GET A DEMO
See why 9,000+ companies trust Darktrace
Thanks, your request has been received
A member of our team will be in touch with you shortly.
YOU MAY FIND INTERESTING
Five Key Takeaways from Black Hat 2023
Hives & Frankensteins: The Half-Year Threat Report
Oops! Something went wrong while submitting the form.

Blog

Inside the SOC

A Busy Agenda: Darktrace’s Detection of Qilin Ransomware-as-a-Service Operator

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Jul 2024
04
Jul 2024
This blog examines the tactics, techniques and procedures associated with the notorious Ransomware-as-a-Service operator Qilin. Darktrace’s Threat Research team investigated several examples of Qilin actors targeting Darktrace customers between 2022 and 2024.

Qilin ransomware has recently dominated discussions across the cyber security landscape following its deployment in an attack on Synnovis, a UK-based medical laboratory company. The ransomware attack ultimately affected patient services at multiple National Health Service (NHS) hospitals that rely on Synnovis diagnostic and pathology services. Qilin’s origins, however, date back further to October 2022 when the group was observed seemingly posting leaked data from its first known victim on its Dedicated Leak Site (DLS) under the name Agenda[1].

The Darktrace Threat Research team investigated network artifacts related to Qilin and identified three probable cases of the ransomware across the Darktrace customer base between June 2022 and May 2024.

Qilin Ransomware-as-a-Service Operator

Qilin operates as a Ransomware-as-a-Service (RaaS) that employs double extortion tactics, whereby harvested data is exfiltrated and threatened of publication on the group's DLS, which is hosted on Tor. Qilin ransomware has samples written in both the Golang and Rust programming languages, making it compilable with various operating systems, and is highly customizable. When building Qilin ransomware variants to be used on their target(s), affiliates can configure settings such as the encryption mode (i.e., skip-step, percent, and speed), the file extension being appended, files, extensions and directories to be skipped during the encryption, and the processes and services to be terminated, among others[1] [2].  

Trend Micro analysts, who were the first to discover Qilin samples in August 2022, when the name "Agenda" was still used in ransom notes, found that each analyzed sample was customized for the intended victims and that "unique company IDs were used as extensions of encrypted files" [3]. This information is configurable from within the Qilin's affiliate panel's 'Targets' section, shown below. The panel's background image features the eponym Chinese legendary chimerical creature Qilin (pronounced “Ke Lin”). Despite this Chinese mythology reference, Russian language was observed being used by a Qilin operator in an underground forum post aimed at hiring affiliates and advertising their RaaS operation[2].

Figure 1: Qilin ransomware’s affiliate panel.

Qilin's RaaS program purportedly has an attractive affiliates' payment structure, with affiliates allegedly able to earn 80% of ransom payments of USD 3m or less and 85% for payments above that figure[2], making it a possibly appealing option in the RaaS ecosystem.  Publication of stolen data and ransom payment negotiations are purportedly handled by Qilin operators. Qilin affiliates have been known to target companies located around the world and within a variety of industries, including critical sectors such as healthcare and energy.

As Qilin is a RaaS operation, the choice of targets does not necessarily reflect Qilin operators' intentions, but rather that of its affiliates.  Similarly, the tactics, techniques, procedures (TTPs) and indicators of compromise (IoC) identified by Darktrace are associated with the given affiliate deploying Qilin ransomware for their own purpose, rather than TTPs and IoCs of the Qilin group. Likewise, initial vectors of infection may vary from affiliate to affiliate. Previous studies show that initial access to networks were gained via spear phishing emails or by leveraging exposed applications and interfaces.

Differences have been observed in terms of data exfiltration and potential C2 external endpoints, suggesting the below investigations are not all related to the same group or actor(s).

