Security experts spotted an interesting case of a suspected ransomware attack that used bespoke tools typically used by APT (Advanced Persistent Threat) groups.
Although no concrete link between the attackers and an APT group has been established, the operational tactics, targeting scope and customization capabilities of the malware indicate a potential connection.
As detailed in a report sent to Bleeping Computer by Security Joes, the threat actors were observed in an attack on one of its clients in the gambling industry where a mixture of tailor-made and readily available open source tools were used.
The most notable examples are a modified version of Ligolo, a reverse tunneling utility freely available to pentesters on GitHub, and a custom tool for dumping credentials from LSASS.
Attack in the wild
According to Security Joes responders, the attack took place on a weekend evening and progressed rapidly, showcasing the actors’ skills and their “red team” knowledge.
Initial access was through compromised employee SSL-VPN credentials, followed by administrative and RDP brute-force scans, then credential-harvesting efforts.
The next steps involved accessing additional machines with elevated privileges, deploying custom proxy tunneling for secure communications, and finally, dropping Cobalt Strike onto compromised hosts.
Although the threat actors never had a chance to go further in this particular case, Security Joes believes that the next step would have been to deploy a ransomware payload, as the methods followed match those of typical ransomware gang operations.
However, this could not be confirmed because the responders halted the intrusion before the infiltrators were ready to deploy anything to the compromised network.
Threat actors used several off-the-shelf open source tools commonly used by many adversaries, such as Mimikatz, SoftPerfect, and Cobalt Strike.
A notable differentiator is the deployment of “Sockbot”, a utility written in Go based on the open source reverse tunneling tool Ligolo.
The hackers modified Ligolo with significant additions that removed the need to use command line parameters and included several runtime checks to avoid running multiple instances.
As a Security Joes researcher told Bleeping Computer, a custom Ligolo is not common in the arsenal of threat actors, with the exception of the Iranian state-sponsored MuddyWater hacking group, which is the only threat group known to modify it.
The reason for this rarity is that Ligolo is not designed for malicious deployment out of the box, so adapting it to intrusion operations requires coding skills.
“By comparing the new variant (Sockbot) to the original source code available online, the threat actors added several execution checks to prevent multiple instances from running at the same time, set the local relay value as a hardcoded string to avoid the need to pass command line parameters when performing the attack and set persistence via a scheduled task.” – Security Joes
Another particularly interesting case is “lsassDumper”, a custom tool also written in Go, used by the actors for the automated exfiltration of LSASS process dumps to the “transfer.sh” file-sharing service.
Security Joes claims this is the first time that lsassDumper has been spotted in the wild, further demonstrating the particular threat actor’s capability and sophistication.
Additionally, direct dumping of LSASS credentials is another typical method of ransomware gangs, so this is another piece of evidence supporting the ransomware hypothesis.
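As an added example (not code from the report or from Security Joes), the following Python sketch correlates constructed Sysmon-style ProcessAccess and NetworkConnect records to surface the lsassDumper pattern described above: a process outside a small allowlist reading LSASS memory and then connecting to transfer.sh. The event shape, the allowlist and the sample records are assumptions for illustration.

```python
"""Detect 'read LSASS, then upload to a file-sharing host' in constructed
Sysmon-style telemetry. Event 10 = ProcessAccess (detail is the target image),
Event 3 = NetworkConnect (detail is the destination hostname)."""

# Processes that legitimately open lsass.exe on a typical host; this list is an
# assumption and must be tuned per environment (EDR, backup agents, etc.).
ALLOWED_LSASS_READERS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
# Upload service named in the report as the exfiltration destination.
SUSPICIOUS_UPLOAD_HOSTS = {"transfer.sh"}

# Constructed sample telemetry: (event_id, pid, source image, detail).
SAMPLE_EVENTS = [
    (10, 4120, "C:\\ProgramData\\Microsoft\\Windows Defender\\MsMpEng.exe",
     "C:\\Windows\\System32\\lsass.exe"),                           # benign AV access
    (10, 7788, "C:\\Users\\Public\\lsassDumper.exe",
     "C:\\Windows\\System32\\lsass.exe"),                           # unknown tool reads LSASS
    (3, 7788, "C:\\Users\\Public\\lsassDumper.exe", "transfer.sh"),  # ...then uploads
    (3, 9001, "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "transfer.sh"),                                                 # browser upload, no LSASS read
]


def basename(path):
    """Last path component, lower-cased, so allowlist matching ignores location/case."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_lsass_dump_exfil(events):
    """Return a dict with two alert lists, in event order:
    'lsass_access': (pid, image) for non-allowlisted processes that opened lsass.exe;
    'dump_exfil':   (pid, image, host) when such a process later reached an upload host.
    Events are assumed to be ordered by time, so the LSASS read precedes the connect."""
    readers = {}                 # pid -> image of processes that touched LSASS
    alerts = {"lsass_access": [], "dump_exfil": []}
    for event_id, pid, image, detail in events:
        if event_id == 10 and basename(detail) == "lsass.exe":
            if basename(image) not in ALLOWED_LSASS_READERS:
                readers[pid] = image
                alerts["lsass_access"].append((pid, image))
        elif event_id == 3 and pid in readers:
            if detail.lower() in SUSPICIOUS_UPLOAD_HOSTS:
                alerts["dump_exfil"].append((pid, image, detail))
    return alerts


if __name__ == "__main__":
    for kind, hits in detect_lsass_dump_exfil(SAMPLE_EVENTS).items():
        for hit in hits:
            print(kind, *hit)
```

The firefox.exe upload is deliberately not flagged: a connection to the upload host alone is noisy, while the same process first reading LSASS is the high-confidence signal.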
Finally, the intruders used ADFind for network reconnaissance, a freely available tool that adversaries use to gather information from Active Directory and one that is also very common in the ransomware space.
“Based on the behavior, tools observed in this intrusion, and targeted sectors, we have concluded that the attackers behind this operation are closely linked to a Russian-speaking ransomware gang, which takes tools used by other groups and adds their personal signature to them.” – concludes the Security Joes report.