Blog

Inside the SOC

Steps of a BumbleBee Intrusion to a Cobalt Strike| Darktrace

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
04
Sep 2022
04
Sep 2022
Discover the steps of a Bumblebee intrusion, from initial detection to Cobalt Strike deployment. Learn how Darktrace defends against evolving threats with AI.

Introduction

Throughout April 2022, Darktrace observed several cases in which threat actors used the loader known as ‘BumbleBee’ to install Cobalt Strike Beacon onto victim systems. The threat actors then leveraged Cobalt Strike Beacon to conduct network reconnaissance, obtain account password data, and write malicious payloads across the network. In this article, we will provide details of the actions threat actors took during their intrusions, as well as details of the network-based behaviours which served as evidence of the actors’ activities.  

BumbleBee 

In March 2022, Google’s Threat Analysis Group (TAG) provided details of the activities of an Initial Access Broker (IAB) group dubbed ‘Exotic Lily’ [1]. Before March 2022, Google’s TAG observed Exotic Lily leveraging sophisticated impersonation techniques to trick employees of targeted organisations into downloading ISO disc image files from legitimate file storage services such as WeTransfer. These ISO files contained a Windows shortcut LNK file and a BazarLoader Dynamic Link Library (i.e, DLL). BazarLoader is a member of the Bazar family — a family of malware (including both BazarLoader and BazarBackdoor) with strong ties to the Trickbot malware, the Anchor malware family, and Conti ransomware. BazarLoader, which is typically distributed via email campaigns or via fraudulent call campaigns, has been known to drop Cobalt Strike as a precursor to Conti ransomware deployment [2]. 

In March 2022, Google’s TAG observed Exotic Lily leveraging file storage services to distribute an ISO file containing a DLL which, when executed, caused the victim machine to make HTTP requests with the user-agent string ‘bumblebee’. Google’s TAG consequently called this DLL payload ‘BumbleBee’. Since Google’s discovery of BumbleBee back in March, several threat research teams have reported BumbleBee samples dropping Cobalt Strike [1]/[3]/[4]/[5]. It has also been reported by Proofpoint [3] that other threat actors such as TA578 and TA579 transitioned to BumbleBee in March 2022.  

Interestingly, BazarLoader’s replacement with BumbleBee seems to coincide with the leaking of the Conti ransomware gang’s Jabber chat logs at the end of February 2022. On February 25th, 2022, the Conti gang published a blog post announcing their full support for the Russian state’s invasion of Ukraine [6]. 

Figure 1: The Conti gang's public declaration of their support for Russia's invasion of Ukraine

Within days of sharing their support for Russia, logs from a server hosting the group’s Jabber communications began to be leaked on Twitter by @ContiLeaks [7]. The leaked logs included records of conversations among nearly 500 threat actors between Jan 2020 and March 2022 [8]. The Jabber logs were supposedly stolen and leaked by a Ukrainian security researcher [3]/[6].

Affiliates of the Conti ransomware group were known to use BazarLoader to deliver Conti ransomware [9]. BumbleBee has now also been linked to the Conti ransomware group by several threat research teams [1]/[10]/[11]. The fact that threat actors’ transition from BazarLoader to BumbleBee coincides with the leak of Conti’s Jabber chat logs may indicate that the transition occurred as a result of the leaks [3]. Since the transition, BumbleBee has become a significant tool in the cyber-crime ecosystem, with links to several ransomware operations such as Conti, Quantum, and Mountlocker [11]. The rising use of BumbleBee by threat actors, and particularly ransomware actors, makes the early detection of BumbleBee key to identifying the preparatory stages of ransomware attacks.  

Intrusion Kill Chain 

In April 2022, Darktrace observed the following pattern of threat actor activity within the networks of several Darktrace clients: 

1.     Threat actor socially engineers user via email into running a BumbleBee payload on their device

2.     BumbleBee establishes HTTPS communication with a BumbleBee C2 server

3.     Threat actor instructs BumbleBee to download and execute Cobalt Strike Beacon

4.     Cobalt Strike Beacon establishes HTTPS communication with a Cobalt Strike C2 server

5.     Threat actor instructs Cobalt Strike Beacon to scan for open ports and to enumerate network shares

6.     Threat actor instructs Cobalt Strike Beacon to use the DCSync technique to obtain password account data from an internal domain controller