Darktrace’s Threat Research Investigation

June 2022

Darktrace first detected an instance of Qilin ransomware back in June 2022, when an attacker was observed successfully accessing a customer’s Virtual Private Network (VPN) and compromising an administrative account, before using RDP to gain access to the customer’s Microsoft System Center Configuration Manager (SCCM) server

From there, an attack against the customer's VMware ESXi hosts was launched. Fortunately, a reboot of their virtual machines (VM) caught the attention of the security team who further uncovered that custom profiles had been created and remote scripts executed to change root passwords on their VM hosts. Three accounts were found to have been compromised and three systems encrypted by ransomware.  

Unfortunately, Darktrace was not configured to monitor the affected subnets at the time of the attack. Despite this, the customer was able to work directly with Darktrace analysts via the Ask the Expert (ATE) service to add the subnets in question to Darktrace’s visibility, allowing it to monitor for any further unusual behavior.

Once visibility over the compromised SCCM server was established, Darktrace observed a series of unusual network scanning activities and the use of Kali (a Linux distribution designed for digital forensics and penetration testing). Furthermore, the server was observed making connections to multiple rare external hosts, many using the “[.]ru” Top Level Domain (TLD). One of the external destinations the server was attempting to connect was found to be related to SystemBC, a malware that turns infected hosts into SOCKS5 proxy bots and provides command-and-control (C2) functionality.

Additionally, the server was observed making external connections over ports 993 and 143 (typically associated with the use of the Interactive Message Access Protocol (IMAP) to multiple rare external endpoints. This was likely due to the presence of Tofsee malware on the device.

After the compromise had been contained, Darktrace identified several ransom notes following the naming convention “README-RECOVER-<extension/company_id>.txt”” on the network. This naming convention, as well as the similar “<company_id>-RECOVER-README.txt” have been referenced by open-source intelligence (OSINT) providers as associated with Qilin ransom notes[5] [6] [7].

April 2023

The next case of Qilin ransomware observed by Darktrace took place in April 2023 on the network of a customer in the manufacturing sector in APAC. Unfortunately for the customer in this instance, Darktrace RESPOND™ was not active on their environment and no autonomous response actions were taken to contain the compromise.

Over the course of two days, Darktrace identified a wide range of malicious activity ranging from extensive initial scanning and lateral movement attempts to the writing of ransom notes that followed the aforementioned naming convention (i.e., “README-RECOVER-<extension/company_id>.txt”).

Darktrace observed two affected devices attempting to move laterally through the SMB, DCE-RPC and RDP network protocols. Default credentials (e.g., UserName, admin, administrator) were also observed in the large volumes of SMB sessions initiated by these devices. One of the target devices of these SMB connections was a domain controller, which was subsequently seen making suspicious WMI requests to multiple devices over DCE-RPC and enumerating SMB shares by binding to the ‘server service’ (srvsvc) named pipe to a high number of internal devices within a short time frame. The domain controller was further detected establishing an anomalously high number of connections to several internal devices, notably using the RDP administrative protocol via a default admin cookie.  

Repeated connections over the HTTP and SSL protocol to multiple newly observed IPs located in the 184.168.123.0/24 range were observed, indicating C2 connectivity.  WebDAV user agent and a JA3 fingerprint potentially associated with Cobalt Strike were notably observed in these connections. A few hours later, Darktrace detected additional suspicious external connections, this time to IPs associated with the MEGA cloud storage solution. Storage solutions such as MEGA are often abused by attackers to host stolen data post exfiltration. In this case, the endpoints were all rare for the network, suggesting this solution was not commonly used by legitimate users. Around 30 GB of data was exfiltrated over the SSL protocol.

Darktrace did not observe any encryption-related activity on this customer’s network, suggesting that encryption may have taken place locally or within network segments not monitored by Darktrace.

