Security researchers have found a trove of threat actor tools that can bypass security defenses like Windows Defender and Malwarebytes, delete backups, disable systems, and many more malicious processes.
The threat actors are using tools like SLiver, Ngrok, SystemBC and PoshC2 to communicate with their Command-and-control (C2) servers. The tools have likely been used in ransomware intrusions in a campaign that dates to at least September 2023, and activity has continued into August 2024.
Threat Actor Tools Found in Open Directory
In December 2023, DFIR threat researchers discovered an open directory containing batch scripts designed for defense evasion and executing command and control (C2) payloads, deleting backups, and disabling SQL, Hyper-V, antivirus tools, and Exchange servers.
Their investigation also revealed the use of tools like Ngrok, SystemBC, and C2 frameworks Sliver and PoshC2. The tools have likely been developed for ransomware intrusion activities. The threat actors have been active since September 2023, with the latest activity observed in August 2024.
The open directory contains a wide range of batch scripts, each crafted for different stages of an attack and aimed at both Windows and Linux systems. These scripts are integral to the attacker’s operations, performing tasks such as disabling security measures, stopping critical services, and establishing command and control channels.
Scripts Developed for Three Attack Phases
In an analysis of the findings, Cyble threat researchers broke down the scripts into three attack phases:
Defense Evasion: These batch scripts are designed to disable endpoint security and antivirus software, making it easier for attackers to avoid detection. This includes terminating processes associated with antivirus tools and stopping security-related services, such as those related to SQL, Hyper-V, and Exchange servers.
Persistence and Privilege Escalation: Some scripts are aimed at gaining and maintaining elevated privileges within the compromised environment. This includes deleting backups, wiping event logs, and managing the installation or removal of remote monitoring (RMM) tools like Atera, which could be used for continued access and control.
Command and Control: The scripts also set up and maintain communication channels with the attacker’s C2 servers. Tools like Ngrok and SystemBC and well-known frameworks such as Sliver and PoshC2 are employed to tunnel traffic, relay commands, and exfiltrate data, ensuring ongoing control over the compromised systems.
Cyble researchers said that “By analyzing these scripts in detail, we can better understand the attacker’s strategy and the specific techniques they employ to execute, sustain, and conceal their operations across various stages of their attack campaign.”
Here are the scripts, 24 in all:
| File Name | Description |
| atera_del.bat / atera_del2.bat | Removes Atera remote management agent |
| backup.bat | Deletes all system state and general backups, removes all shadow copies, and ignores all boot failures |
| clearlog.bat | Deletes Windows event logs, clears recycle bin, and removes registry keys related to the terminal server client |
| cmd.cmd | Disables UAC and modifies registry settings, including RDP settings |
| defendermalwar.bat | Disables Windows Defender, alters user account control settings and uninstalls Malwarebytes |
| delbackup.bat | Deletes all system state backups, backup catalogs, shadow copies, and alters boot configuration to ignore failures |
| disable.bat | Stops and disables services related to Microsoft SQL and Exchange, various database services, and additional system services |
| hyp.bat | Deletes various Hyper-V, SQL, and Firebird server services; stops a wide range of system and third-party services on Windows machines |
| LOGOFALL.bat | Lists all user sessions and logs off each session except the first one |
| LOGOFALL1.bat | Attempts to log off all sessions up to the 20th session, excluding the current user’s session |
| NG1.bat | Contains a Ngrok authentication token that runs on port 3389 (RDP) |
| NG2.bat | Contains a Ngrok authentication token that also runs on port 3389 (RDP) |
| Ngrok.exe | Legitimate tool abused for proxy purposes |
| ON.bat | Ensures network services are running and set to start automatically |
| Posh_v2_dropper_x64.e xe | PoshC2 dropper, a PowerShell-based C2 executable |
| native_dropper | Linux version of Posh_v2_dropper_x64.exe |
| poshc2+user.txt | Text file with PowerShell one-liners to execute the PoshC2 agent and perform further post-exploitation actions |
| py_dropper.sh | Bash shell script to execute a Python dropper for PoshC2 |
| Setup_uncnow.msi | Atera remote admin tool installer |
| shadow.bat / shadowGuru.bat | Deletes multiple registry keys related to security tools and creates network shares with full access permissions for multiple disk drives |
| VmManagedSetup.exe | SystemBC malware executable |
| WILD_PRIDE.exe | Sliver C2 framework executable |
| z.bat | Removes services and processes associated with Hyper-V, multiple AV programs, SQL, and other specific services |
| z1.bat | Automates disabling of processes, services, registry modification, and other defense evasion techniques |
Indicators of Compromise and MITRE ATT&CK Techniques Observed
Below are the indicators of compromise (IoCs) and MITRE ATT&CK techniques observed in the PoshC2 threat actors’ arsenal.
