Keypoints
- Initial access via malvertising: sponsored search ads redirected a user to a spoofed Wireshark site (wireshhark[.]com) that served the Nitrogen Python dropper.
- Nitrogen acted as a backdoor/dropper, installing C2 implants such as Cobalt Strike and Sliver, evidenced by DNS and SSL C2 activity.
- An IT team member’s device was used to distribute Python payloads across the network via SMB and WMI and to deploy PsExec for lateral movement.
- Darktrace DETECT flagged anomalous SMB writes and masqueraded executables; Cyber AI Analyst autonomously linked these events into a single incident timeline.
- Attackers used SSL (ports 443/8443) to contact C2 servers (e.g., 194.169.175[.]132, 194.180.48[.]169), performed reconnaissance (port and IP scans), exfiltrated data, and pulled a payload from GitHub.
- Ransomware (ALPHV/BlackCat) was detonated against the VMware environment ~24 hours after initial access, encrypting vCenter and VMs; RESPOND was not configured to act on servers, limiting automated containment.
MITRE Techniques
- [T1583.008] Acquire Infrastructure – Malvertising was used to provision infrastructure and lure victims (‘malvertising’ to deliver a Python-based backdoor-dropper known as ‘Nitrogen’).
- [T1189] Drive-by Compromise – Users were redirected by sponsored search results to a spoofed download site, resulting in an unintended malware download (‘redirected to the website, wireshhark[.]com … users unintentionally installed a malware sample’).
- [T1204.002] User Execution: Malicious File – The attack relied on user-initiated downloads/execution of malicious installers from an impersonation site (‘Users’ attempts to download software … resulted in the delivery of a backdoor-dropping malware sample dubbed ‘Nitrogen’’).
- [T1569.002] System Services: Service Execution – The adversary used service/execution mechanisms to run delivered payloads and tools across systems (‘distributing the Windows Sys-Internals tool, PsExec, likely in an attempt to facilitate their lateral movement’).
- [T1047] Windows Management Instrumentation – WMI was used to distribute Python payloads and execute actions remotely (‘abuse the privileged account credentials to spread Python payloads across the network via SMB and the Windows Management Instrumentation (WMI) service’).
- [T1036.005] Masquerading: Match Legitimate Name or Location – Executables were disguised to resemble legitimate files to evade detection (‘executable files being distributed were attempting to masquerade as a different file type’).
- [T1018] Remote System Discovery – The attacker performed discovery of remote systems to identify targets for lateral movement (‘identified the attacker moving laterally to an internal SQL server and an internal domain controller’).
- [T1046] Network Service Discovery – The adversary conducted network/port scanning to map services (‘conduct network reconnaissance (primarily port scanning)’).
- [T1021.002] Remote Services: SMB/Windows Admin Shares – SMB was used to transfer payloads and propagate across the environment (‘spread Python payloads across the network via SMB’).
- [T1570] Lateral Tool Transfer – Tools and payloads (Python executables, PsExec) were transferred between hosts to enable lateral movement (‘distributing the Windows Sys-Internals tool, PsExec … distribute Python payloads to an internal domain controller’).
- [T1071.001] Application Layer Protocol: Web Protocols – C2 communication occurred over HTTPS/SSL to web endpoints (‘C2 connections were made over SSL on ports 443 and 8443’).
- [T1573.002] Encrypted Channel: Asymmetric Cryptography – Encrypted C2 channels were used for command and control communications (C2 over SSL; the asymmetric-cryptography sub-technique is inferred from the use of TLS rather than directly observed).
- [T1571] Non-Standard Port – C2 traffic used a port outside the standard HTTPS port (8443 alongside 443 for SSL C2 connections).
- [T1105] Ingress Tool Transfer – The attacker transferred additional payloads from external sources into the network (‘transfer a payload from GitHub to the domain controller’).
- [T1041] Exfiltration Over C2 Channel – Data was exfiltrated to the attacker over established C2 connections (‘exfiltrate data from the domain controller’).
- [T1486] Data Encrypted for Impact – The adversary detonated ransomware to encrypt VMware vCenter and virtual machines (‘detonating ransomware with the organization’s VMware environment … encryption of the customer’s VMware vCenter server and VMware virtual machines’).
Indicators of Compromise
- [Domain] Malicious/impersonation domains used in initial access – wireshhark[.]com, allpcsoftware[.]com
- [Domain/C2] C2 and redirect infrastructure – pse[.]ac (associated with C2 DNS responses to 194.169.175[.]132)
- [IP] Cobalt Strike C2 and other endpoints – 194.169.175[.]132, 194.180.48[.]169 (and 193.42.33[.]14, 141.98.6[.]195)
- [File/Tool] Payloads and lateral movement tools – Python-based executables (Nitrogen payloads), PsExec
- [Hostname/Service] Spoofed software distribution names – references to wireshark[.]org vs wireshhark[.]com used to bait victims
In this incident the intrusion chain began with malvertising: sponsored search ads redirected a user attempting to download Wireshark to a spoofed site (wireshhark[.]com) which delivered the Nitrogen Python dropper. Nitrogen dropped C2-capable implants (Cobalt Strike/Sliver) as evidenced by DNS lookups and subsequent SSL connections to external C2 servers (pse[.]ac resolving to 194.169.175[.]132 and later 194.180.48[.]169), with C2 traffic observed over SSL on ports 443 and 8443.
Once the attacker obtained hands-on-keyboard access via the compromised IT desktop, they abused privileged credentials to propagate Python payloads across the network using SMB and WMI, deployed PsExec to assist lateral movement, and executed discovery (port/IP scanning) and privilege escalation. Internal hosts that received the Python payloads immediately reached out to Cobalt Strike C2, and the adversary used those footholds to exfiltrate data to C2 and to fetch additional payloads from GitHub.
Roughly 24 hours after initial access, the attacker detonated ALPHV (BlackCat) ransomware against the VMware environment, encrypting the vCenter server and virtual machines. On the detection side, Darktrace DETECT flagged anomalous SMB writes and masqueraded executables while Cyber AI Analyst automatically correlated SMB writes, C2 connections, and lateral movement into a coherent incident timeline; however, automated containment via RESPOND was not fully configured for servers, which allowed the attack to progress to ransomware detonation.
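The three detections the narrative leans on (a PE image written under a non-executable extension, one host writing to many admin shares over SMB, and a lookup for a typosquat such as wireshhark[.]com) can be expressed as simple rules over host telemetry. The block below is an added illustration, not Darktrace's logic or data from the incident; the hosts, paths and thresholds are constructed.

```python
import re
from collections import defaultdict
# Constructed sample telemetry modelled on the narrative (invented hosts/paths, not real data):
# each SMB write records source, destination, UNC path and the file's leading bytes.
SMB_WRITES = [
    {"src": "10.0.5.23", "dst": "10.0.5.40", "path": r"\\10.0.5.40\ADMIN$\update.txt", "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.5.23", "dst": "10.0.5.41", "path": r"\\10.0.5.41\C$\Temp\notes.pdf", "head": b"%PDF-1.7\n"},
    {"src": "10.0.5.23", "dst": "10.0.5.42", "path": r"\\10.0.5.42\ADMIN$\PsExec.exe", "head": b"MZ\x90\x00\x03"},
    {"src": "10.0.5.77", "dst": "10.0.5.40", "path": r"\\10.0.5.40\shared\Q3.xlsx", "head": b"PK\x03\x04"},
]
DNS_QUERIES = ["wireshark.org", "wireshhark.com", "allpcsoftware.com", "github.com"]
PROTECTED_DOMAINS = ["wireshark.org"]  # brands whose downloads the organisation relies on
EXEC_EXTENSIONS = {"exe", "dll", "sys", "scr", "com"}

def is_masqueraded_executable(event):
    """PE image (MZ header) written under an extension that claims a non-executable type."""
    ext = event["path"].rsplit(".", 1)[-1].lower() if "." in event["path"] else ""
    return event["head"].startswith(b"MZ") and ext not in EXEC_EXTENSIONS

def admin_share_fanout(events, threshold=3):
    """Sources that wrote files to at least `threshold` distinct hosts via ADMIN$/drive$ shares."""
    targets = defaultdict(set)
    for ev in events:
        if re.search(r"\\(?:ADMIN|[A-Z])\$\\", ev["path"]):
            targets[ev["src"]].add(ev["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}

def levenshtein(a, b):
    """Edit distance in the plain dynamic-programming form; inputs here are short labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(domain, protected=PROTECTED_DOMAINS, max_dist=2):
    """Protected brand whose second-level label the queried domain imitates, else None."""
    label = domain.lower().split(".")[-2]
    for brand in protected:
        brand_label = brand.lower().split(".")[-2]
        if label != brand_label and levenshtein(label, brand_label) <= max_dist:
            return brand
    return None

if __name__ == "__main__":
    print("masqueraded PE:", [ev["path"] for ev in SMB_WRITES if is_masqueraded_executable(ev)])
    print("admin-share fan-out:", admin_share_fanout(SMB_WRITES))
    print("typosquat lookups:", {q: typosquat_of(q) for q in DNS_QUERIES if typosquat_of(q)})
```

The fan-out rule is the network-side counterpart of the SMB-write alerts described above; a legitimate management host will also trip it, so it is a correlation input rather than a verdict on its own.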
Read more: https://darktrace.com/blog/no-bad-luck-for-darktrace-combatting-alphv-blackcat-ransomware