7.     Threat actor instructs Cobalt Strike Beacon to distribute malicious payloads to other internal systems 

With limited visibility over affected clients’ email environments, Darktrace was unable to determine how the threat actors interacted with users to initiate the BumbleBee infection. However, based on open-source reporting on BumbleBee [3]/[4]/[10]/[11]/[12]/[13]/[14]/[15]/[16]/[17], it is likely that the actors tricked target users into running BumbleBee by sending them emails containing either a malicious zipped ISO file or a link to a file storage service hosting the malicious zipped ISO file. These ISO files typically contain a LNK file and a BumbleBee DLL payload. The properties of these LNK files are set in such a way that opening them causes the corresponding DLL payload to run. 

In several cases observed by Darktrace, devices contacted a file storage service such as Microsoft OneDrive or Google Cloud Storage immediately before they displayed signs of BumbleBee infection. In these cases, it is likely that BumbleBee was executed on the users’ devices as a result of the users interacting with an ISO file which they were tricked into downloading from a file storage service. 

Figure 2: The above figure, taken from the event log for an infected device, shows that the device contacted a OneDrive endpoint immediately before making HTTPS connections to the BumbleBee C2 server, 45.140.146[.]244
Figure 3: The above figure, taken from the event log for an infected device, shows that the device contacted a Google Cloud Storage endpoint and then the malicious endpoint ‘marebust[.]com’ before making HTTPS connections to the  BumbleBee C2 servers, 108.62.118[.]61 and 23.227.198[.]217

After users ran a BumbleBee payload, their devices immediately initiated communications with BumbleBee C2 servers. The BumbleBee samples used HTTPS for their C2 communication, and all presented a common JA3 client fingerprint, ‘0c9457ab6f0d6a14fc8a3d1d149547fb’. All analysed samples excluded domain names in their ‘client hello’ messages to the C2 servers, which is unusual for legitimate HTTPS communication. External SSL connections which do not specify a destination domain name and whose JA3 client fingerprint is ‘0c9457ab6f0d6a14fc8a3d1d149547fb’ are potential indicators of BumbleBee infection. 

Figure 4:The above figure, taken from Darktrace's Advanced Search interface, depicts an infected device's spike in HTTPS connections with the JA3 client fingerprint ‘0c9457ab6f0d6a14fc8a3d1d149547fb’

Once the threat actors had established HTTPS communication with the BumbleBee-infected systems, they instructed BumbleBee to download and execute Cobalt Strike Beacon. This behaviour resulted in the infected systems making HTTPS connections to Cobalt Strike C2 servers. The Cobalt Strike Beacon samples all had the same JA3 client fingerprint ‘a0e9f5d64349fb13191bc781f81f42e1’ — a fingerprint associated with previously seen Cobalt Strike samples [18]. The domain names ‘fuvataren[.]com’ and ‘cuhirito[.]com’ were observed in the samples’ HTTPS communications. 

Figure 5:The above figure, taken from Darktrace's Advanced Search interface, depicts the Cobalt Strike C2 communications which immediately followed a device's BumbleBee C2 activity

Cobalt Strike Beacon payloads call home to C2 servers for instructions. In the cases observed, threat actors first instructed the Beacon payloads to perform reconnaissance tasks, such as SMB port scanning and SMB enumeration. It is likely that the threat actors performed these steps to inform the next stages of their operations.  The SMB enumeration activity was evidenced by the infected devices making NetrShareEnum and NetrShareGetInfo requests to the srvsvc RPC interface on internal systems.

Figure 6: The above figure, taken from Darktrace’s Advanced Search interface, depicts a spike in srvsvc requests coinciding with the infected device's Cobalt Strike C2 activity

After providing Cobalt Strike Beacon with reconnaissance tasks, the threat actors set out to obtain account password data in preparation for the lateral movement phase of their operation. To obtain account password data, the actors instructed Cobalt Strike Beacon to use the DCSync technique to replicate account password data from an internal domain controller. This activity was evidenced by the infected devices making DRSGetNCChanges requests to the drsuapi RPC interface on internal domain controllers. 

