DragonForce-linked RaaS activity in a manufacturing case began with internal network scanning and brute-force attempts against administrator accounts, progressed through privileged Kerberos and SMB usage, and included SSH data exfiltration to 45.135.232[.]229 (ASN AS198953 Proton66 OOO) before culminating in SMB-based file encryption with a .df_win extension and a “readme.txt” ransom note. Darktrace observed OpenVAS user-agent strings, suspicious Windows Registry changes affecting WMI and scheduled tasks, and NetScan-associated “delete.me” files, but because Autonomous Response was not enabled the intrusion was able to advance. #DragonForce #Proton66
Key points
- Initial compromise progressed through internal network scanning and brute-force attempts targeting administrator-like accounts (e.g., “administrator”, “Admin”, “rdpadmin”, “ftpadmin”).
- An OpenVAS user agent (“OpenVAS-VT”) and the deletion of “delete.me” files indicated active vulnerability scanning and NetScan activity during reconnaissance.
- Suspicious Windows Registry operations targeted Schedule\TaskCache\Tasks and Control\WMI\Security, consistent with attempts to establish persistence via scheduled tasks and changes to WMI access controls.
- Privileged “administrator” credentials were used for the first time in Kerberos and SMB sessions, suggesting successful credential compromise and lateral movement.
- Data exfiltration occurred over SSH to 45.135.232[.]229 (AS198953 Proton66 OOO), which OSINT showed hosting an IIS Manager console and linked to prior malicious activity.
- Ransomware payloads encrypted files with the “.df_win” extension and dropped “readme.txt” ransom notes referencing DragonForce; Darktrace detected these through SMB Write/Move events.
MITRE Techniques
- [T1046] Network Service Scanning – Used to discover internal hosts and services during reconnaissance (“internal network scanning”).
- [T1110] Brute Force – Employed against administrator accounts to gain credentials (“brute-force attempts targeting administrator credential, including ‘administrator’, ‘Admin’, ‘rdpadmin’, ‘ftpadmin’”).
- [T1595] Active Scanning – Vulnerability scanning activity observed via an OpenVAS user agent, indicating active scanning of devices (“user agent string ‘OpenVAS-VT’”).
- [T1053] Scheduled Task/Job – Registry and TaskCache changes indicate creation or modification of scheduled tasks for persistence (“Schedule\TaskCache\Tasks contains subkeys for individual tasks…”).
- [T1047] Windows Management Instrumentation – WMI-related registry modifications used to alter access controls and enable persistence (“Control\WMI\Security holds security descriptors for WMI providers”).
- [T1078] Valid Accounts – Use of legitimate privileged credentials for authentication and lateral movement (“detected the device using a highly privileged credential, ‘administrator’, via a successful Kerberos login”).
- [T1021.002] SMB/Windows Admin Shares – SMB sessions used for lateral movement and to perform file operations during encryption (“devices were later observed connecting to internal devices via SMB and performing… file encryption”).
- [T1486] Data Encrypted for Impact – Files were encrypted and renamed with a DragonForce-associated extension, and ransom notes were dropped (“files with the ‘.df_win’ extension… ‘readme.txt’ ransom note”).
- [T1041] Exfiltration Over C2 Channel – Data exfiltration over SSH to an external malicious endpoint (45.135.232[.]229) prior to encryption (“exfiltrating data to the malicious IP 45.135.232[.]229 via SSH connections”).
- [T1190] Exploit Public-Facing Application – Initial access likely included exploitation of public-facing applications and web shells, as previously used by affiliates (“exploitation of public-facing applications with known vulnerabilities, web shells”).
Indicators of Compromise
- [IP Address] Data exfiltration endpoint – 45.135.232[.]229 (SSH destination used for large outbound transfers).
- [ASN / Hosting] Malicious hosting provider – AS198953 Proton66 OOO (associated with scanning, exploitation, and C2 activity linked to the endpoint).
- [File Name] Ransom note and scanning artifacts – readme.txt (ransom note dropped to inetpub/wwwroot paths), delete.me (NetScan-associated file deleted over SMB).
- [File Extension] Encryption marker – .df_win (file extension observed on encrypted files during SMB write/move operations).
- [User-Agent] Vulnerability scanner identifier – “OpenVAS-VT” (HTTP user agent observed, indicating OpenVAS scanning activity).
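The indicators above can be turned into a simple hunting check. The following is an added example, not Darktrace's own detection logic: it parses constructed sample events in a hypothetical key=value format and groups the matches per source host, so the reconnaissance, exfiltration and impact stages of the intrusion described on this page show up together for one host.

```python
import re
# Indicators quoted from the summary above (the IP appears there in defanged form)
EXFIL_IP, ENCRYPTED_EXT = "45.135.232.229", ".df_win"
RANSOM_NOTE, NETSCAN_FILE, SCANNER_UA = "readme.txt", "delete.me", "OpenVAS-VT"
# Constructed sample events in a hypothetical key=value format (not Darktrace's own log schema);
# 10.0.0.5 walks the whole chain, 10.0.0.7 is ordinary SMB traffic
SAMPLE_EVENTS = """\
ts=2024-01-01T10:00:01 src=10.0.0.5 dst=10.0.0.20 proto=http user_agent="OpenVAS-VT" path=/
ts=2024-01-01T10:05:12 src=10.0.0.5 dst=10.0.0.21 proto=smb op=delete path=C$\\Windows\\delete.me
ts=2024-01-01T11:30:00 src=10.0.0.5 dst=45.135.232.229 proto=ssh dport=22 bytes_out=734003200
ts=2024-01-01T12:00:03 src=10.0.0.5 dst=10.0.0.22 proto=smb op=move path=D$\\share\\invoice.xlsx.df_win
ts=2024-01-01T12:00:04 src=10.0.0.5 dst=10.0.0.22 proto=smb op=write path=C$\\inetpub\\wwwroot\\readme.txt
ts=2024-01-01T12:00:05 src=10.0.0.7 dst=10.0.0.23 proto=smb op=write path=D$\\share\\report.docx
"""
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in KV_RE.findall(line)}

def classify(ev):
    """Return the stage:indicator labels an event matches, e.g. 'impact:df_win_encryption'."""
    hits = []
    proto, op = ev.get("proto"), ev.get("op")
    name = ev.get("path", "").lower().rsplit("\\", 1)[-1]  # file name part of an SMB path
    if SCANNER_UA.lower() in ev.get("user_agent", "").lower():
        hits.append("recon:openvas_scan")
    if proto == "smb" and op == "delete" and name == NETSCAN_FILE:
        hits.append("recon:netscan_delete_me")
    if proto == "ssh" and ev.get("dst") == EXFIL_IP:
        hits.append("exfil:ssh_to_proton66_ip")
    if proto == "smb" and op in ("write", "move") and name.endswith(ENCRYPTED_EXT):
        hits.append("impact:df_win_encryption")
    if proto == "smb" and op == "write" and name == RANSOM_NOTE:
        hits.append("impact:ransom_note")  # noisy alone; meaningful beside .df_win writes
    return hits

def hunt(log_text):
    """Group matched labels per source host so the recon -> exfil -> impact progression is visible."""
    timeline = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        for label in classify(ev):
            timeline.setdefault(ev["src"], []).append((ev["ts"], label))
    return timeline

def hosts_with_full_chain(timeline):
    """Hosts whose matches span all three stages of the chain described above."""
    return sorted(h for h, evs in timeline.items()
                  if {lab.split(":")[0] for _, lab in evs} >= {"recon", "exfil", "impact"})
```

Running `hunt(SAMPLE_EVENTS)` lists each matched event per host, and `hosts_with_full_chain` narrows that to hosts that touched all three stages, which is the escalation point an analyst would want surfaced first.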