Full Report
Cybersecurity researchers have detailed an attack in which a threat actor used a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged that access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloader named
Analysis Summary
# Tool/Technique: Python-based Backdoor (SOCKS5 Proxy)
## Overview
A Python-based backdoor utilized by a threat actor to establish persistent access to compromised endpoints and facilitate lateral movement within the victim network. It functions as a reverse proxy using the SOCKS5 protocol after an initial C2 handshake. This backdoor was seen deployed after initial infection via SocGholish malware.
## Technical Details
- Type: Malware (Backdoor)
- Platform: Unknown (Likely Windows/Linux given Python context and RDP usage)
- Capabilities: Reverse proxy functionality, SOCKS5 tunneling, command and control communication, error handling, verbose debugging.
- First Seen: Detected in the wild since early December 2023, with an earlier version documented in February 2024.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1090 - Proxy
- T1090.003 - Multi-hop Proxy
- TA0008 - Lateral Movement
- T1021 - Remote Services
- T1021.001 - Remote Desktop Protocol
- TA0003 - Persistence
- T1547 - Boot or Logon Autostart Execution (Inferred, as persistence is a goal)
## Functionality
### Core Capabilities
- Establishes a reverse proxy connection to a hard-coded IP address.
- Establishes a tunnel heavily based on the SOCKS5 protocol after a successful Command-and-Control (C2) handshake.
- Allows the threat actor to move laterally within the network using the victim system as a proxy.
### Advanced Features
- The script code is noted as being polished and well-written, featuring distinct classes, descriptive method names, high degrees of error handling, and verbose debug messages, suggesting meticulous development practices or AI assistance.
- Undergoing "surface-level changes" aimed at improving obfuscation methods to evade detection.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: Connects to a hard-coded IP address for C2 communication. (IP address defanged: *hard-coded_IP*)
- Behavioral Indicators: Establishes reverse tunnels using SOCKS5 for network proxying; used for lateral movement via RDP sessions.
## Associated Threat Actors
- Unnamed threat actor leveraging SocGholish for initial access, subsequently deploying this backdoor.
## Detection Methods
- Signature-based detection: Evasion techniques suggest signature-based detection is challenged.
- Behavioral detection: Monitoring for processes initiating outbound SOCKS5 connections to external or unexpected internal IPs that act as proxies. Monitoring for unusual RDP usage patterns concurrent with backdoor execution.
- YARA rules if available: [Not provided]
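The behavioural detection above hinges on one property of a reverse SOCKS5 proxy: the endpoint opens the TCP connection outbound, but it is the remote peer that then sends the SOCKS5 client greeting and CONNECT request, naming the internal host (for example an RDP server) it wants to reach through the victim. The following added example (not code from the report or from the backdoor) classifies captured sessions on that basis and extracts the pivot target from the CONNECT request as defined in RFC 1928. The session records, process names and addresses are constructed, and the record layout is an assumption about what a sensor would provide.

```python
"""Added example: spot a reverse SOCKS5 tunnel in captured session metadata.
A session is suspicious when the endpoint initiated it yet the remote peer speaks
the SOCKS5 *client* side (greeting, then CONNECT). Records are constructed."""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VER = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
RDP_PORT = 3389


@dataclass
class Session:               # assumed sensor record layout
    process: str             # local process owning the socket
    remote: str              # remote peer address
    initiated_locally: bool  # True when the endpoint opened the connection
    from_remote: list        # first payload messages received from the peer, in order


def parse_greeting(b: bytes):
    """Return the offered auth methods if b is a SOCKS5 client greeting, else None."""
    if len(b) < 2 or b[0] != SOCKS_VER:
        return None
    nmethods = b[1]
    if nmethods == 0 or len(b) != 2 + nmethods:
        return None
    return list(b[2:])


def parse_connect(b: bytes):
    """Return (host, port) if b is a SOCKS5 CONNECT request, else None."""
    if len(b) < 4 or b[0] != SOCKS_VER or b[1] != CMD_CONNECT or b[2] != 0x00:
        return None
    atyp = b[3]
    if atyp == ATYP_IPV4 and len(b) == 10:
        return str(ipaddress.IPv4Address(b[4:8])), struct.unpack("!H", b[8:10])[0]
    if atyp == ATYP_DOMAIN and len(b) >= 5:
        n = b[4]
        if len(b) == 7 + n:
            host = b[5:5 + n].decode("ascii", "replace")
            return host, struct.unpack("!H", b[5 + n:7 + n])[0]
    if atyp == ATYP_IPV6 and len(b) == 22:
        return str(ipaddress.IPv6Address(b[4:20])), struct.unpack("!H", b[20:22])[0]
    return None


def assess(s: Session):
    """Return a finding dict for a reverse SOCKS5 tunnel, or None otherwise."""
    if not s.initiated_locally or not s.from_remote:
        return None
    if parse_greeting(s.from_remote[0]) is None:
        return None
    finding = {"process": s.process, "remote": s.remote, "finding": "reverse-socks5",
               "target": None, "rdp_pivot": False}
    # After the greeting the peer sends CONNECT naming the host it wants reached
    # *through* this endpoint; that host is the lateral-movement target.
    if len(s.from_remote) > 1:
        target = parse_connect(s.from_remote[1])
        if target:
            finding["target"] = target
            finding["rdp_pivot"] = target[1] == RDP_PORT
    return finding


# Constructed sessions: a backdoor-style tunnel pivoting to RDP, an ordinary TLS
# client (peer's first bytes are a ServerHello), and a tunnel pivoting to SMB by name.
BACKDOOR = Session("python.exe", "203.0.113.10", True,
                   [b"\x05\x01\x00", b"\x05\x01\x00\x01\x0a\x00\x00\x05\x0d\x3d"])
TLS_CLIENT = Session("chrome.exe", "198.51.100.7", True, [b"\x16\x03\x03\x00\x7a\x02"])
DOMAIN_PIVOT = Session("python.exe", "203.0.113.10", True,
                       [b"\x05\x02\x00\x02", b"\x05\x01\x00\x03\x07fs.corp\x01\xbd"])


def run():
    return [assess(s) for s in (BACKDOOR, TLS_CLIENT, DOMAIN_PIVOT)]


if __name__ == "__main__":
    for result in run():
        print(result)
```

A network sensor or full packet capture supplies the first payload bytes per direction; on the endpoint side, the process name is the second half of the signal, since an interpreter with no business reason to hold a long-lived outbound connection that then receives SOCKS5 CONNECT requests for port 3389 ties directly to the RDP lateral movement described above.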
## Mitigation Strategies
- Network segmentation to limit the impact of lateral movement via proxying.
- Strict egress filtering to block unauthorized SOCKS5 or unusual C2 traffic.
- Monitoring RDP sessions, especially when they are used in conjunction with new, suspicious file execution.
## Related Tools/Techniques
- SocGholish (FakeUpdates): Precursor malware used for initial access.
- EDR evasion tools (EDRSilencer, Backstab): Used later in the kill chain by similar campaigns.
- LaZagne, MailBruter: Credential theft/email compromise tools mentioned in parallel campaigns.
***
# Tool/Technique: SocGholish (FakeUpdates)
## Overview
A malware family utilized for initial access, typically distributed via drive-by download campaigns that trick users into installing bogus web browser updates. It downloads secondary payloads from attacker-controlled servers.
## Technical Details
- Type: Malware (Downloader/Dropper)
- Platform: Desktop Operating Systems (Implicitly Windows, common for drive-by downloads)
- Capabilities: Initial access, downloading secondary payloads (like the Python backdoor), leveraging deceptive web content.
- First Seen: Campaigns active as recently as last year (2023/2024).
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1189 - Drive-by Compromise
- T1189.001 - Drive-by Compromise: Drive-by Download
- TA0002 - Execution
- T1204 - User Execution
- T1204.002 - User Execution: Malicious File
## Functionality
### Core Capabilities
- Distribution via drive-by campaigns using legitimate-but-infected websites.
- Redirection from search engine results using Black Hat SEO techniques.
- Downloads secondary payloads from C2 servers upon execution.
### Advanced Features
- Historically targets WordPress sites running vulnerable, outdated SEO plugins (e.g., Yoast CVE-2024-4984, Rank Math PRO CVE-2024-3665).
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided]
- Network Indicators: Communication with attacker-controlled C2 servers for payload retrieval.
- Behavioral Indicators: Execution resulting from downloading fake browser updates; exploitation of vulnerable SEO plugins on web servers.
## Associated Threat Actors
- Threat actors operating sophisticated drive-by and SEO poisoning campaigns.
## Detection Methods
- Detection focusing on the indicators leveraged by the distribution chain (e.g., traffic to known compromised sites delivering update prompts).
- Monitoring for known vulnerabilities in WordPress SEO plugins (CVE-2024-4984, CVE-2024-3665).
## Mitigation Strategies
- Utilizing up-to-date security software (EDR/Anti-virus).
- Ensuring prompt patching of web server software and plugins (WordPress, SEO plugins).
- User education regarding software update authenticity.
## Related Tools/Techniques
- Python-based Backdoor (Subsequent payload).
***
# Tool/Technique: RansomHub Ransomware
## Overview
A ransomware family deployed by a threat actor after establishing persistent network access using a Python-based backdoor. Its ultimate purpose is data encryption and demanding a ransom.
## Technical Details
- Type: Malware (Ransomware)
- Platform: Network-wide deployment (Implicitly targeting endpoint operating systems)
- Capabilities: Encrypting files across the compromised network.
- First Seen: Incident reported in September 2024 targeting 210 organizations.
## MITRE ATT&CK Mapping
- TA0012 - Impact
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encrypting data within the target environment.
### Advanced Features
- [Not detailed in the context for this specific variant/deployment.]
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Network Indicators: [Not provided (C2 likely shut down after deployment)]
## Associated Threat Actors
- RansomHub affiliate group.
## Detection Methods
- Signature detection for ransomware payload files.
- Monitoring for mass file modification/encryption activities.
## Mitigation Strategies
- Robust backup and recovery strategies (immutable backups).
- Network monitoring to detect the initial stages (backdoor activity leading up to encryption).
## Related Tools/Techniques
- Python-based Backdoor (Enabler).
***
# Tool/Technique: Codefinger S3 Encryption Attack
## Overview
A distinct ransomware activity attributed to the threat actor Codefinger, which targets Amazon S3 buckets. It abuses AWS native services, specifically Server-Side Encryption with Customer Provided Keys (SSE-C), to encrypt data, preventing recovery without the attacker's key.
## Technical Details
- Type: Technique/Ransomware Activity
- Platform: Amazon Web Services (AWS) S3
- Capabilities: Encryption of S3 objects utilizing SSE-C, high-pressure tactics via data deletion scheduling.
- First Seen: Mentioned in recent threat insights (January 2025 context).
## MITRE ATT&CK Mapping
- TA0012 - Impact
- T1486 - Data Encrypted for Impact
- TA0006 - Credential Access (Implicitly needed to utilize keys)
- T1649 - Steal or Forge Authentication Certificates (Relevant to abusing leaked keys)
## Functionality
### Core Capabilities
- Abuses publicly disclosed AWS access keys that have read/write permissions for S3 objects.
- Uses AWS's Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, making it unrecoverable by the victim without the provided key.
- Sets an urgent ransom demand by using S3 Object Lifecycle Management API to schedule file deletion within seven days.
### Advanced Features
- The encryption relies on native AWS functionality rather than attacker-supplied tooling, so the data is as unrecoverable as any SSE-C object without the key, and there is little to trace outside of AWS logs.
## Indicators of Compromise
- File Hashes: [Not applicable for cloud service abuse]
- File Names: [Not applicable]
- Registry Keys: [Not applicable]
- Network Indicators: Use of legitimate AWS API endpoints for encryption/lifecycle management.
- Behavioral Indicators: Sudden appearance of SSE-C encrypted objects in S3 buckets associated with leaked/compromised credentials.
## Associated Threat Actors
- Codefinger
## Detection Methods
- Auditing AWS API activity per access key for encryption-related calls (PutObject with SSE-C headers), particularly from keys with no prior legitimate usage history.
- Monitoring for creation of S3 Lifecycle rules that schedule object deletion within short timeframes (e.g., 7 days).
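Both detection methods above can be run over S3 API audit records. The following added example (not code from the report or from AWS) scans CloudTrail-style event records for PutObject calls carrying the SSE-C algorithm header and for lifecycle rules that expire objects within seven days, then correlates the two per access key. The event records, key IDs and bucket names are constructed, and the request-parameter layout (`bucketName`, the `x-amz-server-side-encryption-customer-algorithm` parameter, and `LifecycleConfiguration.Rule`) is an assumption about how CloudTrail data events render these calls; adapt the field names to your own logs.

```python
"""Added example: find Codefinger-style signals in CloudTrail-style S3 events.
Signal 1: PutObject with an SSE-C algorithm header.  Signal 2: a lifecycle rule
that expires objects within SHORT_EXPIRY_DAYS.  Events below are constructed."""
from collections import defaultdict

SSEC_ALGORITHM_PARAM = "x-amz-server-side-encryption-customer-algorithm"  # assumed field name
SHORT_EXPIRY_DAYS = 7


def _rules(params):
    """PutBucketLifecycle may carry one Rule dict or a list; normalise to a list."""
    rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def scan(events):
    """Return findings, each naming the access key, bucket and reason."""
    findings = []
    ssec_by_key = defaultdict(lambda: defaultdict(int))  # accessKeyId -> bucket -> count
    for ev in events:
        params = ev.get("requestParameters") or {}
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "?")
        bucket = params.get("bucketName", "?")
        if ev.get("eventName") == "PutObject" and params.get(SSEC_ALGORITHM_PARAM):
            ssec_by_key[key_id][bucket] += 1
        elif ev.get("eventName") == "PutBucketLifecycle":
            for rule in _rules(params):
                days = (rule.get("Expiration") or {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None and days <= SHORT_EXPIRY_DAYS:
                    findings.append({"key": key_id, "bucket": bucket,
                                     "reason": "lifecycle-expiry-%dd" % days})
    for key_id, buckets in ssec_by_key.items():
        for bucket, n in buckets.items():
            findings.append({"key": key_id, "bucket": bucket,
                             "reason": "ssec-putobject", "count": n})
    return findings


def high_confidence_keys(findings):
    """Access keys seen doing both SSE-C writes and short-expiry lifecycle changes."""
    by_key = defaultdict(set)
    for f in findings:
        by_key[f["key"]].add(f["reason"].split("-")[0])
    return {k for k, reasons in by_key.items() if {"ssec", "lifecycle"} <= reasons}


# Constructed events: a leaked key re-encrypting objects and scheduling deletion,
# beside an application key doing routine KMS-encrypted writes and a 1-year rule.
EVENTS = [
    {"eventTime": "2025-01-10T02:14:07Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-09.dump",
                           SSEC_ALGORITHM_PARAM: "AES256"}},
    {"eventTime": "2025-01-10T02:14:09Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-08.dump",
                           SSEC_ALGORITHM_PARAM: "AES256"}},
    {"eventTime": "2025-01-10T02:15:00Z", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEAPP"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-10.dump",
                           "x-amz-server-side-encryption": "aws:kms"}},
    {"eventTime": "2025-01-10T02:16:30Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLELEAKED"},
     "requestParameters": {"bucketName": "corp-backups", "LifecycleConfiguration": {
         "Rule": {"ID": "expire", "Status": "Enabled", "Filter": {"Prefix": ""},
                  "Expiration": {"Days": 7}}}}},
    {"eventTime": "2025-01-10T03:00:00Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEAPP"},
     "requestParameters": {"bucketName": "corp-logs", "LifecycleConfiguration": {
         "Rule": [{"ID": "retain", "Status": "Enabled", "Expiration": {"Days": 365}}]}}},
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f)
    print("keys to disable:", high_confidence_keys(EVENTS and scan(EVENTS)))
```

The correlation step matters: routine SSE-C use exists in some environments, and short lifecycle rules exist on scratch buckets, but one key doing both against the same bucket within minutes is the pattern described above. For buckets that never need SSE-C, AWS also offers a bucket-policy condition key, `s3:x-amz-server-side-encryption-customer-algorithm`, on which PutObject can be denied outright, which removes the encryption step regardless of credential exposure.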
## Mitigation Strategies
- Strict key management and access control for AWS API keys. Restrict write/read permissions to the minimum necessary.
- Review and audit publicly disclosed keys regularly.
- Implement strong data protection policies that do not rely solely on customer-provided encryption keys for critical data recovery paths.
## Related Tools/Techniques
- AWS native services abuse.
***
# Tool/Technique: EDRSilencer and Backstab
## Overview
Tools observed in pre-ransomware deployment phases used to disable or interfere with Endpoint Detection and Response (EDR) solutions, facilitating stealthier subsequent actions.
## Technical Details
- Type: Tool/Utility
- Platform: Endpoint Operating Systems
- Capabilities: Disabling EDR solutions.
- First Seen: Mentioned in recent threat reports (January 2025 context).
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1562 - Impair Defenses
- T1562.001 - Impair Defenses: Disable or Modify Tools
## Functionality
### Core Capabilities
- Disabling EDR security solutions (EDRSilencer, Backstab).
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: EDRSilencer, Backstab
- Network Indicators: [Not provided]
## Associated Threat Actors
- Threat actors deploying modern ransomware strains.
## Mitigation Strategies
- Deploying EDR solutions with tamper-proofing features.
- Implementing robust application control to restrict the execution of known defense evasion tools.
## Related Tools/Techniques
- Followed by ransomware deployment.
***
# Tool/Technique: LaZagne and MailBruter
## Overview
Tools deployed prior to ransomware to steal credentials and compromise email accounts, essential for expanding access and persistence.
## Technical Details
- Type: Tool/Malware
- Platform: Endpoint Operating Systems
- Capabilities: Credential theft (LaZagne), Brute-forcing email credentials (MailBruter).
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1003 - OS Credential Dumping (LaZagne)
- T1110 - Brute Force (MailBruter)
## Functionality
### Core Capabilities
- LaZagne: Steals stored credentials from the system.
- MailBruter: Attempts to gain access to email accounts via brute-force attacks on credentials.
## Associated Threat Actors
- Threat actors delivering modern ransomware.
## Related Tools/Techniques
- Precursors to ransomware deployment.
***
# Tool/Technique: Sirefef and Mediyes
## Overview
Tools used to maintain stealthy access and deliver additional payloads during the reconnaissance/pre-ransomware phase. Mediyes is noted as a dropper using a valid signature.
## Technical Details
- Type: Tool/Dropper
- Platform: Endpoint Operating Systems
- Capabilities: Maintaining stealthy access, dropping secondary payloads.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- TA0005 - Defense Evasion
## Associated Threat Actors
- Threat actors delivering modern ransomware.
## Related Tools/Techniques
- Precursors to ransomware deployment.
***
# Tool/Technique: Black Basta Email Bombing/Phishing
## Overview
A social engineering technique associated with the Black Basta ransomware crew, involving flooding victims' inboxes with massive volumes of legitimate-looking emails (newsletters, payment notices) to overwhelm the recipient, followed by a direct social engineering approach (phone/Teams) recommending the installation of remote access software.
## Technical Details
- Type: Technique (Social Engineering/Phishing)
- Platform: Email Systems/User Endpoints
- Capabilities: Creating message saturation, gaining trust via tech support pretext, tricking users into installing remote access tools.
- First Seen: Observed recently (December 2024 context) alongside rapid-fire MFA bypass techniques.
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1566 - Phishing
- T1566.002 - Phishing: Spearphishing Link (Implied delivery mechanism for the final step)
- TA0008 - Lateral Movement
- T1078 - Valid Accounts (Implied use of compromised legitimate accounts for communication)
## Functionality
### Core Capabilities
- Flooding inboxes with over 1,100 legitimate-looking, irrelevant messages to cause distraction/overwhelm.
- Following up via phone or Microsoft Teams posing as IT support offering a "simple fix."
- Directing victims to install remote access software (TeamViewer, AnyDesk).
### Advanced Features
- Highly coordinated multi-vector approach transitioning from overwhelming email volume to direct, trusted human interaction via phone/Teams.
## Indicators of Compromise
- High volume of unrelated, low-relevance emails hitting a single target simultaneously.
- Spikes in inbound calls/Teams messages from unknown numbers offering unsolicited technical support or fixes related to a recent technical inconvenience (implied by the email flood).
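The first indicator above (a single mailbox hit by a flood of unrelated messages) is straightforward to measure at the mail gateway. The following added example (not code from the report) counts messages per recipient in a sliding ten-minute window together with the number of distinct sender domains behind them, which separates a newsletter bombardment from a single noisy sender. The log format and thresholds are assumptions, and the log lines are constructed; the report describes floods of over 1,100 messages, so the threshold here is deliberately lower for illustration.

```python
"""Added example: flag an email-bombing burst from constructed mail-gateway logs.
Line format (assumed): "<iso8601> rcpt=<address> sender=<address>"."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_MESSAGES = 50        # tune to the environment; the report cites over 1,100
MIN_SENDER_DOMAINS = 20  # a bombing run arrives from many unrelated senders


def parse_line(line):
    """Return (timestamp, recipient, sender) from one log line."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return datetime.fromisoformat(ts), fields["rcpt"].lower(), fields["sender"].lower()


def detect_bursts(lines):
    """Return {recipient: summary} for recipients whose window crosses both thresholds."""
    windows = defaultdict(deque)  # recipient -> deque of (timestamp, sender domain)
    alerts = {}
    for line in sorted(lines):    # ISO timestamps sort lexically; gateway order may differ
        ts, rcpt, sender = parse_line(line)
        q = windows[rcpt]
        q.append((ts, sender.rsplit("@", 1)[-1]))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()           # drop messages older than the window
        domains = {d for _, d in q}
        if len(q) >= MIN_MESSAGES and len(domains) >= MIN_SENDER_DOMAINS:
            alerts[rcpt] = {"messages": len(q), "sender_domains": len(domains),
                            "window_start": q[0][0].isoformat(), "last_seen": ts.isoformat()}
    return alerts


def constructed_log():
    """60 unrelated newsletters to one user in five minutes, plus normal traffic to another."""
    base = datetime(2024, 12, 3, 9, 0, 0)
    lines = []
    for i in range(60):
        t = base + timedelta(seconds=5 * i)
        lines.append("%s rcpt=alice@corp.example sender=promo@news%02d.example" % (t.isoformat(), i))
    for i in range(8):
        t = base + timedelta(minutes=7 * i)
        lines.append("%s rcpt=bob@corp.example sender=alerts@vendor%d.example" % (t.isoformat(), i % 3))
    return lines


if __name__ == "__main__":
    for rcpt, summary in detect_bursts(constructed_log()).items():
        print(rcpt, summary)
```

An alert on a mailbox is most useful when it is forwarded to the help desk as well as the SOC, because the second stage of the technique is a call or Teams message to that same user offering to "fix" the flood; a desk that already knows the user was bombed can recognise the unsolicited support contact for what it is.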
## Associated Threat Actors
- Black Basta Ransomware Crew
## Mitigation Strategies
- Training users to be extremely cautious of unsolicited technical support contact, even following an unusual email event.
- Implementing strict controls or monitoring for remote access tool installations (TeamViewer, AnyDesk) on endpoints outside of regular IT deployment channels.
## Related Tools/Techniques
- Use of legitimate remote access tools such as TeamViewer or AnyDesk for final payload delivery/access.