Figure 7: The above figure, taken from Darktrace’s Advanced Search interface, depicts a spike in DRSGetNCChanges requests coinciding with the infected device’s Cobalt Strike C2 activity

After leveraging the DCSync technique, the threat actors sought to broaden their presence within the targeted networks.  To achieve this, they instructed Cobalt Strike Beacon to get several specially selected internal systems to run a suspiciously named DLL (‘f.dll’). Cobalt Strike first established SMB sessions with target systems using compromised account credentials. During these sessions, Cobalt Strike uploaded the malicious DLL to a hidden network share. To execute the DLL, Cobalt Strike abused the Windows Service Control Manager (SCM) to remotely control and manipulate running services on the targeted internal hosts. Cobalt Strike first opened a binding handle to the svcctl interface on the targeted destination systems. It then went on to make an OpenSCManagerW request, a CreateServiceA request, and a StartServiceA request to the svcctl interface on the targeted hosts: 

·      Bind request – opens a binding handle to the relevant RPC interface (in this case, the svcctl interface) on the destination device

·      OpenSCManagerW request – establishes a connection to the Service Control Manager (SCM) on the destination device and opens a specified SCM database

·      CreateServiceA request – creates a service object and adds it to the specified SCM database 

·      StartServiceA request – starts a specified service

Figure 8: The above figure, taken from Darktrace’s Advanced Search interface, outlines an infected system’s lateral movement activities. After writing a file named ‘f.dll’ to the C$ share on an internal server, the infected device made several RPC requests to the svcctl interface on the targeted server

It is likely that the DLL file which the threat actors distributed was a Cobalt Strike payload. In one case, however, the threat actor was also seen distributing and executing a payload named ‘procdump64.exe’. This may suggest that the threat actor was seeking to use ProcDump to obtain authentication material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). Given that ProcDump is a legitimate Windows Sysinternals tool primarily used for diagnostics and troubleshooting, it is likely that threat actors leveraged it in order to evade detection. 

In all the cases which Darktrace observed, threat actors’ attempts to conduct follow-up activities after moving laterally were thwarted with the help of Darktrace’s SOC team. It is likely that the threat actors responsible for the reported activities were seeking to deploy ransomware within the targeted networks. The steps which the threat actors took to make progress towards achieving this objective resulted in highly unusual patterns of network traffic. Darktrace’s detection of these unusual network activities allowed security teams to prevent these threat actors from achieving their disruptive objectives. 

Darktrace Coverage

Once threat actors succeeded in tricking users into running BumbleBee on their devices, Darktrace’s Self-Learning AI immediately detected the command-and-control (C2) activity generated by the loader. BumbleBee’s C2 activity caused the following Darktrace models to breach:

·      Anomalous Connection / Anomalous SSL without SNI to New External

·      Anomalous Connection / Suspicious Self-Signed SSL

·      Anomalous Connection / Rare External SSL Self-Signed

·      Compromise / Suspicious TLS Beaconing To Rare External

·      Compromise / Beacon to Young Endpoint

·      Compromise / Beaconing Activity To External Rare

·      Compromise / Sustained SSL or HTTP Increase

·      Compromise / Suspicious TLS Beaconing To Rare External

·      Compromise / SSL Beaconing to Rare Destination

·      Compromise / Large Number of Suspicious Successful Connections

·      Device / Multiple C2 Model Breaches 

BumbleBee’s delivery of Cobalt Strike Beacon onto target systems resulted in those systems communicating with Cobalt Strike C2 servers. Cobalt Strike Beacon’s C2 communications resulted in breaches of the following models: 

·      Compromise / Beaconing Activity To External Rare

·      Compromise / High Volume of Connections with Beacon Score

·      Compromise / Large Number of Suspicious Successful Connections

·      Compromise / Sustained SSL or HTTP Increase

·      Compromise / SSL or HTTP Beacon

·      Compromise / Slow Beaconing Activity To External Rare

·      Compromise / SSL Beaconing to Rare Destination 

The threat actors’ subsequent port scanning and SMB enumeration activities caused the following models to breach:

·      Device / Network Scan

·      Anomalous Connection / SMB Enumeration

·      Device / Possible SMB/NTLM Reconnaissance

·      Device / Suspicious Network Scan Activity  

The threat actors’ attempts to obtain account password data from domain controllers using the DCSync technique resulted in breaches of the following models: 