May 2024

The most recent instance of Qilin observed by Darktrace took place in May 2024 and involved a customer in the US. In this case, Darktrace initially detected affected devices using unusual administrative and default credentials, before additional internal systems were observed making extensive suspicious DCE-RPC requests to a range of internal locations, performing network scanning, making unusual internal RDP connections, and transferring suspicious executable files like 'a157496.exe' and '83b87b2.exe'.  SMB writes of the file "LSM_API_service" were also observed, activity which was considered 100% unusual by Darktrace; this is an RPC service that can be abused to enumerate logged-in users and steal their tokens. Various repeated connections likely representative of C2 communications were detected via both HTTP and SSL to rare external endpoints linked in OSINT to Cobalt Strike use. During these connections, HTTP GET requests for the following URIs were observed:

/asdffHTTPS

/asdfgdf

/asdfgHTTP

/download/sihost64.dll

Notably, this included a GET request a DLL file named "sihost64.dll" from a domain controller using PowerShell.  

Over 102 GB of data may have been transferred to another previously unseen endpoint, 194.165.16[.]13, via the unencrypted File Transfer Protocol (FTP). Additionally, many non-FTP connections to the endpoint could be observed, over which more than 783 GB of data was exfiltrated. Regarding file encryption activity, a wide range of destination devices and shares were targeted.

Figure 2: Advanced Search graph displaying the total volume of data transferred over FTP to a malicious IP.

During investigations, Darktrace’s Threat Research team identified an additional customer, also based in the United States, where similar data exfiltration activity was observed in April 2024. Although no indications of ransomware encryption were detected on the network, multiple similarities were observed with the case discussed just prior. Notably, the same exfiltration IP and protocol (194.165.16[.]13 and FTP, respectively) were identified in both cases. Additional HTTP connectivity was further observed to another IP using a self-signed certificate (i.e., CN=ne[.]com,OU=key operations,O=1000,L=,ST=,C=KM) located within the same ASN (i.e., AS48721 Flyservers S.A.). Some of the URIs seen in the GET requests made to this endpoint were the same as identified in that same previous case.

Information regarding another device also making repeated connections to the same IP was described in the second event of the same Cyber AI Analyst incident. Following this C2 connectivity, network scanning was observed from a compromised domain controller, followed by additional reconnaissance and lateral movement over the DCE-RPC and SMB protocols. Darktrace again observed SMB writes of the file "LSM_API_service", as in the previous case, activity which was also considered 100% unusual for the network. These similarities suggest the same actor or affiliate may have been responsible for activity observed, even though no encryption was observed in the latter case.

Figure 3. First event of the Cyber AI Analyst investigation following the compromise activity.

According to researchers at Microsoft, some of the IoCs observed on both affected accounts are associated with Pistachio Tempest, a threat actor reportedly associated with ransomware distribution. The Microsoft threat actor naming convention uses the term "tempest" to reference criminal organizations with motivations of financial gain that are not associated with high confidence to a known non-nation state or commercial entity. While Pistachio Tempest’s TTPs have changed over time, their key elements still involve ransomware, exfiltration, and extortion. Once they've gained access to an environment, Pistachio Tempest typically utilizes additional tools to complement their use of Cobalt Strike; this includes the use of the SystemBC RAT and the SliverC2 framework, respectively. It has also been reported that Pistacho Tempest has experimented with various RaaS offerings, which recently included Qilin ransomware[4].

Conclusion

Qilin is a RaaS group that has gained notoriety recently due to high-profile attacks perpetrated by its affiliates. Despite this, the group likely includes affiliates and actors who were previously associated with other ransomware groups. These individuals bring their own modus operandi and utilize both known and novel TTPs and IoCs that differ from one attack to another.

Darktrace’s anomaly-based technology is inherently threat-agnostic, treating all RaaS variants equally regardless of the attackers’ tools and infrastructure. Deviations from a device’s ‘learned’ pattern of behavior during an attack enable Darktrace to detect and contain potentially disruptive ransomware attacks.

Credit to: Alexandra Sentenac, Emma Foulger, Justin Torres, Min Kim, Signe Zaharka for their contributions.

