Recently, the Trend Micro incident response team engaged with a targeted organization after having identified highly suspicious activities through the Targeted Attack Detection (TAD) service. In the investigation, malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations. In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer.

Advertising platforms like Google Ads enable businesses to display advertisements to target audiences to boost traffic and increase sales. Malware distributors abuse the same functionality in a technique known as malvertising, where chosen keywords are hijacked to display malicious ads that lure unsuspecting search engine users into downloading certain types of malware.

The targeted organization conducted a joint investigation with the Trend team and discovered that the cybercriminals had performed the following unauthorized and malicious activities within the company's network:

- Stole top-level administrator privileges and used these privileges to conduct unauthorized activities.
- Attempted to establish persistence and backdoor access to the customer environment using remote management tools like AnyDesk.
- Attempted to steal passwords and tried to access backup servers.

It is highly likely that the enterprise would have been substantially affected by the attack if intervention had been sought later, especially since the threat actors had already succeeded in gaining domain administrator privileges and had started establishing backdoors and persistence.

The following chart represents how the infection starts. The overall infection flow involves delivering the initial loader, fetching the bot core, and ultimately dropping the payload, typically a backdoor.

In summary, the malicious actor uses the following malvertising infection chain:

1. A user searches for an application by entering a search term in a search bar (such as Google or Bing). In this example, the user wants to download the WinSCP application and enters the search term "WinSCP Download" on the Bing search bar.
2. Above the organic search results, the user finds a malvertisement for the WinSCP application that leads to a malicious website.
3. Once the user selects the "Download" button, the download of an ISO file to their system begins.

A Twitter user first spotted the same infection chain mimicking the AnyDesk application.

Once the user mounts the ISO, it contains two files, setup.exe and msi.dll:

- Setup.exe: A renamed msiexec.exe executable.
- Msi.dll: A delay-loaded DLL (not loaded until the program's code first references a symbol exported by the DLL) that acts as a dropper for a real WinSCP installer and a malicious Python execution environment responsible for downloading Cobalt Strike beacons. Since the loader resolves the DLL from the application's own directory before the system directory, the copy shipped on the ISO is the one that gets loaded (a DLL search-order hijack).

The threat actor used a few other tools for discovery in the customer's environment. First, they used AdFind, a tool designed to retrieve and display information from Active Directory (AD) environments. In the hands of a threat actor, AdFind is misused to enumerate users, groups, computers and trusts; that reconnaissance underpins later privilege escalation and credential theft, although AdFind itself only issues LDAP queries and does not extract password hashes. In this case, the threat actor used it to fetch information on the operating system of domain computers with the command:

adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName

The command uses the LDAP filter objectcategory=computer to select every computer object, retrieves the name, common name (CN), OperatingSystem and dNSHostName attributes for each, and outputs the result in CSV format.

The threat actor used the following PowerShell command to gather user information and to save it into a CSV file:

Get-ADUser -Filter * -Properties * | Select -Property EmailAddress,GivenName,Surname,DisplayName,sAMAccountName,Title,Department,OfficePhone,MobilePhone,Fax,Enabled,LastLogonDate | Export-CSV "C:\users\public\music\ADusers.csv" -NoTypeInformation -Encoding UTF8

Note the combination of -Filter * and -Properties *: it pulls every attribute of every user account in the domain before Select trims the output, and the CSV is written under C:\users\public, a directory writable by any authenticated user and a common staging location for collected data.

We also observed that the threat actor used AccessChk64, a command-line tool developed by Sysinternals that is primarily used for checking the security permissions and access rights of objects in Windows.
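As an added example (not code from the Trend Micro post or from any of the tools it describes), the following Python script turns the behaviours described above into hunting rules and runs them over constructed Sysmon-style records: process creation (Event ID 1, which carries CommandLine and OriginalFileName) and image load (Event ID 7, which carries ImageLoaded). The rules look for AdFind-style LDAP enumeration by its arguments rather than its binary name, a bulk Get-ADUser export to a staging directory, a renamed msiexec.exe, msi.dll loaded from outside the system directories, and AccessChk usage. The sample events are constructed for the example and are not telemetry from the incident.

```python
"""Hunting rules for the discovery and DLL-sideloading activity described above.

Field names follow Sysmon's naming; the events below are constructed examples,
not real telemetry. Paths are matched case-insensitively as Windows does.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which msi.dll is legitimately loaded by msiexec.exe.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# World-writable locations commonly used to stage collected data (assumed list).
STAGING_DIRS = ("c:\\users\\public", "c:\\programdata", "c:\\windows\\temp")

# Matches "-f objectcategory=computer" and quoted/parenthesised variants,
# independent of whether the binary is still called adfind.exe.
ADFIND_FILTER = re.compile(r"-f\s+[\"(]*objectcategory=(computer|person|user|group)")
BULK_USER_FILTER = re.compile(r"-filter\s+\*")


@dataclass
class Event:
    event_id: int              # 1 = process creation, 7 = image load (Sysmon numbering)
    image: str                 # full path of the process image
    command_line: str = ""     # Event ID 1 only
    original_file_name: str = ""  # PE OriginalFileName, Event ID 1 only
    image_loaded: str = ""     # Event ID 7 only


def _under(path: str, roots) -> bool:
    """True if path lies below one of the given directory roots."""
    p = path.lower()
    return any(p.startswith(root + "\\") for root in roots)


def detect(ev: Event) -> list:
    """Return the names of every rule the event triggers (empty list if none)."""
    hits = []
    cmd = ev.command_line.lower()
    image_name = PureWindowsPath(ev.image).name.lower()

    if ev.event_id == 1:
        # AdFind-style computer/user/group enumeration, keyed on the LDAP filter.
        if ADFIND_FILTER.search(cmd):
            hits.append("adfind_ldap_enumeration")
        # Get-ADUser over the whole domain written out with Export-CSV.
        if "get-aduser" in cmd and BULK_USER_FILTER.search(cmd) and "export-csv" in cmd:
            hits.append("bulk_aduser_export")
            if any(root in cmd for root in STAGING_DIRS):
                hits.append("export_to_staging_dir")
        # The PE says it is msiexec.exe but it runs under another name (setup.exe).
        if ev.original_file_name.lower() == "msiexec.exe" and image_name != "msiexec.exe":
            hits.append("renamed_msiexec")
        # Sysinternals AccessChk; weak on its own, and a renamed copy will not match.
        if image_name.startswith("accesschk"):
            hits.append("accesschk_usage")

    elif ev.event_id == 7:
        loaded = ev.image_loaded.lower()
        # msi.dll resolved from the application directory instead of System32.
        if PureWindowsPath(loaded).name == "msi.dll" and not _under(loaded, SYSTEM_DIRS):
            hits.append("msi_dll_sideload")

    return hits


def scan(events) -> list:
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in detect(ev)]


# Constructed sample events modelled on the commands quoted in the write-up.
SAMPLE_EVENTS = [
    Event(1, r"C:\Users\Public\Music\adfind.exe",
          command_line="adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line=r'powershell.exe Get-ADUser -Filter * -Properties * | Select -Property sAMAccountName,Enabled | Export-CSV "C:\users\public\music\ADusers.csv" -NoTypeInformation'),
    Event(1, r"D:\setup.exe", command_line=r"D:\setup.exe", original_file_name="msiexec.exe"),
    Event(7, r"D:\setup.exe", image_loaded=r"D:\msi.dll"),
    Event(1, r"C:\Users\Public\accesschk64.exe", command_line="accesschk64.exe -uwcqv Everyone *"),
    # Benign controls: the real msiexec loading the real msi.dll, and a single-user lookup.
    Event(7, r"C:\Windows\System32\msiexec.exe", image_loaded=r"C:\Windows\System32\msi.dll"),
    Event(1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          command_line="Get-ADUser -Identity jdoe"),
]

if __name__ == "__main__":
    for index, rule in scan(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
```

The rules are deliberately keyed on arguments and PE metadata rather than file names, because both AdFind and msiexec.exe were renamed or relocated in this chain; the msi.dll rule is the strongest of the five, since a legitimate msiexec.exe has no reason to load msi.dll from anywhere but the system directories.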