Targeted Threat Actor

I was working a targeted threat actor response, and while we were continuing to collect information for scoping, so we could move to containment, we found that on one day, from one endpoint, the threat actor pushed their RAT installer to 8 endpoints and had the installer launched via a Scheduled Task.
About a week later, we saw that the threat actor had pushed out another version of their RAT to a completely separate endpoint, by dropping the installer into the StartUp folder for an admin account.
The first thing we did once we got started was roll out our EDR tech, and begin getting insight into what was going on...which accounts had been compromised, which were the nexus systems the threat actor was operating from, how they were getting in, etc.
So we found this RAT installer in the StartUp folder for an admin account...a communal admin account.
We found it because in the course of rolling out our EDR tech, the admins used this account to push out their software management platform, as well as our agent...and the initial login to install the software management platform activated the installer.
We grabbed a full image of that endpoint, so we were able to get information from VSCs, including a copy of the original installer file.
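As an added example (not code from the original post), the following PowerShell triage script lists the two persistence points the story turns on: files in every Startup folder on the endpoint, and scheduled tasks registered within a lookback window together with the command each one runs. It assumes local administrator rights on the endpoint and the ScheduledTasks module that ships with modern Windows; the 30-day window is an arbitrary choice for illustration.

```powershell
# Added example, not from the original post: enumerate Startup-folder items and
# recently registered scheduled tasks so an analyst can review them during scoping.
# Assumes it runs with local administrator rights on the endpoint being examined.

# 1. Startup folders: the all-users folder plus each profile's Roaming Startup folder.
#    A file dropped here runs at the next interactive logon of that account, which is
#    why a communal admin account is such a convenient place for an attacker to use.
$startupPaths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$startupPaths += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

$startupItems = foreach ($p in $startupPaths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                # Hash lets the file be matched against the copy recovered from the image/VSCs.
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. Scheduled tasks registered within the lookback window, with what they execute.
$lookbackDays = 30   # arbitrary window chosen for this example
$cutoff = (Get-Date).AddDays(-$lookbackDays)

$taskItems = Get-ScheduledTask | ForEach-Object {
    $task = $_
    # Date is the registration time stored in the task XML; it can be blank, and it
    # is attacker-controlled, so treat an empty or old value as "review anyway".
    $registered = $null
    if ($task.Date) { $registered = [datetime]$task.Date }
    if ($registered -and $registered -lt $cutoff) { return }   # skip tasks older than the window
    $info = $task | Get-ScheduledTaskInfo
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }   # COM-handler actions carry no Execute path
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            RunsAs     = $task.Principal.UserId
            Author     = $task.Author
            Registered = $registered
            LastRun    = $info.LastRunTime
            Command    = ($a.Execute + ' ' + $a.Arguments).Trim()
        }
    }
}

"== Startup folder items =="
$startupItems | Format-Table -AutoSize
"== Scheduled tasks registered in the last $lookbackDays days (or with no registration date) =="
$taskItems | Sort-Object Registered -Descending | Format-Table -AutoSize
```

Run it from an elevated prompt on each endpoint under review, or wrap the two collections in `Export-Csv` to keep them with the case notes. The task registration date is only a lead, not evidence: it is stored in the task XML and can be omitted or set by whoever created the task, which is why the script surfaces undated tasks rather than dropping them.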
The customer didn't have EDR in place prior to our arrival, so there's a lot we likely missed out on, but from what we were able to assemble from host-based historical data, it seemed that the threat actor's plan, at the point we were brought in, was to establish a beachhead.

Pro Bono Legal Case

A number of years ago, I did some work on a legal case.
Jump forward about a year, and the guy who got hired grew disillusioned, and went in one Friday morning, logged into the computer, wrote out a Word document where they resigned, effective immediately.
They sent the document to the printer, then signed it, handed it in, and apparently walked out.
There were suits and countersuits, and I was asked to examine the image of the system after exams had already been performed by law enforcement and an expert from SANS. Using a variety of data sources, including the Registry, the Event Log, and file system metadata, what I found was that on Thursday evening, the day before the guy resigned, at 9pm, someone had logged into the system locally and surfed the web for about 6 minutes.
As part of the legal battle, the guy had witness statements and receipts from the bar he had been at the evening prior to resigning, where he'd been out with friends celebrating.
Further, the employer had testified that they'd sat at the computer the evening prior, but all they'd done was a short web browser session before logging out.
On the surface, what happened was clearly what the former employer described; the former employee came in, typed and printed their resignation, and launched the ransomware executable on their way out the door.
File system metadata, Registry key LastWrite times, and browser history painted a different story altogether.
RAT Removal

During another targeted threat actor response engagement, I worked with a customer that had sales offices in China and was seeing sporadic traffic associated with a specific variant of a well-known RAT coming across the VPN from China.
As part of the engagement, we worked out a plan to have the laptop in question sent back to the states; when we received the laptop, the first thing I did was remove and image the hard drive.
Apparently, the employee/user of the endpoint had been coerced to install the RAT. Using all the parts of the buffalo, we were able to determine that, at one point, the user had logged into the console, attached a USB device, and run the RAT installer.
It turned out that an employee with remote access had somehow ended up with a keystroke logger installed on their home system, which they used to remote into the corporate infrastructure via RDP. This was about 2 weeks before they were scheduled to implement MFA. The threat actor was moving around the infrastructure via RDP, using an account that hadn't previously accessed the internal systems, because there had been no need for the employee to do so.
This incident had to be reported to the PCI Council, but we did so with as complete a picture as possible, which showed that the threat actor was unaware of the files and apparently not interested in credit card or billing data.
This Cyber News was published on windowsir.blogspot.com. Publication date: Sat, 06 Jan 2024 19:13:05 +0000