In this intrusion, dated May 2023, we observed Truebot being used to deploy Cobalt Strike and FlawedGrace (aka GraceWire and BARBWIRE), resulting in the exfiltration of data and the deployment of the MBR Killer wiper. The threat actors deployed the wiper within 29 hours of initial access.

In this case, Truebot was delivered through a Traffic Distribution System (TDS) reported by Proofpoint as "404 TDS". This campaign, observed in May 2023, leveraged email for the initial delivery mechanism. After clicking through the link in an email, the victim would be redirected through a series of URLs before being presented with a file download at the final landing page. The file download was a Truebot executable, which appeared as a fake Adobe Acrobat document.

After executing the file, Truebot copied and renamed itself. Minutes later, Truebot loaded FlawedGrace onto the host. While loading this malware, it used a series of modifications to the registry and the Print Spooler service to both escalate privileges and establish persistence. After this execution, the threat actors proceeded to disable Windows Defender Real-Time Monitoring and added exclusions for executable files on the host. From there, FlawedGrace's execution routine involved storing and extracting encoded and encrypted payloads in the registry, the creation of temporary scheduled tasks, and the injection of the final payload into msiexec.exe and svchost.exe.

We later observed FlawedGrace creating a temporary user within the local Administrators and Remote Desktop Users groups. With this user, a tunneled RDP connection was attempted from FlawedGrace's C2 servers. The attempt seemingly failed; the threat actors removed the user after 15 minutes, then repeated the procedure a second time. After the second failed attempt, the threat actors removed the user and did not attempt further RDP communications.

Approximately two hours after the initial execution, Truebot loaded Cobalt Strike into memory and then went dormant for the next two hours. The FlawedGrace process then performed discovery surrounding the domain administrators and domain controllers. This ended the use of Truebot for the rest of the intrusion, with FlawedGrace and Cobalt Strike being leveraged for the remainder of the threat actors' activity.

After having accessed LSASS memory on the beachhead host, the threat actors leveraged a local administrator hash to perform pass-the-hash lateral movement through the environment. Four hours into the intrusion, the threat actors, through the Cobalt Strike beacon, started another round of discovery commands using net, nltest, tasklist and AdFind.exe. The threat actors used Impacket's atexec to execute discovery commands on remote hosts. These discovery commands included the PowerShell cmdlet Get-MpComputerStatus and quser. After these discovery commands, the threat actors used Cobalt Strike's jump psexec module to move further between hosts.

Around five hours post initial access, the threat actors went silent. Following each lateral movement action, Cobalt Strike had loaded FlawedGrace in memory on every host accessed by the adversary. FlawedGrace and Cobalt Strike went dormant on all hosts except the beachhead system. Seventeen hours later, the threat actors returned to the network and issued enumeration commands to discover network shares. Around that time, we observed signs of data exfiltration from the environment.
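Several of the behaviours in this summary leave well-known Windows event log artefacts: Defender real-time monitoring being switched off and exclusions being added (Defender Operational Event ID 5007), a short-lived account that is created, placed in Administrators and Remote Desktop Users, and deleted again (Security 4720, 4732, 4726), an Impacket atexec scheduled task (Security 4698, whose command redirects output to a randomly named .tmp file under the Windows Temp directory), and a Cobalt Strike jump psexec service whose binary is staged in the ADMIN$ share (System 7045). The following detection logic is an added example written for this page, not code from the original report or from The DFIR Report. The events are simplified dicts with a handful of fields per event ID, and every sample event is constructed for illustration; hostnames, account names, task and service names are invented.

```python
"""Detections for the tradecraft described above, run over constructed events.

Added example, not part of the original report. Events are simplified dicts
modelled on Windows Security, System and Defender Operational log fields;
all sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Rule 1: Defender tampering (Defender Operational, Event ID 5007) -------
# 5007 fires on any configuration change and names the registry value set.
DEFENDER_TAMPER = re.compile(
    r"Real-Time Protection\\DisableRealtimeMonitoring = 0x1|\\Exclusions\\", re.I)

def defender_tampering(events):
    """Return (ts, host, new_value) for 5007 events that disable real-time
    monitoring or add any exclusion (path, extension or process)."""
    return [(e["ts"], e["host"], e["new_value"]) for e in events
            if e["channel"] == "Defender" and e["event_id"] == 5007
            and DEFENDER_TAMPER.search(e["new_value"])]

# --- Rule 2: transient privileged user (Security 4720 -> 4732 -> 4726) ------
PRIV_GROUPS = {"Administrators", "Remote Desktop Users"}

def transient_privileged_users(events, window=timedelta(minutes=30)):
    """Flag an account created, added to Administrators or Remote Desktop
    Users, and deleted again within `window`. Returns
    (host, user, sorted groups, lifetime)."""
    created, groups, deleted = {}, defaultdict(set), {}
    for e in events:
        if e["channel"] != "Security":
            continue
        key = (e["host"], e.get("target_user"))
        if e["event_id"] == 4720:
            created[key] = e["ts"]
        elif e["event_id"] == 4732 and e.get("group") in PRIV_GROUPS:
            groups[key].add(e["group"])
        elif e["event_id"] == 4726:
            deleted[key] = e["ts"]
    hits = []
    for key, t0 in created.items():
        t1 = deleted.get(key)
        if t1 is not None and groups[key] and t1 - t0 <= window:
            hits.append((key[0], key[1], sorted(groups[key]), t1 - t0))
    return hits

# --- Rule 3: remote execution artefacts (Security 4698, System 7045) --------
# atexec registers a task running: cmd.exe /C <cmd> > %windir%\Temp\<rand>.tmp 2>&1
# jump psexec installs a service whose binary was pushed to \\<host>\ADMIN$.
ATEXEC_CMD = re.compile(
    r"cmd\.exe /C .*> *(%windir%|\\Windows)\\Temp\\\w+\.tmp 2>&1", re.I)
ADMIN_SHARE_SVC = re.compile(r"^\\\\[^\\]+\\ADMIN\$\\\w+\.exe$", re.I)

def remote_exec_artefacts(events):
    """Return (label, host, name, detail) for atexec-style tasks and
    psexec-style services."""
    hits = []
    for e in events:
        if (e["channel"] == "Security" and e["event_id"] == 4698
                and ATEXEC_CMD.search(e["command"])):
            hits.append(("atexec-style task", e["host"], e["task_name"], e["command"]))
        elif (e["channel"] == "System" and e["event_id"] == 7045
                and ADMIN_SHARE_SVC.match(e["image_path"])):
            hits.append(("psexec-style service", e["host"], e["service_name"], e["image_path"]))
    return hits

# --- Constructed sample events (not from the report) -----------------------
T0 = datetime(2023, 5, 1, 9, 0, 0)  # arbitrary base time

def _ev(minutes, channel, event_id, host, **fields):
    return {"ts": T0 + timedelta(minutes=minutes), "channel": channel,
            "event_id": event_id, "host": host, **fields}

SAMPLE_EVENTS = [
    _ev(12, "Defender", 5007, "WS01", new_value=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"),
    _ev(13, "Defender", 5007, "WS01", new_value=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\exe = 0x0"),
    _ev(14, "Defender", 5007, "WS01", new_value=r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2"),  # benign
    _ev(40, "Security", 4720, "WS01", target_user="svc_tmp"),
    _ev(40, "Security", 4732, "WS01", target_user="svc_tmp", group="Administrators"),
    _ev(41, "Security", 4732, "WS01", target_user="svc_tmp", group="Remote Desktop Users"),
    _ev(55, "Security", 4726, "WS01", target_user="svc_tmp"),          # gone after 15 min
    _ev(60, "Security", 4720, "WS01", target_user="helpdesk"),         # legitimate, never deleted
    _ev(60, "Security", 4732, "WS01", target_user="helpdesk", group="Administrators"),
    _ev(250, "Security", 4698, "DC01", task_name="fJkWqPzL", command=r"cmd.exe /C quser > %windir%\Temp\aBcDeFgH.tmp 2>&1"),
    _ev(252, "Security", 4698, "DC01", task_name="Backup", command=r"C:\Scripts\backup.exe /full"),  # benign
    _ev(260, "System", 7045, "FS01", service_name="a7f3c1e", image_path=r"\\127.0.0.1\ADMIN$\a7f3c1e.exe"),
    _ev(261, "System", 7045, "FS01", service_name="Spooler2", image_path=r"C:\Windows\System32\svchost.exe -k print"),  # benign
]

def run_all(events):
    return {"defender_tampering": defender_tampering(events),
            "transient_privileged_users": transient_privileged_users(events),
            "remote_exec_artefacts": remote_exec_artefacts(events)}

if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_EVENTS).items():
        print(f"[{rule}] {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Each rule is deliberately narrow so that the benign events in the sample (a routine Defender setting change, a help-desk admin account that stays, a scheduled backup, a Spooler-related service) produce no alerts. The 30-minute window in rule 2 is an assumption chosen to cover the 15-minute account lifetime described in the text; tune it to the environment, and note that it will not catch an account that is kept alive longer and deleted later.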