Introduction

Following Microsoft's recent publication on the Tarrask malware and the HAFNIUM group, Blackpoint Cyber's Adversary Pursuit Group (APG) is releasing additional information uncovered by our Security Operations Center (SOC). Back in 2021, Blackpoint identified suspicious activity that was believed to be an active advanced persistent threat (APT) group targeting monitored and protected infrastructure. Fortunately, Blackpoint was able to isolate and eradicate the suspicious behavior before a complete compromise occurred. This blog post provides the technical analysis and breakdown of that activity.

Technical Analysis

Social engineering is one of the top means of compromising a device, whether through phishing emails, pretexting, piggybacking on credentials, or quid pro quo, to name a few methods. These attack scenarios become more viable still when geographical factors are introduced alongside portable hardware such as loaner laptops. In the instance analyzed for this post, Blackpoint was able to monitor and identify the remote execution of commands from one such device.

Stage 1

Impacket is a collection of Python classes and functions for working with network protocols, and it forms the core of many pentesting tools used across the industry. WMIExec (wmiexec.py) is one of its components; it allows remote execution of commands over WMI as an administrative user (see Figure 1).

Figure 1: Example SNAP Alert for WMIExec.py

In this instance, SOC analysts identified that commands were being issued to exfiltrate the NTDS.dit file. Stored under ‘%systemroot%\NTDS’, the NTDS file contains all the Active Directory data for a domain, including information relating to user objects, groups, and group memberships. Theft of this file would allow threat actors to use the password hashes it contains to perform Pass the Hash (PtH) attacks, potentially giving them the ability to act as any user within the domain, including Domain Administrator(s). Since the NTDS file is normally locked while the directory service is running, one of the easiest ways to gather and exfiltrate it is to use ‘vssadmin’ to interact with the Volume Shadow Copy Service and extract the file from a shadow copy instead. In this instance, the attackers began by checking whether any Volume Shadow Copies already existed (see Figure 2).

Figure 2: Shadow Volume Listing

The presence of an existing Volume Shadow Copy on the device meant that the attackers did not need to create a new one, and so did not increase their footprint on the device. The next step therefore involved copying the NTDS.dit file out of the shadow copy to a location where it could be accessed, in this case ProgramData (see Figure 3).

Figure 3: Copying of NTDS.dit to ProgramData

There are two main ways of acquiring the Boot Key, which is needed to decrypt the password hashes held in the NTDS file. One method is to export the SYSTEM hive from the live registry. The other is to copy the SYSTEM hive file from the Volume Shadow Copy. During this attack, the threat actors were observed using the latter technique to acquire the SYSTEM file (see Figure 4).

Figure 4: Copying of SYSTEM file to ProgramData

Figure 5: Attack Chain Stage 1

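The Stage 1 chain described above (WMIExec-style remote execution, shadow copy enumeration, and NTDS.dit and SYSTEM copied out of a shadow copy into ProgramData) can be expressed as detection logic over process-creation telemetry. The following is an added example written for this post, not Blackpoint's detection code: it runs three rules over constructed Sysmon Event ID 1 records (flattened here to key=value pairs, which is an assumption about the log format) and then checks whether the whole chain was observed. The rule names reference MITRE ATT&CK T1047 (Windows Management Instrumentation) and T1003.003 (OS Credential Dumping: NTDS).

```python
"""Detection logic for the Stage 1 behaviour described above.

Added example, not Blackpoint's code. The events below are constructed
Sysmon Event ID 1 (process creation) records flattened to key=value pairs;
they are not a real log export."""
import re

# Constructed sample events (assumption: Sysmon process-creation fields, pipe-separated).
SAMPLE_EVENTS = [
    "UtcTime=2021-11-23 14:02:11|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c vssadmin list shadows"
    " 1> \\\\127.0.0.1\\ADMIN$\\__1637676131.12 2>&1",
    "UtcTime=2021-11-23 14:03:40|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\NTDS\\ntds.dit C:\\ProgramData\\ntds.dit"
    " 1> \\\\127.0.0.1\\ADMIN$\\__1637676220.41 2>&1",
    "UtcTime=2021-11-23 14:04:05|Image=C:\\Windows\\System32\\cmd.exe"
    "|ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"
    "|CommandLine=cmd.exe /Q /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
    "\\Windows\\System32\\config\\SYSTEM C:\\ProgramData\\SYSTEM"
    " 1> \\\\127.0.0.1\\ADMIN$\\__1637676245.09 2>&1",
    # Benign noise: an administrator listing shadows from an interactive shell.
    "UtcTime=2021-11-23 09:15:00|Image=C:\\Windows\\System32\\vssadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=vssadmin list shadows",
    # Benign noise: a scheduled backup job.
    "UtcTime=2021-11-23 01:00:00|Image=C:\\Windows\\System32\\wbadmin.exe"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe"
    "|CommandLine=wbadmin start backup -backupTarget:E: -include:C:",
]

RULE_WMIEXEC = "T1047 wmiexec-style remote execution"
RULE_VSS_LIST = "T1003.003 shadow copy enumeration"
RULE_SHADOW_COPY_THEFT = "T1003.003 credential store copied from shadow copy"
RULE_COPY_THEFT = "T1003.003 credential store copied"

# wmiexec.py redirects command output to a file named __<timestamp> on the ADMIN$ share.
WMIEXEC_OUTPUT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.IGNORECASE)
VSS_LIST = re.compile(r"\bvssadmin(\.exe)?\b.*\blist\s+shadows\b", re.IGNORECASE)
SHADOW_PATH = re.compile(r"HarddiskVolumeShadowCopy\d+", re.IGNORECASE)
# NTDS.dit plus the registry hives an attacker needs alongside it (SYSTEM holds the Boot Key).
SENSITIVE_FILES = re.compile(r"(ntds\.dit|\\config\\(SYSTEM|SAM|SECURITY))(\s|$)", re.IGNORECASE)
COPY_VERB = re.compile(r"\b(copy|xcopy|robocopy)\b", re.IGNORECASE)


def parse_event(line):
    """Split one flattened record into a field dictionary."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def evaluate(event):
    """Return (rule, severity) pairs that fire on a single process-creation event."""
    hits = []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\wmiprvse.exe") and WMIEXEC_OUTPUT.search(cmd):
        hits.append((RULE_WMIEXEC, "high"))
    if VSS_LIST.search(cmd):
        hits.append((RULE_VSS_LIST, "medium"))  # legitimate for admins; weight by context
    if SHADOW_PATH.search(cmd) and SENSITIVE_FILES.search(cmd):
        hits.append((RULE_SHADOW_COPY_THEFT, "critical"))
    elif SENSITIVE_FILES.search(cmd) and COPY_VERB.search(cmd):
        hits.append((RULE_COPY_THEFT, "high"))
    return hits


def analyze(lines):
    """Run every rule over every event and return the findings in order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule, severity in evaluate(ev):
            findings.append({"time": ev.get("UtcTime", ""), "rule": rule,
                             "severity": severity, "command": ev.get("CommandLine", "")})
    return findings


def chain_detected(findings):
    """True when remote execution over WMI, shadow copy enumeration and a credential
    store copied out of a shadow copy all appear, i.e. the full Stage 1 chain."""
    rules = {f["rule"] for f in findings}
    return {RULE_WMIEXEC, RULE_VSS_LIST, RULE_SHADOW_COPY_THEFT} <= rules


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']}  {f['severity']:8}  {f['rule']}")
    print("NTDS theft chain detected:", chain_detected(found))
```

The individual rules are noisy on purpose: an administrator running `vssadmin list shadows` from an interactive shell fires the medium-severity rule alone, and only the combination with WMI-spawned command shells and a copy out of a shadow copy path escalates to the chain verdict.
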
Stage 2

During examination of the event, SOC analysts concluded that the threat actors were issuing commands to the victim over port 443 from a single residential IP address located in the United States. Further analysis showed that, at the time of the intrusion, the IP address belonged to a residential proxy service operated by ‘Bright Data’. Of particular interest, however, is the similarity between this intrusion and those discussed in the paper “Resident Evil: Understanding Residential IP Proxy as a Dark Service”, published in 2019 [1].

While the impacted machines were isolated pending further investigation, the same proxy address was observed two days after the initial attack using the stolen administrator credentials to connect directly to a new device and issue commands via WMIExec (see Figure 6).

Figure 6: Attack Chain Stage 2

When analyzing the network information on the server, analysts documented a suspicious transmission control protocol (TCP) connection to the residential proxy from a process named winsrv.exe, indicating a backdoor mechanism. WMIExec activity was identified and stopped again (see Figure 7).

Figure 7: Netstat data for suspicious winsrv.exe process

At this stage, the attackers were also observed attempting to establish persistent communications via a relay server (see Figure 8).

Figure 8: Persistence to Proxy Server

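The Stage 2 finding came from host network data: an established TCP session on port 443 from a process that had no business holding one. The following is an added example for this post, not Blackpoint's tooling, showing how that triage can be scripted against `netstat -ano` style output joined to a PID-to-image map such as `tasklist` provides. The netstat text and the process map are constructed, the winsrv.exe path is invented for the example, and the only real indicator is the proxy address published in the table below; the trusted-directory list is an assumption to be tuned per environment.

```python
"""Triage of netstat output against the indicator published in this post,
mirroring the Stage 2 check that surfaced winsrv.exe. Added example, not
Blackpoint's code; the netstat text and the PID-to-image map are constructed."""

# Indicator from the post: the residential proxy address observed issuing commands.
KNOWN_BAD_IPS = {"108.61.242.107"}

# Directories whose executables are expected to hold outbound HTTPS sessions
# (assumption: tune per environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed `netstat -ano` output (not a real capture; 198.51.100.20 is a documentation address).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State           PID
TCP    10.0.0.5:49832         108.61.242.107:443     ESTABLISHED     4120
TCP    10.0.0.5:49810         198.51.100.20:443      ESTABLISHED     2044
TCP    10.0.0.5:49950         203.0.113.9:443        ESTABLISHED     5300
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
TCP    10.0.0.5:49901         10.0.0.20:445          ESTABLISHED     4
"""

# Constructed PID -> image map, as `tasklist` would provide it.
SAMPLE_PROCESSES = {
    4120: "C:\\ProgramData\\winsrv.exe",  # path invented for the example
    2044: "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
    5300: "C:\\Users\\admin\\AppData\\Local\\Temp\\update.exe",
    900: "C:\\Windows\\System32\\svchost.exe",
    4: "System",
}


def parse_netstat(text):
    """Return one dict per TCP row; header and non-TCP rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        _proto, local, foreign, state, pid = parts
        ip, _, port = foreign.rpartition(":")
        rows.append({"local": local, "ip": ip, "port": int(port),
                     "state": state, "pid": int(pid)})
    return rows


def is_private(ip):
    """RFC 1918 ranges plus loopback; such peers are out of scope for this check."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168) or a == 127


def triage(netstat_text, processes):
    """Flag established external sessions that match the indicator or originate
    from an image outside the trusted directories. Returns findings in row order."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] != "ESTABLISHED" or is_private(row["ip"]):
            continue
        image = processes.get(row["pid"], "<unknown>")
        reasons = []
        if row["ip"] in KNOWN_BAD_IPS:
            reasons.append("foreign address matches published indicator")
        if row["port"] == 443 and not image.lower().startswith(TRUSTED_PREFIXES):
            reasons.append("outbound 443 from image outside trusted directories")
        if reasons:
            findings.append({"pid": row["pid"], "image": image,
                             "remote": f"{row['ip']}:{row['port']}", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT, SAMPLE_PROCESSES):
        print(f"PID {f['pid']} {f['image']} -> {f['remote']}: {'; '.join(f['reasons'])}")
```

The indicator match is the strongest signal but also the most perishable, since proxy addresses rotate; the image-location rule is what keeps catching the same behaviour once the address has changed, which is why both reasons are reported separately.
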
Conclusion

Given Blackpoint Cyber's approach, it is not in the nature of the company to allow attackers to continue operating as a means of generating telemetry. The speed with which detection and remediation are performed provides a strong level of protection but does reduce the ability to attribute attacks. In this instance, attribution was speculated internally from the facts available. However, when comparing the observed behavior, especially the proxy persistence, with the recent open-source intelligence from Microsoft, we are more certain of our original attribution to the HAFNIUM group and the Tarrask malware campaign.

IP Address       Details            Date
108.61.242.107   Residential Proxy  11/23/21

About Blackpoint Cyber

Blackpoint Cyber is a provider of leading-edge cybersecurity threat hunting, detection, and response technology. Founded by former United States Department of Defense (DoD) and intelligence security experts, we fuse real security with real response to protect what’s most important to you. Our true, 24/7 Managed Detection & Response (MDR) service works in tandem with our Security Operations Center (SOC) team to take in real-time threat alerts, respond immediately, and eradicate malicious actors’ access to your networks. Before lateral movement can happen, trust Blackpoint to eliminate any chance of further compromise.  If you’re interested in decades of extensive knowledge in real-world defensive and offensive tactics protecting you and your clients’ business, contact us today!

References

[1]: X. Mi, X. Feng, X. Liao, B. Liu, X. Wang, F. Qian, Z. Li, S. Alrwais, L. Sun and Y. Liu, “Resident Evil: Understanding Residential IP Proxy as a Dark Service,” 2019 IEEE Symposium on Security and Privacy, pp. 1185-1201, 2019.
