaded via a fraudulent website.”
  • [T1562.001] Impair Defenses – Bypassing AMSI, WLDP, and ETW. – “Bypassing AMSI, WLDP, and ETW.”
  • [T1574.002] DLL Side-Loading – Nitrogen loads a hidden Python DLL to execute code. – “The hidden python311.dll was loaded (DLL sideloading) and the Nitrogen code was launched.”
  • [T1059.001] PowerShell – PowerShell-based discovery using PowerView during initial access. – “PowerView was loaded in memory to perform further discovery activities. This action was identified through PowerShell Script Block Logging.”
  • [T1069.001] Local Groups – Discover local admins via PowerView. – “PowerView was used to: Gather the local admins.”
  • [T1018] Remote System Discovery – Discovery of network resources and user accounts using various tools. – “Discovery of network resources and user accounts using various tools.”
  • [T1047] Windows Management Instrumentation – Lateral movement using Impacket’s wmiexec. – “Lateral movement using Impacket’s wmiexec.”
  • [T1021.001] Remote Desktop Protocol – Interacting with other systems via a Cobalt Strike beacon injected into winlogon.exe. – “Remote Desktop Protocol … interacting with other systems such as a file server through a Cobalt Strike beacon which was injected into winlogon.exe.”
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement and file/tool transfer via SMB/Windows Admin Shares. – “SMB and Windows copy utility” and “distributing the BlackCat ransomware binary across the network using SMB and the Windows copy utility.”
  • [T1053.005] Scheduled Task – Creation of scheduled tasks for persistence on compromised hosts. – “Creation of scheduled tasks for persistence on compromised hosts.”
  • [T1547.001] Registry Run Keys/Startup Folder – Registry-based persistence via UserInit/Run keys. – “registry run key to launch the ransomware binary upon reboot.”
  • [T1562.009] Safe Mode Boot – Safe Mode with Networking to facilitate ransomware execution. – “set all hosts to restart in safe mode with networking.”
  • [T1003.001] LSASS Memory – Dumping credentials from LSASS for lateral movement. – “dump domain credentials from LSASS.”
  • [T1055] Process Injection – Sliver and Cobalt Strike beacons injected into memory. – “Injection of Sliver and Cobalt Strike beacons into memory.”
  • [T1070.001] Clear Windows Event Logs – Ransomware execution included log clearing. – “clearing of various event logs while the hosts were in safe mode.”
  • [T1569.002] Service Execution – PsExec used to execute on remote hosts. – “distributed the BlackCat ransomware binary across the network using SMB and the Windows copy utility” (PsExec-based execution observed elsewhere).
  • [T1059.003] Windows Command Shell – Use of cmd.exe to run batch scripts and commands. – Various references to batch scripts and cmd execution throughout the activity.
  • [T1087.001] Local Groups – BloodHound/PowerView discovery of domain admin paths. – (BloodHound collection to identify paths to escalate privileges to domain admin).

Indicators of Compromise

  • [IP] 91.92.250.65, 91.92.250.60 – Cobalt Strike command-and-control servers in Bulgaria; used during lateral movement.
  • [IP] 194.49.94.18:8443, 194.169.175.134:8443 – Sliver/Cobalt Strike C2 servers with invalid certificates; hosted in the Netherlands.
  • [IP] 195.123.226.84:8000 – Restic backup repository/exfiltration server (Bulgarian-based).
  • [File name] setup.exe – Executable posing as a legitimate installer; sideloads the hidden malicious Python DLL (python311.dll) that launches the Nitrogen loader.
  • [File name] Version.zip – ZIP containing the malicious loader components.
  • [File name] UpdateEdge.bat – Batch script used for persistence; registry Run key and Safe Boot manipulation.
  • [File name] UpdateEG.bat – Additional batch script used in persistence chain.
  • [Hash] DBF5F56998705C37076B6CAE5D0BFB4D – Included in Version.zip; used for artifact identification.
  • [Hash] E6AB3C595AC703AFD94618D1CA1B8EBCE623B21F – Included in Version.zip; used for artifact identification.
  • [Hash] EB64862F1C8464CA3D03CF0A4AC608F4 – Included in wo14.py/Cobalt Strike loader artifacts.
  • [Hash] 6F43E6388B64998B7AA7411104B955A8949C4C63 – Included in loader artifacts.
  • [Certificate] Serial 1657766544761773100 – Untrusted certificate associated with C2 servers; used in FOFA/metadata observations.

Read more: https://thedfirreport.com/2024/09/30/nitrogen-campaign-drops-sliver-and-ends-with-blackcat-ransomware/