Tuesday, November 12, 2024
HomeCyber Security NewsALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

ALPHV Ransomware Deployment Started With RDP Access And ScreenConnect Installations

Published on

Malware protection

Ransomware is used by hackers to abuse victims’ data, locking it until a ransom is paid.

This method of cyber attack is profitable as it takes advantage of data’s proximity and vitality to individuals and companies, so they have no choice but to pay for quick returns.

An invasion started with an email containing a forked IcedID variant that emphasized payload delivery.

- Advertisement - SIEM as a Service

After gaining initial access, the intruder installed ScreenConnect on the computer for remote control, abusively utilized Cobalt Strike beacons, and deployed CSharp Streamer RAT to gain credentials and move laterally within domain controllers and servers.

During the identification phase, sensitive information was placed in ‘confucius_cpp,’ a special program of which rclone showed the extraction.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

For eight days, they performed a systematic deployment of ScreenConnect installers across hosts using WMI before finally delivering ALPHV ransomware payloads after deleting backups.

ALPHV Ransomware Deployment

The malicious spam electronic mail, which tricked the prey into downloading and unzipping a folder with a readme and Visual Basic Script (VBS), served as the initial access vector.

Activating VBS executed an embedded, obfuscated IcedID loader DLL that dropped and ran another IcedID DLL payload, completing the infection chain, reads the DFIR report.

This is consistent with a known malicious activity where the same technique was employed to distribute an IcedID fork that deals with payload deployment instead of banking activities.

The threat actor deployed ScreenConnect remote access tools using disguised installation programs that operated through wmiexec and RDP sessions.

Several techniques were employed to extract Cobalt Strike beacons, including bitsadmin, certutil, and PowerShell.

CSharp Streamer RAT kept persistence via scheduled tasks in LSASS credential dumping, lateral movement, and C2 communications.

IcedID ensured its persistence by using scheduled tasks, while ScreenConnect was made persistent across reboots.

During lateral movement into winlogon.exe and rundll32.exe, process injection was observed. Renamed installers were deleted by the actor.

Lateral movement (Source – The Fire Report)

Key activities involved LSASS credential dumping, which was validated through memory analysis, and dcsync was performed from the beachhead to a domain controller for credential harvesting.

This was followed by the threat actor conducting initial recognition using native Windows utilities launched through IcedID and subsequently exploiting ScreenConnect for more reconnaissance commands.

SoftPerfect netscan for network scanning took place on different days, targeting IP ranges plus ports of RPC, SMB, RDP, and Veeam backups.

ScreenConnect installers were then laterally copied via SMB and became deployed with wmiexec.py to get remote control. The attacker extensively used RDP for lateral movement including proxying through CSharp Streamer.

Before exfiltration, a custom tool called confucius_cpp enumerated systems by LDAP query, accessed shares based on keywords, and compressed sensitive information. The attacker also opened documents using the Firefox installation.

C&C (Source – The Fire Report)

The threat actor leveraged multiple tools during the intrusion:- 

  • IcedID for initial access communicating with modalefastnow[.]com
  • Cobalt Strike beacons across hosts connecting to tracked C2 infrastructure
  • CSharp Streamer RAT at 109.236.80.191 using WebSockets over rotating ports
  • ScreenConnect remote access tools deployed via renamed binaries executed through wmiexec.py

While Firefox was used for document preview and downloading rclone, which was executed through a VBS script for data exfiltration. 

The final payload was ALPHV ransomware, staged on the backup server then deployed across hosts via xcopy and WMI-initiated execution after deleting backups. 

Note (Source – The Fire Report)

A ransom note referencing the group’s Twitter was left post-encryption.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Tor Network Suffers IP Spoofing Attack Via Non-Exit Relays

In late October 2024, a coordinated IP spoofing attack targeted the Tor network, prompting...