·      Compromise / Unusual SMB Session and DRS

·      Anomalous Connection / Anomalous DRSGetNCChanges Operation

Finally, the threat actors’ attempts to internally distribute and execute payloads resulted in breaches of the following models:

·      Compliance / SMB Drive Write

·      Device / Lateral Movement and C2 Activity

·      Device / SMB Lateral Movement

·      Device / Multiple Lateral Movement Model Breaches

·      Anomalous File / Internal / Unusual SMB Script Write

·      Anomalous File / Internal / Unusual Internal EXE File Transfer

·      Anomalous Connection / High Volume of New or Uncommon Service Control

If Darktrace/Network had been configured in the targeted environments, then it would have blocked BumbleBee’s C2 communications, which would have likely prevented the threat actors from delivering Cobalt Strike Beacon into the target networks. 

Figure 9: Attack timeline

Conclusion

Threat actors use loaders to smuggle more harmful payloads into target networks. Prior to March 2022, it was common to see threat actors using the BazarLoader loader to transfer their payloads into target environments. However, since the public disclosure of the Conti gang’s Jabber chat logs at the end of February, the cybersecurity world has witnessed a shift in tradecraft. Threat actors have seemingly transitioned from using BazarLoader to using a novel loader known as ‘BumbleBee’. Since BumbleBee first made an appearance in March 2022, a growing number of threat actors, in particular ransomware actors, have been observed using it.

It is likely that this trend will continue, which makes the detection of BumbleBee activity vital for the prevention of ransomware deployment within organisations’ networks. During April, Darktrace’s SOC team observed a particular pattern of threat actor activity involving the BumbleBee loader. After tricking users into running BumbleBee on their devices, threat actors were seen instructing BumbleBee to drop Cobalt Strike Beacon. Threat actors then leveraged Cobalt Strike Beacon to conduct network reconnaissance, obtain account password data from internal domain controllers, and distribute malicious payloads internally.  Darktrace’s detection of these activities prevented the threat actors from achieving their likely harmful objectives.  

Thanks to Ross Ellis for his contributions to this blog.

Appendices 

References 

[1] https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/ 

[2] https://securityintelligence.com/posts/trickbot-gang-doubles-down-enterprise-infection/ 

[3] https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming

[4] https://www.cynet.com/orion-threat-alert-flight-of-the-bumblebee/ 

[5] https://research.nccgroup.com/2022/04/29/adventures-in-the-land-of-bumblebee-a-new-malicious-loader/ 

[6] https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/ 

[7] https://therecord.media/conti-leaks-the-panama-papers-of-ransomware/ 

[8] https://www.secureworks.com/blog/gold-ulrick-leaks-reveal-organizational-structure-and-relationships 

[9] https://www.prodaft.com/m/reports/Conti_TLPWHITE_v1.6_WVcSEtc.pdf 

[10] https://www.kroll.com/en/insights/publications/cyber/bumblebee-loader-linked-conti-used-in-quantum-locker-attacks 

[11] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime 

[12] https://isc.sans.edu/diary/TA578+using+thread-hijacked+emails+to+push+ISO+files+for+Bumblebee+malware/28636 

[13] https://isc.sans.edu/diary/rss/28664 

[14] https://www.logpoint.com/wp-content/uploads/2022/05/buzz-of-the-bumblebee-a-new-malicious-loader-threat-report-no-3.pdf 

[15] https://ghoulsec.medium.com/mal-series-23-malware-loader-bumblebee-6ab3cf69d601 

[16]  https://blog.cyble.com/2022/06/07/bumblebee-loader-on-the-rise/  

[17]  https://asec.ahnlab.com/en/35460/ 

[18] https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/

INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Sam Lister
SOC Analyst
Book a 1-1 meeting with one of our experts
share this article
USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.

More in this series

No items found.

Safeguarding Distribution Centers in the Digital Age

Default blog imageDefault blog image
12
Jun 2024

Challenges securing distribution centers

For large retail providers, e-commerce organizations, logistics & supply chain organizations, and other companies who rely on the distribution of goods to consumers cybersecurity efforts are often focused on an immense IT infrastructure. However, there's a critical, often overlooked segment of infrastructure that demands vigilant monitoring and robust protection: distribution centers.

