Grief is a combination ransomware-extortion threat that first emerged in May 2021. The group behind Grief maintains a public leak site where it posts stolen victim data. Despite the handful of attacks publicly attributed to Grief, there's been very little technical intelligence published about the ransomware and the precursor behaviors that precede it.

Red Canary's visibility into this threat has been limited, but, through a series of short-term incident response engagements, we've noticed certain conspicuous patterns in the malicious activity leading right up to the point of encryption. We haven't seen the initial infection vectors nor, importantly, the actual process of files getting encrypted. However, we've seen the aftermath of the encryption and many of the behaviors that come before it. We also performed dynamic analysis on a Grief sample in order to get a better idea of what happens during the encryption process.

In this report, we're going to share technical intelligence on how we've detected precursor activity and helped customers respond to Grief outbreaks over the last couple of months.

Grief often turns up in environments where there's been a Dridex infection and in which there's evidence of the post-exploitation tool Cobalt Strike. Though we were unable to definitively determine that Grief originated from Dridex and Cobalt Strike in the environments we examined, we assess it's likely that these environments were initially compromised via a Dridex infection and that the adversaries, in turn, leveraged Cobalt Strike and subsequently deployed Grief. This assessment is at least partially validated by Dell SecureWorks, which has also observed a relationship between Dridex, Cobalt Strike, and Grief. Just a few days ago, Zscaler published a report compellingly arguing that Grief is a rebranded version of the now inactive DoppelPaymer ransomware. This is important because DoppelPaymer has been a second-stage payload delivered after Dridex many times in the past, which further supports the idea that the Dridex activity we saw is related to Grief.

We published numerous strategies for detecting Dridex and Cobalt Strike in the 2021 Threat Detection Report. Those detection strategies continue to hold up, and, as you'll see below, many of them helped us detect and respond to Grief incidents with our incident response partners.

We've observed adversaries leveraging DLL Search Order Hijacking (T1574.001 Hijack Execution Flow: DLL Search Order Hijacking) when deploying Dridex in the lead-up to a Grief infection. In general, this technique involves adversaries relocating native system binaries and executing them from a non-standard directory such as appdata\roaming. Because Windows searches the application's own directory before the system directories when resolving a DLL that is not a KnownDLL, a DLL planted next to the relocated binary under a name the binary expects to load is picked up instead of the real one. In cases where Dridex preceded Grief, we've seen adversaries relocate the system information binary (msinfo32.exe) to the appdata\roaming directory in order to load a malicious dynamic link library (DLL) into memory. The following image represents a timeline of events on a single endpoint that illustrates what this behavior looks like in telemetry:

Figure 1

As you can see, the Task Scheduler Engine (taskeng.exe) spawns the relocated version of msinfo32.exe in the appdata\roaming directory. From there, msinfo32.exe loads a malicious DLL from the appdata\roaming directory that masquerades as a legitimate DLL (mfc42u.dll) (T1036.005 Masquerading: Match Legitimate Name or Location).

As observed in the above telemetry, msinfo32.exe is executing without a corresponding command line, which gives us our first detection opportunity.
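The three observations above (a native binary such as msinfo32.exe executing from appdata\roaming, a well-known DLL name such as mfc42u.dll loaded from that same user-writable directory, and the process starting with no command line) translate directly into detection logic. The following is an added example, not Red Canary's code: it runs those checks over a handful of constructed process-start and image-load events that mirror the timeline described above. The event schema, the `Event` dataclass, the extra user-writable directories beyond appdata\roaming, and the sample paths and PIDs are all assumptions made for illustration; the logic generalizes the page's single msinfo32.exe/mfc42u.dll observation to any binary or DLL name placed in the watch lists.

```python
r"""Detection logic for the relocated-system-binary pattern described above.

Added example, not Red Canary's code. The event schema, the directory
lists beyond appdata\roaming, and the sample events are constructed.
"""
from dataclasses import dataclass
import ntpath

# Where native Windows binaries and the DLLs they ship with legitimately live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Native binaries worth watching for relocation. msinfo32.exe is from the page;
# extending the set to other system binaries is an assumption.
NATIVE_BINARIES = {"msinfo32.exe"}
# Legitimate DLL names an adversary may plant beside a relocated binary.
WATCHED_DLLS = {"mfc42u.dll"}
# User-writable locations: appdata\roaming is from the page, the rest are assumptions.
USER_WRITABLE_MARKERS = (r"\appdata\roaming", r"\appdata\local\temp", r"\users\public")


@dataclass
class Event:
    """Minimal process-start or image-load record (constructed schema)."""
    kind: str                 # "process_start" or "image_load"
    pid: int
    image: str                # full path of the process image
    parent_image: str = ""    # process_start only
    command_line: str = ""    # process_start only
    loaded_image: str = ""    # image_load only


def _split(path):
    """Return (directory, file name), both lower-cased, for a Windows path."""
    directory, name = ntpath.split(path.lower())
    return directory.rstrip("\\"), name


def in_system_dir(path):
    return _split(path)[0] in SYSTEM_DIRS


def in_user_writable_dir(path):
    return any(marker in _split(path)[0] for marker in USER_WRITABLE_MARKERS)


def relocated_native_binary(image):
    """T1574.001 candidate: a native binary name executing outside the system directories."""
    return _split(image)[1] in NATIVE_BINARIES and not in_system_dir(image)


def masqueraded_dll(loaded_image):
    """T1036.005 candidate: a well-known DLL name loaded from outside the system directories."""
    return _split(loaded_image)[1] in WATCHED_DLLS and not in_system_dir(loaded_image)


def missing_command_line(command_line):
    return command_line.strip() == ""


def analyze(events):
    """Run the three checks over a list of Events and return one finding per hit."""
    findings = []
    for ev in events:
        directory, name = _split(ev.image)
        if ev.kind == "process_start":
            if relocated_native_binary(ev.image):
                findings.append({
                    "pid": ev.pid, "technique": "T1574.001",
                    "detail": f"{name} executed from {directory} (parent {ev.parent_image}); "
                              f"user-writable={in_user_writable_dir(ev.image)}",
                })
            if name in NATIVE_BINARIES and missing_command_line(ev.command_line):
                findings.append({
                    "pid": ev.pid, "technique": "no-command-line",
                    "detail": f"{name} started with an empty command line (parent {ev.parent_image})",
                })
        elif ev.kind == "image_load" and masqueraded_dll(ev.loaded_image):
            findings.append({
                "pid": ev.pid, "technique": "T1036.005",
                "detail": f"{name} loaded {ev.loaded_image} instead of the system copy",
            })
    return findings


# Constructed events mirroring the timeline above; not real telemetry.
SAMPLE_EVENTS = [
    Event("process_start", 4242,
          image=r"C:\Users\alice\AppData\Roaming\msinfo32.exe",
          parent_image=r"C:\Windows\System32\taskeng.exe",
          command_line=""),
    Event("image_load", 4242,
          image=r"C:\Users\alice\AppData\Roaming\msinfo32.exe",
          loaded_image=r"C:\Users\alice\AppData\Roaming\mfc42u.dll"),
    # Benign control: the real msinfo32.exe, launched with arguments, loading a system DLL.
    Event("process_start", 5150,
          image=r"C:\Windows\System32\msinfo32.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line=r'"C:\Windows\System32\msinfo32.exe" /nfo C:\temp\report.nfo'),
    Event("image_load", 5150,
          image=r"C:\Windows\System32\msinfo32.exe",
          loaded_image=r"C:\Windows\System32\mfc42u.dll"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding["pid"], finding["technique"], finding["detail"])
```

Run as written, the script reports three findings, all against PID 4242 (the relocated binary, its empty command line, and the planted mfc42u.dll), and nothing for the legitimate msinfo32.exe control. In a real deployment the process-start records would come from Sysmon Event ID 1 or an EDR process feed and the image-load records from Sysmon Event ID 7; the parent image is carried in the finding so that a scheduled-task parent such as taskeng.exe can be weighted during triage.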