References

[1] https://www.sentinelone.com/anthology/agenda-qilin/  

[2] https://www.group-ib.com/blog/qilin-ransomware/

[3] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

[4] https://www.microsoft.com/en-us/security/security-insider/pistachio-tempest

[5] https://www.trendmicro.com/en_us/research/22/h/new-golang-ransomware-agenda-customizes-attacks.html

[6] https://www.bleepingcomputer.com/forums/t/790240/agenda-qilin-ransomware-id-random-10-char;-recover-readmetxt-support/

[7] https://github.com/threatlabz/ransomware_notes/tree/main/qilin

Darktrace Model Detections

Internal Reconnaissance

Device / Suspicious SMB Scanning Activity

Device / Network Scan

Device / RDP Scan

Device / ICMP Address Scan

Device / Suspicious Network Scan Activity

Anomalous Connection / SMB Enumeration

Device / New or Uncommon WMI Activity

Device / Attack and Recon Tools

Lateral Movement

Device / SMB Session Brute Force (Admin)

Device / Large Number of Model Breaches from Critical Network Device

Device / Multiple Lateral Movement Model Breaches

Anomalous Connection / Unusual Admin RDP Session

Device / SMB Lateral Movement

Compliance / SMB Drive Write

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / Anomalous DRSGetNCChanges Operation

Anomalous Server Activity / Domain Controller Initiated to Client

User / New Admin Credentials on Client

C2 Communication

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Multiple Connections to New External TCP Port

Anomalous Connection / Anomalous SSL without SNI to New External

Anomalous Connection / Rare External SSL Self-Signed

Device / Increased External Connectivity

Unusual Activity / Unusual External Activity

Compromise / New or Repeated to Unusual SSL Port

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Device / Suspicious Domain

Device / Increased External Connectivity

Compromise / Sustained SSL or HTTP Increase

Compromise / Botnet C2 Behaviour

Anomalous Connection / POST to PHP on New External Host

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous File / EXE from Rare External Location

Exfiltration

Unusual Activity / Enhanced Unusual External Data Transfer

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Uncommon 1 GiB Outbound

Unusual Activity / Unusual External Data to New Endpoint

Compliance / FTP / Unusual Outbound FTP

File Encryption

Compromise / Ransomware / Suspicious SMB Activity

Anomalous Connection / Sustained MIME Type Conversion

Anomalous File / Internal / Additional Extension Appended to SMB File

Compromise / Ransomware / Possible Ransom Note Write

Compromise / Ransomware / Possible Ransom Note Read

Anomalous Connection / Suspicious Read Write Ratio

IoC List

IoC – Type – Description + Confidence

93.115.25[.]139 IP C2 Server, likely associated with SystemBC

194.165.16[.]13 IP Probable Exfiltration Server

91.238.181[.]230 IP C2 Server, likely associated with Cobalt Strike

ikea0[.]com Hostname C2 Server, likely associated with Cobalt Strike

lebondogicoin[.]com Hostname C2 Server, likely associated with Cobalt Strike

184.168.123[.]220 IP Possible C2 Infrastructure

184.168.123[.]219 IP Possible C2 Infrastructure

184.168.123[.]236 IP Possible C2 Infrastructure

184.168.123[.]241 IP Possible C2 Infrastructure

184.168.123[.]247 IP Possible C2 Infrastructure

184.168.123[.]251 IP Possible C2 Infrastructure

184.168.123[.]252 IP Possible C2 Infrastructure

184.168.123[.]229 IP Possible C2 Infrastructure

184.168.123[.]246 IP Possible C2 Infrastructure

184.168.123[.]230 IP Possible C2 Infrastructure

gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

gfs440n010.userstorage.me ga.co[.]nz Hostname Possible Exfiltration Server. Not inherently malicious; associated with MEGA file storage.

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Alexandra Sentenac
Cyber Analyst
Watch the NIS2 Webinar
Book a 1-1 meeting with one of our experts
Get in touch
share this article
CATEGORIES
McLaren
PREVENT
RESPOND
Cloud
Ransomware
Inside the SOC
Thought Leadership
Crypto
Email
Threat Finds
OT
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
RELATED BLOGS
No items found.
Trending blogs
1
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Attack trends: Cloud-Based Cyber-Attacks and the Rise of Alternative Initial Access Methods
Apr 29, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
Moving Beyond XDR to Achieve True Cyber Resilience with Darktrace ActiveAI Security Platform
Apr 9, 2024

More in this series

No items found.