Distribution centers play a critical role in the business operations of supply chains, logistics, and the retail industry. They serve as comprehensive logistics hubs, with many organizations operating multiple centers worldwide to meet consumer needs. Depending on their size and hours of operation, even just one hour of downtime at these centers can result in significant financial losses, ranging from tens to hundreds of thousands of dollars per hour.

Due to the time-sensitive nature and business criticality of distribution centers, there has been a rise in applying modern technologies now including AI applications to enhance efficiency within these facilities. Today’s distribution centers are increasingly connected to Enterprise IT networks, the cloud and the internet to manage every stage of the supply chain. Additionally, it is common for organizations to allow 3rd party access to the distribution center networks and data for reasons including allowing them to scale their operations effectively.

However, this influx of new technologies and interconnected systems across IT, OT and cloud introduces new risks on the cybersecurity front. Distribution center networks include industrial operational technologies ICS/OT, IoT technologies, enterprise network technology, and cloud systems working in coordination. The convergence of these technologies creates a greater chance that blind spots exist for security practitioners and this increasing presence of networked technology increases the attack surface and potential for vulnerability. Thus, having cybersecurity measures that cover IT, OT or Cloud alone is not enough to secure a complex and dynamic distribution center network infrastructure.  

The OT network encompasses various systems, devices, hardware, and software, such as:

  • Enterprise Resource Planning (ERP)
  • Warehouse Execution System (WES)
  • Warehouse Control System (WCS)
  • Warehouse Management System (WMS)
  • Energy Management Systems (EMS)
  • Building Management Systems (BMS)
  • Distribution Control Systems (DCS)
  • Enterprise IT devices
  • OT and IoT: Engineering workstations, ICS application and management servers, PLCs, HMI, access control, cameras, and printers
  • Cloud applications

Distribution centers: An expanding attack surface

As these distribution centers have become increasingly automated, connected, and technologically advanced, their attack surfaces have inherently increased. Distribution centers now have a vastly different potential for cyber risk which includes:  

  • More networked devices present
  • Increased routable connectivity within industrial systems
  • Externally exposed industrial control systems
  • Increased remote access
  • IT/OT enterprise to industrial convergence
  • Cloud connectivity
  • Contractors, vendors, and consultants on site or remoting in  

Given the variety of connected systems, distribution centers are more exposed to external threats than ever before. Simultaneously, distribution center’s business criticality has positioned them as interesting targets to cyber adversaries seeking to cause disruption with significant financial impact.

Increased connectivity requires a unified security approach

When assessing the unique distribution center attack surface, the variety of interconnected systems and devices requires a cybersecurity approach that can cover the diverse technology environment.  

From a monitoring and visibility perspective, siloed IT, OT or cloud security solutions cannot provide the comprehensive asset management, threat detection, risk management, and response and remediation capabilities across interconnected digital infrastructure that a solution natively covering IT, cloud, OT, and IoT can provide.  

The problem with using siloed cybersecurity solutions to cover a distribution center is the visibility gaps that are inherently created when using multiple solutions to try and cover the totality of the diverse infrastructure. What this means is that for cross domain and multi-stage attacks, depending on the initial access point and where the adversary plans on actioning their objectives, multiple stages of the attack may not be detected or correlated if they security solutions lack visibility into OT, IT, IoT and cloud.

Comprehensive security under one solution

Darktrace leverages Self-Learning AI, which takes a new approach to cybersecurity. Instead of relying on rules and signatures, this AI trains on the specific business to learn a ‘pattern of life’ that models normal activity for every device, user, and connection. It can be applied anywhere an organization has data, and so can natively cover IT, OT, IoT, and cloud.  

With these models, Darktrace /OT provides improved visibility, threat detection and response, and risk management for proactive hardening recommendations.  

Visibility: Darktrace is the only OT security solution that natively covers IT, IoT and OT in unison. AI augmented workflows ensure OT cybersecurity analysts and operation engineers can manage IT and OT environments, leveraging a live asset inventory and tailored dashboards to optimize security workflows and minimize operator workload.

Threat detection, investigation, and response: The AI facilitates anomaly detection capable of detecting known, unknown, and insider threats and precise response for OT environments that contains threats at their earliest stages before they can jeopardize control systems. Darktrace immediately understands, identifies, and investigates all anomalous activity in OT networks, whether human or machine driven and uses Explainable AI to generate investigation reports via Darktrace’s Cyber AI Analyst.

