Researchers uncovered two previously unknown endpoints with older Cortex XDR agents that used to test an AV/EDR bypass tool were compromised, granting unauthorized access.
The threat actor utilized a bypass tool, likely purchased from cybercrime forums, to compromise the system.
Subsequent analysis of recovered files and digital footprints revealed the identity of one of the attackers, providing insights into their personal and professional life.
The disabler.exe tool, derived from EDRSandBlast source code, targets and removes EDR hooks in user-mode and kernel-mode by leveraging a vulnerable driver, wnbios.sys or WN_64.sys, for privileged access.
Build an in-house SOC or outsource SOC-as-a-Service -> Calculate Costs
The rogue system’s “Z:freelance” directory contained usernames potentially linked to cybercrime affiliates.
By searching forums like XSS and Exploit, “Marti71” was identified as a likely suspect due to their consistent activity and posts seeking AV/EDR bypass tools.
They found a potential solution advertised by KernelMode on an online forum, with positive feedback from other users. However, the exact nature of the tool and its developer remain unclear.
The threat actor demonstrated a tool capable of bypassing multiple AV/EDR agents, enabling successful Mimikatz execution, which was confirmed by comparing identical tool demonstration recordings found on both the rogue system and the actor’s shared archive.
Analysis of captured files from DESKTOP-J8AOTJS reveals a compressed archive (ContiTraining.rar) containing a torrent file (ContiTraining.torrent) created in 2021, which points to publicly leaked Conti attacker materials, including penetration testing tools and exploit manuals.
The folder contained sensitive PII, device details, and authentication credentials. It also included various hacking tools, such as AV/EDR bypass tools, Mimikatz, and kernel driver utilities.
Additionally, the folder held materials related to code obfuscation, anti-cheat bypass, and a presentation on compiler obfuscation, suggesting potential malicious intent and advanced technical capabilities.
The threat actor accessed and exfiltrated sensitive financial information, including P-1 forms, from a compromised system, potentially exposing details about companies and individuals involved in transactions within Kazakhstan.
The video evidence suggests that threat actors are using virtual machines to bypass AV/EDR tools, potentially targeting Mikrotik routers through WinBox.
The unconventional management console URL and the presence of OBS Studio indicate a sophisticated setup for recording and sharing these attacks.
The attackers used Atera, Cobalt Strike, PsExec, and Rclone, mirroring Conti’s TTPs. The Cobalt Strike watermark links the attack to Conti and Dark Scorpius, but ransomware was not deployed.
The threat actor, Andry, a Kazakhstani employee, was exposed due to an OpSec failure. His LinkedIn and VKontakte profiles and company website revealed his identity and potential connections.
An individual identified as KernelMode, likely a developer of an AV/EDR bypass tool, was linked to rogue system hosting tool demonstrations. However, while this individual was an active system user, their ownership and direct involvement in the attack remain uncertain.
The recent trend of AV/EDR bypass tools continues to evolve as threat actors monetize these tools on underground forums, regularly updating them. This exposes a rogue system, revealing a threat actor’s toolkit and identity.
According to Unit 42, organizations should enable agent tampering protection and block indicators of compromise to mitigate this issue.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!