Blog

No items found.

Darktrace: Microsoft UK Partner of the Year 2024

Default blog imageDefault blog image
27
Jun 2024

Darktrace has been named as Microsoft UK Partner of the Year for 2024!    
The Microsoft Partner Awards recognize winners for their commitment to customers, impact of solutions, and exemplary use of Microsoft technologies.  

Whilst the award was granted based on our innovations combining Darktrace/Email and Microsoft Defender for Office 365, our shared values go beyond technology. Darktrace stood out for the integration of our products to deliver exceptional security value to customers, as well as our investment in partnerships, marketplace and go to market. Microsoft was also impressed with our strong commitment to diversity and inclusion and our broader contribution to both the UK economy and the UK tech sector.

Microsoft Defender for Office 365 + Darktrace/Email leave attackers nowhere to hide

The email threat landscape is constantly evolving. Attacks are becoming more sophisticated, more targeted and increasing in multi-stage payload attacks. Across the Darktrace customer base in 2023 alone, we have seen a 135% increase in ‘novel social engineering attacks’, corresponding with the rise of ChatGPT, 45% of phishing emails were identified as spear phishing attempts and a 59% increase in multi-stage payload attacks.  

Legacy defenses were built to address a high volume of unsophisticated attacks, but generative AI has shifted the threats towards lower quantity yet very sophisticated, high impact targeted attacks. Microsoft Defender for Office 365’s rapid innovation has outpaced the Secure Email Gateway’s rule and signature based historical data approach. Customers no longer need email gateways which duplicate workflows and add expense native to their Defender for O365 solution.    

Point email solutions overlap with Microsoft in 3 key areas: detection approach, workflows, capabilities  

  • Detection - Microsoft receives trillions threat signals daily, giving customers the broadest scope of the attack landscape. Darktrace combined with Microsoft unites business and attack centric approaches
  • Workflows – any Microsoft configurations are reflected automatically in Darktrace/Email. Users can keep daily workflow in Microsoft, while a traditional SEG requires duplicated workflows  
  • Capabilities – Microsoft handles foundational elements like archiving/encryption/signature matching while Darktrace handles advanced threat security

Darktrace/Email is built to elevate, not duplicate, Microsoft email security – removing the burden of operating legacy point solutions and blocking 25% more threats. Robust account takeover protections to stop the 38% of sophisticated threats other tools miss. Customers can seamlessly correlate activity and insights across Microsoft email, DMARC and Teams to stop threats on average 13 days earlier.  

Azure Marketplace

Microsoft Azure customers can access Darktrace in the Azure Marketplace to take advantage of the scalability, reliability, and agility of Azure to drive rapid IT operations and security integrations across the enterprise. Customers can leverage their Microsoft Azure Consumption Commitments (MACC), making procurement simple.

As UK Partner of the Year winner, customers know they have a trusted partner with Darktrace and a proven solution to work seamlessly with Azure.

Continue reading
About the author
Francesca Bowen
Global Vice President, Cloud GTM

Blog

Inside the SOC

Following up on our Conversation: Detecting & Containing a LinkedIn Phishing Attack with Darktrace

Default blog imageDefault blog image
25
Jun 2024

Note: Real organization, domain and user names have been modified and replaced with fictitious names to maintain anonymity.  

Social media cyber-attacks

Social media is a known breeding ground for cyber criminals to easily connect with a near limitless number of people and leverage the wealth of personal information shared on these platforms to defraud the general public.  Analysis suggests even the most tech savvy ‘digital natives’ are vulnerable to impersonation scams over social media, as criminals weaponize brands and trends, using the promise of greater returns to induce sensitive information sharing or fraudulent payments [1].