Proactive risk identification: Risk management capabilities like attack path modeling can prioritize remediation and mitigation that will most effectively reduce derived risk scores. Rather than relying on knowledge of past attacks and CVE lists and scores, Darktrace AI learns what is ‘normal’ for its environment, discovering previously unknown threats and risks by detecting subtle shifts in behavior and connectivity. Through the application of Darktrace AI for OT environments, security teams can investigate novel attacks, discover blind spots, get live-time visibility across all their physical and digital assets, and reduce the time to detect, respond to, and triage security events.

Continue reading
About the author
Daniel Simonds
Director of Operational Technology

Blog

Inside the SOC

Medusa Ransomware: Looking Cyber Threats in the Eye with Darktrace

Default blog imageDefault blog image
10
Jun 2024

What is Living off the Land attack?

In the face of increasingly vigilant security teams and adept defense tools, attackers are continually looking for new ways to circumvent network security and gain access to their target environments. One common tactic is the leveraging of readily available utilities and services within a target organization’s environment in order to move through the kill chain; a popular method known as living off the land (LotL). Rather than having to leverage known malicious tools or write their own malware, attackers are able to easily exploit the existing infrastructure of their targets.

The Medusa ransomware group in particular are known to extensively employ LotL tactics, techniques and procedures (TTPs) in their attacks, as one Darktrace customer in the US discovered in early 2024.

What is Medusa Ransomware?

Medusa ransomware (not to be confused with MedusaLocker) was first observed in the wild towards the end of 2022 and has been a popular ransomware strain amongst threat actors since 2023 [1]. Medusa functions as a Ransomware-as-a-Service (RaaS) platform, providing would-be attackers, also know as affiliates, with malicious software and infrastructure required to carry out disruptive ransomware attacks. The ransomware is known to target organizations across many different industries and countries around the world, including healthcare, education, manufacturing and retail, with a particular focus on the US [2].

How does medusa ransomware work?

Medusa affiliates are known to employ a number of TTPs to propagate their malware, most prodominantly gaining initial access by exploiting vulnerable internet-facing assets and targeting valid local and domain accounts that are used for system administration.

The ransomware is typically delivered via phishing and spear phishing campaigns containing malicious attachments [3] [4], but it has also been observed using initial access brokers to access target networks [5]. In terms of the LotL strategies employed in Medusa compromises, affiliates are often observed leveraging legitimate services like the ConnectWise remote monitoring and management (RMM) software and PDQ Deploy, in order to evade the detection of security teams who may be unable to distinguish the activity from normal or expected network traffic [2].

According to researchers, Medusa has a public Telegram channel that is used by threat actors to post any data that may have been stolen, likely in an attempt to extort organizations and demand payment [2].  

Darktrace’s Coverage of Medusa Ransomware

Established Foothold and C2 activity

In March 2024, Darktrace /NETWORK identified over 80 devices, including an internet facing domain controller, on a customer network performing an unusual number of activities that were indicative of an emerging ransomware attack. The suspicious behavior started when devices were observed making HTTP connections to the two unusual endpoints, “wizarr.manate[.]ch” and “go-sw6-02.adventos[.]de”, with the PowerShell and JWrapperDownloader user agents.

Darktrace’s Cyber AI Analyst™ launched an autonomous investigation into the connections and was able to connect the seemingly separate events into one wider incident spanning multiple different devices. This allowed the customer to visualize the activity in chronological order and gain a better understanding of the scope of the attack.

At this point, given the nature and rarity of the observed activity, Darktrace /NETWORK's autonomous response would have been expected to take autonomous action against affected devices, blocking them from making external connections to suspicious locations. However, autonomous response was not configured to take autonomous action at the time of the attack, meaning any mitigative actions had to be manually approved by the customer’s security team.

Internal Reconnaissance

Following these extensive HTTP connections, between March 1 and 7, Darktrace detected two devices making internal connection attempts to other devices, suggesting network scanning activity. Furthermore, Darktrace identified one of the devices making a connection with the URI “/nice ports, /Trinity.txt.bak”, indicating the use of the Nmap vulnerability scanning tool. While Nmap is primarily used legitimately by security teams to perform security audits and discover vulnerabilities that require addressing, it can also be leveraged by attackers who seek to exploit this information.

