Between June 12-19, 2024, Blackpoint’s Security Operations Center (SOC) responded to 81 total incidents. These incidents included 14 on-premises MDR incidents, 1 Cloud Response for Google Workspace, and 66 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- AsyncRAT for remote access and information theft;
- NetSupport RAT for persistence; and
- VssAdmin to delete shadow copies for defense evasion.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
AsyncRAT Incident with Industrials Partner on June 13, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
- AsyncRAT
- Scheduled tasks
- .zip initial malicious file
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use AsyncRAT to exploit other Industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Scripting language controls
- Employee security training
- Least-privilege access controls
AsyncRAT Incident Timeline for Industrials Partner on 2024-06-13
- Blackpoint’s MDR+R technology initially alerted to a number of suspicious processes and commands running on a Manufacturing partner’s host.
- Initial investigation by the Active SOC team identified several anomalous scripts saved in the “C:\Users\Public” folder, a common file path used by threat actors to attempt undetected operations. Threat actors also created a scheduled task to execute a .vbs file, located in the same folder.
- Additional investigation uncovered a suspicious network connection to an IP address associated with AsyncRAT malware.
- The Active SOC analysts isolated the impacted host and reached out to the Manufacturing partner on next steps and additional remediation advice.
- Later analysis indicated that initial access most likely came from an executed .zip file, downloaded earlier that day.
More About AsyncRAT
Click for details
AsyncRAT is an open source remote access tool that was released in 2019 and is frequently exploited as a remote access trojan (RAT) by threat actors (1). AsyncRAT can perform multiple functions for threat actors, including:
- Keylogging;
- Providing initial access for final payload distribution;
- Establishing persistence access via remote desktop control; and
- Exfiltrating data for ransom or extortion.
This wide feature array makes AsyncRAT an attractive tool for threat actors, letting them conduct multiple malicious strategic actions – from initial access and persistence, to credential access and payload deployment – without the need for developing and maintaining their own malware variants.
Thus, threat actor attribution based on AsyncRAT deployment alone tends to be especially difficult.
APG Threat Analysis of AsyncRAT for 2024
Click for details
The APG predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, corroborated with external incident reports which detail campaigns including similar and extensive use of AsyncRAT malware.
- In 2023, AT&T Alien Labs reported a spike in phishing emails featuring GIF attachments leading to a svg file, which also downloaded a highly obfuscated JavaScript file. This intrusion was followed by other obfuscated PowerShell scripts, with a final execution of an AsyncRAT client (3).
- In 2021, ESET security researchers reported that AsyncRAT was used as a part of a phishing campaign called “Operation Spalax”. The campaign used HTML attachments for AsyncRAT delivery while also integrating reflective loading techniques. The operation targeted Colombian entities, using at least 70 domains and 24 different IP addresses (2).
Recommended AsyncRAT Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the malicious use of AsyncRAT for initial access, persistence, and credential access.
- Monitor system activity through heuristics-based triggers and alerts, which can help identify deviations from normal or expected behavior that indicates potential malicious behavior.
- Minimize the use of – or implement strict controls on – the use of scripting languages that can help restrict the use of scripts for specific users who should not be conducting this type of activity, which can limit a threat actors’ ability to leverage scripts for malicious actions.
- Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
- Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
NetSupport RAT Incidents with Healthcare and Consumer Non-Cyclicals Partners on June 17, 2024
Topline Takeaways
- Industry targets:
- Healthcare
- Consumer Non-Cyclicals
- Attacker information:
- NetSupport RAT
- PowerShell
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use NetSupport RAT to exploit other Healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
- Employee security training
- Heuristics-based activity monitoring and remediation
- Scripting language controls
- Multifactor authentication (MFA)
NetSupport RAT Incidents Timeline for Healthcare & Consumer Non-Cyclicals Partners on 2024-06-17
- Blackpoint’s MDR+R technology alerted to a suspicious identification on a Healthcare partner’s host.
- Further investigation by the Active SOC team revealed obfuscated PowerShell commands in base64, as well as a network connection to a Ukrainian IP address.
- The NetSupport remote access trojan (RAT) was identified as the strain of malware leveraged in the incident.
- On the same day, our MDR+R technology alerted to a suspicious process executing PowerShell on a Consumer Non-Cyclicals partner’s host.