LinkedIn phishing

As the usage of a particular social media platform increases, cyber criminals will find ways to exploit the increasing user base, and this trend has been observed with the rise in LinkedIn scams in recent years [2].  LinkedIn is the dominant professional networking site, with a forecasted 84.1million users by 2027 [3].  This platform is data-driven, so users are encouraged to share information publicly, including personal life updates, to boost visibility and increase job prospects [4] [5].  While this helps legitimate recruiters to gain a good understanding of the user, an attacker could also leverage the same personal content to increase the sophistication and success of their social engineering attempts.  

Darktrace detection of LinkedIn phishing

Darktrace detected a Software-as-a-Service (SaaS) compromise affecting a construction company, where the attack vector originated from LinkedIn (outside the monitoring of corporate security tools), but then pivoted to corporate email where a credential harvesting payload was delivered, providing the attacker with credentials to access a corporate file storage platform.  

Because LinkedIn accounts are typically linked to an individual’s personal email and are most commonly accessed via the mobile application [6] on personal devices that are not monitored by security teams, it can represent an effective initial access point for attackers looking to establish an initial relationship with their target. Moreover, user behaviors to ignore unsolicited emails from new or unknown contacts are less frequently carried over to platforms like LinkedIn, where interactions with ‘weak ties’ as opposed to ‘strong ties’ are a better predictor of job mobility [7]. Had this attack been allowed to continue, the threat actor could have leveraged access to further information from the compromised business cloud account to compromise other high value accounts, exfiltrate sensitive data, or defraud the organization.

LinkedIn phishing attack details

Reconnaissance

The initial reconnaissance and social engineering occurred on LinkedIn and was thus outside the purview of corporate security tools, Darktrace included.

However, the email domain “hausconstruction[.]com” used by the attacker in subsequent communications appears to be a spoofed domain impersonating a legitimate construction company “haus[.]com”, suggesting the attacker may have also impersonated an employee of this construction company on LinkedIn.  In addition to spoofing the domain, the attacker seemingly went further to register “hausconstruction.com” on a commercial web hosting platform.  This is a technique used frequently not just to increase apparent legitimacy, but also to bypass traditional security tools since newly registered domains will have no prior threat intelligence, making them more likely to evade signature and rules-based detections [8].  In this instance, open-source intelligence (OSINT) sources report that the domain was created several months earlier, suggesting this may have been part of a targeted attack on construction companies.  

Initial Intrusion

It was likely that during the correspondence over LinkedIn, the target user was solicited into following up over email regarding a prospective construction project, using their corporate email account.  In a probable attempt to establish a precedent of bi-directional correspondence so that subsequent malicious emails would not be flagged by traditional security tools, the attacker did not initially include suspicious links, attachments or use solicitous or inducive language within their initial emails.

Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Figure 1: Example of bi-directional email correspondence between the target and the attacker impersonating a legitimate employee of the construction company haus.com.
Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.
Figure 2: Cyber AI Analyst investigation into one of the initial emails the target received from the attacker.  

To accomplish the next stage of their attack, the attacker shared a link, hidden behind the inducing text “VIEW ALL FILES”, to a malicious file using the Hightail cloud storage service. This is also a common method employed by attackers to evade detection, as this method of file sharing does not involve attachments that can be scanned by traditional security tools, and legitimate cloud storage services are less likely to be blocked.

OSINT analysis on the malicious link link shows the file hosted on Hightail was a HTML file with the associated message “Following up on our LinkedIn conversation”.  Further analysis suggests the file contained obfuscated Javascript that, once opened, would automatically redirect the user to a malicious domain impersonating a legitimate Microsoft login page for credential harvesting purposes.  

The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Figure 3: The malicious HTML file containing obfuscated Javascript, where the highlighted string references the malicious credential harvesting domain.
Screenshot of fraudulent Microsoft Sign In page hosted on the malicous credential harvesting domain.
Figure 4: Screenshot of fraudulent Microsoft Sign In page hosted on the malicious credential harvesting domain.

Although there was prior email correspondence with the attacker, this email was not automatically deemed safe by Darktrace and was further analyzed for unusual properties and unusual communications for the recipient and the recipient’s peer group.  

