Between Feb. 14-21, 2024, Blackpoint’s Security Operations Center (SOC) responded to 121 total incidents. These incidents included 10 SNAP incidents and 107 Cloud Response incidents. In this blog, we will discuss some of the incidents we observed, why they’re important, and how you can mitigate these types of incidents with Blackpoint Cyber.  

On Feb. 16, 2024, the SOC was alerted via Webroot to a malicious version of QuickBooks running on a client device. The malware was downloaded by tricking victims into downloading what appears to be a legitimate version of QuickBooks. This malware is often used to download additional payloads and gain remote access to victims’ environments. In this case, the SOC observed a scheduled task being created to deploy executables. The partner was contacted to warn them of the activity.  

The SOC observed the following binary names during this incident:  

• c:\users\public\documents\system32\int\qbdmakers.exe 
• C:\Users\Public\Documents\System32\INT\QBDLD.exe 

The SOC warned the partner and thwarted any additional malicious activity from occurring on the victim environment. Fake QuickBooks installers have been used to download multiple types of malware variants, including information stealing malware, backdoors, and loader malware. Social engineering remains one of the top initial access vectors and embedding malware into installation packages with legitimate software – or masquerading as legitimate software – is one of the most effective means of social engineering. Using a name that users trust, such as QuickBooks, is likely to lead to fewer suspicions and more successful deployments.  

On Feb. 17, 2024, the SOC received multiple Microsoft Defender for Endpoint alerts on client machines. The threat was identified as Wacatac, a trojan-type malware which can be used to deploy additional malware, steal sensitive information, and add a compromised device to a botnet. During the investigation, the SOC observed that the detections were associated with an unusual file name ” _ReCoVeRy_+rsuuw.txt” appearing on different unrelated paths. They also found the same files with the “PNG” extension that resembled a ransom note. No files were encrypted during the intrusion. The SOC isolated the affected machines and contacted the client to report the findings and offer mitigation advice.  

The SOC observed the following binary names:  

• F:\IT\Office2010()\Admin\ru-ru\ReCoVeRy+rsuuw.png 

The Wacatac malware is an information stealer that gathers multiple types of victim information, including login credentials and banking information, and has been used to deploy additional malware payloads, including ransomware. In 2023, threat actors were observed leveraging a zero-day attack embedded in three PyPI packages to deliver the Wacatac malware. Wacatac has also been observed being deployed via social engineering tactics, including masquerading as legitimate software. Credentials and financial information are attractive information for threat actors due to the potential for follow-on attacks and the ability to sell stolen information on cybercriminal forums.   

On Feb.17, 2024, the SOC was alerted to a client user account using MEGAsync.exe on a host. MEGAsync is an application that allows the syncing and backing up files and folders between any computer and MEGA Cloud Storage. It is often used by threat actors to exfiltrate sensitive information. During the investigation, the SOC observed MEGAsync.exe calling out to MEGA servers in Luxembourg, Germany, and Belgium. The SOC reached out to the client to confirm if this was a legitimate business action. After it was confirmed that MEGAsync would not be used for legitimate purposes, the SOC isolated the machine and killed the MEGAsync.exe sessions.  

Binary observed:  

• C:\Users\$username\AppData\Local\MEGAsync\MEGAsync.exe 

Scheduled Task observed:  

• MEGAsync Update Task S-1-5-21-2068093081-481465237-2686154525-1003 

MEGAsync is a cloud-based synchronization tool that is designed to work with the MEGA file-sharing service and allows the upload/download of files. MEGAsync is frequently used by threat actors to exfiltrate data from victim environments. Threat actors that use MEGAsync include the following: 

• 8Base 
• Akira
• BianLian
• Black Basta 
• BlackCat
• Cactus
• CL0P
• INC Ransom 
• Knight
• Money Message 
• Monti
• Rhysida
• Trigona 

By using legitimate tools such as MEGAsync to exfiltrate sensitive data, threat actors can blend in with normal traffic and appear legitimate to evade detections.  

On Feb. 21, 2024, the SOC was alerted to several SentinelOne detections on a client host detecting JWrapper-Remote Access software. JWrapper is a remote access software used by SimpleHelp that allows users to connect to remote computers, view their screens, and control them. It can also be used by malicious actors to gain persistent access to compromised machines. The SOC then alerted to an encoded PowerShell being executed from ScreenConnect.ClientService.exe. The encoded PowerShell was observed creating several variables to setup a System.Net.WebClient object to download data from the internet while using the system’s default proxy settings and credentials.  

Following the PowerShell activity, the SOC observed sftp.exe being executed which spawned icals.exe, which is used to change access control lists on files and folders. Permissions were observed being granted to the SID group “S-1-5-32-545″, allowing the group to use the  JWrapper-Remote Access software. Connections were observed being made with a foreign IP address. After speaking to the client about the activity, it was deemed malicious, and the affected devices were isolated.  

Binaries observed:  

• C:\windows\temp\ScreenConnect\ 
• C:\ProgramData\JWrapper-Remote Access\ 

Remote monitoring and management (RMM) software, such as ScreenConnect, provides threat actors with a way to establish persistent access without the need for installing additional software or malware. ScreenConnect has been previously used by multiple threat actors, including Trigona, Medusa, LockBit, Hive, and BlackCat. This incident was specifically related to the ConnectWise vulnerabilities identified in February of 2024 and is a good example of the capabilities RMM tools give to attackers. It is likely that threat actors will continue to use RMM software for persistence, command and control, and initial access over the next 12 months.  

Learn more about the ConnectWise vulnerabilities:

• Blog: Breaking Through the Screen
• Blog: ConnectWise ScreenConnect Vulnerabilities.
• Blog: Don’t arm the enemy. Safeguard your allies.
• On-Demand Webinar: Don’t arm the enemy. Safeguard your allies.

On Feb. 21, 2024, the SOC received a Managed Application Control alert indicating the use of TeamViewer on a client host. The SOC notified the client and isolated the machines for mitigation and further investigations after confirming it was uncommon activity. 

Binary observed: 

• C:\Users\$username\AppData\Local\TeamViewer\CustomConfigs\mrk83db\TeamViewer.exe 

Observed commands:  

• |—-svchost.exe NT AUTHORITY\SYSTEM 2088 svchost.exe -k netsvcs -p -s Schedule                                                                           884 2/15/2024 2:16:07 PM 
• |  |—-TeamViewer.exe UNKNOWN 18528 TeamViewer.exe –configuration mrk83db –cqsupdate –dr 

TeamViewer is a remote access software that allows the maintenance of computers and other remote devices. This type of software is an attractive target and tool for threat actors due to the type of access these types of tools allow. Compromising these types of devices allows threat actors to identify network-attached resources, establish persistence, deploy malware, and more. Additionally, threat actors can blend in with normal traffic in a compromised environment and evade detection. Multiple ransomware and APT groups have been observed using this tool including TeamSpy (AKA SIG39, Iron Lyric, Team Bear, Anger Bear), LockBit, BianLian, and Trigona. It is likely that remote access software, including TeamViewer, will continue to be used over the next 12 months as both an initial access vector and to establish persistence on victim machines.  

The Adversary Pursuit Group, including… 

Andi Ursry, Threat Intelligence Analyst 

Andi Ursry has over five years of experience in threat intelligence. She has experience in both small business and Fortune 500 companies, beginning her career in the retail sector helping box stores mitigate risk prior to shifting to cyber intelligence. Her expertise lies in ransomware and APT (advanced persistent threat) groups’ tactics and tracking cyber trends. She holds a bachelor’s and master’s degree in criminal justice from Colorado Technical University, Online.

Connect with Andi on LinkedIn.