A previously undocumented cybercrime group has built a collection of over 80 command-and-control (C2) servers for malware implants over the past two years. The gang, which researchers have now dubbed ShadowSyndicate, is believed to be either an initial access broker or an affiliate working with multiple ransomware-as-a-service (RaaS) operations.

"It's incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers," researchers from cybercrime investigations firm Group-IB said in a report. "In total, we found ShadowSyndicate's SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility."

Group-IB analysts partnered with researcher Joshua Penny from European MSSP Bridewell and independent malware researcher Michael Koczwara to investigate all the connections they found and to determine what ShadowSyndicate is: a hosting provider that deploys servers with the same SSH fingerprint, a DevOps engineer working for threat actors, a bulletproof hosting service for cybercriminals, an initial access broker, or a RaaS affiliate.

The researchers are fairly confident that ShadowSyndicate is not a hosting service, because the servers were located in 13 different countries (Panama being the most common) and across different networks belonging to different organizations. The pivot matters because an SSH host-key fingerprint is a hash of the server's host public key: the same fingerprint on many servers means the same private host key was installed on all of them, which only happens when one party provisions those servers, or when a provider clones them from one image.

The researchers found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022 and March 2023) and ALPHV (aka BlackCat) ransomware (February 2023). Weaker connections were found with Royal, Cl0p and Play ransomware.

"While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot," the researchers said. "However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are connected) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing with their criminal activity using the same infrastructure, but they might now operate individually or in other criminal groups."

There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it's more likely that the group is an independent affiliate working for multiple RaaS operations.

In this intrusion from April 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee is a malware loader that was first reported by Google's Threat Analysis Group (TAG) in March 2022. Google TAG attributes the malware to an initial access broker (IAB) dubbed EXOTIC LILY, working with the cybercrime group tracked as FIN12/WIZARD SPIDER/DEV-0193. Read more about BumbleBee here, and here.

During this intrusion, the threat actors gained access using an ISO and LNK file, used several lateral movement techniques, dumped credentials in three different ways, Kerberoasted a domain admin account, and dropped and executed a bespoke tool for discovering privilege escalation paths. The threat actors operated in the environment over an 11-day dwell period.

The intrusion began with a password-protected zip archive containing an ISO file, which we assess with medium to high confidence, based on other public reporting, arrived via an email containing a link to download the zip. Execution started with that archive: after extraction the user sees an ISO file, and double-clicking it mounts the image like a CD or external media device on Windows, presenting the user with a single visible file named "documents" (an LNK shortcut). When the user double-clicks or opens the LNK, it inadvertently launches a hidden file on the same image, a DLL (namr.dll) containing the Bumblebee loader. ISO containers were popular with loaders at the time because files inside a mounted image did not inherit the mark-of-the-web from the downloaded archive, so the usual download warnings did not apply. From there, the loader reached out to the Bumblebee C2 servers. Things remained fairly quiet, with only C2 communications, until around three hours later, when Bumblebee dropped a Cobalt Strike beacon named wab.exe on the beachhead host (wab.exe is the name of the legitimate Windows Address Book executable, so the name alone does not stand out in a process list). The beacon was executed and then injected into other processes on the host (explorer.exe, rundll32.exe). From these injected processes, the threat actors began discovery using built-in Windows utilities such as ping and tasklist.

Four hours after initial access, the threat actor used RDP to access a server with the local Administrator account. The threat actor then deployed AnyDesk, which was the only persistence mechanism observed during the intrusion.
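The BumbleBee execution chain described above (an LNK on a mounted ISO, a hidden DLL loaded through rundll32.exe, a beacon named wab.exe, discovery commands issued from injected explorer.exe and rundll32.exe) maps directly onto process-creation telemetry. The Python below is an added example written for this page, not tooling from the report: it runs three detection rules over constructed Sysmon-style process records. The log layout, file paths, the E: drive letter, the user names and the DLL export name "Start" are assumptions; only namr.dll, wab.exe, the injected processes and the ping/tasklist discovery come from the write-up.

```python
"""Detection logic for the BumbleBee execution chain, run over constructed
process-creation records (Sysmon Event ID 1 fields: Image, CommandLine,
ParentImage, User). Records, paths, drive letter and the DLL export name are
made up for this example; only namr.dll, wab.exe, explorer.exe/rundll32.exe,
ping and tasklist come from the report."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    time: str
    image: str      # full path of the created process
    cmdline: str
    parent: str     # full path of the parent process
    user: str


# Constructed log lines in a simple "key=value; key=value" layout (an
# assumption for this example; real Sysmon events are XML inside EVTX).
SAMPLE_LOG = r"""
time=09:02:11; image=C:\Windows\explorer.exe; cmdline=explorer.exe; parent=C:\Windows\System32\userinit.exe; user=CORP\jdoe
time=09:03:40; image=C:\Windows\System32\rundll32.exe; cmdline=rundll32.exe E:\namr.dll,Start; parent=C:\Windows\explorer.exe; user=CORP\jdoe
time=12:10:05; image=C:\Users\jdoe\AppData\Local\Temp\wab.exe; cmdline=wab.exe; parent=C:\Windows\System32\rundll32.exe; user=CORP\jdoe
time=12:14:22; image=C:\Windows\System32\PING.EXE; cmdline=ping -n 1 dc01; parent=C:\Windows\System32\rundll32.exe; user=CORP\jdoe
time=12:15:01; image=C:\Windows\System32\tasklist.exe; cmdline=tasklist /v; parent=C:\Windows\explorer.exe; user=CORP\jdoe
time=12:20:00; image=C:\Windows\System32\tasklist.exe; cmdline=tasklist; parent=C:\Windows\System32\cmd.exe; user=CORP\helpdesk
time=13:00:00; image=C:\Program Files\Windows Mail\wab.exe; cmdline=wab.exe; parent=C:\Windows\explorer.exe; user=CORP\jdoe
"""

SYSTEM_DRIVE = "C:"
DISCOVERY_TOOLS = {"ping.exe", "tasklist.exe", "net.exe", "net1.exe",
                   "nltest.exe", "whoami.exe", "systeminfo.exe"}
# Where the genuine Windows Address Book binary lives; a wab.exe anywhere
# else is a masquerading file, as the beacon on the page was.
WAB_LEGIT_DIRS = ("c:\\program files\\windows mail\\",
                  "c:\\program files (x86)\\windows mail\\")
# A DLL path argument on any drive letter, e.g. "E:\namr.dll,Start".
DLL_ARG = re.compile(r"\b([A-Z]):\\[^\s,]+\.dll\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_line(line: str) -> ProcEvent:
    fields = {}
    for part in line.split("; "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields["time"], fields["image"], fields["cmdline"],
                     fields["parent"], fields["user"])


def rule_lnk_iso_dll_loader(ev: ProcEvent) -> bool:
    """rundll32.exe started by explorer.exe (what a double-clicked LNK looks
    like in process telemetry) with a DLL on a drive other than the system
    drive: a mounted ISO shows up as a new drive letter."""
    if basename(ev.image) != "rundll32.exe" or basename(ev.parent) != "explorer.exe":
        return False
    m = DLL_ARG.search(ev.cmdline)
    return m is not None and m.group(1).upper() + ":" != SYSTEM_DRIVE


def rule_masquerading_wab(ev: ProcEvent) -> bool:
    """A binary named wab.exe outside the Windows Mail directory."""
    return basename(ev.image) == "wab.exe" and not ev.image.lower().startswith(WAB_LEGIT_DIRS)


def rule_discovery_from_injected_host(ev: ProcEvent) -> bool:
    """Discovery utilities spawned directly by rundll32.exe or explorer.exe
    rather than by an interactive shell: consistent with commands issued
    from a beacon injected into those processes."""
    return (basename(ev.image) in DISCOVERY_TOOLS
            and basename(ev.parent) in {"rundll32.exe", "explorer.exe"})


RULES = [
    ("lnk_iso_dll_loader", rule_lnk_iso_dll_loader),
    ("masquerading_wab", rule_masquerading_wab),
    ("discovery_from_injected_host", rule_discovery_from_injected_host),
]


def scan(log_text: str) -> list:
    """Return (time, rule name, process name) for every record matching a rule."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev.time, name, basename(ev.image)))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

On the sample, the helpdesk user's `tasklist` launched from cmd.exe and the genuine wab.exe under Windows Mail are left alone; the rundll32.exe launched from explorer.exe with a DLL on E:, the wab.exe in a Temp directory, and the ping/tasklist children of rundll32.exe and explorer.exe are flagged. The drive-letter rule is the weakest of the three on its own (USB media trips it too) and is best used as the first link in a chain with the later ones.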
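Returning to the ShadowSyndicate research earlier on this page: the pivot it rests on (one SSH host-key fingerprint recurring on many servers, in many countries and on many networks) can be reproduced on scan data. The block below is an added example written for this page, not Group-IB's tooling or data. It computes OpenSSH-style SHA256 fingerprints from base64 host-key blobs, as `ssh-keyscan` prints them, and flags fingerprints whose spread across hosts, countries and ASNs is hard to explain by a single hosting provider cloning an image. All keys, hosts, countries, ASNs and the thresholds are constructed.

```python
"""Pivoting on SSH host-key fingerprints over constructed scan data. The keys,
hosts, countries and ASNs below are made up for this example; nothing here
is Group-IB's data or tooling."""
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ed25519_blob(raw_pubkey: bytes) -> bytes:
    """Public-key blob in the layout ssh-keyscan prints base64-encoded.
    raw_pubkey is 32 bytes of filler here, not a real key."""
    assert len(raw_pubkey) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def fingerprint(key_b64: str) -> str:
    """OpenSSH fingerprint of a host key, as printed by `ssh-keygen -lf`:
    'SHA256:' + base64(sha256(blob)) with the '=' padding removed."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _key(seed: int) -> str:
    """Deterministic filler key so the example runs offline."""
    return base64.b64encode(ed25519_blob(bytes((seed + i) % 256 for i in range(32)))).decode()


KEY_A, KEY_B, KEY_C = _key(0), _key(100), _key(200)

# Constructed observations in the shape (host, country, ASN, base64 host key):
# ssh-keyscan output joined with GeoIP/ASN lookups. Documentation address
# ranges and private-use AS numbers only.
SCAN_RESULTS = [
    ("203.0.113.10",   "PA", "AS64500", KEY_A),
    ("198.51.100.7",   "NL", "AS64501", KEY_A),
    ("192.0.2.55",     "US", "AS64502", KEY_A),
    ("203.0.113.99",   "PA", "AS64503", KEY_A),
    ("198.51.100.200", "DE", "AS64501", KEY_A),
    ("192.0.2.8",      "FR", "AS64504", KEY_B),   # one-off host key
    ("203.0.113.40",   "NL", "AS64501", KEY_C),   # two hosts, one provider:
    ("203.0.113.41",   "NL", "AS64501", KEY_C),   # looks like a cloned VM image
]


def cluster_by_fingerprint(scan):
    """Group observations by host-key fingerprint."""
    clusters = defaultdict(lambda: {"hosts": set(), "countries": set(), "asns": set()})
    for host, country, asn, key in scan:
        c = clusters[fingerprint(key)]
        c["hosts"].add(host)
        c["countries"].add(country)
        c["asns"].add(asn)
    return clusters


def shared_infrastructure(scan, min_hosts=3, min_countries=2, min_asns=2):
    """Fingerprints reused on enough hosts, in enough countries and across
    enough networks that a single hosting provider cloning an image is an
    unlikely explanation; one operator installing the same host key on every
    server it provisions is the more likely one. Thresholds are assumptions."""
    flagged = {}
    for fp, c in cluster_by_fingerprint(scan).items():
        if (len(c["hosts"]) >= min_hosts and len(c["countries"]) >= min_countries
                and len(c["asns"]) >= min_asns):
            flagged[fp] = {"hosts": len(c["hosts"]),
                           "countries": sorted(c["countries"]),
                           "asns": len(c["asns"])}
    return flagged


if __name__ == "__main__":
    for fp, info in shared_infrastructure(SCAN_RESULTS).items():
        print(fp, info)
```

To run the same check on a real key, take the third field of a line from `ssh-keyscan -t ed25519 <host>` and pass it to `fingerprint()`; the result should match `ssh-keygen -lf` on that line. The country and ASN conditions are what separate an operator-controlled fleet from a provider that stamps out identical images, which is the same distinction the researchers drew when ruling out the hosting-service explanation.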