Threat Research

Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants

Picussecurity
Retail Under Fire: Inside the DragonForce Ransomware Attacks on Industry Giants
EXTRACT IOC
DragonForce is a new Ransomware-as-a-Service (RaaS) group that emerged in 2023, known for recruiting affiliates and executing ransomware attacks, particularly targeting UK retailers. They utilize various sophisticated tactics, including social engineering and advanced malware techniques, to maximize financial gain and disrupt services.
Affected: Retail sector, UK retailers

Keypoints :

  • DragonForce operates as a Ransomware-as-a-Service (RaaS) cartel since late 2023, recruiting affiliate hackers.
  • The group is financially motivated, claiming to follow a moral code regarding certain targets.
  • Recent attacks targeted prominent UK retailers, including Marks & Spencer, Co-op Group, and Harrods.
  • DragonForce uses social engineering and credential theft for initial access to victim networks.
  • They leverage advanced tactics and tools, such as PowerShell, Cobalt Strike, and credential dumping to facilitate attacks.
  • The group employs packaged malware and evasion techniques to bypass defenses and maintain persistence.
  • Data exfiltration and encryption are crucial aspects of their attacks, crippling vital operations for victims.

MITRE Techniques :

  • Initial Access (TA0001): Utilizing social engineering and phishing (T1566) to gain entry.
  • Valid Accounts (T1078): Utilizing legitimate account credentials for unauthorized access.
  • Execution (TA0002): Executing malware using PowerShell scripts (T1059.001) and user execution techniques (T1204.002).
  • Persistence: Leveraging registry run keys (T1547.001) and scheduled tasks (T1053.005) for persistence.
  • Defense Evasion: Disabling security tools (T1562.001) and clearing event logs (T1070.001).
  • Credential Access: Credential dumping from LSASS memory (T1003.001).
  • Discovery: Network discovery (T1016), active directory querying (T1482), and file/directory discovery (T1083).
  • Lateral Movement: Abusing Remote Desktop Protocol (T1021.001) and SMB/Windows Admin Shares (T1021.002) for internal traversal.
  • Command and Control: Using C2 over web protocols (T1071.001) for communication.
  • Exfiltration: Data exfiltration techniques, including using cloud services or command-line tools for data leakage.
  • Impact: File encryption for impact (T1486) and inhibiting system recovery (T1490).

Indicator of Compromise :

  • [Domain] dragonforce[.]com
  • [IP Address] 185[.]73[.]125[.]8
  • [Hash] hxxp://185[.]73[.]125[.]8[:]80/a67
  • [Email Address] attacker@example[.]com
  • [URL] hxxp://malicious[. ]com/path

Full Story: https://www.picussecurity.com/resource/blog/dragonforce-ransomware-attacks-retail-giants

Views: 109

Tags: SOCIAL ENGINEERING, PASSWORD, LINUX, VIRUS, PRIVILEGE, EXFILTRATION, TOOL, IMPACT