# Incident Report: BlackSuit Ransomware Deployment via Fake Zoom Installer
## Executive Summary
This incident, which occurred in May 2024, involved a sophisticated, multi-stage intrusion beginning with a fake Zoom installer that delivered the d3f@ck loader and subsequently installed the SectopRAT backdoor. Over nine days, the attackers leveraged multiple C2 frameworks (SectopRAT, Brute Ratel, Cobalt Strike) for reconnaissance and lateral movement, including using the QDoor proxy tool to facilitate RDP access. The attack culminated in the exfiltration of targeted data archived with WinRAR to Bublup, followed by the deployment of BlackSuit ransomware across all Windows systems using PsExec.
## Incident Details
- **Discovery Date:** Not disclosed in the summary (the public report is dated March 31, 2025; the intrusion itself took place in May 2024, so discovery fell somewhere in between)
- **Incident Date:** May 2024
- **Affected Organization:** Not explicitly disclosed in summary
- **Sector:** Not explicitly disclosed in summary
- **Geography:** Not explicitly disclosed in summary
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024
- **Vector:** Malicious download from a website mimicking the Zoom teleconferencing application.
- **Details:** The user downloaded a malicious Inno Setup installer that ran the d3f@ck loader, implemented in Inno Setup's Pascal scripting. The loader executed a batch script that added its payload folder to the Windows Defender exclusion list and hid the folder, then fetched two archive files over HTTP from an IP address it obtained from a Steam Community page.
### Execution & Persistence
- **Date/Time:** Immediately following Initial Access (Day 0)
- **Vector:** IDAT loader and SectopRAT injection.
- **Details:** One archive contained the legitimate Zoom installer (for deception); the other contained the IDAT loader, which deployed an encrypted payload, resulting in the injection of **SectopRAT** into `MSBuild.exe`. C2 communication was established via an IP address obtained from **Pastebin**. Activity ceased for eight days.
### Internal Reconnaissance & Tool Deployment
- **Date/Time:** Day 9
- **Details:** SectopRAT spawned a command shell executing a **Brute Ratel** ("Badger") payload. This payload performed extensive discovery before deploying a **Cobalt Strike beacon**, which injected into `dllhost.exe` and accessed LSASS memory.
### Lateral Movement
- **Date/Time:** Following internal tool deployment (Days 9+)
- **Vector:** Cobalt Strike `psexec_psh` and RDP facilitated by QDoor.
- **Details:** Attackers used Cobalt Strike to move to a domain controller via remote service execution (PowerShell beacon). They continued discovery using native utilities. On a DC and a backup server, they deployed **QDoor**, a proxy tool, executed via WMIC, tunneling RDP traffic back to the adversary's server through the compromised domain controller.
### Data Exfiltration/Impact
- **Date/Time:** Post-Lateral Movement
- **Details:** Utilizing the proxied RDP session on a file share server, the attacker used the Edge browser to download WinRAR. They used WinRAR to archive targeted file shares. The archives were then exfiltrated using the cloud SaaS application **Bublup** via the Edge browser. Critical files for ransomware deployment were obtained from a RAR archive downloaded from `temp.sh` onto a domain controller.
### Detection & Response
- **Date/Time:** Not stated. The analysis described was performed after the fact, primarily from endpoint artifacts collected with KAPE and parsed with Dissect.
- **Response actions taken:** The summary describes investigative work rather than live containment: identifying the C2 channels, decoding the loader and beacon shellcode, reviewing RDP session activity (Event IDs 4624 and 4779), and using network logs (Zeek, Suricata) to spot the unencrypted QDoor C2 traffic and the Cobalt Strike remote service creation.
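The RDP review above hinges on one observation: once QDoor is in place, RDP sessions to the file server and backup server are sourced from the compromised domain controller, not from an administrator's workstation or jump host. The following is an added example (not code from the report) that applies that logic to Security log 4624 records. The hostnames, the jump-host address, the server subnet and the event records themselves are constructed for the example.

```python
"""Flag interactive RDP logons (Event ID 4624, LogonType 10) whose source is
an internal server rather than an approved jump host, and show which source
fans out to several targets, the footprint of a single proxy pivot.

Added example; assumptions: jump-host address and server subnet below.
"""
import ipaddress
from collections import defaultdict

ALLOWED_RDP_SOURCES = {"10.0.50.10"}                  # assumed admin jump host
SERVER_SUBNET = ipaddress.ip_network("10.0.10.0/24")  # assumed DC/server VLAN

# Constructed Security-log 4624 records (not real telemetry). 10.0.10.5 plays
# the compromised DC running the QDoor proxy.
EVENTS = [
    {"EventID": 4624, "Computer": "FILESRV01", "LogonType": 10,
     "TargetUserName": "admin.svc", "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "Computer": "BACKUP01",  "LogonType": 10,
     "TargetUserName": "admin.svc", "IpAddress": "10.0.10.5"},
    {"EventID": 4624, "Computer": "FILESRV01", "LogonType": 10,
     "TargetUserName": "jdoe",      "IpAddress": "10.0.50.10"},  # expected
    {"EventID": 4624, "Computer": "FILESRV01", "LogonType": 3,
     "TargetUserName": "BACKUP01$", "IpAddress": "10.0.10.7"},   # SMB, not RDP
    {"EventID": 4624, "Computer": "DC01",      "LogonType": 10,
     "TargetUserName": "admin.svc", "IpAddress": "-"},           # console session
]


def _parse_ip(value):
    """Return an ip_address or None for placeholders such as '-'."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def suspicious_rdp_logons(events):
    """4624/LogonType 10 events sourced from the server subnet or from any
    address that is not an approved RDP origin."""
    hits = []
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] != 10:
            continue
        ip = _parse_ip(e["IpAddress"])
        if ip is None or str(ip) in ALLOWED_RDP_SOURCES:
            continue
        reason = "server-sourced RDP" if ip in SERVER_SUBNET else "unapproved RDP source"
        hits.append({**e, "reason": reason})
    return hits


def rdp_fanout(events, min_targets=2):
    """Sources behind suspicious RDP logons to at least `min_targets` distinct
    hosts: one internal address reaching many systems is the proxy pattern."""
    targets = defaultdict(set)
    for e in suspicious_rdp_logons(events):
        targets[e["IpAddress"]].add(e["Computer"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    for h in suspicious_rdp_logons(EVENTS):
        print(f"{h['Computer']}: {h['TargetUserName']} from {h['IpAddress']} ({h['reason']})")
    print(rdp_fanout(EVENTS))
```

In the constructed data the two server-sourced logons both trace back to 10.0.10.5, which is exactly the pivot a proxied RDP session leaves behind; a legitimate jump-host logon and a network (Type 3) logon from the same subnet are not flagged.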
## Attack Methodology
- **Initial Access:** Malicious fake Zoom installer leading to d3f@ck loader.
- **Persistence:** SectopRAT established, followed by subsequent loading/dropping of Brute Ratel and Cobalt Strike.
- **Privilege Escalation:** Not explicitly detailed in the summary. The Cobalt Strike beacon's LSASS memory access points to credential theft rather than a distinct escalation technique, with the harvested credentials then reused for lateral movement.
- **Defense Evasion:** Payload folder excluded from Windows Defender via a batch script; execution of legitimate Zoom installer to hide malicious activity.
- **Credential Access:** Observation of Cobalt Strike beacon accessing LSASS memory.
- **Discovery:** Native Windows utilities (`nltest`, `net`, `systeminfo`) used after gaining domain controller access.
- **Lateral Movement:** Cobalt Strike `psexec_psh` for rapid deployment and RDP leveraged via the QDoor proxy tunnel.
- **Collection:** File shares aggregated using **WinRAR**.
- **Exfiltration:** Data uploaded to the **Bublup** cloud SaaS application via the Edge browser.
- **Impact:** Deployment and execution of **BlackSuit ransomware** across all Windows systems using PsExec for remote execution.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Targeted file shares were archived and exfiltrated.
- **Operational:** Full disruption expected due to the deployment of BlackSuit ransomware across the entire Windows estate.
- **Reputational:** Not disclosed.
## Indicators of Compromise
- **Network indicators (no addresses are disclosed in this summary):**
- Outbound request from the SectopRAT-injected `MSBuild.exe` to **Pastebin**, from which the implant retrieved its C2 IP address.
- Traffic destined for port 15647 associated with **SectopRAT** C2 (ET MALWARE Arechclient2 Backdoor/SecTopRAT CnC Init).
- Unencrypted C2 communication from the **QDoor** proxy tool.
- **File indicators:**
- Artifacts of the fake Zoom installer package (Inno Setup).
- Payloads consistent with **d3f@ck loader**, **IDAT loader**.
- **SectopRAT, Brute Ratel, Cobalt Strike** executables/beacons.
- **QDoor** proxy binary (`svhost.exe` observed on DC/backup server).
- **BlackSuit ransomware** executable staged via files from `temp.sh`.
- **Behavioral indicators:**
- Batch script modifying Windows Defender exclusions.
- Process injection of unknown payload into `MSBuild.exe`.
- Use of `psexec_psh` via Cobalt Strike for remote service creation over RPC.
- WMIC used to launch the QDoor proxy tool.
- **WinRAR** activity compressing large file share directories.
- Outbound data uploads via the **Bublup** application via Edge browser.
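Several of the behavioral indicators above are visible in process-creation telemetry alone. The block below is an added example (not from the report) that expresses four of them as rules over Sysmon Event ID 1 style records: the Defender exclusion added by the dropper's batch script, the encoded PowerShell one-liner that Cobalt Strike's `psexec_psh` launches via the Service Control Manager, WMIC starting an executable (how QDoor was launched), and WinRAR archiving a UNC share. The event records, paths and the `svhost.exe` location are constructed sample input, not artifacts from the case.

```python
"""Rule-based scan of process-creation events for the behaviors seen in this
intrusion. Added example; the PROCESS_EVENTS records are constructed."""
import re

PROCESS_EVENTS = [
    {   # dropper's batch script excluding its folder from Defender
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'powershell -Command "Add-MpPreference -ExclusionPath C:\Users\u\AppData\Roaming\App"',
    },
    {   # SCM-spawned encoded PowerShell: psexec_psh payload shape
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\services.exe",
        "CommandLine": r"C:\Windows\system32\cmd.exe /b /c start /b /min powershell -nop -w hidden -encodedcommand SQBFAFgA",
    },
    {   # WMIC launching a proxy binary (constructed path)
        "Image": r"C:\Windows\System32\wbem\WMIC.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"wmic process call create C:\ProgramData\svhost.exe",
    },
    {   # WinRAR archiving a file share over UNC
        "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" a -r -ep1 C:\Users\u\Desktop\share.rar "\\FILESRV01\Finance"',
    },
    {   # ordinary PowerShell use, should not match
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell Get-Date",
    },
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(e):
    """Add-/Set-MpPreference exclusion or direct registry write to Exclusions."""
    cl = e["CommandLine"]
    return bool(
        re.search(r"(Add|Set)-MpPreference.*-Exclusion(Path|Process|Extension)", cl, re.I)
        or re.search(r"\breg(\.exe)?\s+add\b.*Windows Defender\\Exclusions", cl, re.I)
    )


def rule_psexec_psh_service(e):
    """services.exe spawning PowerShell with an encoded command."""
    return (_basename(e["ParentImage"]) == "services.exe"
            and re.search(r"\s-(e|ec|enc|encodedcommand)\s", e["CommandLine"], re.I) is not None)


def rule_wmic_process_create(e):
    """WMIC used to start a process (local or remote)."""
    return (_basename(e["Image"]) == "wmic.exe"
            and re.search(r"process\s+call\s+create", e["CommandLine"], re.I) is not None)


def rule_winrar_unc_archive(e):
    """WinRAR/Rar 'a' (add) command whose arguments include a UNC share path."""
    cl = e["CommandLine"]
    return (_basename(e["Image"]) in {"winrar.exe", "rar.exe"}
            and re.search(r"\sa\s", cl) is not None
            and re.search(r"\\\\[\w.-]+\\", cl) is not None)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "psexec_psh_service": rule_psexec_psh_service,
    "wmic_process_create": rule_wmic_process_create,
    "winrar_unc_archive": rule_winrar_unc_archive,
}


def match_rules(event):
    return [name for name, pred in RULES.items() if pred(event)]


def scan(events):
    """(index, matched rule names) for every event that trips at least one rule."""
    return [(i, m) for i, e in enumerate(events) if (m := match_rules(e))]


if __name__ == "__main__":
    for i, names in scan(PROCESS_EVENTS):
        print(i, _basename(PROCESS_EVENTS[i]["Image"]), names)
```

None of these rules depends on a file hash or C2 address, which is the point: the loaders and beacons changed across stages, but the Defender exclusion, the SCM-launched encoded PowerShell and the WMIC-spawned binary are behaviors that survive tool swaps.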
## Response Actions
- **Containment:** (Implied) Focus on isolating compromised hosts from the network where possible, specifically those running QDoor/Cobalt Strike beacons.
- **Eradication:** (Implied) Complete removal of all malware stages (SectopRAT, Brute Ratel C2 implants, QDoor, Cobalt Strike beacons) and the ransomware payload.
- **Recovery:** Restoration from backups following the ransomware encryption event.
## Lessons Learned
- **Initial Access Robustness:** A single, convincing social engineering vector (fake software installer) provided deep initial access, highlighting the need for strict application control/whitelisting and browser filtering.
- **Chained Tooling:** The attackers chained three C2 frameworks (SectopRAT, Brute Ratel, Cobalt Strike) plus the QDoor proxy, gaining flexibility at each stage and making it unlikely that a single signature would cover the whole chain.
- **Proxy Tunnelling:** Because QDoor tunnelled RDP through the compromised domain controller, the interactive sessions on the file share and backup servers appeared to originate from an internal, trusted server; the only external connection was QDoor's own C2 channel, which was unencrypted and therefore visible in network logs.
- **Exfiltration Channel:** The use of a legitimate SaaS application (Bublup) for large-scale data exfiltration bypassed traditional egress monitoring focused on known suspicious domains.
## Recommendations
- **Application Control:** Implement strict application allow-listing, specifically targeting untrusted installers (like those generated by Inno Setup) attempting to execute code or alter security settings immediately upon execution.
- **C2 Detection:** Enhance network monitoring (e.g., Suricata rules) to specifically identify signatures associated with QDoor to detect proxy tunnels where C2 traffic may be unencrypted.
- **RDP Monitoring:** Correlate RDP connection logs (Event ID 4624, LogonType 10) with process creation logs to identify unusual parent processes (like WMIC launching tools) or unexpected RDP connections originating from internal assets acting as proxies.
- **Egress Filtering:** Implement behavioral analysis on web traffic to flag mass archival (*e.g., WinRAR operations*) followed immediately by large uploads via legitimate cloud collaboration tools like Bublup.
- **Endpoint Hardening:** Review protection mechanisms to ensure batch scripts cannot easily disable or exclude security monitoring folders.
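The egress recommendation above is a temporal correlation: a large archive written on a host, followed shortly by a large outbound POST from the same host to a destination that is not a sanctioned upload service. The block below is an added example (not code from the report) of that correlation run over constructed archive-creation and web-proxy records. The hostnames, the `bublup.com` destination string, the sanctioned-destination allow-list, the 30-minute window and the 100 MB threshold are all assumptions made for the example.

```python
"""Correlate large archive creation with a large outbound POST from the same
host shortly afterwards. Added example; all records below are constructed."""
from datetime import datetime, timedelta

# Assumed allow-list of sanctioned upload destinations (example values).
APPROVED_UPLOAD_DESTS = {"outlook.office.com", "contoso.sharepoint.com"}

# Constructed archive-creation records (e.g. Sysmon Event ID 11 for *.rar,
# with the final file size attached at collection time).
ARCHIVE_EVENTS = [
    {"ts": "2024-05-20T14:02:10", "host": "FILESRV01", "path": r"C:\Users\a\Desktop\fin.rar", "size_mb": 812},
    {"ts": "2024-05-20T09:15:00", "host": "WS042",     "path": r"C:\Users\b\Documents\photos.rar", "size_mb": 45},
    {"ts": "2024-05-19T11:00:00", "host": "FILESRV01", "path": r"C:\Backups\sql.rar", "size_mb": 400},
]

# Constructed web-proxy rows: bytes sent by the client per request.
PROXY_EVENTS = [
    {"ts": "2024-05-20T14:09:31", "host": "FILESRV01", "dest": "bublup.com",
     "method": "POST", "bytes_out": 790_000_000},
    {"ts": "2024-05-20T09:20:00", "host": "WS042", "dest": "outlook.office.com",
     "method": "POST", "bytes_out": 2_000_000},
    {"ts": "2024-05-19T11:05:00", "host": "FILESRV01", "dest": "contoso.sharepoint.com",
     "method": "POST", "bytes_out": 420_000_000},          # sanctioned destination
    {"ts": "2024-05-20T16:00:00", "host": "FILESRV01", "dest": "download.windowsupdate.com",
     "method": "GET", "bytes_out": 1_200},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_archive_then_upload(archives, uploads,
                                  window=timedelta(minutes=30), min_mb=100):
    """Pair each archive of at least `min_mb` with a POST of at least `min_mb`
    from the same host, to a non-sanctioned destination, within `window`
    after the archive was written. Destination-agnostic by design: the
    exfiltration service in this case was not on any block list."""
    hits = []
    for a in archives:
        if a["size_mb"] < min_mb:
            continue
        t0 = _ts(a["ts"])
        for u in uploads:
            if u["host"] != a["host"] or u["method"] != "POST":
                continue
            if u["dest"] in APPROVED_UPLOAD_DESTS or u["bytes_out"] / 1e6 < min_mb:
                continue
            dt = _ts(u["ts"]) - t0
            if timedelta(0) <= dt <= window:
                hits.append({
                    "host": a["host"],
                    "archive": a["path"],
                    "dest": u["dest"],
                    "seconds_between": int(dt.total_seconds()),
                    "upload_mb": round(u["bytes_out"] / 1e6),
                })
    return hits


if __name__ == "__main__":
    for h in correlate_archive_then_upload(ARCHIVE_EVENTS, PROXY_EVENTS):
        print(f"{h['host']}: {h['archive']} -> {h['dest']} "
              f"({h['upload_mb']} MB, {h['seconds_between']} s later)")
```

The rule fires once in the constructed data: the file server's 812 MB archive followed seven minutes later by a 790 MB POST to an unrecognised SaaS host. The small personal archive and the sanctioned SharePoint upload are ignored, which is what keeps a destination-agnostic rule tolerable in production.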