- Further analysis identified that an executed .js file called up the PowerShell through wscript.exe. The JavaScript file posed as a fake update, which installed the NetSupport RAT onto the host.
- The Active SOC team observed malicious commands stemming from the RAT, as well as a callout to an IP address in Moldova.
- In both instances, Blackpoint’s Active SOC isolated the impacted hosts to prevent any further malicious actions, before reaching out to both the Healthcare and Consumer Non-Cyclicals partners with more details and next steps for remediation.
More About NetSupport RAT
Click for details
NetSupport Manager is a legitimate remote support tool frequently abused by multiple threat actor groups for malicious purposes (4). NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager supports multiple features for illicit purposes, including:
- File transfers,
- Remote access to compromised environments,
- Keylogging, and
- Controlling system resources.
Due to the malware’s widespread availability for both malicious and legitimate use cases, the use NetSupport RAT alone cannot be attributed to a single threat actor. Threat actors of all skill levels abuse the NetSupport tool, even if they lack the necessary technical knowledge or resources needed to use custom malware or tools.
This widespread use of NetSupport RAT leads to a variety of initial access methods; however, social engineering appears to remain a top choice for threat actors to deploy the NetSupport RAT.
APG Threat Analysis of NetSupport RAT for 2024
Click for details
The APG predicts that threat actors will likely continue to use NetSupport RAT over the next 12 months.
We base this assessment on internal Blackpoint observed attacks and external reporting on widespread use of NetSupport RAT in cyberattacks across multiple industries, as this week’s series of incidents illustrated for impacted Blackpoint partners.
- In 2024, security researchers with Perception Point reported a campaign delivering the NetSupport RAT targeting U.S.-based organizations (6). The threat actors sent phishing emails that purported to be from an accounting service, luring victims to download the attached Office Word file to view a “monthly salary report.” The threat group used OLE template manipulation, exploiting document templates to execute malicious code without detection.
- In 2023, security researchers with Malwarebytes reported that a fraud site for TradingView leveraged the NetSupport RAT to infect visitors of the site, if the site was a Windows machine (5). If the device was found to be a macOS device, the victim was targeted with Atomic Stealer malware. The goal of the attackers was to steal sensitive data from the victims.
Recommended NetSupport RAT Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate the malicious use of NetSupport RAT for malicious activities. The mitigations for NetSupport RAT activity are similar to those recommended for other malware variants, including AsyncRAT.
- Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access – as other attacks with NetSupport RAT have demonstrated – this security training helps lower the risk of falling victim to download malicious software or legitimate tools for malicious actions.
- Monitor system activity through heuristics-based triggers and alerts, which can help identify deviations from normal or expected behavior that indicates potential malicious behavior. Even if NetSupport has legitimate use cases, monitoring that alerts to potential abuse of allowlisted apps will catch threat actors attempting to disguise their activities by abusing already-installed apps.
- Minimize the use of – or implement strict controls on – the use of scripting languages that can help restrict the use of scripts for specific users who should not be conducting this type of activity, which can limit a threat actors’ ability to leverage scripts for malicious actions.
- Use multifactor authentication (MFA) and VPN, wherever feasible, to ensure only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
VssAdmin and Attempted Shadow Copies Deletion Incident with Consumer Non-Cyclicals Partner on June 19, 2024
Topline Takeaways
- Industry target: Consumer Non-Cyclicals
- Attacker information:
- VssAdmin
- id_service.exe
- Delete Shadow Copies
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to abuse VssAdmin to delete shadow copies, among other actions, to exploit other Consumer Non-Cyclicals organizations over the next 12 months.
- Recommended remediations and mitigations:
- Zero trust network architecture
- Create and maintain data backups
- Least-privilege access controls
- Incident response plans (IRPs)
VssAdmin and Attempted Shadow Copies Deletion Incident Timeline for Consumer Non-Cyclicals Partner on 2024-06-19
- Blackpoint’s MDR+R technology alerted to the deletion of Volume Shadow copies on a Consumer Non-Cyclicals partner’s host.
- Further Active SOC team investigation revealed that the activity originated from the process id_service.exe, which is part of IDrive: an application used for backup.
- The deletion of shadow copies is a typical technique leveraged by ransomware, to hinder system recovery and strengthen ransom demands post-encryption or exfiltration of the would-be victim’s data.