Darktrace / NETWORK model alert showing the URI “/nice ports, /Trinity.txt.bak”, indicating the use of Nmap.
Figure 1: Darktrace /NETWORK model alert showing the URI “/nice ports, /Trinity.txt.bak”, indicating the use of Nmap.

Darktrace observed actors using multiple credentials, including “svc-ndscans”, which was also seen alongside DCE-RPC activity that took place on March 1. Affected devices were also observed making ExecQuery and ExecMethod requests for IWbemServices. ExecQuery is commonly utilized to execute WMI Query Language (WQL) queries that allow the retrieval of information from WI, including system information or hardware details, while ExecMethod can be used by attackers to gather detailed information about a targeted system and its running processes, as well as a tool for lateral movement.

Lateral Movement

A few hours after the first observed scanning activity on March 1, Darktrace identified a chain of administrative connections between multiple devices, including the aforementioned internet-facing server.

Cyber AI Analyst was able to connect these administrative connections and separate them into three distinct ‘hops’, i.e. the number of administrative connections made from device A to device B, including any devices leveraged in between. The AI Analyst investigation was also able to link the previously detailed scanning activity to these administrative connections, identifying that the same device was involved in both cases.

Cyber AI Analyst investigation into the chain of lateral movement activity.
Figure 2: Cyber AI Analyst investigation into the chain of lateral movement activity.

On March 7, the internet exposed server was observed transferring suspicious files over SMB to multiple internal devices. This activity was identified as unusual by Darktrace compared to the device's normal SMB activity, with an unusual number of executable (.exe) and srvsvc files transferred targeting the ADMIN$ and IPC$ shares.

Cyber AI Analyst investigation into the suspicious SMB write activity.
Figure 3: Cyber AI Analyst investigation into the suspicious SMB write activity.
Graph highlighting the number of successful SMB writes and the associated model alerts.
Figure 4: Graph highlighting the number of successful SMB writes and the associated model alerts.

The threat actor was also seen writing SQLite3*.dll files over SMB using a another credential this time. These files likely contained the malicious payload that resulted in the customer’s files being encrypted with the extension “.s3db”.

Darktrace’s visibility over an affected device performing successful SMB writes.
Figure 5: Darktrace’s visibility over an affected device performing successful SMB writes.

Encryption of Files

Finally, Darktrace observed the malicious actor beginning to encrypt and delete files on the customer’s environment. More specifically, the actor was observed using credentials previously seen on the network to encrypt files with the aforementioned “.s3db” extension.

Darktrace’s visibility over the encrypted files.
Figure 6: Darktrace’s visibility over the encrypted files.


After that, Darktrace observed the attacker encrypting  files and appending them with the extension “.MEDUSA” while also dropping a ransom note with the file name “!!!Read_me_Medusa!!!.txt”

Darktrace’s detection of threat actors deleting files with the extension “.MEDUSA”.
Figure 7: Darktrace’s detection of threat actors deleting files with the extension “.MEDUSA”.
Darktrace’s detection of the Medusa ransom note.
Figure 8: Darktrace’s detection of the Medusa ransom note.

At the same time as these events, Darktrace observed the attacker utilizing a number of LotL techniques including SSL connections to “services.pdq[.]tools”, “teamviewer[.]com” and “anydesk[.]com”. While the use of these legitimate services may have bypassed traditional security tools, Darktrace’s anomaly-based approach enabled it to detect the activity and distinguish it from ‘normal’’ network activity. It is highly likely that these SSL connections represented the attacker attempting to exfiltrate sensitive data from the customer’s network, with a view to using it to extort the customer.

Cyber AI Analyst’s detection of “services.pdq[.]tools” usage.
Figure 9: Cyber AI Analyst’s detection of “services.pdq[.]tools” usage.

If this customer had been subscribed to Darktrace's Proactive Threat Notification (PTN) service at the time of the attack, they would have been promptly notified of these suspicious activities by the Darktrace Security Operation Center (SOC). In this way they could have been aware of the suspicious activities taking place in their infrastructure before the escalation of the compromise. Despite this, they were able to receive assistance through the Ask the Expert service (ATE) whereby Darktrace’s expert analyst team was on hand to assist the customer by triaging and investigating the incident further, ensuring the customer was well equipped to remediate.  

