Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk.
Attempted to steal passwords and tried to access backup servers.

It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining initial access to domain administrator privileges and started establishing backdoors and persistence.

The following chart represents how the infection starts. The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately, dropping the payload, typically a backdoor.

In summary, the malicious actor uses the following malvertising infection chain:

A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term “WinSCP Download” on the Bing search bar.
Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
Once the user selects the “Download” button, this begins the download of an ISO file to their system.

On Twitter, user first spotted the same infection chain mimicking the AnyDesk application.

Once the user mounts the ISO, it contains two files, setup.exe and msi.dll. We list the details of these two files here:

Setup.exe: A renamed msiexec.exe executable.
Msi.dll: A delayed-loaded DLL (not loaded until a user’s code attempts to reference a symbol contained within the DLL) that will act as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons.

The threat actor used a few other tools for discovery in the customer's environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind can be misused for enumeration of user accounts, privilege escalation, and even password hash extraction. In this case, the threat actor used it to fetch information on the operating system using the command adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName. The command specifies that it wants to retrieve the values of the name, common name (CN), operating system, and dNSHostName attributes for each computer object and output its result in a CSV format.

The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:

Get-ADUser -Filter * -Properties * | Select -Property EmailAddress,GivenName,Surname,DisplayName,sAMAccountName,Title,Department,OfficePhone,MobilePhone,Fax,Enabled,LastLogonDate | Export-CSV "C:\users\public\music\ADusers.csv" -NoTypeInformation -Encoding UTF8

We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows.
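As an added example (not part of the original report or any vendor tooling), the following Python scans process-creation records for the three discovery behaviours described above: AdFind computer enumeration, a Get-ADUser export to CSV, and AccessChk execution. The record format (host|user|command line) and the sample command lines are constructed assumptions; an export written under C:\Users\Public is escalated because the report shows the CSV staged there.

```python
import re
from dataclasses import dataclass

# Constructed process-creation records (host|user|command line); not taken from the report.
SAMPLE_EVENTS = [
    "WS01|corp\\jdoe|adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName",
    "WS01|corp\\jdoe|powershell.exe -c Get-ADUser -Filter * -Properties * | Export-CSV \"C:\\users\\public\\music\\ADusers.csv\" -NoTypeInformation",
    "WS01|corp\\jdoe|accesschk64.exe -accepteula -s C:\\Users",
    "WS02|corp\\svc_backup|powershell.exe -c Get-Date",
]

@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    user: str
    severity: str

# Each rule: name, base severity, case-insensitive pattern over the command line.
RULES = [
    ("adfind_computer_enum", "medium",
     re.compile(r"\badfind(?:\.exe)?\b.*objectcategory=computer", re.I)),
    ("ad_user_export_csv", "medium",
     re.compile(r"Get-ADUser\b.*Export-CSV\b", re.I)),
    ("accesschk_usage", "low",
     re.compile(r"\baccesschk(?:64)?(?:\.exe)?\b", re.I)),
]

# Output staged under the world-readable Public profile (as in the report) raises severity.
PUBLIC_STAGING = re.compile(r"c:\\users\\public\\", re.I)

def parse_event(line):
    """Split one record into (host, user, cmdline); cmdline may itself contain '|'."""
    host, user, cmdline = line.split("|", 2)
    return host, user, cmdline

def scan(events):
    """Return one Finding per (record, rule) match, in input order."""
    findings = []
    for line in events:
        host, user, cmdline = parse_event(line)
        for name, severity, pattern in RULES:
            if pattern.search(cmdline):
                if name == "ad_user_export_csv" and PUBLIC_STAGING.search(cmdline):
                    severity = "high"
                findings.append(Finding(name, host, user, severity))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.rule:22} {f.host} {f.user}")
```

Three findings on one host within minutes is the pattern worth alerting on; any single rule on its own will also fire on legitimate administration.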