Ransomware is used by hackers to abuse victims’ data, locking it until a ransom is paid.
This method of cyber attack is profitable as it takes advantage of data’s proximity and vitality to individuals and companies, so they have no choice but to pay for quick returns.
An invasion started with an email containing a forked IcedID variant that emphasized payload delivery.
After gaining initial access, the intruder installed ScreenConnect on the computer for remote control, abusively utilized Cobalt Strike beacons, and deployed CSharp Streamer RAT to gain credentials and move laterally within domain controllers and servers.
During the identification phase, sensitive information was placed in ‘confucius_cpp,’ a special program of which rclone showed the extraction.
With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis
For eight days, they performed a systematic deployment of ScreenConnect installers across hosts using WMI before finally delivering ALPHV ransomware payloads after deleting backups.
ALPHV Ransomware Deployment
The malicious spam electronic mail, which tricked the prey into downloading and unzipping a folder with a readme and Visual Basic Script (VBS), served as the initial access vector.
Activating VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran another IcedID DLL payload, completing the infection chain, reads the DFIR report.
This is consistent with a known malicious activity where the same technique was employed to distribute an IcedID fork that deals with payload deployment instead of banking activities.
The threat actor deployed ScreenConnect remote access tools using disguised installation programs that operated through wmiexec and RDP sessions.
Several techniques were employed to extract Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell.
CSharp Streamer RAT kept persistence via scheduled tasks in LSASS credential dumping, lateral movement, and C2 communications.
IcedID ensured its persistence by using scheduled tasks, while ScreenConnect was made persistent across reboots.
During lateral movement into winlogon.exe and rundll32.exe, process injection was observed. Renamed installers were deleted by the actor.
Key activities involved LSASS credential dumping, which was validated through memory analysis, and dcsync was performed from the beachhead to a domain controller for credential harvesting.
This was followed by the threat actor conducting initial recognition using native Windows utilities launched through IcedID and subsequently exploiting ScreenConnect for more reconnaissance commands.
SoftPerfect netscan for network scanning took place on different days, targeting IP ranges plus ports of RPC, SMB, RDP, and Veeam backups.
ScreenConnect installers were then laterally copied via SMB and became deployed with wmiexec.py to get remote control. The attacker extensively used RDP for lateral movement including proxying through CSharp Streamer.
Before exfiltration, a custom tool called confucius_cpp enumerated systems by LDAP query, accessed shares based on keywords, and compressed sensitive information. The attacker also opened documents using the Firefox installation.
The threat actor leveraged multiple tools during the intrusion:-
- IcedID for initial access communicating with modalefastnow[.]com
- Cobalt Strike beacons across hosts connecting to tracked C2 infrastructure
- CSharp Streamer RAT at 109.236.80.191 using WebSockets over rotating ports
- ScreenConnect remote access tools deployed via renamed binaries executed through wmiexec.py
While Firefox was used for document preview and downloading rclone, which was executed through a VBS script for data exfiltration.
The final payload was ALPHV ransomware, staged on the backup server then deployed across hosts via xcopy and WMI-initiated execution after deleting backups.
A ransom note referencing the group’s Twitter was left post-encryption.
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo