August 7, 2024

Summary
The threat actors leveraging BlackCat, often referred to as the “BlackCat gang”, use numerous tactics that are becoming increasingly commonplace in the ransomware space. Notably, in some cases they apply multiple extortion techniques, including siphoning victim data before deploying the ransomware and threatening to release that data if the ransom is not paid.
- In 2024, the Rewterz IR team was engaged by a victim organization to investigate suspicious activities in its network.
- To carry the investigation forward, six images were taken to initiate DFIR activity.
- Analysis of the images shows that a source ----------- was a common parameter, followed by events of psexecsvc (the Sysinternals PsExec service), a tool known for its capability to move laterally in the network and to allow a local administrator to escalate to NT AUTHORITY privileges. In addition, an unknown file was identified that had been installed as a service, named “Etamzv5WZeNFQZMq4Esz.exe”.
- File analysis of “Etamzv5WZeNFQZMq4Esz.exe” shows that it has the capability to delete shadow copies, a key indicator associated with ransomware behaviour.
- To investigate further, Rewterz requested that the victim organization share the image of 10.100.0.128 along with its details. The details provided reveal that this was an image of the Oracle PeopleSoft (FSCMSTAGE-APP) staging server. Continuing the analysis, the image contains artifacts under the share folder named $share: suspicious files with the naming convention comp1.txt, comp2.txt and so on, together with artifacts of netscan.exe.
- The files were encrypted under the image -----------; therefore the contents of the text files following the comp1.txt naming convention are not readable. However, a couple of strings resembling the IP scheme of the mentioned subnet indicate that these were the target machines encrypted by the attacker.
- One point to note is that, for both psexecsvc and the other file “Etamzv5WZeNFQZMq4Esz”, the service-installation event was preceded by an NTLM logon success for the user account sccm_admin. Since this behaviour is common across the machine images we took, it indicates the likely use of the sccm_admin account for the activity.
- To determine how the files came to be present on the share folder of the staging machine, we performed another iteration over the images, including the Oracle PeopleSoft PSPFSCM-Wb01 server. During review of its security logs, a malware-category event for the BlackCat.F variant was observed, dated 30th December 2023.
- This evidence points to the potential exploitation of the Oracle PeopleSoft portal as the entry point.
- In our analysis we found that Oracle PeopleSoft was vulnerable and was exploited, which led to the compromise of the environment.
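The evidence chain described above (an NTLM network logon by sccm_admin shortly followed by installation of PSEXESVC and of the unknown executable as services) can be turned into a simple correlation check over Windows event logs. The following is an added example written for this page, not code from Rewterz or from the investigation; the event records, timestamps and host names are constructed, and the five-minute window and the "known service directories" list are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int   # 4624 = logon success (Security), 7045 = service installed (System)
    fields: dict

# Constructed sample events (not taken from the report): one NTLM network logon by
# sccm_admin, followed by two service installations, plus a benign control on another host.
SAMPLE_EVENTS = [
    Event(datetime(2023, 12, 30, 1, 12, 5), "FSCMSTAGE-APP", 4624,
          {"TargetUserName": "sccm_admin", "LogonType": "3", "AuthenticationPackageName": "NTLM"}),
    Event(datetime(2023, 12, 30, 1, 12, 40), "FSCMSTAGE-APP", 7045,
          {"ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"}),
    Event(datetime(2023, 12, 30, 1, 13, 2), "FSCMSTAGE-APP", 7045,
          {"ServiceName": "Etamzv5WZeNFQZMq4Esz", "ImagePath": r"C:\Windows\Etamzv5WZeNFQZMq4Esz.exe"}),
    Event(datetime(2023, 12, 30, 3, 0, 0), "PSPFSCM-Wb01", 7045,
          {"ServiceName": "WinDefend", "ImagePath": r"C:\Program Files\Windows Defender\MsMpEng.exe"}),
]

# Assumed baseline: service binaries normally live here; anything else is worth a look.
KNOWN_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

def suspicious_service(ev: Event) -> bool:
    """Flag the PsExec service by name, or any service whose binary sits outside KNOWN_SERVICE_DIRS."""
    name = ev.fields.get("ServiceName", "").upper()
    path = ev.fields.get("ImagePath", "").lower()
    return name == "PSEXESVC" or not path.startswith(KNOWN_SERVICE_DIRS)

def correlate(events, window=timedelta(minutes=5)):
    """Return (host, account, service) for each suspicious 7045 that follows an NTLM
    network logon (4624, LogonType 3) on the same host within `window`."""
    hits = []
    ordered = sorted(events, key=lambda e: e.ts)
    for svc in (e for e in ordered if e.event_id == 7045 and suspicious_service(e)):
        for logon in ordered:
            if (logon.event_id == 4624 and logon.host == svc.host
                    and logon.fields.get("AuthenticationPackageName") == "NTLM"
                    and logon.fields.get("LogonType") == "3"
                    and timedelta(0) <= svc.ts - logon.ts <= window):
                hits.append((svc.host, logon.fields["TargetUserName"], svc.fields["ServiceName"]))
                break   # one matching logon is enough to report this service install
    return hits

if __name__ == "__main__":
    for host, account, service in correlate(SAMPLE_EVENTS):
        print(f"{host}: service {service} installed within 5 min of NTLM logon by {account}")
```

On real data the events would be parsed from the Security and System logs of each image; the check is only a triage aid, since PsExec and NTLM logons are also used legitimately by administrators.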