# Incident Report: Correlation of Intrusion Activity with Multiple Ransomware Groups
## Executive Summary
This security incident involved an intrusion initiated by a user executing malware disguised as a legitimate application, leading to the deployment of the SectopRAT backdoor. The threat actor performed extensive reconnaissance and lateral movement, using tools associated with ransomware operations like Play and potentially DragonForce groups. The ultimate objective appeared to be ransomware deployment, evidenced by the collection and staging of sensitive data for exfiltration.
## Incident Details
- Discovery Date: March 2025 (Original brief published) / September 8, 2025 (Public report date)
- Incident Date: October 14, 2025 (the intrusion date cited in the source context, though the activity itself is likely historical)
- Affected Organization: Undisclosed
- Sector: Undisclosed
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Prior to October 14, 2025
- Vector: User Execution (Spearphishing/Malicious Download)
- Details: A user downloaded and executed a malicious file impersonating the DeskSoft EarthTime application, which deployed the **SectopRAT** malware.
### Lateral Movement
- Progression: The actor deployed **SystemBC** for proxy tunneling and the **Betruger** backdoor. They used AdFind, SharpHound, SoftPerfect NetScan, and `GT_NET.exe` (Grixba) for network mapping and reconnaissance. Lateral movement was achieved primarily via **RDP connections** and Impacket's **wmiexec**, and reached Domain Controllers, backup servers, and file servers.
### Data Exfiltration/Impact
- Details: The actor used **WinRAR** to compress targeted files, specifically sensitive business documents gathered from file shares (including those located via a custom tool, `S64.exe_`, targeting a remotely mounted share). Staged data was exfiltrated with **WinSCP** to an FTP server hosted by a cloud provider, in clear text.
### Detection & Response
- Discovery: Not described in the source; this summary is derived from post-incident DFIR analysis.
- Response Actions: Containment, eradication, and recovery steps are inferred from standard response procedures for pre-ransomware intrusions (see the Response Actions section).
## Attack Methodology
- Initial Access: Execution of malicious file disguised as EarthTime application (User Execution).
- Persistence: Local account creation and startup folder shortcuts.
- Privilege Escalation: Not explicitly detailed, but movement to Domain Controllers implies escalation success.
- Defense Evasion: Use of established backdoors (SectopRAT, Betruger) and proxy tunneling (SystemBC).
- Credential Access: Not explicitly detailed, but network discovery suggests attempts were made.
- Discovery: Used AdFind, SharpHound, SoftPerfect NetScan, and `GT_NET.exe` (Grixba) to map the environment.
- Lateral Movement: RDP connections and Impacket’s wmiexec.
- Collection: Targeted collection of files (.xls, .xlsx, .doc, .pdf, web content, configuration files, source code) using custom tooling (`S64.exe_`) and WinRAR compression.
- Exfiltration: Transfer of compressed data via **WinSCP** to an external, clear-text FTP server.
- Impact: Intended ransomware deployment; sensitive business data staged for theft.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Sensitive business documents, configuration files, web content, and source code were collected and staged for exfiltration.
- Operational: Potential for full operational shutdown pending ransomware deployment (implied).
- Reputational: High potential reputational damage due to data exfiltration linked to multiple known ransomware affiliates (DragonForce, Play, RansomHub).
## Indicators of Compromise
- Network indicators (defanged):
  - C2 IP address associated with SectopRAT: 45.141.87[.]55 (port 15647/TCP).
- File indicators:
  - SectopRAT malware.
  - SystemBC malware.
  - Betruger backdoor.
  - WinSCP.rar, WinSCP.ini.
- Behavioral indicators:
  - Execution of SectopRAT injected into `MSBuild.exe`.
  - Use of **`GT_NET.exe` (Grixba)** for reconnaissance.
  - Data staging using the custom tool `S64.exe_`.
  - Exfiltration to an external FTP server via WinSCP using specific file masks.
## Response Actions
- Containment measures: (Inferred) Isolation of compromised systems, particularly Domain Controllers and identified persistence points.
- Eradication steps: (Inferred) Removal of SectopRAT, SystemBC, and Betruger; disabling newly created local accounts.
- Recovery actions: (Inferred) Review and harden RDP configurations; plan remediation in case ransomware was executed.
## Lessons Learned
- The intrusion demonstrates an affiliate possibly linked to **three major ransomware groups** (DragonForce, Play, RansomHub), blurring lines between threat actors.
- Initial compromise relied on successful user execution of application impersonation malware.
- The actor employed a multi-stage approach using multiple backdoors (SectopRAT, Betruger) and specialized tunnelers (SystemBC).
- Data collection was highly targeted based on file extension (code, configs, documents), indicating a focused pre-ransomware phase.
## Recommendations
- Implement stringent application control policies to prevent execution of unauthorized downloaded files.
- Enhance endpoint detection to monitor for TTPs across multiple established frameworks (SectopRAT, Betruger).
- Review and restrict RDP access; enforce Multi-Factor Authentication (MFA) on all remote access vectors.
- Review file transfer logs, specifically targeting outbound clear-text FTP transfers involving compressed archives destined for cloud storage providers.
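As an added example (not part of the original report), the following Python sweep applies the report's network and behavioral indicators to constructed log lines: the SectopRAT C2 address and port, `MSBuild.exe` reaching an external host, and outbound clear-text FTP carrying a compressed archive. The log line shape, the internal range 10.20.0.0/16, and all file names and destination addresses other than the C2 are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

SECTOPRAT_C2 = ("45.141.87.55", 15647)  # from the report (defanged on the page, refanged for matching)
ARCHIVE_EXTS = (".rar", ".zip", ".7z")  # what WinRAR staging produces before the FTP upload
INTERNAL_NET = ip_network("10.20.0.0/16")  # assumed internal range; anything else is external

# Constructed sample lines in an assumed "ts src dst:port process [file]" shape, not real telemetry.
SAMPLE_LOGS = """\
2025-10-14T02:11:09Z 10.20.1.17 45.141.87.55:15647 MSBuild.exe
2025-10-14T03:40:51Z 10.20.1.17 10.20.1.5:3389 mstsc.exe
2025-10-14T04:02:13Z 10.20.5.9 198.51.100.44:21 WinSCP.exe WinSCP.rar
2025-10-14T04:05:27Z 10.20.5.9 198.51.100.44:21 WinSCP.exe finance_q3.xlsx
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[\d.]+):(?P<port>\d+) (?P<proc>\S+)(?: (?P<file>\S+))?$"
)

def classify(line: str) -> list[str]:
    """Return the detection labels that fire on one log line (empty list means nothing matched)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    dst, port, proc = m["dst"], int(m["port"]), m["proc"].lower()
    fname = (m["file"] or "").lower()
    try:
        external = ip_address(dst) not in INTERNAL_NET
    except ValueError:  # malformed address field, skip the line
        return []
    hits: list[str] = []
    if (dst, port) == SECTOPRAT_C2:
        hits.append("sectoprat_c2")
    # SectopRAT ran injected into MSBuild.exe, which has no reason to reach external hosts.
    if proc == "msbuild.exe" and external:
        hits.append("msbuild_external_connection")
    # Clear-text FTP (port 21) leaving the network, worse when it carries a compressed archive.
    if port == 21 and external:
        hits.append("outbound_cleartext_ftp")
        if fname.endswith(ARCHIVE_EXTS):
            hits.append("archive_over_ftp")
    return hits

def sweep(log_text: str) -> dict[str, list[str]]:
    """Map each firing label to the timestamps of the lines that triggered it."""
    out: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        for label in classify(line):
            out.setdefault(label, []).append(line.split()[0])
    return out
```

The benign RDP line is deliberately left unflagged, since the report's RDP activity is only distinguishable in context (source host, account, time), not by port alone.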