The attack chain of ransomware incidents in Taiwan
The Trend Micro Security Research team investigated the ColdLock ransomware attack, which targeted the energy industry in Taiwan. The ransomware attack chain is outlined in Figure 1; however, we currently do not know the initial arrival vector of this threat into a potential victim's network. Our analysis focused on the way the attacker spreads the ransomware to infect as many machines as possible.
- The threat actor enters a victim's network environment and obtains the account username and password of the company headquarters' Active Directory (AD) server.
- After logging in to the AD server, the threat actor modifies a group policy object on it: the modified GPO instructs all domain members to create a scheduled task that executes the malware.
- In the final step, the other subsidiary AD servers and all the endpoint machines download the scheduled task through group policy and execute the ransomware.
Figure 1. The attacker uses an Active Directory (AD) scheduled task to deploy the ransomware in the customer environment.
Scheduled tasks play a central role in this incident: the threat actors use a scheduled task command to spread the ransomware through a victim's environment. The screenshot in Figure 2 shows how the threat actor uses SMB and an internal IIS web service to copy "lc.tmp" (the main ransomware loader in this incident) to other hosts in the victim's environment. A PowerShell command then executes the main ransomware loader.
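As an added example (not from the Trend Micro write-up and not ColdLock code), the following Python sketch shows how a defender could hunt for the pattern described above in Windows Security log Event ID 4698 ("A scheduled task was created") records. It parses the Task Scheduler XML carried in the event's TaskContent field, flags an Exec action that runs an interpreter such as PowerShell against a ".tmp" payload pulled from a UNC path with a hidden window, and reports any task name that appears on several hosts within a short window, which is the fan-out a GPO push produces. The event records, the task name \Sync\Update, the host names, the share \\HQ-DC01\netlogon and the timestamps are all constructed for the example; the field names mirror the real 4698 event, and the thresholds are assumptions to tune per environment.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta
from xml.sax.saxutils import escape

# Namespace of the Task Scheduler XML embedded in Event ID 4698's TaskContent field
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Interpreters that typically serve as a one-line loader for a dropped file
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b", re.I)

# Argument traits worth flagging, checked in this order: a ".tmp" file used as
# the payload, a UNC path as the payload source, an encoded or hidden-window run
ARG_TRAITS = {
    "tmp_payload": re.compile(r"\.tmp\b", re.I),
    "unc_source": re.compile(r"\\\\[\w.-]+\\"),
    "encoded_or_hidden": re.compile(
        r"-(enc|encodedcommand|w(indowstyle)?\s+hidden)\b", re.I),
}


def parse_task_actions(task_xml):
    """Return [(command, arguments), ...] for every <Exec> action in Task Scheduler XML."""
    root = ET.fromstring(task_xml)
    actions = []
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd.strip(), args.strip()))
    return actions


def score_event(event):
    """List the reasons a 4698 record looks like a pushed loader task (empty = nothing flagged)."""
    reasons = []
    for cmd, args in parse_task_actions(event["TaskContent"]):
        if INTERPRETERS.search(cmd):
            reasons.append("interpreter:" + cmd)
        for name, pattern in ARG_TRAITS.items():
            if pattern.search(args) and name not in reasons:
                reasons.append(name)
    return reasons


def find_mass_deployments(events, window=timedelta(minutes=30), min_hosts=3):
    """Return {task_name: [hosts]} for task names created on at least min_hosts distinct
    machines inside one time window; that fan-out is what a GPO push produces."""
    by_task = defaultdict(list)
    for ev in events:
        by_task[ev["TaskName"]].append((ev["Time"], ev["Computer"]))
    hits = {}
    for task, seen in by_task.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            hosts = {host for t, host in seen[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits[task] = sorted(hosts)
                break
    return hits


def make_event(ts, computer, task_name, command, arguments):
    """Constructed stand-in for a parsed 4698 record: TaskName and TaskContent come from the
    event's EventData, Computer from its System section (field names mirror the real event)."""
    xml = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Actions><Exec>'
           f"<Command>{escape(command)}</Command><Arguments>{escape(arguments)}</Arguments>"
           "</Exec></Actions></Task>")
    return {"Time": ts, "Computer": computer, "TaskName": task_name, "TaskContent": xml}


# Constructed sample: four workstations receive the same task within minutes
# (the pushed loader), plus one unrelated backup task on a file server.
T0 = datetime(2020, 5, 4, 2, 0, 0)
LOADER_ARGS = (r'-w hidden -c "Copy-Item \\HQ-DC01\netlogon\lc.tmp C:\Windows\Temp; '
               r'Start-Process C:\Windows\Temp\lc.tmp"')
SAMPLE_EVENTS = [
    make_event(T0 + timedelta(minutes=i), f"WS-{i:03d}", r"\Sync\Update",
               "powershell.exe", LOADER_ARGS)
    for i in range(4)
] + [
    make_event(T0 + timedelta(hours=1), "FS-01", r"\Backup\Nightly",
               r"C:\Program Files\Backup\backup.exe", "/full"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], ev["TaskName"], score_event(ev) or "clean")
    print("mass deployments:", find_mass_deployments(SAMPLE_EVENTS))
```

The two checks are deliberately independent: score_event looks at the content of one task and works on a single host, while find_mass_deployments needs 4698 events collected centrally from many hosts, since the GPO push only stands out when the same task name lands on many machines at once. A GPO change itself can additionally be watched through Event ID 5136 on the domain controllers, which is not covered by this sketch.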
| SHA 256 | Malware Family |
|---|---|
| 2367326f995cb911c72baadc33a3155f8f674600 | NTDSDump |
| 75e49120a0238749827196cebb7559a37a2422f8 | COLDLOCK |
| 5b9b7fb59f0613c32650e8a3b91067079bcb2fc2 | COLDLOCK |
| e7aa8f55148b4548ef1ab9744bc3d0e67588d5b7 | COLDLOCK |
| ad6783c349e98c2b4a8ce0b5c9207611309adca7 | COBALTSTRIKE |
| 29cc0ff619f54068ce0ab34e8ed3919d13fa5ee9 | COLDLOCK |
| 2051f0a253eced030539a10ebc3e6869b727b8a9 | COLDLOCK |
| a2046f17ec4f5517636ea331141a4b5423d534f0 | COLDLOCK |
| 03589dffe2ab72a0de5e9dce61b07e44a983d857 | COBALTSTRIKE |
| 9d6feb6e246557f57d17b8df2b6d07194ad66f66 | COLDLOCK |
| 28d172e374eebc29911f2152b470528fc695662e | PWDDUMPER |
| 574fb6a497c032f7b9df54bc4669d1eb58d78fb4 | ASPSHELL |
# C&C
104.233.224.227