With the recent release of data from Microsoft surrounding Tarrask malware and the HAFNIUM group, Blackpoint Cyber’s Adversary Pursuit Group (APG) is releasing some additional information uncovered by our Security Operations Center (SOC). Back in 2021, Blackpoint identified suspicious activity that was believed to be an active advanced persistent threat (APT) group targeting monitored and protected infrastructure. Fortunately, Blackpoint was able to isolate and eradicate suspicious behavior before a complete compromise. This blog post provides the technical analysis and breakdown of this activity.
Social engineering is one of the top means of compromising a device either through phishing emails, pretexting, piggybacking on credentials, or quid pro quo, to name a few methods. The viability of these attack scenarios increases further when geographical factors are introduced alongside portable hardware such as loaner laptops. In the instance analyzed for this post, Blackpoint was able to monitor and identify the remote execution of commands from one such device.
Impacket is a collection of Python classes and functions developed with the intention of interacting with network protocols. It is also the core of many different pentesting tools used within the industry. WMIExec is one class that allows for the remote execution of code using WMI under the Admin user (see Figure 1).
Based on the approach taken by Blackpoint Cyber, it is not in the nature of the company to allow attackers to continue operating as a means of telemetry generation. The speed in which detection and remediation is performed provides strong levels of protection but does reduce the ability to attribute the attacks. In this instance, attribution was speculated internally based on the facts available. However, when comparing the observed behavior, especially the proxy persistence to the recent open-source intelligence from Microsoft, we are more certain of our original attribution to the HAFNIUM group and the Tarrask malware campaign.
About Blackpoint Cyber
Blackpoint Cyber is a provider of leading-edge cybersecurity threat hunting, detection, and response technology. Founded by former United States Department of Defense (DoD) and intelligence security experts, we fuse real security with real response to protect what’s most important to you. Our true, 24/7 Managed Detection & Response (MDR) service works in tandem with our Security Operations Center (SOC) team to take in real-time threat alerts, respond immediately, and eradicate malicious actors’ access to your networks. Before lateral movement can happen, trust Blackpoint to eliminate any chance of further compromise. If you’re interested in decades of extensive knowledge in real-world defensive and offensive tactics protecting you and your clients’ business, contact us today!
: X. Mi, X. Feng, X. Liao, B. Liu, X. Wang, F. Qian, Z. Li, S. Alrwais, L. Sun and Y. Liu, “Resident Evil: Understanding Residential IP Proxy as a Dark Service,” 2019 IEEE Symposium on Security and Privacy, pp. 1185-1201, 2019.