welcome to netwrkspider

Tuesday, September 22, 2020

APT41 ColdLock Ransomware IOC Details


The attack chain of ransomware incidents in Taiwan

The Trend Micro Security Research team investigated the ColdLock ransomware attack, which targeted the energy industry in Taiwan. The ransomware attack chain is outlined in Figure 1; however, the initial arrival vector of this threat into a victim's network is currently unknown. The analysis focused on how the attacker spreads the ransomware to infect as many machines as possible.

  1. The threat actor enters a victim's network environment and obtains the account username and password of the company headquarters' Active Directory server.
  2. After logging in to the Active Directory server, the threat actor modifies an Active Directory group policy object (GPO). The modified GPO instructs every domain member to create a scheduled task that executes the malware.
  3. In the final step, the subsidiary Active Directory servers and all endpoint machines pull down the scheduled task through group policy and execute the ransomware.


Figure 1. The attacker uses an Active Directory (AD) scheduled task to deploy the ransomware in the customer environment.

Scheduled tasks play a central role in this incident: the threat actors use a scheduled task command to spread through and infect a victim's environment. The screenshot in Figure 2 shows how the threat actor uses SMB and an internal IIS web service to copy "lc.tmp" (the main ransomware loader in this incident) to other hosts in the victim's network. A PowerShell command then executes the main ransomware loader.
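A defender-side check for the GPO-pushed scheduled task described in steps 2 and 3, written as an added example (not Trend Micro's or the blog author's code): it parses a Group Policy Preferences ScheduledTasks.xml, the SYSVOL file a GPO uses to push scheduled tasks to domain members, and flags tasks whose action launches a script interpreter, runs a ".tmp" file like lc.tmp, or points into a world-writable staging directory. The XML sample, task names and paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a GPP ScheduledTasks.xml. The second
# task mirrors the incident: PowerShell launching a ".tmp" loader.
SAMPLE_GPP_XML = """<ScheduledTasks>
 <TaskV2 name="CleanupLogs"><Properties action="C" name="CleanupLogs" runAs="SYSTEM">
  <Task version="1.2"><Actions><Exec>
   <Command>C:\\Windows\\System32\\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments>
  </Exec></Actions></Task></Properties></TaskV2>
 <TaskV2 name="WindowsUpdateCheck"><Properties action="C" name="WindowsUpdateCheck" runAs="SYSTEM">
  <Task version="1.2"><Actions><Exec>
   <Command>powershell.exe</Command>
   <Arguments>-w hidden -c Start-Process C:\\Windows\\Temp\\lc.tmp</Arguments>
  </Exec></Actions></Task></Properties></TaskV2>
</ScheduledTasks>"""

# Indicators derived from the attack chain above; extend with local knowledge.
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")
STAGING_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\")
TASK_TAGS = ("Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2")

def _local(tag):
    """Strip an XML namespace prefix so lookups work with or without one."""
    return tag.rsplit("}", 1)[-1]

def audit_gpp_tasks(xml_text):
    """Return (task_name, reasons) for every GPO task whose action looks suspicious."""
    findings = []
    for task in ET.fromstring(xml_text):
        if _local(task.tag) not in TASK_TAGS:
            continue
        # Join Command and Arguments into one lower-cased command line.
        cmdline = " ".join(
            (e.text or "") for e in task.iter() if _local(e.tag) in ("Command", "Arguments")
        ).lower()
        reasons = []
        if any(cmdline.startswith(i) or "\\" + i in cmdline for i in INTERPRETERS):
            reasons.append("script interpreter as task action")
        if ".tmp" in cmdline:
            reasons.append("executes a .tmp file (lc.tmp pattern)")
        if any(d in cmdline for d in STAGING_DIRS):
            reasons.append("path in a world-writable staging directory")
        if reasons:
            findings.append((task.get("name", "?"), reasons))
    return findings

if __name__ == "__main__":
    for name, reasons in audit_gpp_tasks(SAMPLE_GPP_XML):
        print(f"[!] {name}: {'; '.join(reasons)}")
```

Run it against every `ScheduledTasks.xml` under the domain's SYSVOL Policies tree to spot a task pushed the way step 2 describes.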





