Case Summary

BazarLoader has continued to be one of the preeminent initial access brokers for ransomware threat actors. In July we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain-wide encryption using Conti ransomware. Conti is a top player in the ransomware ecosystem, being listed as 2nd overall in the Q2 2021 Coveware ransomware report. The groups deploying this RaaS have only grown more prevalent. Despite the group having its affiliate guide leaked, which revealed many techniques already covered in previous reports, the groups using the ransomware are unlikely to let up any time soon.

For this intrusion we don't know the initial campaign that deployed the malware, but based on previous information we can assess with high confidence that the delivery vector was a malicious email campaign. At the time of the intrusion, the group was favoring zip attachments containing malicious JavaScript files that download the BazarLoader malware. However, BazarLoader has also been delivered through Word and Excel documents.

In this case we observed the initial activity beginning with a BazarLoader DLL. Upon initial execution on the beachhead, the malware made an initial connection to command and control, and then a few minutes later it performed discovery tasks on the host using Microsoft utilities like net and nltest to discover the domain and users of interest. After this activity, the host went quiet for about one hour before downloading and executing a Cobalt Strike beacon DLL. The threat actors used Cobalt Strike to run additional discovery tasks using Microsoft utilities like net, ping, systeminfo, and Task Manager. The threat actors then began using pass-the-hash with various accounts, which continued several times throughout the intrusion. To see what machines were active in the environment, the threat actors scanned the network for SMB.

Around two and a half hours into the intrusion the threat actors began lateral movement. Lateral movement began with the threat actor transferring an executable to a remote system and then executing it using wmic. This was the primary lateral movement option favored by the threat actor; PowerShell Cobalt Strike beacons, service executable Cobalt Strike beacons, and RDP were all used as well, but less commonly.

Once on remote systems the threat actor used Cobalt Strike to dump LSASS memory for further credentials. After this phase completed, the threat actor's activity faded, but Cobalt Strike continued to beacon out to the C2 server.

About 12 hours later the threat actors became active again. From the domain controller the threat actors continued further lateral movement to more servers in the environment. They also continued further discovery activity, running PowerShell scripts to discover the disk utilization of hosts, review user last login time per host, assess the installed anti-virus software, and track which hosts were online for the threat actors to target.
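The intrusion chain described in this summary (a burst of net/nltest/systeminfo discovery, an SMB sweep of the network, remote execution through wmic, and LSASS memory access for credentials) maps directly onto endpoint telemetry. The Python below is an added example, not code from this report or from The DFIR Report's tooling: it runs four detections over constructed Sysmon-style records (event IDs 1, 3 and 10, with field names borrowed from Sysmon but data invented for the example). The GrantedAccess masks treated as dump-capable, the LSASS allowlist, and the burst and fan-out thresholds are assumptions that would need tuning for a real estate.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries the report names for discovery (net, nltest, systeminfo, ping, Task Manager).
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "nltest.exe", "systeminfo.exe", "ping.exe", "taskmgr.exe"}
# Assumption: Sysmon EID 10 GrantedAccess values commonly logged when a credential
# dumper reads LSASS memory (0x1010 = QUERY_INFORMATION | VM_READ; 0x1fffff = full access).
LSASS_DUMP_MASKS = {"0x1010", "0x1038", "0x1fffff"}
# Assumption: processes expected to open LSASS in this environment (tune per estate).
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}


def ev(ts, host, eid, **fields):
    """Build one constructed Sysmon-like record (naive ISO-8601 timestamp)."""
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "eid": eid}
    rec.update(fields)
    return rec


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Constructed sample telemetry (invented, not from the report): beachhead WS01 runs
# discovery, sweeps SMB, pushes a payload to SRV02 via wmic; the payload reads LSASS.
EVENTS = [
    ev("2021-07-01T09:00:00", "WS01", 1, Image=r"C:\Windows\System32\net.exe",
       CommandLine='net group "domain admins" /domain'),
    ev("2021-07-01T09:00:20", "WS01", 1, Image=r"C:\Windows\System32\nltest.exe",
       CommandLine="nltest /dclist:corp"),
    ev("2021-07-01T09:01:05", "WS01", 1, Image=r"C:\Windows\System32\systeminfo.exe",
       CommandLine="systeminfo"),
    ev("2021-07-01T09:01:30", "WS01", 1, Image=r"C:\Windows\System32\PING.EXE",
       CommandLine="ping -n 1 srv02"),
    *[ev("2021-07-01T09:10:%02d" % i, "WS01", 3, DestinationIp="10.0.1.%d" % (10 + i),
         DestinationPort=445) for i in range(12)],
    ev("2021-07-01T11:30:00", "WS01", 1, Image=r"C:\Windows\System32\wbem\WMIC.exe",
       CommandLine=r'wmic /node:srv02 process call create "C:\ProgramData\update.exe"'),
    ev("2021-07-01T11:30:03", "SRV02", 1, Image=r"C:\ProgramData\update.exe",
       CommandLine="update.exe", ParentImage=r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ev("2021-07-01T11:31:00", "SRV02", 10, SourceImage=r"C:\ProgramData\update.exe",
       TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1010"),
    ev("2021-07-01T11:32:00", "SRV02", 10, SourceImage=r"C:\Program Files\Windows Defender\MsMpEng.exe",
       TargetImage=r"C:\Windows\System32\lsass.exe", GrantedAccess="0x1fffff"),
    # A single benign "net use" on another host must not trip the burst rule.
    ev("2021-07-01T12:00:00", "WS03", 1, Image=r"C:\Windows\System32\net.exe", CommandLine="net use"),
]


def _burst(records, key, window, threshold):
    """Earliest window holding >= threshold distinct key values; None if there is none."""
    records = sorted(records, key=lambda e: e["ts"])
    for i, start in enumerate(records):
        seen = {key(e) for e in records[i:] if e["ts"] - start["ts"] <= window}
        if len(seen) >= threshold:
            return seen
    return None


def detect_discovery_burst(events, window=timedelta(minutes=5), threshold=3):
    """Hosts where >= threshold distinct discovery binaries ran inside `window`."""
    per_host = defaultdict(list)
    for e in events:
        if e["eid"] == 1 and basename(e["Image"]) in DISCOVERY_IMAGES:
            per_host[e["host"]].append(e)
    hits = {}
    for host, recs in per_host.items():
        seen = _burst(recs, lambda e: basename(e["Image"]), window, threshold)
        if seen:
            hits[host] = sorted(seen)
    return hits


def detect_remote_wmic(events):
    """wmic told to create a process on another node: the report's primary lateral-movement method."""
    return [(e["host"], e["CommandLine"]) for e in events
            if e["eid"] == 1 and basename(e["Image"]) == "wmic.exe"
            and "/node:" in e["CommandLine"].lower()
            and "process call create" in e["CommandLine"].lower()]


def detect_lsass_access(events):
    """Sysmon EID 10: a non-allowlisted process opening lsass.exe with a dump-capable mask."""
    return [(e["host"], e["SourceImage"], e["GrantedAccess"]) for e in events
            if e["eid"] == 10 and basename(e["TargetImage"]) == "lsass.exe"
            and e["GrantedAccess"].lower() in LSASS_DUMP_MASKS
            and basename(e["SourceImage"]) not in LSASS_ALLOWLIST]


def detect_smb_fanout(events, window=timedelta(minutes=2), threshold=10):
    """Hosts reaching >= threshold distinct IPs on 445 inside `window` (an SMB sweep)."""
    per_host = defaultdict(list)
    for e in events:
        if e["eid"] == 3 and e.get("DestinationPort") == 445:
            per_host[e["host"]].append(e)
    hits = {}
    for host, recs in per_host.items():
        targets = _burst(recs, lambda e: e["DestinationIp"], window, threshold)
        if targets:
            hits[host] = len(targets)
    return hits


def run_all(events=EVENTS):
    """Run every detection and return the findings keyed by rule name."""
    return {"discovery_burst": detect_discovery_burst(events),
            "remote_wmic": detect_remote_wmic(events),
            "lsass_access": detect_lsass_access(events),
            "smb_fanout": detect_smb_fanout(events)}
```

Each rule on its own is noisy (administrators run net and ping; backup agents and EDR open LSASS), which is why the allowlist and the time-window thresholds exist; in practice the strongest signal is the sequence the report describes, the same source host tripping the discovery and SMB rules and then appearing as the wmic origin shortly before an LSASS open on the target.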