Between April 24 and May 1, 2024, Blackpoint’s Active-Security Operations Center (Active-SOC) responded to 177 total incidents. These incidents included 27 on-premises Managed Detection Response and Remediation (MDR+R) incidents, 144 Cloud Response for Microsoft 365 incidents, and six (6) Cloud Response for Google Workspace, with confirmed or likely threat actor use of:

  • Social engineering and PowerShell scripts by Sangria Tempest for initial access and attempted ransomware deployment
  • SocGholish’s use of ActiveX for establishing connections to threat actor-controlled endpoints
  • BITS download and double file extension name masking for execution and discovery, with additional malicious inbox rules

In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.

Sangria Tempest and PsFlauncher64.exe Incident with Consumer Cyclicals End Client on April 24, 2024

Topline Takeaways

  • Industry target: Consumer Cyclicals
  • Attacker information:
    • Sangria Tempest
    • asana.msix
    • yyykOrlBiVNdTfPGQWSO.ps1
  • Antivirus (AV) and / or endpoint detection and response (EDR) present in environment? Yes
  • Threat assessment for partners:
    • The Adversary Pursuit Group (APG) predicts that it is very likely that threat actors will continue to use PsFlauncher64.exe to exploit other Consumer Cyclicals organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Heuristics-based activity monitoring and remediation
    • Password managers
    • Incident response plans (IRPs)

Sangria Tempest and PsFlauncher64.exe Incident Timeline for April 24, 2024

  • Blackpoint’s MDR+R technology alerted to activity associated with the ransomware-linked Sangria Tempest threat activity group on a Consumer Cyclicals end client host.
  • An MDR+R analyst began initial triage and investigation, during which they observed additional tactics implicating Sangria Tempest activity, including:
    • “PsFlauncher64.exe”, used for DLL injection
    • A newly downloaded MSIX app package named “asana.msix”
    • A PowerShell session running the suspicious script “yyykOrlBiVNdTfPGQWSO.ps1”, which spawned a Chrome browser session connecting to “asana.com”
    • Multiple brute force attempts against the user’s business email account from several foreign sources
  • The analyst escalated the incident to senior Active-SOC leadership, who then isolated the impacted host endpoint from all external and internal communications before contacting the involved partner about the incident and providing additional remediation advice.

It is the APG and Active-SOC’s assessment that there is a roughly even chance that the initial compromise of the user’s host endpoint was initiated by a social engineering attack that led to the installation of the malicious “asana.msix” package, from which the other malicious activity spawned.
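The chain above (an MSIX package install, a PowerShell session running a randomly named script, and a browser opened to the legitimate asana.com as a decoy) is the kind of lineage an endpoint sensor records as process-creation events. The following is an added example for this write-up, not Blackpoint’s detection content: it runs a simple detector over constructed Sysmon-style Event ID 1 records. The PIDs, paths and package folder name are made up, and the assumption that the installed package’s launcher was the parent of powershell.exe is ours; the write-up does not state the parent process.

```python
"""Flag a PowerShell-from-MSIX process chain in Sysmon-style process-creation records.

Added example for this write-up, not Blackpoint's detection content. The
records below are constructed; field names follow Sysmon Event ID 1, and the
assumption that the package launcher was the parent of powershell.exe is ours.
"""
import math
import re
from collections import Counter

# Constructed records (Sysmon Event ID 1 fields, trimmed). PIDs, paths and the
# package folder name are made up; only the script and decoy site names come
# from the write-up.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812,
     "image": r"C:\Program Files\WindowsApps\Asana_1.0.0.0_x64__abc123\Asana.exe",
     "cmdline": "Asana.exe"},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\user\AppData\Local\Temp\yyykOrlBiVNdTfPGQWSO.ps1"},
    {"pid": 4210, "ppid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": '"chrome.exe" https://asana.com/'},
    # Benign admin activity for contrast: PowerShell from Explorer, readable script name.
    {"pid": 5000, "ppid": 700, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\Get-DiskReport.ps1"},
]

# MSIX/AppX packages are installed beneath C:\Program Files\WindowsApps.
WINDOWSAPPS = re.compile(r"\\windowsapps\\", re.IGNORECASE)
SCRIPT_ARG = re.compile(r"([\w-]+)\.ps1", re.IGNORECASE)
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe")


def shannon_entropy(text):
    """Bits of entropy per character; machine-generated names score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(name, min_len=12, min_entropy=3.5):
    """Heuristic for generated script names such as yyykOrlBiVNdTfPGQWSO."""
    return (len(name) >= min_len
            and "-" not in name and "_" not in name
            and shannon_entropy(name) >= min_entropy)


def find_suspicious_chains(events):
    """Return PowerShell processes whose lineage or script name is suspicious."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    findings = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        match = SCRIPT_ARG.search(e["cmdline"])
        script = match.group(1) if match else ""
        reasons = []
        if parent and WINDOWSAPPS.search(parent["image"]):
            reasons.append("launched by a process inside an MSIX/AppX package directory")
        if script and looks_random(script):
            reasons.append(f"random-looking script name {script}.ps1")
        if not reasons:
            continue
        # A browser child is consistent with opening a decoy page for the victim.
        if any(c["image"].lower().endswith(BROWSERS) for c in children.get(e["pid"], [])):
            reasons.append("spawned a browser (possible decoy page)")
        findings.append({"pid": e["pid"], "script": script, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_chains(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['script']}.ps1): " + "; ".join(f["reasons"]))
```

The entropy threshold and the WindowsApps parent check are starting points, not tuned rules: legitimate packaged apps do occasionally run PowerShell, so treat a hit as a lead for the lineage and the script contents rather than a verdict on its own.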

More About Sangria Tempest (also known as “Carbon Spider”, “FIN7”)

Sangria Tempest is a financially motivated cybercriminal group that has focused on operations that have led to data theft, extortion, and ransomware deployment.

Operating since at least 2012, Sangria Tempest got its start with point-of-sale (PoS) and ATM malware deployments for stealing payment card data, with attribution credit for multiple custom malware variants – including JSSLoader and Griffon (1).

In 2020, Sangria Tempest switched to ransomware for financial gain, including operating with the Maze and REvil Ransomware-as-a-Service (RaaS) operations. Security researchers also attribute the DarkSide and BlackMatter ransomware operations, both of which shut down in 2021, to the Sangria Tempest group (1).

Despite reports of multiple key members being arrested in 2018 and 2020, the Sangria Tempest criminal group is still active. Today, they:

  • Conduct (often successful) financially motivated attack campaigns
  • Develop malware variants, for themselves and for other threat groups
  • Create fake companies to help recruit “employees” to their operations (1)

In 2023, Microsoft security researchers reported that Sangria Tempest delivered EugenLoader through malicious MSIX package installations. The group also used Google ad lures to trick victims into downloading MSIX app packages that delivered POWERTRASH, an obfuscated PowerShell script, using a file naming scheme and approach similar to those seen in this Blackpoint incident (2).

APG Threat Analysis of Sangria Tempest for 2024

The APG predicts that the Sangria Tempest threat group will very likely continue to operate and deploy this and similar social engineering initial intrusion attacks over the next 12 months.

Sangria Tempest is well known for its skill at social engineering, having illicitly acquired tens of millions of dollars from victims over its time in operation – though it is far from unique in doing so. Researchers and defenders routinely observe threat actors of every kind, from ransomware crews to nation-state supported organizations, employing social engineering tactics to create a sense of trust or urgency that tricks victims into granting initial access.

Additionally, researchers (including those in the APG) have seen Sangria Tempest conducting business email compromise (BEC) attacks.

During a BEC attack, cybercriminals gain unauthorized access to a legitimate business email account – typically through phishing or credential theft – and mine the mailbox for additional information about the organization. They can also send emails from the compromised account to other employees while posing as the legitimate user, which makes their requests for wire transfers or proprietary data far more believable (3).

Recommended Sangria Tempest Mitigations and Remediations

The APG recommends the following actions to help mitigate malicious activities conducted by Sangria Tempest and other financially motivated threat groups.

  • Conduct employee security awareness training to ensure employees are aware of what basic phishing emails – and malvertising campaigns! – look like, and are more cautious about opening email attachments.
  • Implement environmental user activity monitoring to detect unusual patterns that may indicate malicious threat actor behavior.
  • Create and implement an organization-wide secure password policy to ensure employees’ passwords are not reused and meet minimum strength requirements, lowering the risk of brute force, password spraying, and other credential attacks.
    • Consider paying for and implementing password managers on managed organizational devices, too, which can be configured to enforce these password requirements for you!
  • Design, test, and (when needed) execute an IRP that covers the processes for:
    • Data backup and restoration
    • Internal and external notifications, to include organizational partners, cyber insurance carriers, legal firms, impacted vendors, team members, and law enforcement
    • Business continuity during incident response and disaster recovery efforts

ActiveX Incident with Technology Partner on April 26, 2024

Topline Takeaways

  • Industry target: Technology
  • Attacker information:
    • SocGholish
    • ActiveX
  • AV and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The APG predicts that it is likely that threat actors will continue to use ActiveX to exploit other Technology organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Least-privilege access controls
    • Application allowlisting and blocklisting
    • Scripting language controls

SocGholish and ActiveX Incident Timeline for April 26, 2024

  • Blackpoint’s MDR+R technology alerted to a Technology partner’s managed device connecting to a known SocGholish domain / IP address.
  • An MDR+R analyst began initial triage and investigation, during which they saw ActiveX installations, which SocGholish has used during previous infections (4). They didn’t observe SocGholish-associated JavaScript execution on the infected machine, however.
  • The analyst escalated the incident to senior Active-SOC leadership.
  • The senior MDR+R analyst isolated the impacted device from all external and internal communications.
  • The Active-SOC contacted the Technology partner about the incident and provided additional remediation advice.

More About SocGholish and ActiveX Abuse 

SocGholish

Active since at least 2018, SocGholish is a malware family, often used by a wide variety of threat actors to deploy other malware – including ransomware (5). At the end of 2023, ReliaQuest researchers found SocGholish to be the second most used loader malware (6).

Based on APG analyzed data from Blackpoint managed environments and incidents, we have seen SocGholish used in LockBit ransomware campaigns, delivering LockBit as the final payload.

ActiveX

An ActiveX control is a COM-based software component, historically hosted by Internet Explorer, that activates and runs pre-scripted functionality after a web page loads. Threat actors can abuse ActiveX to communicate with victim devices while masquerading as legitimate software, in order to gain initial access to a victim’s system (7).

APG Threat Analysis of SocGholish and ActiveX Abuse for 2024

The APG predicts that operators of malware such as SocGholish will likely continue to mask malicious activity behind legitimate components such as ActiveX over the next 12 months.

We base this assessment on our own internal activity metrics, and extrapolation from previous incidents as reported by other research firms.

For example, in 2022, Cybereason security researchers reported a SocGholish campaign that abused ActiveX to establish connections to attacker-controlled endpoints and issue POST requests, downloading and executing additional malicious content, in an attack very similar to the one attempted on this Technology partner’s device (8).

Recommended SocGholish Malware and ActiveX Abuse Mitigations and Remediations

The APG recommends the following actions to help mitigate the malicious activity of SocGholish and similar malware.

  • Implement the least-privilege access controls wherever feasible. Doing so ensures that users can only access the data and resources required to complete their job functions, and – in the event of a compromised endpoint or user profile – helps prevent data exfiltration, extortion, and the threat actor’s lateral movement across environments.
  • Implement application controls to block or restrict unauthorized applications from executing.
    • Application allowlisting and blocklisting can also help prevent malware that “looks” legitimate at a glance from installing on users’ endpoints.
  • Minimize the use of – or implement strict controls on – scripting languages for users who do not need them, as threat actors rely on scripting languages such as JavaScript to deploy malware and conduct malicious activities. While JavaScript was not executed in this incident, that may only have been because the Active-SOC caught and remediated the intrusion before the script could be downloaded and run on the compromised endpoint.
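Both the ActiveX abuse described above and the scripting-control bullet come down to a handful of Internet-zone URL actions in the registry. The following is an added example for this write-up, not Blackpoint’s tooling: it parses a registry export (.reg) of the Internet Settings\Zones key and reports the Internet zone (zone 3) actions that still allow ActiveX to download or run, or that leave active scripting silently enabled. The two exports are constructed, one weak and one hardened; the value names are the documented URL-action IDs and the data encoding (0 = enable, 1 = prompt, 3 = disable) is the one Windows uses.

```python
"""Audit the Internet-zone ActiveX and scripting settings from a registry export.

Added example for this write-up, not Blackpoint's tooling. It parses a .reg
export of the Internet Settings\\Zones key and reports URL actions in the
Internet zone (zone 3) that leave ActiveX or active scripting enabled. Both
exports below are constructed; the value names are the documented action IDs.
"""
import re

ZONE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
# DWORD data for a URL action: 0 = enable, 1 = prompt, 3 = disable.
ENABLE, PROMPT, DISABLE = 0, 1, 3
ACTIONS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1200": "Run ActiveX controls and plug-ins",
    "1201": "Initialize and script ActiveX controls not marked as safe",
    "1400": "Active scripting",
}

# Constructed export: a default-looking, weak Internet zone.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1400"=dword:00000000
"""

# Constructed export: ActiveX disabled outright, scripting set to prompt.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000003
"1004"=dword:00000003
"1200"=dword:00000003
"1201"=dword:00000003
"1400"=dword:00000001
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Minimal .reg parser: {key_path: {value_name: int}} for DWORD values only."""
    settings, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_LINE.match(line)
        if key:
            current = key.group(1)
            settings.setdefault(current, {})
            continue
        value = DWORD_LINE.match(line)
        if value and current is not None:
            settings[current][value.group(1)] = int(value.group(2), 16)
    return settings


def audit_internet_zone(settings, zone_key=ZONE_KEY):
    """Return (action, label, state) for each action that is not locked down.

    ActiveX actions must be disabled (3); active scripting (1400) is flagged
    only when it is silently enabled (0), since prompt (1) still breaks
    drive-by execution. A missing value falls back to the zone template."""
    zone = settings.get(zone_key, {})
    names = {ENABLE: "enabled", PROMPT: "prompt", DISABLE: "disabled"}
    findings = []
    for action, label in ACTIONS.items():
        if action not in zone:
            findings.append((action, label, "not set; inherits the zone template default"))
            continue
        data = zone[action]
        if action == "1400" and data == ENABLE:
            findings.append((action, label, names[data]))
        elif action != "1400" and data != DISABLE:
            findings.append((action, label, names.get(data, str(data))))
    return findings


if __name__ == "__main__":
    for name, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(f"{name}:")
        for action, label, state in audit_internet_zone(parse_reg(export)):
            print(f"  {action} {label}: {state}")
```

To audit a real host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg` and read it with `encoding="utf-16"`, which is what reg.exe writes. Per-user values under HKCU override the machine values unless the "Security Zones: Use only machine settings" policy (the `Security_HKLM_only` value) is in force, so audit both hives or enforce that policy before trusting the HKLM result.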

BITS Download and Double File Extension Incident with Industrials End Client on April 30, 2024

Topline Takeaways

  • Industry target: Industrials
  • Attacker information:
    • Background Intelligent Transfer Service (BITS) Download
    • Top_Candidates_Proven_Talent_Custom_Career_Files.pdf.js
  • AV and / or EDR present in environment? Yes
  • Threat assessment for partners:
    • The APG predicts that it is likely that threat actors will continue to use BITS Download and double file extensions to exploit other Industrials organizations over the next 12 months.
  • Recommended remediations and mitigations:
    • Employee security training
    • Network segmentation for common ports
    • Least-privilege access controls
    • Regularly audit both environment and endpoints

BITS Download Incident Timeline for April 30, 2024

  • Blackpoint’s MDR+R technology alerted to a malicious BITS download on an Industrials end client host.
  • An MDR+R analyst began initial triage and investigation, during which they observed the file “Top_Candidates_Proven_Talent_Custom_Career_Files.pdf.js” running from the compromised user’s Outlook inbox. The file reached out to a malicious IP address via a BITS download, triggering the initial alert, and ran a malicious beacon file.
  • The analyst escalated the incident to senior Active-SOC leadership. During this time, they observed the compromised user account executing enumeration commands, working toward lateral movement and privilege escalation.
  • The senior MDR+R analyst isolated the impacted host from all external and internal communications, interrupting the lateral movement attempt before it could begin.
  • The Active-SOC contacted the involved partner about the incident, with additional remediation advice.

After further analysis, APG researchers found the IP address to be located in Russia and previously associated with malicious activity, including trojan malware, which is often used to download and execute additional tools and malware (9).

More About BITS Download Abuse

BITS is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares (10).

Threat actors abuse this service to gain persistence by creating BITS jobs that download and execute malicious code. In fact, the APG has tracked at least five ransomware operators that have used BITSadmin – a command line tool for creating download or upload jobs and monitoring their progress – during reported Blackpoint managed environment incidents.

BITS jobs are helpful to threat actors for persistence because they survive system reboots and remain active even when the user is not logged in (10).

Additionally – as observed in this incident – threat actors may use a double extension in the file name to masquerade the file type (11). Double-extension file names help the threat actor evade detection: Windows Explorer hides known file extensions by default, so “…_Career_Files.pdf.js” is displayed as “…_Career_Files.pdf” and looks like a document rather than the JScript file that Windows Script Host will actually execute, and some browsers and email clients present file names the same way.
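The two indicators above, a BITS job fetching from an untrusted host and a double-extension file name, can both be checked from the BITS client’s own operational log. The following is an added example for this write-up, not Blackpoint’s detection content: it parses messages in the wording of Event ID 59 from the Microsoft-Windows-Bits-Client/Operational log (“BITS started the … transfer job that is associated with the … URL.”) and flags jobs that download from a bare IP address or from a host outside an allowlist, or whose target file hides an executable extension behind a document-looking one. The messages, job names, URLs, the IP address (from the TEST-NET-3 range) and the allowlist are all constructed.

```python
"""Triage BITS download events and spot double-extension file names.

Added example for this write-up, not Blackpoint's detection content. The
messages below are constructed in the wording of Event ID 59 from the
Microsoft-Windows-Bits-Client/Operational log; job names, URLs and the IP
address (from the TEST-NET-3 range) are made up.
"""
import ipaddress
import re
from urllib.parse import urlparse

EVENT_59 = re.compile(
    r"BITS started the (?P<job>.+?) transfer job that is associated with the (?P<url>\S+) URL\."
)

SAMPLE_MESSAGES = [
    "BITS started the WU Client Download transfer job that is associated with the "
    "http://dl.delivery.mp.microsoft.com/filestreamingservice/files/abc123 URL.",
    "BITS started the Update transfer job that is associated with the "
    "http://203.0.113.7/Top_Candidates_Proven_Talent_Custom_Career_Files.pdf.js URL.",
    "BITS started the Edge transfer job that is associated with the "
    "https://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/x URL.",
]

# Extensions a user expects to be harmless, and extensions Windows will execute.
DOC_LIKE = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "jpeg", "png", "zip"}
EXECUTABLE = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta", "exe", "scr", "com", "pif",
              "bat", "cmd", "ps1", "lnk", "msi", "dll"}
# Constructed allowlist; replace with the update and CDN hosts your fleet legitimately uses.
TRUSTED_SUFFIXES = (".microsoft.com", ".windowsupdate.com")


def is_double_extension(filename):
    """True for names like report.pdf.js: a document-looking extension hiding an executable one."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_LIKE and parts[2] in EXECUTABLE


def is_bare_ip(host):
    """True when the URL host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_bits_event(message):
    """Parse one Event 59 message; return a finding dict (reasons may be empty) or None."""
    match = EVENT_59.search(message)
    if not match:
        return None
    job, url = match.group("job"), match.group("url")
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1]
    reasons = []
    if is_bare_ip(host):
        reasons.append("download from a bare IP address")
    elif not host.endswith(TRUSTED_SUFFIXES):
        reasons.append(f"host {host} not in allowlist")
    if is_double_extension(filename):
        reasons.append(f"double extension: {filename}")
    return {"job": job, "url": url, "host": host, "file": filename, "reasons": reasons}


def triage_all(messages):
    """Findings with at least one reason, in log order."""
    results = (triage_bits_event(m) for m in messages)
    return [r for r in results if r and r["reasons"]]


if __name__ == "__main__":
    for hit in triage_all(SAMPLE_MESSAGES):
        print(f"job '{hit['job']}' -> {hit['url']}: " + "; ".join(hit["reasons"]))
```

On a live host, `Get-WinEvent -LogName Microsoft-Windows-Bits-Client/Operational` returns these messages, and `Get-BitsTransfer -AllUsers` or `bitsadmin /list /allusers /verbose` enumerates the jobs that currently exist; the verbose listing also shows any notification command line attached to a job (set with `bitsadmin /SetNotifyCmdLine`), which is how a job that survives reboots is turned into code execution.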

APG Threat Analysis of BITS Download and Double File Name Extension for 2024

The APG predicts that threat actors will likely continue to use BITS Download and double file name extensions over the next 12 months.

We base this assessment on previous Blackpoint analyzed security incidents, as well as external research and agency guidance.

For example, in 2020, Mandiant security researchers reported a campaign deploying SINGLEMALT – a loader/backdoor malware – that led to ransomware deployment (12). SINGLEMALT had been observed employing BITS to maintain persistence through reboot, by creating a BITS job to download a non-existent URL.

Additionally, in 2024, the U.S. CISA released a guidance report related to detection and mitigation for live-off-the-land (LotL) techniques, which includes the use of legitimate tools and processes such as BITS Download for malicious actions (13).

The APG recently sponsored a keynote talk reviewing original research on LotL trends and common remediations at the 2024 Right of Boom conference for MSP partners and their security teams.

Recommended BITS Download and Double File Name Extension Mitigations and Remediations

The APG recommends the following actions to help mitigate the use of malicious BITS jobs and tools such as BITSadmin, as well as to block malicious files with double extension names.

  • As always, conduct employee security awareness training to ensure employees are aware of what basic phishing emails look like and are more cautious about opening email attachments. For MSPs, ensure this training trickles down to your end client users, as well!
  • Segment your networks and environments, and lock down commonly abused ports, so that critical systems are isolated from less secure areas and unauthorized communication between segments is blocked should one become compromised.
  • As in our earlier incident, least-privilege access controls limit threat actors’ ability to leverage compromised user profiles and devices to deploy additional malware, find and take relevant data, or move to another (more privileged) machine altogether.
  • Conduct regular environment and endpoint audits to identify weak points, apply necessary patching requirements, and close potential infection paths. After all, you can only protect what you know exists!

References and Resources

A quick note on incident details:

As these analyses concern recent incidents in actively monitored environments, certain details may be omitted and / or obfuscated to better secure our partners and end clients and to protect any still-ongoing investigations.

However, we felt that these incidents were important enough to bring to the community’s attention as fast as possible, and so included them in this public writeup.

Please feel free to reach out to the APG directly if you have any questions about a specific incident!

References

  1. Microsoft’s Blog: “Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself” by Microsoft Threat Intelligence on 2022 May 09
  2. Blackpoint Cyber’s Blog: “Top Hacker Tactics You Should Be Aware Of” by Blackpoint Cyber on 2023 September 14
  3. Cybereason’s Blog: “SocGholish and Zloader – From Fake Updates and Installers to Owning Your Systems” by Cybereason Global SOC Team
  4. Blackpoint Cyber’s Blog: “SocGholish: Haunting the Digital Realm for Over Five Years” by Blackpoint Cyber on 2023 July 17
  5. ReliaQuest’s Blog: “3 Malware Loaders You Can’t (Shouldn’t) Ignore” by ReliaQuest Threat Research Team on 2023 August 25
  6. Zscaler’s Blog: “Outpace Attackers with AI-Powered Advanced Threat Protection” by Brendon Macaraeg on 2024 March 11
  7. Joe Security LLC’s Blog: “JoeSandbox Cloud” by JoeSandbox Cloud on 2024 April 30
  8. Microsoft’s Repository: “Background Intelligent Transfer Service” by Microsoft on 2021 May 25
  9. ReZa AdineH’s Blog: “Abusing BITS Jobs for Persistence” on 2023 March 11
  10. MITRE’s Repository: “Masquerading: Double File Extension” by MITRE on 2021 October 14
  11. Mandiant’s Blog: “Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser” by Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, and Douglas Bienstock on 2024 April 11
  12. CISA’s Advisory: “Identifying and Mitigating Living Off the Land Techniques” by CISA et al on 2024 February 07

The Blackpoint Brief

The Blackpoint Brief is our monthly e-newsletter that covers the latest APG research, SOC saves, sales resources, webinars, and in-person events. Stay up to date so that you can best protect your clients.