Darktrace determined that:

  • It was unusual for this file storage solution to be referenced in communications to the user and the wider network
  • Textual properties of the email body suggested a high level of inducement from the sender, with a high level of focus on the phishing link.
  • The full link contained suspicious properties suggesting it is high risk.
Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.
Figure 5: Darktrace’s analysis of the phishing email, presenting key information about the unusual characteristics of this email, information on highlighted content, and an overview of actions that were initially applied.  

Based on these anomalies, Darktrace initially moved the phishing email to the junk folder and locked the link, preventing the user from directly accessing the malicious file hosted on Hightail.  However, the customer’s security team released the email, likely upon end-user request, allowing the target user to access the file and ultimately enter their credentials into that credential harvesting domain.

Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.
Figure 6: Darktrace alerts triggered by the malicious phishing email and the corresponding Autonomous Response actions.

Lateral Movement

Correspondence between the attacker and target continued for two days after the credential harvesting payload was delivered.  Five days later, Darktrace detected an unusual login using multi-factor authentication (MFA) from a rare external IP and ASN that coincided with Darktrace/Email logs showing access to the credential harvesting link.

This attempt to bypass MFA, known as an Office365 Shell WCSS attack, was likely achieved by inducing the target to enter their credentials and legitimate MFA token into the fake Microsoft login page. This was then relayed to Microsoft by the attacker and used to obtain a legitimate session. The attacker then reused the legitimate token to log into Exchange Online from a different IP and registered their own device for MFA.

Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Figure 7: Screenshot within Darktrace/Email of the phishing email that was released by the security team, showing the recipient clicked the link to file storage where the malicious payload was stored.
Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked. Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge.
Figure 8: Event Log showing a malicious login and MFA bypass at 17:57:16, shortly after the link was clicked.  Highlighted in green is activity from the legitimate user prior to the malicious login, using Edge. Highlighted in orange and red is the malicious activity using Chrome.

The IP addresses used by the attacker appear to be part of anonymization infrastructure, but are not associated with any known indicators of compromise (IoCs) that signature-based detections would identify [9] [10].

In addition to  logins being observed within half an hour of each other from multiple geographically impossible locations (San Francisco and Phoenix), the unexpected usage of Chrome browser, compared to Edge browser previously used, provided Darktrace with further evidence that this activity was unlikely to originate from the legitimate user.  Although the user was a salesperson who frequently travelled for their role, Darktrace’s Self-Learning AI understood that the multiple logins from these locations was highly unusual at the user and group level, and coupled with the subsequent unexpected account modification, was a likely indicator of account compromise.  

Accomplish mission

Although the email had been manually released by the security team, allowing the attack to propagate, additional layers of defense were triggered as Darktrace's Autonomous Response initiated “Disable User” actions upon detection of the multiple unusual logins and the unauthorized registration of security information.  

However, the customer had configured Autonomous Response to require human confirmation, therefore no actions were taken until the security team manually approved them over two hours later. In that time, access to mail items and other SharePoint files from the unusual IP address was detected, suggesting a potential loss of confidentiality to business data.

Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome. Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.
Figure 9: Advanced Search query showing several FilePreviewed and MailItemsAccessed events from either the IPs used by the attacker, or using the software Chrome.  Note some of the activity originated from Microsoft IPs which may be whitelisted by traditional security tools.

However, it appears that the attacker was able to maintain access to the compromised account, as login and mail access events from 199.231.85[.]153 continued to be observed until the afternoon of the next day.  

Conclusion

This incident demonstrates the necessity of AI to security teams, with Darktrace’s ActiveAI Security Platform detecting a sophisticated phishing attack where human judgement fell short and initiated a real-time response when security teams could not physically respond as fast.  

Security teams are very familiar with social engineering and impersonation attempts, but these attacks remain highly prevalent due to the widespread adoption of technologies that enable these techniques to be deployed with great sophistication and ease.  In particular, the popularity of information-rich platforms like LinkedIn that are geared towards connecting with unknown people make it an attractive initial access point for malicious attackers.

