Between April 3-10, 2024, Blackpoint’s Security Operations Center (SOC) responded to 138 total incidents. These incidents included 19 on-premises Managed Detection and Response (MDR) incidents, two (2) Cloud Response for Google Workspace, and 117 Cloud Response for Microsoft 365 incidents, with confirmed or likely threat actor use of:
- DarkGate malware delivered via malicious PDF file attachment for initial access,
- SolarMarker malware discovered during initial partner onboarding using PowerShell for information stealing and persistence, and
- “LogConverter[.]bat” spawning malicious PowerShell commands for execution and persistence.
In this blog, we’ll dive into the details behind these select incidents, including why they’re important for partners to account for today – even if they’ve not been attacked yet! – as well as possible mitigations leveraging your current tech stack and Blackpoint Cyber.
DarkGate Incident with Consumer Cyclicals Partner on April 4, 2024
Topline Takeaways
- Industry target: Consumer Cyclicals
- Attacker information:
- DarkGate
- Advanced IP Scanner
- AutoIt
- Impacted partner systems:
- Microsoft Windows Defender
- Threat assessment for partners:
- The Adversary Pursuit Group (APG) predicts that it is likely that threat actors will continue to use DarkGate to exploit other Consumer Cyclicals organizations over the next 12 months.
- Recommended remediations and mitigations:
- Employee security training
- Risk-based patch management programs
- Multifactor authentication (MFA)
DarkGate Incident Timeline for April 04, 2024
- Blackpoint’s MDR alerted to a possible DarkGate malware attack stemming from a malicious PDF file attachment within a phishing email.
- An MDR analyst began initial triage and investigation, and discovered the malicious file initiated AutoIt (to run malicious scripts), Advanced IP Scanner (to perform enumeration), Adobe injection (to communicate with its malicious external command and control [C2] server), and a startup task for attempted persistence.
- The analyst escalated the incident to senior SOC leadership.
- The senior MDR analyst isolated the impacted endpoint to prevent lateral spread and external communication with the C2 server, which was not successful.
- The SOC made contact with the partner about the incident and provided additional remediation advice.
More About DarkGate
DarkGate malware is a Malware-as-a-Service (MaaS) that has been sold on cybercriminal marketplaces since 2017. The malware allows attackers to conduct a number of malicious activities, including keylogging, information theft, privilege escalation, remote access tools (RATs) for persistence, and cryptocurrency mining (1).
DarkGate malware is offered through a subscription-based model with a one-day package for $1000, a monthly package for $15,000, and a one-year package for $100,000. DarkGate malware has previously used various initial access methods, including social engineering, malvertising, and vulnerability exploitation (2).
APG Threat Analysis of DarkGate for 2024
The APG predicts that threat actors will likely continue to use DarkGate over the next 12 months.
We base this assessment on our observations of recent threat use and accelerated dark web sales of the malware.
For example, this year (2024), security researchers with Trend Micro reported a DarkGate campaign exploiting the vulnerability CVE-2024-21412 (CVSS score 8.1), a security feature bypass vulnerability affecting Microsoft Windows Internet Shortcut Files (3). The campaign included the use of a phishing email with a malicious attachment that, when executed, deployed the DarkGate malware.
Recommended DarkGate Mitigations and Remediations
The APG recommends the following actions to help mitigate the deployment of the DarkGate malware.
- Conduct employee security awareness training to ensure employees are aware of what basic phishing emails look like, and are more cautious about opening email attachments.
- Implement a proactive, risk-based patch management program to ensure that known exploited vulnerabilities (such as CVE-2024-21412) are patched in a timely manner to prevent use by threat actors.
- Ensure employees are using MFA and VPNs to access sensitive data and resources, providing an additional level of credential authentication even if a threat actor should compromise an individual account.
SolarMarker Incident with Healthcare Partner on April 5, 2024
Topline Takeaways
- Industry target: Healthcare
- Attacker information:
- SolarMarker
- Impacted partner systems:
- PowerShell
- Threat assessment for partners:
- The APG predicts that it is likely that threat actors will continue to use SolarMarker to exploit other healthcare organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Least-privilege access controls
- Password managers
SolarMarker Incident Timeline for April 5, 2024
- The Blackpoint SOC received an onboarding ticket request for a new healthcare partner.
- The SOC began the onboarding process for the new partner, and our MDR immediately alerted to pre-existing malicious activity on the host endpoint: malicious PowerShell scripts tied to SolarMarker malware. The scripts created several variables to call on for a persistence payload disguised as a shortcut (lnk file) in the compromised user’s startup folder.
- An MDR analyst escalated the incident to senior SOC leadership. A senior MDR analyst observed the PowerShell script, noting that its outbound connections led to an IP address geolocated to Denmark. The script itself was heavily obfuscated to bypass antivirus (AV) detections and employed a fileless persistence technique by creating a registry key in the user’s registry hive.
- The senior MDR analyst isolated the impacted endpoints from all external and internal communications.
- The SOC made contact with the partner about the incident and provided additional remediation advice.
More About SolarMarker
Active since 2021, SolarMarker is a malware variant written in .NET that possesses a backdoor and information stealing capability (4). SolarMarker encrypts its traffic to C2 servers using a hard-coded RSA key and symmetric AES in CBC mode; data is often exfiltrated to the server in JSON format.
SolarMarker has previously collected information about the infected system (4), including:
- Machine name,
- OS version,
- System architecture (x64 or x86),
- User rights (admin or users),
- Workgroup,
- DNS, and
- Protocol version.
APG Threat Analysis of SolarMarker for 2024
The APG predicts that threat actors will almost certainly continue to use SolarMarker and other information stealing malware over the next 12 months.
We base this assessment on observed attempted attacks in Blackpoint SOC protected environments, as well as third-party research observations.
In 2024, security researchers with Malwarebytes reported a cyberattack involving SolarMarker malware targeting an academic institution; the malware had been present on the system since 2021 (5). This activity was reportedly identified due to PowerShell attempting to establish a network connection to an IP address in France – a similar tactic the Blackpoint SOC observed in this week’s specific incident.
In fact, SolarMarker has increasingly become a reliable information stealing malware for threat actors. Critical verticals, such as Academics and Healthcare, remain an attractive target to threat actors – both advanced persistent threat (APT) and cybercriminal – due to:
- The vast amount of personal information that can be sold to other threat actors,
- The ability to sell access to other criminal groups, such as ransomware operators, and
- The impact these attacks can have on an organization.
Recommended SolarMarker Mitigations and Remediations
The APG recommends the following actions to help mitigate the SolarMarker malware:
- Implement least privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions in the event of a compromised credential or account.
- Implement behavioral monitoring
These actions will help you detect unusual patterns that could be indicative of malicious behavior by threat actors. In this case, traditional EDRs and AVs may have been unable to detect this SolarMarker infection, as it had explicitly designed scripts for persistence and obfuscation against AVs prior to onboarding. However, with the installation of malicious-activity alerts and managed triage by the Blackpoint SOC, the infected device was identified and isolated almost immediately. In addition, you should…
- Encourage the use of secure password managers, versus browser-based password storage that can be accessed by information stealing malware such as SolarMarker.
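The behavioral monitoring recommended above can be made concrete. The following is an added Python example, not code from Blackpoint or from the original post: it runs three rules over a handful of constructed Sysmon-style events (field names follow Sysmon's schema; the user name, SID, file names and addresses are invented) and flags the two persistence artifacts described in the SolarMarker timeline, a .lnk written into a user's Startup folder by a script host and a Run value under the user's hive that launches PowerShell, plus powershell.exe connecting to a non-local address. It generalizes slightly beyond the incident by treating the common Windows script hosts (wscript, cscript, mshta, cmd, pwsh) the same way as powershell.exe.

```python
import ipaddress
import re

# Constructed Sysmon-style events for illustration. Field names follow Sysmon's
# schema (EventID, Image, TargetFilename, TargetObject, Details, DestinationIp);
# the user, SID, paths and addresses are made up, not telemetry from the incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # .lnk dropped into the user's Startup folder by a script host
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a8f1c2.lnk"},
    # Run value under the user's hive (Sysmon renders HKCU as HKU\<SID>) that launches PowerShell
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell.exe -w hidden -ep bypass -f C:\Users\jdoe\AppData\Roaming\u.ps1"},
    # powershell.exe reaching out to a non-local address (203.0.113.0/24 is a documentation range)
    {"EventID": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    # benign noise: a browser connecting out, explorer.exe writing a document
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\notes.txt"},
]

# Script hosts whose file writes and network activity deserve extra scrutiny
SCRIPT_HOST_RE = re.compile(r"\\(powershell|pwsh|wscript|cscript|cmd|mshta)\.exe$", re.IGNORECASE)
# A shortcut landing in any user's Startup folder
STARTUP_LNK_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Run / RunOnce value under a per-user hive
RUN_KEY_RE = re.compile(
    r"^HKU\\S-1-5-21-[\d-]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE)
# Address ranges we treat as local and therefore ignore for the outbound rule
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def evaluate(events):
    """Apply the three persistence / beaconing rules; return (rule, image, detail) tuples."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        script_host = bool(SCRIPT_HOST_RE.search(image))
        eid = ev.get("EventID")
        if eid == 11 and script_host and STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
            findings.append(("startup_lnk_persistence", image, ev["TargetFilename"]))
        elif (eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", ""))
              and re.search(r"powershell|pwsh", ev.get("Details", ""), re.IGNORECASE)):
            findings.append(("run_key_powershell", image, ev["TargetObject"]))
        elif eid == 3 and script_host and ev.get("DestinationIp") and not is_local(ev["DestinationIp"]):
            findings.append(("script_host_outbound", image,
                             f"{ev['DestinationIp']}:{ev['DestinationPort']}"))
    return findings


if __name__ == "__main__":
    for rule, image, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {detail}")
```

Each rule alone is noisy (users do pin shortcuts to Startup, and administrators do run PowerShell that talks to the network); what made the onboarding alert credible was the combination of all three from the same process on the same host, so in practice these findings feed a correlation step rather than paging on their own.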
Malicious PowerShell Command Incident with Real Estate Partner on April 8, 2024
Topline Takeaways
- Industry target: Real Estate
- Attacker information:
- LogConverter.bat
- PowerShell
- C:\Windows\SysWOW64\cmd.exe
- C:\ProgramData\Microsoft\LogConverter\LogConverter.bat
- Impacted partner systems:
- Cylance
- Threat assessment for partners:
- The APG predicts that it is almost certain that threat actors will continue to use malicious PowerShell commands to exploit other real estate organizations over the next 12 months.
- Recommended remediations and mitigations:
- Heuristics-based activity monitoring and remediation
- Network segmentation for common ports
- Least-privilege access controls
LogConverter.bat Incident Timeline for April 8, 2024
- Blackpoint’s MDR alerted to a suspicious PowerShell command on the domain controller of a real estate partner.
- An MDR analyst began initial triage and investigation. They found that the PowerShell command was heavily obfuscated, spawning from a batch script called “LogConverter[.]bat”.
- The analyst isolated the impacted endpoints from all external and internal communications.
- The SOC made contact with the partner about the incident and provided additional remediation advice.
More About Malicious PowerShell Commands
PowerShell is a task automation and configuration management program from Microsoft. Because PowerShell can execute commands and scripts entirely in memory, attackers can use it for a fileless approach that leaves little on disk and is harder to detect.
Threat actors often leverage PowerShell (6). In fact, all 36 ransomware groups currently tracked by the APG have previously been observed using PowerShell, as well as multiple APT groups.
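To show what a "heavily obfuscated" PowerShell command spawned from a batch file looks like to a detection rule, here is an added Python example; it is not Blackpoint's code or the SOC's actual detection logic. It decodes an -EncodedCommand payload (including the -e/-enc short forms), scores common obfuscation and evasion markers in the decoded script and on the command line, and weighs the parent-process context. The cmd.exe and LogConverter.bat paths are the ones listed in the incident summary above; the sample script (deliberately obfuscated but harmless, it only prints text and the date), the user paths, the indicator weights and the "suspicious" threshold are constructed for the demo.

```python
import base64
import math
import re
from collections import Counter

# Constructed sample script: obfuscated in the usual ways (string splitting,
# [char] casts, iex) but harmless. Built here for the demo, not taken from the incident.
SAMPLE_SCRIPT = "$c='W'+'rite-Out'+'put';& $c ([char]72+[char]105);iex ('Get-'+'Date')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed process-creation records (Sysmon-like field names). The cmd.exe and
# LogConverter.bat paths are those reported in the incident; everything else is made up.
SAMPLE_RECORDS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\ProgramData\Microsoft\LogConverter\LogConverter.bat"',
     "CommandLine": f"powershell.exe -nop -w hidden -ep bypass -enc {SAMPLE_ENCODED}"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

# -EncodedCommand and the abbreviated forms powershell.exe accepts
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# Command-line switches that hide the window or loosen execution controls
CMDLINE_FLAGS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE),
    "execution_policy_bypass": re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b", re.IGNORECASE),
    "no_profile": re.compile(r"-nop(?:rofile)?\b", re.IGNORECASE),
}
# Obfuscation markers inside the (decoded) script body
SCRIPT_PATTERNS = {
    "string_concat": re.compile(r"'[^']*'\s*\+\s*'[^']*'"),
    "char_cast": re.compile(r"\[char\]\s*\d+", re.IGNORECASE),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "backtick_escape": re.compile(r"\w`\w"),
    "join_or_replace": re.compile(r"-(?:join|replace)\b", re.IGNORECASE),
}
# Directories a standard user can write to; a .bat launched from one of them is context worth scoring
WRITABLE_DIR_RE = re.compile(r"\\(?:ProgramData|Users\\Public|Windows\\Temp|Users\\[^\\]+\\AppData)\\",
                             re.IGNORECASE)
WEIGHTS = {"encoded_command": 2, "parent_batch_in_writable_dir": 2}  # everything else weighs 1
SUSPICIOUS_THRESHOLD = 5  # chosen for the demo, not a tuned production value


def shannon_entropy(text: str) -> float:
    """Bits per character; long random-looking blobs score high."""
    if not text:
        return 0.0
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script behind -EncodedCommand (or -e/-enc), or None if absent/invalid."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(record: dict) -> dict:
    """Score one process-creation record and return indicators, score, decoded script and verdict."""
    cmdline = record.get("CommandLine", "")
    indicators = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        indicators.append("encoded_command")
    indicators += [name for name, pat in CMDLINE_FLAGS.items() if pat.search(cmdline)]
    parent, parent_cmd = record.get("ParentImage", "").lower(), record.get("ParentCommandLine", "")
    if (parent.endswith("\\cmd.exe") and re.search(r"\.bat\b", parent_cmd, re.IGNORECASE)
            and WRITABLE_DIR_RE.search(parent_cmd)):
        indicators.append("parent_batch_in_writable_dir")
    script = decoded if decoded is not None else cmdline
    indicators += [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(script)]
    entropy = shannon_entropy(script)
    if entropy > 4.8:
        indicators.append("high_entropy")
    score = sum(WEIGHTS.get(name, 1) for name in indicators)
    return {"indicators": indicators, "score": score, "decoded": decoded,
            "entropy": round(entropy, 2),
            "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        result = triage(rec)
        print(f"{result['verdict']:>10} score={result['score']:<3} {', '.join(result['indicators'])}")
        if result["decoded"]:
            print(f"           decoded: {result['decoded']}")
```

The parent-process context is what separates the two records most cleanly: the same PowerShell switches launched from an administrator's console are routine, while a batch file in C:\ProgramData spawning a hidden, policy-bypassing, encoded PowerShell is the shape of the LogConverter.bat activity described above, and decoding the payload before scoring it is what lets the rule see the obfuscation rather than just a Base64 blob.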
APG Threat Analysis of Malicious PowerShell Commands for 2024
The APG predicts that threat actors will almost certainly continue to use malicious PowerShell commands over the next 12 months to deploy malware, attempt persistence, and carry out other malicious activities in victim environments.
We base this assessment on our current SOC activity analysis, as well as recent external research.
In December 2023, for example, security researchers with ConnectWise reported that a former DarkSide ransomware affiliate was observed delivering trojanized installers via malvertising (7). In this incident, extracted files from the 7zip archive were moved to a file named “LogConverter[.]bat”.
(Note that while this specific incident interrupted by the SOC has not been officially attributed to any specific threat group or malware, threat actors often reuse similar file names in multiple attacks.)
Recommended Malicious PowerShell Command Mitigations and Remediations
The APG recommends the following actions to help mitigate malicious PowerShell commands:
- Implement malicious behavioral monitoring on managed environments to detect unusual patterns that could be indicative of threat actor activities.
- Use network segmentation to ensure critical systems are isolated from less secure areas and to enforce communication restrictions between segments.
- Implement least privilege access controls, to help ensure that users only have access to the data and resources required to complete their job functions – similar to the earlier SolarMarker incident we analyzed for this week.
References and Resources
- Blackpoint Cyber’s Blog: “APG Threat Digest” by Blackpoint Cyber on 2023-10-16
- SOCRadar’s Blog: “DarkGate Malware: Exploring Threats and Countermeasures” by SOCRadar on 2024-03-18
- Trend Micro’s Blog: “CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign” by Peter Girnus, Aliakbar Zahravi, and Simon Zuckerbraun on 2024-03-13
- eSentire’s Blog: “eSentire Threat Intelligence Malware Analysis: SolarMarker” by eSentire Threat Response Unit (TRU) on 2022-04-27
- Malwarebytes Labs’ Blog: “Stopping a K-12 cyberattack (SolarMarker) with ThreatDown MDR” by Bill Cozens on 2024-03-28
- ConnectWise’s Blog: “Former DarkSide ransomware affiliate distributing trojanized installers via malvertising” by Blake Eakin on 2023-12-13