As Darktrace /NETWORK's autonomous response was not enabled in autonomous response mode, this ransomware attack was able to progress to the point of encryption and data exfiltration. Had autonomous response been properly configured to take autonomous action, Darktrace would have blocked all connections by affected devices to both internal and external endpoints, as well as enforcing a previously established “pattern of life” on the device to stop it from deviating from its expected behavior.

Conclusion

The threat actors in this Medusa ransomware attack attempted to utilize LotL techniques in order to bypass human security teams and traditional security tools. By exploiting trusted systems and tools, like Nmap and PDQ Deploy, attackers are able to carry out malicious activity under the guise of legitimate network traffic.

Darktrace’s Self-Learning AI, however, allows it to recognize the subtle deviations in a device’s behavior that tend to be indicative of compromise, regardless of whether it appears legitimate or benign on the surface.

Further to the detection of the individual events that made up this ransomware attack, Darktrace’s Cyber AI Analyst was able to correlate the activity and collate it under one wider incident. This allowed the customer to track the compromise and its attack phases from start to finish, ensuring they could obtain a holistic view of their digital environment and remediate effectively.

Credit to Maria Geronikolou, Cyber Analyst, Ryan Traill, Threat Content Lead

Appendices

Darktrace DETECT Model Detections

Anomalous Connection / SMB Enumeration

Device / Anomalous SMB Followed By Multiple Model Alerts

Device / Suspicious SMB Scanning Activity

Device / Attack and Recon Tools

Device / Suspicious File Writes to Multiple Hidden SMB Share

Compromise / Ransomware / Ransom or Offensive Words Written to SMB

Device / Internet Facing Device with High Priority Alert

Device / Network Scan

Anomalous Connection / Powershell to Rare External

Device / New PowerShell User Agent

Possible HTTP Command and Control

Extensive Suspicious DCE-RPC Activity

Possible SSL Command and Control to Multiple Endpoints

Suspicious Remote WMI Activity

Scanning of Multiple Devices

Possible Ransom Note Accessed over SMB

List of Indicators of Compromise (IoCs)

IoC – Type – Description + Confidence

207.188.6[.]17      -     IP address   -      C2 Endpoint

172.64.154[.]227 - IP address -        C2 Endpoint

wizarr.manate[.]ch  - Hostname -       C2 Endpoint

go-sw6-02.adventos[.]de.  Hostname  - C2 Endpoint

.MEDUSA             -        File extension     - Extension to encrypted files

.s3db               -             File extension    -  Created file extension

SQLite3-64.dll    -        File           -               Used tool

!!!Read_me_Medusa!!!.txt - File -   Ransom note

Svc-ndscans         -         Credential     -     Possible compromised credential

Svc-NinjaRMM      -       Credential      -     Possible compromised credential

MITRE ATT&CK Mapping

Discovery  - File and Directory Discovery - T1083

Reconnaissance    -  Scanning IP            -          T1595.001

Reconnaissance -  Vulnerability Scanning -  T1595.002

Lateral Movement -Exploitation of Remote Service -  T1210

Lateral Movement - Exploitation of Remote Service -   T1210

Lateral Movement  -  SMB/Windows Admin Shares     -    T1021.002

Lateral Movement   -  Taint Shared Content          -            T1080

Execution   - PowerShell     - T1059.001

Execution  -   Service Execution   -    T1059.002

Impact   -    Data Encrypted for Impact  -  T1486

References

[1] https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/

[2] https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html

[3] https://www.trustwave.com/en-us/resources/blogs/trustwave-blog/unveiling-the-latest-ransomware-threats-targeting-the-casino-and-entertainment-industry/

[4] https://www.sangfor.com/farsight-labs-threat-intelligence/cybersecurity/security-advisory-for-medusa-ransomware

[5] https://thehackernews.com/2024/01/medusa-ransomware-on-rise-from-data.html

[6]https://any.run/report/8be3304fec9d41d44012213ddbb28980d2570edeef3523b909af2f97768a8d85/e4c54c9d-12fd-477f-8cbb-a20f8fb98912

Continue reading
About the author
Maria Geronikolou
Cyber Analyst
Our ai. Your data.

Elevate your cyber defenses with Darktrace AI

Start your free trial
Darktrace AI protecting a business from cyber threats.