
Threat Actor Connected to Play, RansomHub and DragonForce Ransomware Operations

The attacker deployed multiple malware families, including two backdoors and a proxy tunneller, and various reconnaissance tools.


Analysis of the malware and tools used in an intrusion links a threat actor to three different ransomware-as-a-service (RaaS) operations, threat intelligence firm The DFIR Report says.

The attack occurred in September 2024 and began with the victim executing a malicious file posing as DeskSoft’s world clock application EarthTime, which deployed the .NET-based SectopRAT malware on the system.

The malicious application was signed with a revoked code-signing certificate issued to Brave Pragmatic Network Technology, a signer whose certificates have appeared on multiple malware samples, whether because the company is a front or because its signing key was stolen. Revocation on its own does not stop such a binary from running: Windows will still execute it, and only application-control policy or tooling that checks signature status will surface the problem.

After establishing persistence, the threat actor created a new local account and added it to the Administrators group, deployed the SystemBC proxy tunnelling tool, compromised the domain controller via RDP, and started enumerating hosts using built-in Windows utilities such as ipconfig and nltest.
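The account-creation-then-RDP sequence described above leaves a recognisable trail in the Windows Security log: 4720 (user account created), 4732 (member added to a security-enabled local group, here Administrators, SID S-1-5-32-544) and 4624 with LogonType 10 (RemoteInteractive, i.e. RDP). The correlation below is an added example, not code from the article or from The DFIR Report; the event records are constructed, with field names taken from the EventData names Windows uses, and the 24-hour window is an arbitrary tuning choice.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
RDP_LOGON_TYPE = "10"                 # 4624 LogonType 10 = RemoteInteractive (RDP)

# Constructed sample records (not real telemetry), one dict per Security event.
# Field names follow the EventData names Windows uses in each event.
SAMPLE_EVENTS = [
    {"time": "2024-09-10T08:00:00", "host": "DC01", "id": 4624,
     "TargetUserName": "jdoe", "LogonType": "10", "IpAddress": "10.0.0.7"},
    {"time": "2024-09-10T09:01:05", "host": "WS01", "id": 4720,
     "TargetUserName": "svc_backup2", "TargetSid": "S-1-5-21-111-222-333-1105",
     "SubjectUserName": "jdoe"},
    {"time": "2024-09-10T09:01:07", "host": "WS01", "id": 4732,
     "MemberSid": "S-1-5-21-111-222-333-1105", "TargetSid": ADMINISTRATORS_SID,
     "SubjectUserName": "jdoe"},
    {"time": "2024-09-10T09:14:40", "host": "WS01", "id": 4624,
     "TargetUserName": "svc_backup2", "LogonType": "10", "IpAddress": "10.0.0.25"},
    {"time": "2024-09-10T10:00:00", "host": "WS02", "id": 4720,
     "TargetUserName": "intern1", "TargetSid": "S-1-5-21-444-555-666-1200",
     "SubjectUserName": "helpdesk"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def find_new_admin_rdp(events, window=timedelta(hours=24)):
    """Return one alert per account that is created (4720), added to the local
    Administrators group (4732) and then used for an RDP logon (4624, type 10),
    all within `window` of the creation event.

    4720 and 4732 are joined on the account SID (TargetSid / MemberSid); the
    4624 is joined on the account name, because a local account's SID is not
    what appears when it logs on to another host."""
    alerts = {}
    created = {}      # account SID -> 4720 event
    elevated = set()  # SIDs that were added to Administrators
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = ev
        elif ev["id"] == 4732 and ev.get("TargetSid") == ADMINISTRATORS_SID:
            sid = ev.get("MemberSid")
            if sid in created and _ts(ev) - _ts(created[sid]) <= window:
                elevated.add(sid)
        elif ev["id"] == 4624 and ev.get("LogonType") == RDP_LOGON_TYPE:
            for sid in elevated:
                c = created[sid]
                if c["TargetUserName"] != ev["TargetUserName"]:
                    continue
                if not (timedelta(0) <= _ts(ev) - _ts(c) <= window):
                    continue
                a = alerts.setdefault(c["TargetUserName"], {
                    "account": c["TargetUserName"],
                    "created_on": c["host"],
                    "created_by": c["SubjectUserName"],
                    "rdp_logons": [],
                })
                a["rdp_logons"].append((ev["host"], ev["IpAddress"], ev["time"]))
    return [alerts[k] for k in sorted(alerts)]


if __name__ == "__main__":
    for alert in find_new_admin_rdp(SAMPLE_EVENTS):
        print(alert)
```

Only `svc_backup2` is flagged: `jdoe`'s earlier RDP session has no preceding account creation, and `intern1` is created but never elevated or used over RDP. In production the same join would run over 4720/4732/4624 pulled from a SIEM, and the `created_by` field is the first pivot for scoping, since it names the already-compromised account that did the creating.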

Using RDP to connect to various servers, the attacker then deployed SystemBC across the environment, and executed PowerShell scripts on a backup server to recover the credentials stored by Veeam. The threat actor was also seen accessing the victim's file server via RDP and exfiltrating data from it.

“They carried out further discovery activity with the use of AdFind for AD queries, PowerShell Cmdlets to collect host data, SharpHound for directory mapping, and SoftPerfect NetScan to scan remote hosts,” The DFIR Report says.


Six days after initial access, the threat actor used SectopRAT to deploy a second backdoor, named Betruger, and performed additional reconnaissance by executing various commands on the domain controller.

Betruger consolidates capabilities observed in multiple pre-ransomware tools in a single executable, allowing attackers to take screenshots, log keystrokes, escalate privileges, perform network discovery, and steal credentials.

“This extensive functionality suggests that Betruger was explicitly developed to streamline ransomware operations by reducing the number of distinct tools that need to be deployed on a compromised network during the preparation phase of an attack,” The DFIR Report notes.

During the attack, the threat actor also used the legitimate PsExec utility for privilege escalation, the Grixba data-gathering tool for further discovery, modified registry keys to disable Windows Defender security features, and performed what appears to be timestomping, altering file timestamps to frustrate forensic timeline reconstruction.

They were also seen using information stealers, dumping Veeam databases, and performing DCSync attacks to harvest credentials from the compromised systems.
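DCSync abuses the directory replication protocol: any identity holding the replication control-access rights on the domain object can ask a domain controller for every account's password hashes. On a DC with auditing of directory service access enabled, each such request is logged as Security event 4662 whose Properties field lists the requested right GUIDs, so the detection is simply "replication rights requested by anything that is not a domain controller". The code below is an added example, not from the article or from The DFIR Report; the 4662 records are constructed, the GUIDs are the published DS-Replication-Get-Changes rights, and the `MSOL_` prefix allow-list for directory-sync service accounts is a tuning assumption for a typical environment rather than something the article describes.

```python
# Control-access right GUIDs as they appear in the Properties field of a 4662 event.
# Requesting the first two against the domain object is exactly what DCSync does.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS_MASK = 0x100   # AccessMask bit for "control access" operations

# Constructed sample 4662 events (not real telemetry); field names as in EventData.
SAMPLE_4662 = [
    # Normal replication: a domain controller's computer account pulling changes.
    {"time": "2024-09-12T03:00:01", "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # DCSync: an ordinary user account requesting full replication rights.
    {"time": "2024-09-12T03:12:44", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Directory-sync service account, allow-listed by name prefix below (assumption).
    {"time": "2024-09-12T03:30:00", "SubjectUserName": "MSOL_3f9a1b2c7d1e", "SubjectDomainName": "CORP",
     "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Unrelated 4662 (a property read with a placeholder GUID); must be ignored.
    {"time": "2024-09-12T03:31:00", "SubjectUserName": "jdoe", "SubjectDomainName": "CORP",
     "AccessMask": "0x10",
     "Properties": "%%7684\n\t{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights(ev):
    """Names of the replication control-access rights present in a 4662's Properties."""
    props = ev.get("Properties", "").lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]


def detect_dcsync(events, dc_accounts, allow_prefixes=("MSOL_",)):
    """Flag 4662 events that request replication rights from any identity that is
    neither a known domain controller computer account nor an allow-listed
    directory-sync account. `dc_accounts` holds names such as "DC01$"."""
    dcs = {a.upper() for a in dc_accounts}
    alerts = []
    for ev in events:
        if int(ev.get("AccessMask", "0"), 16) & CONTROL_ACCESS_MASK == 0:
            continue                      # not a control-access operation
        rights = replication_rights(ev)
        if not rights:
            continue                      # some other extended right
        user = ev["SubjectUserName"]
        if user.upper() in dcs:
            continue                      # DC-to-DC replication is expected
        if any(user.upper().startswith(p.upper()) for p in allow_prefixes):
            continue                      # known sync identity
        alerts.append({
            "time": ev["time"],
            "user": f'{ev["SubjectDomainName"]}\\{user}',
            "rights": rights,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, dc_accounts={"DC01$", "DC02$"}):
        print(alert)
```

The list of DC computer accounts should come from the Domain Controllers OU rather than being hard-coded, and any allow-list entry deserves periodic review: an attacker who obtains a sync account's credentials gets the same replication rights that make DCSync work in the first place.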

“Throughout the intrusion, the threat actor used multiple defense evasion techniques, including process injection, timestomping, disabling Microsoft Defender’s protections, and deploying binaries with spoofed metadata to disguise themselves as legitimate cybersecurity tools such as SentinelOne and Avast Antivirus,” The DFIR Report says.

The intrusion was building toward ransomware deployment, the cybersecurity firm notes. No file-encrypting malware was executed, but the threat actor systematically archived data from the compromised systems and exfiltrated it via FTP, the data-theft stage that precedes encryption in double-extortion operations.

According to The DFIR Report, the threat actor can be linked to three RaaS operations based on the tools employed during the attack: Grixba is a custom tool used by the Play ransomware group, Betruger is commonly deployed by RansomHub affiliates, and an output file associated with NetScan points to a DragonForce compromise. Tool overlap is a weak attribution signal on its own; affiliates routinely work with more than one RaaS program, so the simpler reading is a single affiliate with access to all three toolsets rather than three groups sharing one intrusion.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
