The threat actors have been spotted increasingly depending on Remote Management and Monitoring (RMM) tools, which resulted in a relatively botched Hive ransomware distribution.
The original payload consisted of an executable file disguised as a legitimate document.
According to Huntress, this campaign was most likely distributed by email, with a link that, when clicked, downloaded the executable.
The DFIR reports that the initial access method needed the end user to be a local Administrator, as less privileged users would cause the installation to fail.
Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware
How the Attack is Carried Out?
The threat actor launched discovery commands through ScreenConnect around an hour after execution, utilizing basic Windows tools such as system info, ipconfig, and net.
After a few minutes, the threat actor executed a BITS transfer task to deploy a Cobalt Strike beacon.
The threat actor utilized ScreenConnect to download additional binary after being idle for an hour. This new file contained a trojanized ApacheBench executable with Metasploit shellcode hidden inside it.
The shellcode would start a Meterpreter command and control channel when it was run. The threat actor launched a new command and control channel and then transitioned to lateral movement by launching PowerShell and MSI installers for Atera and Splashtop on a server via remote services.
More BITS transfers were seen to create more Cobalt Strike footholds. Reports say the threat actor executed a batch file that used PowerShell’s built-in tools to retrieve Active Directory data. The threat actor examined file shares and backups on the network using these RDP connections.
The threat actor launched the Hive ransomware as the first step in their ultimate operation. They altered the administrator’s password before manually running the ransomware on many important servers.
To perform domain-wide encryption, the threat actor placed the ransomware binary on a network share. Then he built a new domain-wide GPO with a scheduled job to execute the ransomware binary on each domain-joined machine.
Also, the threat actor then tried to encrypt the whole domain after these manual ransomware operations.
Researchers say the time to ransomware (TTR) from initial access was 61 hours. The threat actor erased beneficial artifacts during their attack to hide their presence. According to the research, attackers used remote services for lateral movement.
Managed endpoint solutions enable organizations to scan for threats manage, resolve, and prevent data breaches. Try for Free Today!