Between August 07-14, 2024, Blackpoint’s Security Operations Center (SOC) responded to 105 total incidents across Microsoft 365, Google Workspace, and other MDR-protected environments, with confirmed or likely threat actor use of:
- Raspberry Robin for persistence;
- ScreenConnect and AteraAgent for persistence; and
- RDP, whoami, and SharpShares for initial access and discovery.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Raspberry Robin Incident with Institutions & Organizations Partner on August 07, 2024
Topline Takeaways
- Industry target: Institutions & Organizations
- Attacker information:
  - Raspberry Robin
  - .sav initial file
  - USB drive
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use Raspberry Robin for persistence to exploit other Institutions & Organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Employee security training
  - Heuristics-based activity monitoring and remediation
  - Network segmentation for common ports
Raspberry Robin Incident Timeline for 2024-08-07
- Blackpoint’s MDR+R technology alerted to Raspberry Robin activity on the host of an Institutions & Organizations partner.
- Initial analysis by the Blackpoint Active SOC team found that threat actors delivered the malware via an infected USB drive that executed the first stage – a .sav file – after an end user plugged the drive into the affected device.
- Additional observation by the Active SOC team did not find any lateral movement or second-stage payload activity.
- Active SOC analysts isolated the affected device to prevent any additional malicious activity, before reaching out to the Institutions & Organizations partner with additional details and remediation advice.
What is Raspberry Robin?
First identified in 2021, Raspberry Robin (1) is a Windows worm malware that spreads itself through a network after an initial infection via malicious USB drives.
Threat actors use Raspberry Robin as an initial access malware for other malware variants and malicious campaigns, using its worm feature to move laterally through affected networks prior to deploying additional payloads.
APG Threat Analysis of Raspberry Robin for 2024
The APG predicts that threat actors will very likely continue to use Raspberry Robin for persistence over the next 12 months.
We base this assessment on internal Blackpoint observed attacks, such as this March 31st attack against a Basic Materials partner, and external incident reports that detail the use of Raspberry Robin to gain persistence and deploy second stage payloads. For example:
- In April 2024, HP security researchers reported a Raspberry Robin incident involving the threat actor spreading Raspberry Robin malware through Windows Script Files (.wsf) via web downloads (2), demonstrating how threat actors continue to improve and develop their malware delivery tactics to evade detection and remain a critical threat to organizations.
  - The malicious .wsf files were offered for download via various threat actor-controlled domains and subdomains.
  - The script file acted as a downloader and used a variety of anti-analysis and virtual machine detection techniques.
- In 2023, ReliaQuest security researchers reported that Raspberry Robin was the third most used malware loader in incidents observed by the company, comprising 23% of reported incidents (3).
- And, earlier this year in 2024, ReliaQuest researchers updated that report to state that Raspberry Robin was, again, among the topmost observed malware loaders in security incidents, involved in 7% of all company-reported incidents (4).
Recommended Raspberry Robin Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate the deployment of Raspberry Robin.
- Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
- Segment critical systems, so they are isolated from less secure areas while preventing unauthorized communication between segments.
- Restrict access controls for removable media, particularly for USB drives, to reduce the chances of malicious USB or memory devices executing payloads on monitored endpoints.
ScreenConnect and AteraAgent Incident with Financials Partner on August 11, 2024
Topline Takeaways
- Industry target: Financials
- Attacker information:
  - ScreenConnect
  - AteraAgent
  - Scheduled task “Intuit”
  - “Canopy Desktop Assistant”
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use ScreenConnect and AteraAgent to exploit other Financials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Multifactor authentication (MFA)
  - Application allowlisting and blocklisting
  - Heuristics-based activity monitoring and remediation
  - Risk-based patch management program
ScreenConnect and AteraAgent Timeline for 2024-08-11
- Blackpoint’s MDR+R technology alerted to suspicious activity on a host and user account of a Financials partner.
- Initial analysis by the Blackpoint Active SOC team found:
  - The user account in question tried to install ScreenConnect (AKA ConnectWise), before trying to install AteraAgent.
  - An executable named “Intuit” called out to an IP address in the Netherlands, 185.161.211[.]11, with an additional threat-created scheduled task, also named “Intuit”.
    - Note: Analysts first identified this fake QuickBooks executable due to the naming convention of “Intuit” versus “intuit”.
  - The fake QuickBooks installer downloaded the software “Canopy Desktop Assistant,” which can be used to exfiltrate data.
- Further review of the Financials partner’s network revealed additional scheduled tasks using the same name (“Intuit”) on another hostname.
- Active SOC analysts isolated the affected devices and deleted the malicious scheduled tasks to prevent further malicious activity, and then reached out to the Financials partner to provide information about the incident and to provide mitigation advice.
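The sweep below is an added example, not Blackpoint tooling: it flags scheduled tasks whose names differ from a vetted baseline only by letter case (the “Intuit” versus “intuit” tell noted above), pivots each hit across hosts as the analysts did, and reports RMM tools outside an approved list. The host names, baseline, approved list, and inventory rows are constructed assumptions.

```python
from collections import defaultdict

# Assumptions: names the organisation has vetted. All values are constructed.
BASELINE_TASK_NAMES = {"intuit"}       # exact, case-sensitive task names
KNOWN_RMM = {"screenconnect", "ateraagent", "teamviewer"}
APPROVED_RMM = {"teamviewer"}          # RMM tools IT actually deployed

# Constructed inventory rows: (host, kind, name)
INVENTORY = [
    ("FIN-WS01", "task", "Intuit"),
    ("FIN-WS01", "software", "ScreenConnect Client"),
    ("FIN-WS01", "software", "AteraAgent"),
    ("FIN-WS02", "task", "intuit"),
    ("FIN-WS07", "task", "Intuit"),
    ("FIN-WS07", "software", "TeamViewer"),
]


def case_variant_of_baseline(name, baseline=BASELINE_TASK_NAMES):
    """Return the baseline name that `name` imitates by case only, else None."""
    if name in baseline:               # exact match is the vetted task
        return None
    folded = {b.casefold(): b for b in baseline}
    return folded.get(name.casefold())


def unapproved_rmm(software_name):
    """Return the RMM tool key if the software is a known but unapproved RMM."""
    lowered = software_name.casefold().replace(" ", "")
    for tool in KNOWN_RMM:
        if tool in lowered and tool not in APPROVED_RMM:
            return tool
    return None


def sweep(inventory):
    """Group findings by indicator so one hit pivots to every affected host."""
    findings = defaultdict(set)
    for host, kind, name in inventory:
        if kind == "task" and case_variant_of_baseline(name):
            findings[f"task:{name}"].add(host)
        elif kind == "software":
            tool = unapproved_rmm(name)
            if tool:
                findings[f"rmm:{tool}"].add(host)
    return {key: sorted(hosts) for key, hosts in findings.items()}


if __name__ == "__main__":
    for indicator, hosts in sweep(INVENTORY).items():
        print(indicator, hosts)
```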
More About ScreenConnect and AteraAgent
What is ScreenConnect?
ScreenConnect (AKA ConnectWise) is a legitimate remote access tool intended for organizational use to remotely manage end user devices (5).
Threat actors often abuse ScreenConnect and other “authorized” or legitimate remote monitoring and management (RMM) tools due to:
- The complete device and network access this type of tool provides,
- The ability to remain undetected and blend into normal traffic, and
- The potential for persistent access to compromised networks.
What is AteraAgent?
Similar to ScreenConnect, AteraAgent is another remote monitoring and management (RMM) tool that allows system administrators, IT helpdesk employees, and other authorized users to take full control of a device remotely (6).
AteraAgent is attractive to threat actors, as they can conduct a wide variety of activities – such as network discovery and persistent access – after an initial compromise. Since AteraAgent is also a “legitimate” tool used by many IT organizations, it is likely that threat actors use the tool in an attempt to blend into normal traffic, as well.
APG Threat Analysis of ScreenConnect and AteraAgent Abuse for 2024
Blackpoint’s APG predicts that threat actors will very likely continue to abuse RMM tools such as ScreenConnect and AteraAgent over the next 12 months.
We base this assessment on internal Blackpoint observed attacks and external incident reports that review the malicious abuse of both RMM tools that the threat actor attempted to deploy during this incident.
In these selected public APG incident analyses of internal attacks this year, threat actors abused ScreenConnect and other remote access tools on:
- February 21, 2024, alongside JWrapper remote access software;
- April 22, 2024, with abused RDP alongside PCHunter64.exe;
- May 07, 2024, with a compromised remote desktop protocol (RDP) session forming the opening salvo for an attempted Devos ransomware takeover;
- May 29, 2024, with netscan, FileZilla, and a Labtech RMM tool;
- June 09, 2024, with abuse of the TeamViewer remote administration tool alongside malicious scheduled tasks and added registry keys; and
- July 10, 2024, with TeamViewer and Advanced IP Scanner.
Beyond the Blackpoint managed ecosystem, the APG currently tracks:
- At least nine ransomware operations and three threat groups abusing the ScreenConnect tool during publicly reported incidents, and
- At least nine ransomware operations and two threat groups separately seen abusing the AteraAgent tool.
Selected external support of continued ScreenConnect and AteraAgent abuse by threat actors includes:
- In June 2024, eSentire security researchers reported multiple incidents with threat actors abusing ScreenConnect for persistence (7).
  - The threat group deployed the tool via malicious websites that redirected users to download the ScreenConnect application automatically.
  - The malicious ScreenConnect installation then allowed threat actors to download AsyncRAT malware, which can be used to deploy second-stage payloads and steal sensitive data.
- In March 2024, Proofpoint security researchers reported an incident attributed to the Iran-linked threat group MuddyWater (AKA TA450, Mango Sandstorm, Static Kitten), which included AteraAgent abuse (8).
  - The group reportedly sent emails with PDF attachments that contained malicious links, resulting in malicious installation of AteraAgent on the compromised system.
Recommended ScreenConnect, AteraAgent and Other RMM Abuse Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate the abuse of legitimate RMM tools for maintaining persistent access.
- Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
- Implement application controls, including blocklists and allowlists, to help manage and control software installation by end users to only approved and vetted applications.
- Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
- Implement a risk-based patch management program to ensure that relevant and exploited security vulnerabilities in critical services are patched in a timely manner, to prevent exploitation of low-criticality-but-still-relevant CVEs.
RDP, whoami, and SharpShares Incident with Industrials Partner on August 12, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
  - RDP
  - whoami
  - SharpShares
  - msiexec
- Antivirus (AV) and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is almost certain that threat actors will continue to use RDP for initial access to exploit other Industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Least-privilege access controls
  - Adequate firewall rules
  - Select zero-trust access controls
  - Incident response plans (IRPs)
RDP, whoami, and SharpShares Incident Timeline for 2024-08-12
- Blackpoint’s MDR+R technology alerted to a suspicious admin remote desktop protocol (RDP) session from a public IP to a domain controller of an Industrials partner.
- Initial investigation by the Active SOC team found that:
  - After connecting to the domain controller, the threat actor compromising the administrator account ran the whoami.exe /user command and used SharpShares for enumeration.
    - The threat actor issued whoami to see what the account could access, then used SharpShares to enumerate what shares were available to the network.
    - The threat actor then attempted to mount the admin shares of two hosts, but was ultimately unsuccessful.
    - The threat actor then saved the results of the enumeration in a .txt file.
    - Finally, the threat actor attempted to unregister the affected device from the end partner’s security software by using msiexec.exe.
- Additional analysis identified that the threat actor gained initial access via exposed RDP and has a public IP address.
- The Active SOC team ended the impacted session, isolated impacted devices, and reached out to the Industrials partner with additional remediation advice and support.
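As an added example (not code from Blackpoint), the following Python correlates an RDP logon to a domain controller from a non-internal address with the follow-on whoami, SharpShares, and msiexec activity described in this timeline, and grades the alert by how far the chain progressed. The event fields, host and account names, the 30-minute window, and the sample events are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)          # assumption: correlation window
DOMAIN_CONTROLLERS = {"DC01"}           # assumption: hypothetical DC inventory
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOVERY = ("whoami", "sharpshares")   # tools named in the timeline
UNINSTALL_FLAGS = ("/x", "/uninstall")  # msiexec uninstall switches

# Constructed events: 4624 with LogonType 10 is an RDP logon, 4688 is process
# creation. 203.0.113.50 is a documentation address standing in for a public
# IP; Python's is_global is False for it, so internal ranges are listed instead.
EVENTS = [
    {"ts": "2024-08-12T02:10:00", "id": 4624, "host": "DC01", "user": "admin",
     "logon_type": 10, "src_ip": "203.0.113.50"},
    {"ts": "2024-08-12T02:11:05", "id": 4688, "host": "DC01", "user": "admin",
     "cmdline": "whoami.exe /user"},
    {"ts": "2024-08-12T02:13:40", "id": 4688, "host": "DC01", "user": "admin",
     "cmdline": "SharpShares.exe"},
    {"ts": "2024-08-12T02:20:12", "id": 4688, "host": "DC01", "user": "admin",
     "cmdline": "msiexec.exe /x {PLACEHOLDER-PRODUCT-CODE} /qn"},
    {"ts": "2024-08-12T09:00:00", "id": 4624, "host": "DC01", "user": "svc_it",
     "logon_type": 10, "src_ip": "10.20.0.15"},   # internal admin, not flagged
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def classify(cmdline):
    """Map a command line to 'tamper', 'discovery', or None."""
    cmd = cmdline.casefold()
    if "msiexec" in cmd and any(f in cmd.split() for f in UNINSTALL_FLAGS):
        return "tamper"
    if any(tool in cmd for tool in DISCOVERY):
        return "discovery"
    return None

def correlate(events):
    """Return one alert per external RDP logon to a DC, graded by follow-on."""
    alerts = []
    for logon in events:
        if not (logon["id"] == 4624 and logon.get("logon_type") == 10
                and logon["host"] in DOMAIN_CONTROLLERS
                and is_external(logon["src_ip"])):
            continue
        start = datetime.fromisoformat(logon["ts"])
        stages = []
        for ev in events:  # same host and user, inside the window after logon
            if (ev["id"] == 4688 and ev["host"] == logon["host"]
                    and ev["user"] == logon["user"]
                    and timedelta(0) <= datetime.fromisoformat(ev["ts"]) - start <= WINDOW):
                stages.append(classify(ev["cmdline"]))
        stages = [s for s in stages if s]
        severity = "critical" if "tamper" in stages else "high" if stages else "medium"
        alerts.append({"user": logon["user"], "src_ip": logon["src_ip"],
                       "stages": stages, "severity": severity})
    return alerts
```

An external RDP logon to a domain controller alerts on its own at medium severity; discovery tooling raises it to high and an msiexec uninstall to critical.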
More About RDP, whoami, and SharpShares
What is remote desktop protocol (RDP)?
Remote desktop protocol (RDP) is a protocol that allows legitimate organization users with IT, development, and security functions to use a desktop remotely. Threat actors can abuse RDP to move laterally through compromised networks. RDP is used by both legitimate system administrators and malicious threat actors for two primary purposes:
- Remote Desktop Access: Users can utilize remote access to their physical desktop computer from another device.
- Remote Administration: Users can perform remote administrative work by accessing the device.
Threat actors can target RDP and use it through a variety of methods (9), including:
- Hijacking RDP sessions;
- Using accessibility features, such as Sticky Keys;
- Brute force attacks;
- Specialty malware explicitly designed for RDP; and
- Protocol tunneling.
What is whoami?
whoami is a command used in both Windows and Unix operating systems and can be used to display the current username and privilege information (10).
Threat actors can use this tool for reconnaissance, gathering information that can then be used for:
- Persistence,
- Lateral movement, and
- Privilege escalation.
What is SharpShares?
SharpShares is a tool designed to enumerate all network shares within the current domain, and can be used to resolve names to IP addresses (11).
Threat actors abuse this tool to identify:
- Folders and drives shared on remote systems;
- Information that can be collected and exfiltrated for maximum impact; and
- Systems of interest that can be moved to, for further malicious activities.
APG Threat Analysis of RDP, whoami, and SharpShares Abuse for 2024
Blackpoint’s APG predicts that threat actors will almost certainly continue to abuse RDP for initial access, and commands and tools such as whoami and SharpShares for discovery, over the next 12 months.
We base this assessment on internal Blackpoint observed attacks and external incident reports covering RDP abuse and other malicious use of whoami and SharpShares.
The APG currently tracks:
- At least 30 ransomware operations and 18 threat groups abusing RDP for lateral movement or initial access in publicly reported incidents,
- At least seven ransomware operations and nine threat groups separately seen using the whoami command for discovery, and
- At least three ransomware operations abusing SharpShares.
The APG has put out previous analyses of threat actor abuse of RDP and the whoami command, in particular:
RDP Abuse
- Industrials incident on April 22, 2024
- Professional & Commercial Services incident on May 04, 2024
- Consumer Cyclicals Partner on May 24, 2024
- Industrials incident on July 7, 2024
whoami Abuse
Additional external reporting and support of the APG’s threat assessment of the abuse of these tools includes:
- In 2024, the U.S. CISA released an updated #StopRansomware report related to the BlackSuit ransomware operation, which includes their use of the SharpShares tool for discovery and reconnaissance tactics (12).
- CISA updated their previous Royal ransomware report to reflect the group’s purported rebrand to the BlackSuit variant.
Recommended RDP, whoami, and SharpShares Abuse Mitigations and Remediations
Blackpoint’s APG recommends the following actions to help mitigate the malicious use of legitimate services, commands, and tools for initial access and discovery.
- Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
- Establish effective firewall rules and configurations, including restricting access to port 3389 and blocking RDP traffic between network security zones.
- Strategically adopt portions of zero trust security architecture. A “zero trust” security strategy assumes that all resource requests are malicious until otherwise proven by credentials, authorizations, and other checks – even if the request comes from a previously accepted and cleared source. (Ask every time it’s feasible to do so!)
- Create, test, and implement incident response plans (IRPs), including the organization’s disaster recovery (DR) and business continuity (BC) processes. IRPs should cover emergency processes for data backup and restoration, as well as notification processes – such as internal and external partners, team members, and law enforcement – and annual investment and testing of documented procedures.
References and Resources
A quick note on incident details:
As these analyses concern recent incidents in actively monitored environments, certain details may be occasionally omitted and / or obfuscated, to better secure our partners and protect any still-ongoing investigations.
However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident!
- Red Canary’s Blog: “Raspberry Robin” by Red Canary on 2024-04-17
- HP’s Blog: “Raspberry Robin Now Spreading Through Windows Script Files” by Patrick Schläpfer on 2024-04-10
- ReliaQuest’s Blog: “3 Malware Loaders You Can’t (Shouldn’t) Ignore” by ReliaQuest Threat Research Team on 2023-08-25
- ReliaQuest’s Blog: “Common Malware Loaders” by Righi, Ivan on 2024-08-13
- ConnectWise’s Website: “ScreenConnect” by ConnectWise on N/A
- Atera’s Website: “All-in-one IT Platform” by Atera on N/A
- eSentire’s Blog: “Exploring the Infection Chain: ScreenConnect’s Link to AsyncRAT Deployment” by eSentire Threat Response Unit on 2024-07-03
- Proofpoint’s Blog: “Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign” by Joshua Miller on 2024-03-21
- Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022-05-31
- Microsoft’s Repository: “whoami” by Microsoft on 2023-02-03
- GitHub’s Repository: “Sharp Shares” by djhohnstein on 2019-11-19
- CISA’s Advisory: “#StopRansomware: BlackSuit (Royal) Ransomware” by CISA on 2024-08-07