- Blackpoint’s Active SOC isolated the device to prevent further potential malicious activity, before reaching out to the Consumer Non-Cyclicals partner with additional information and remediation advice.
More About VssAdmin Abuse and Shadow Copy Deletion
Click for details
VssAdmin is a legitimate Windows utility used to create, delete, and list information about shadow copies (7). It can be used to resize the shadow copy storage area, as well.
Threat actors often use allowlisted processes, applications, and utilities such as VssAdmin instead of installing custom or net-new malware to an infected system to better blend in with normal or expected network traffic, increasing their chances of a successful attack.
Threat actors will also attempt to delete shadow copies of data on victim systems. If left alone, defending security professionals could use shadow copies of any corrupted, locked, or deleted data to reestablish or return files to a past state – greatly reducing the impact of an attempted extortion or ransom demand.
APG Threat Analysis of VssAdmin Abuse and Shadow Copy Deletion for 2024
Click for details
The APG predicts that threat actors will very likely continue to abuse VSSAdmin to delete Shadow Copies over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, corroborated by external reporting and research demonstrating threat actor abuse of VssAdmin to delete and modify shadow copies during cyberattacks.
Blackpoint’s APG has tracked at least 26 separate ransomware operators, each observed abusing the VssAdmin utility to evade detection by deleting or modify shadow copies.
- In 2023, security researchers with Microsoft released a report detailing the operations of the BlackByte ransomware operation, which included the use of VssAdmin to resize the shadow copies (8).
- Researchers observed BlackByte using the commands “cmd /c vssadmin Resize ShadowStorge /For=B:\ /On=B:\ /MaxSize=401MB” and “cmd /c vssadmin Resize ShadowStorage /For=B:\ /On=B:\ /MaxSize=UNBOUNDED” to resize the shadow copies.
- The goal of resizing the shadow copies is likely to ensure that when the system attempts to make a new shadow copy, there is not enough space. Thus, the data gets overwritten, and system admins and incident responders are unable to recover majority of the encrypted or deleted files.
- In May 2024, the U.S. CISA released a #StopRansomare report detailing the operations of the Black Basta ransomware group, which included the use of the VssAdmin utility to delete shadow copies (9). The group’s goal of deleting the shadow copies is to evade detection and inhibit the victim’s ability to recover their files without paying the ransom demand.
Recommended VSSAdmin Abuse and Shadow Copy Deletion Mitigations and Remediations
Click for details
Blackpoint’s APG recommends the following actions to help mitigate threat actors’ abuse of VssAdmin to resize or delete shadow copies for defense evasion and inhibiting system recovery.
- Operate from a zero-trust mentality, which assumes that all requests to each resource is malicious and embodies aggressive and continuous monitoring and management.
- Create and maintain data backups, including offline backups that are kept separate from the network and system.
- Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools and conducting certain activities.
- Implement an incident response plan that includes the processes for data backup, restoration, notification processes (including partners, team members, and law enforcement), and ensuring business continuity.
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environment, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
Click for full reference list
- SOCRadar’s Blog: “Campaign Alert: The Year-Long Shadow of AsyncRAT in U.S. Infrastructure” by SOCRadar on 2024-02-02
- ESET’s Blog: “Operation Spalax: Targeted malware attacks in Colombia” by Matías Porolli on 2021-01-12
- AT&T’s Blog: “AsyncRAT loader: Obfuscation, DGAs, decoys and Govno” by Fernando Martinez on 2024-01-05
- Vmware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo, Abe Schneider, and Fae Carlisle on 2023-11-20
- Malwarebytes’s Blog: “Mac users targeted in new malvertising campaign delivering Atomic Stealer” by Jérôme Segura on 2023-09-06
- Perception Point’s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Ariel Davidpur and Peleg Cabra on 2024-03-18
- Microsoft’s Repository: “Volume Shadow Copy Service” by Microsoft on 2022-12-07
- Microsoft’s Blog: “The five-day job: A BlackByte ransomware intrusion case study” by Microsoft Incident Response on 2023-07-06
- U.S. Cybersecurity & Infrastructure Security Agency’s Advisory: “#StopRansomware: Black Basta” by CISA; FBI; HHS; et. al. on 2024-05-10