Threat actors successfully deployed BlackSuit ransomware after maintaining access to a compromised network for 15 days. The intrusion, which began in December 2023, showcases the patience and methodical approach of modern cybercriminals.
The attack commenced with the execution of a Cobalt Strike beacon, a popular tool among hackers for its versatility in remote access and post-exploitation activities. Initially, the threat actors focused on reconnaissance, using Windows utilities like systeminfo and nltest to gather information about the compromised system and its environment.
As the intrusion progressed, the attackers employed a variety of sophisticated techniques to expand their foothold within the network. They conducted AS-REP Roasting and Kerberoasting attacks against domain controllers, leveraging tools such as Rubeus and Sharphound to harvest credentials and map the network structure.
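A detection a SOC could run for the two Kerberos attacks named above, written as an added example that is not from the original article or from The DFIR Report: it scans constructed sample Windows Security events (every account name, SPN and address below is hypothetical) for TGT requests that skip pre-authentication (the AS-REP Roasting signal) and for one client pulling RC4 service tickets for several SPNs (the Kerberoasting signal).

```python
"""Flag AS-REP Roasting and Kerberoasting patterns in Security log events
4768 (TGT request) and 4769 (service ticket request) as logged on a DC."""

# Constructed sample events using the field names of the real 4768/4769
# records; values are invented for the example, not taken from the incident.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "MSSQLSvc/sql01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "HTTP/intranet",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "CIFS/files01",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.23"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "HTTP/intranet",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.5.40"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "CIFS/files02",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.5.40"},
]

RC4_HMAC = "0x17"          # crackable offline; AES tickets are 0x11/0x12
KERBEROAST_THRESHOLD = 3   # distinct RC4 SPN tickets from one client


def find_asrep_roast(events):
    """Accounts whose TGT was issued with PreAuthType 0: pre-authentication
    is disabled, so the encrypted AS-REP part can be cracked offline."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})


def find_kerberoast(events, threshold=KERBEROAST_THRESHOLD):
    """Clients requesting RC4 service tickets for many distinct SPNs.
    krbtgt and machine accounts (names ending in $) are normal and excluded."""
    per_client = {}
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        per_client.setdefault(e["IpAddress"], set()).add(svc)
    return {ip: sorted(s) for ip, s in per_client.items() if len(s) >= threshold}


if __name__ == "__main__":
    print("AS-REP roastable:", find_asrep_roast(SAMPLE_EVENTS))
    print("Kerberoast suspects:", find_kerberoast(SAMPLE_EVENTS))
```

The threshold and RC4 filter are the noisy parts in practice: tune them against a baseline of legitimate RC4 use before alerting.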
The threat actors demonstrated their ability to move laterally within the network, compromising additional workstations and servers. They utilized multiple Cobalt Strike beacons and Remote Desktop Protocol (RDP) connections to maintain persistent access across the infrastructure.
In a notable development, the DFIR researchers observed that the attackers deployed SystemBC, a tool frequently used by ransomware groups to establish proxy connections. This allowed them to reach the local network from external computers, further facilitating their malicious activities.
Throughout the intrusion, the threat actors employed various evasion techniques, including routing their command and control traffic through CloudFlare to conceal their Cobalt Strike server. They also used process injection to hide within legitimate processes, making detection more challenging.
After two weeks of careful preparation, the attackers launched their final payload. They distributed the BlackSuit ransomware executable, named qwe.exe, to key endpoints using SMB shares. To ensure accurate execution, they included a text file with precise command-line arguments, minimizing the risk of errors during the critical encryption phase.
BlackSuit Ransomware Attack Timeline:
Initial Access (December 2023):
A Cobalt Strike beacon was executed, marking the start of the intrusion.
Early Reconnaissance (Day 1):
The threat actor used Windows utilities for system enumeration and conducted AS-REP Roasting and Kerberoasting attacks against domain controllers.
Lateral Movement (Day 2):
Multiple Cobalt Strike beacons were deployed on workstations and servers. RDP was used for further lateral movement.
Command and Control Shift (Day 7):
The Cobalt Strike command and control domain switched from CloudFlare to an Amazon AWS IP address.
Further Infiltration (Days 8-13):
More Cobalt Strike beacons were distributed, along with RDP logins and additional discovery activities.
Final Stage and Ransomware Deployment (Day 15):
The threat actor executed ADFind and a PowerShell script. BlackSuit ransomware (qwe.exe) was distributed via SMB to remote systems and manually executed through RDP connections.
The total Time to Ransomware (TTR) was approximately 328 hours, or 15 calendar days, from initial access to the final ransomware deployment.
BlackSuit ransomware's most recent high-profile attack targeted automotive IT firm CDK Global, where the actors “demanded tens of millions of dollars in ransom,” according to an anonymous source.