SOC Insights: Pre-Ransomware Threats and Obfuscated PowerShell 

Between October 30 to November 06, 2024, Blackpoint’s Security Operations Center (SOC) responded to 651 total incidents across on-premises, Microsoft 365, and Google Workspace protected environments. These incidents involved confirmed or likely threat actor use of:

• Obfuscated PowerShell with Onboarding Partner.
• Likely Pre-Ransomware Activity.

In this blog, we’ll dive into the details of three select incidents, why they matter for our partners, and possible mitigations using your existing tech stack alongside Blackpoint Cyber’s managed services.

Topline Takeaways

• Industry target: Legal Services
• Blackpoint SOC actions:
  • Isolated impacted devices
  • Contacted partner
• Attacker methods:
  • Obfuscated PowerShell
  • IP Address tied to SolarMarker
• Recommended mitigations:
  • Implement strict controls on the use of scripting languages.
  • Employ least-privilege access controls.

Incident Timeline for 2024-11-04

While onboarding a new legal services partner, Blackpoint’s MDR technology alerted to suspicious PowerShell running on a device. Blackpoint’s SOC isolated the device to prevent further unauthorized activity and contacted the partner to provide information about the incident.

Initial investigation identified the PowerShell was highly obfuscated, utilizing “CamelCase”, bxor encryption, and the use of variables to obscure the view as to what the PowerShell was executing. Investigation revealed that the PowerShell was launching a persistent payload from the directory C:\Users\$username\AppData\Roaming\, which is often used by malware for persistence.

Futher investigation identified that the observed PowerShell had made suspicious connections to several IP addresses, which had been previously tied to SolarMarker campaigns; however, the malware was not confirmed as SolarMarker in this case.

More About Obfuscated PowerShell

Obfuscated PowerShell is a method used to make analysis more difficult and harder to detect. Threat actors likely find this technique attractive because it allows them to deploy malware and avoid detection. Obfuscated PowerShell has been used to deploy information stealing malware, such as Lumma Stealer; ransomware variants; persistent malware, such as SolarMarker.

APG Threat Analysis for Obfuscated PowerShell

Blackpoint’s APG predicts the continued use of obfuscated PowerShell for execution, defense evasion, and persistence over the next 12 months. This assessment is supported by Blackpoint’s SOC observed incidents, including an October 2024 incident impacting a Government partner.

Mitigations

• Implement strict controls on the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions.

Topline Takeaways

• Industry target: Real Estate
• Blackpoint SOC actions:
  • Isolated impacted devices
  • Contacted partner
• Attacker methods:
  • RDP
  • Scheduled tasks
  • Rclone
• Recommended mitigations:
  • Enforce multi-factor authentication (MFA) on all user accounts.
  • Regularly audit both the environment and endpoints.
  • Create and implement an Incident Response Plan (IRP).

Incident Timeline for 2024-11-05

Blackpoint’s MDR technology alerted to potential lateral spread and policy violations on a host of a real estate partner. Blackpoint’s SOC isolated all affected devices to prevent further activity, the incident resulted in five isolated devices and prevention of any malware deployment.

Initial investigation of the host revealed that a user executed privileged commands, which included disabling Windows firewall for all network profiles as well as modifying Windows Registry Keys to enable RDP connection. Additionally, Blackpoint’s SOC identified a publicly access SSL VPN instance.

Further investigation revealed suspicious Rclone (rclone.exe) execution on other hosts within the environment, indicating that the threat actor was likely attempting to exfiltrate data.

Based on the observed activity, Blackpoint’s APG and SOC assess this incident was likely related to ransomware activity.

More About Rclone

Rclone is a command-line program designed to allow users to manage files on cloud storage. Threat actors likely find Rclone an attractive option for data exfiltration due to its fast data transfer capabilities and the ability to integrate with multiple cloud services and protocols.

Rclone is efficient for large data exfiltration efforts and the legitimate use of the tool allows threat actors to blend in to “normal” traffic and evade detection. Blackpoint’s APG has tracked at least 13 ransomware operations that have been reported to rely on Rclone for data exfiltration.

APG Threat Analysis for Rclone

APG predicts continued use of legitimate tools, like Rclone, for data exfiltration activities over the next 12 months. This assessment is supported by multiple external reports of threat actors’ use of Rclone, including a ReliaQuest report indicating that Rclone is the most popular exfiltration tool used by threat actors in ReliaQuest-observed incidents.

Mitigations

• MFA on All Accounts: Enforcing MFA can prevent attackers from exploiting compromised credentials.
• Audit Environment: Regularly review scheduled tasks and system configurations for anomalies.
• Incident Response Plan: Ensure proper IRPs are in place in the event of an incident to ensure business continuity.