In the second half of 2023 alone, over 200 thousand fake profiles were reported by members on LinkedIn [11].  Fake profiles can be highly sophisticated, use professional images, contain compelling descriptions, reference legitimate company listings and present believable credentials.  

It is unrealistic to expect end users to defend themselves against such sophisticated impersonation attempts. Moreover, it is extremely difficult for human defenders to recognize every fraudulent interaction amidst a sea of fake profiles. Instead, defenders should leverage AI, which can conduct autonomous investigations without human biases and limitations. AI-driven security can ensure successful detection of fraudulent or malicious activity by learning what real users and devices look like and identifying deviations from their learned behaviors that may indicate an emerging threat.

Appendices

Darktrace Model Detections

DETECT/ Apps

SaaS / Compromise / SaaS Anomaly Following Anomalous Login

SaaS / Compromise / Unusual Login and Account Update

SaaS / Unusual Activity / Multiple Unusual External Sources For SaaS Credential

SaaS / Access / Unusual External Source for SaaS Credential Use

SaaS / Compliance / M365 Security Information Modified

RESPOND/ Apps

Antigena / SaaS / Antigena Suspicious SaaS Activity Block

Antigena / SaaS / Antigena Unusual Activity Block

DETECT & RESPOND/ Email

·      Link / High Risk Link + Low Sender Association

·      Link / New Correspondent Classified Link

·      Link / Watched Link Type

·      Antigena Anomaly

·      Association / Unknown Sender

·      History / New Sender

·      Link / Link to File Storage

·      Link / Link to File Storage + Unknown Sender

·      Link / Low Link Association

List of IoCs

·      142.252.106[.]251 - IP            - Possible malicious IP used by attacker during cloud account compromise

·      199.231.85[.]153 – IP - Probable malicious IP used by attacker during cloud account compromise

·      vukoqo.hebakyon[.]com – Endpoint - Credential harvesting endpoint

MITRE ATT&CK Mapping

·      Resource Development - T1586 - Compromise Accounts

·      Resource Development - T1598.003 – Spearphishing Link

·      Persistence - T1078.004 - Cloud Accounts

·      Persistence - T1556.006 - Modify Authentication Process: Multi-Factor Authentication

·      Reconnaissance - T1593.001 – Social Media

·      Reconnaissance - T1598 – Phishing for Information

·      Reconnaissance - T1589.001 – Credentials

·      Reconnaissance - T1591.002 – Business Relationships

·      Collection - T1111 – Multifactor Authentication Interception

·      Collection - T1539 – Steal Web Session Cookie

·      Lateral Movement - T1021.007 – Cloud Services

·      Lateral Movement - T1213.002 - Sharepoint

References

[1] Jessica Barker, Hacked: The secrets behind cyber attacks, (London: Kogan Page, 2024), p. 130-146.

[2] https://www.bitdefender.co.uk/blog/hotforsecurity/5-linkedin-scams-and-how-to-avoid-them/

[3] https://www.washingtonpost.com/technology/2023/08/31/linkedin-personal-posts/

[4] https://www.forbes.com/sites/joshbersin/2012/05/21/facebook-vs-linkedin-whats-the-difference/

[5] https://thelinkedblog.com/2022/3-reasons-why-you-should-make-your-profile-public-1248/

[6] https://www.linkedin.com/pulse/50-linkedin-statistics-every-professional-should-ti9ue

[7] https://www.nytimes.com/2022/09/24/business/linkedin-social-experiments.html

[8] https://darktrace.com/blog/the-domain-game-how-email-attackers-are-buying-their-way-into-inboxes

[9] https://spur.us/context/142.252.106[.]251

[10] https://spur.us/context/199.231.85[.]153

[11]https://www.statista.com/statistics/1328849/linkedin-number-of-fake-accounts-detected-and-removed

Continue reading
About the author
Nicole Wong
Cyber Security Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.