Analysis Summary
# Tool/Technique: more_eggs Malware
## Overview
more_eggs is a malware payload deployed by a threat actor attributed to TA4557/FIN6, utilized after initial access was achieved via a resume lure. It relied on Windows LOLbins for execution and established beacon activity to a command and control server.
## Technical Details
- Type: Malware family
- Platform: Windows
- Capabilities: Establishes command and control beacon, executed via abuse of Microsoft binaries.
- First Seen: Initial access noted in March 2024 (case investigation date).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566 - Phishing
- T1204.002 - Malicious File
- **TA0002 - Execution**
- T1218 - System Binary Proxy Execution (Implied via LOLbin abuse)
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Implied via C2 beacon)
## Functionality
### Core Capabilities
- Delivered via an execution chain that abuses legitimate Microsoft executables (`ie4uinit.exe`, `msxsl.exe`).
- Establishes a beacon connection to the Command and Control (C2) server.
### Advanced Features
- The execution chain involved side-loading a malicious `.inf` file using `ie4uinit.exe`, followed by execution of malicious JScript using `msxsl.exe`.
- Deployment was triggered after an initial execution flow involving a malicious `.lnk` file from a fake resume ZIP.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the provided text]
- File Names: Malicious DLL, Malicious JScript
- Registry Keys: [Not explicitly listed in the provided text]
- Network Indicators: C2 server addresses (not explicitly listed/defanged)
- Behavioral Indicators: Execution flow started by executing a malicious `.lnk` file inside a resume zip; use of `ie4uinit.exe` to side-load malicious `.inf`; subsequent use of WMI and `msxsl.exe` to load JScript.
## Associated Threat Actors
- TA4557 (Proofpoint designation)
- FIN6 (Historical overlap)
## Detection Methods
- Detection Rules: Eight new rules were created for this case and added to the Private Detection Ruleset.
- YARA Rules: Several YARA rules for Cobalt Strike are referenced, which may overlap or be relevant depending on the stage of the overall infection chain.
## Mitigation Strategies
- Awareness training regarding opening attachments/links from job application lures (Phishing awareness).
- Monitoring for unusual execution chains involving LOLbins like `ie4uinit.exe` and `msxsl.exe` loading non-standard files or scripts.
## Related Tools/Techniques
- Cobalt Strike (Used for post-exploitation shortly after more_eggs established beachhead)
- Python-based C2 Pyramid (Attempted deployment post-exploitation)
- LOLbins abused: `ie4uinit.exe`, `msxsl.exe`
- Vulnerability exploitation: CVE-2023-27532 (Veeam)
***
# Tool/Technique: Cobalt Strike
## Overview
Cobalt Strike is a C2 framework used by the threat actor for post-exploitation activities after gaining an initial foothold via the more_eggs malware. It was deployed to the initial endpoint ("beachhead") approximately 1.5 days after initial compromise and subsequently deployed on an exploited Veeam server.
## Technical Details
- Type: Tool/Framework (C2)
- Platform: Windows (Inferred from environment)
- Capabilities: Post-exploitation execution, discovery, lateral movement, credential access.
- First Seen: Deployed on the beachhead approximately 1.5 days after initial compromise (March 2024 timeline).
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1562.001 - Impair Defenses (Implied by shadow copy creation)
- **TA0007 - Credential Access**
- T1003.001 - OS Credential Dumping (LSASS Memory access)
- **TA0008 - Lateral Movement**
- T1021.001 - Remote Desktop Protocol
- **TA0011 - Command and Control**
- Implied C2 communication
## Functionality
### Core Capabilities
- Command and Control beaconing.
- Execution of discovery tools like SharpShares and Seatbelt.
- Creation of shadow copies (`vssadmin`) potentially for credential harvesting.
- Creation of new local user accounts.
### Advanced Features
- Used for pivoting via Remote Desktop Protocol (RDP) after achieving privilege escalation on the secondary (Veeam) target.
- LSASS memory access performed on the backup server for credential harvesting.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the provided text]
- File Names: Cobalt Strike payload
- Registry Keys: [Not explicitly listed in the provided text]
- Network Indicators: C2 server addresses (Not explicitly listed/defanged)
- Behavioral Indicators: Use of `vssadmin` to create shadow copies; utilization of SharpShares and Seatbelt post-exploitation; access to LSASS memory.
## Associated Threat Actors
- TA4557/FIN6 (Actor using this campaign)
- Tooling overlap noted with Cobalt Group and Evilnum.
## Detection Methods
- YARA Rules: Multiple external YARA rule sets targeting Cobalt Strike resources are referenced (e.g., `CobaltStrike__Resources_Httpsstager64_Bin_v3_2_through_v4_x.yara`).
- Detection Rule Focus: Threat Feed focuses on tracking C2 frameworks like Cobalt Strike.
## Mitigation Strategies
- Strict auditing and monitoring of C2 framework communications.
- Monitoring for unusual access to LSASS memory space.
- Hardening RDP usage, especially across trust boundaries.
## Related Tools/Techniques
- more_eggs (Predecessor delivery tool)
- Pyramid (Attempted secondary payload)
- SharpShares, Seatbelt (Post-exploitation tools leveraged by Cobalt Strike sessions)
***
# Tool/Technique: Exploitation of CVE-2023-27532 (Veeam)
## Overview
The threat actor exploited a vulnerability tracked as CVE-2023-27532 in Veeam software running on a backup server to facilitate lateral movement and achieve privilege escalation, as part of their post-exploitation activities.
## Technical Details
- Type: Technique (Vulnerability Exploitation)
- Platform: Veeam server (target of the lateral movement)
- Capabilities: Lateral Movement, Privilege Escalation.
- First Seen: Used in the post-exploitation phase of the March 2024 intrusion.
## MITRE ATT&CK Mapping
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation
- **TA0008 - Lateral Movement**
- Implied movement to the backup server.
## Functionality
### Core Capabilities
- Gaining administrative access on the targeted Veeam server.
- Establishing a persistent foothold on the backup infrastructure.
### Advanced Features
- This exploitation success enabled the threat actor to pivot from the initial endpoint to the critical backup server.
- Used to create a new local administrator account on the target server.
## Indicators of Compromise
- File Hashes: [N/A]
- File Names: [N/A]
- Registry Keys: [N/A]
- Network Indicators: RDP connections used from the beachhead to the compromised Veeam server.
- Behavioral Indicators: Successful exploitation leading to creation of a new local administrator account on the Veeam server.
## Associated Threat Actors
- TA4557/FIN6
## Detection Methods
- Patch management monitoring for systems running vulnerable Veeam versions.
- Monitoring for exploitation attempts targeting CVE-2023-27532 signatures.
## Mitigation Strategies
- Immediately patch all affected Veeam software to eliminate the vector for CVE-2023-27532.
- Restrict network access to backup infrastructure management interfaces.
## Related Tools/Techniques
- Cobalt Strike (Payload deployed after successful exploitation)
- Cloudflared (Used later for RDP tunneling)
***
# Tool/Technique: Cloudflared Tunneling
## Overview
Cloudflared was installed by the threat actor to assist in tunneling Remote Desktop Protocol (RDP) traffic, likely to maintain covert command and control or facilitate external access to internal resources during pivoting.
## Technical Details
- Type: Tool (External Service Client/Tunneling Utility)
- Platform: Windows (Inferred from environment)
- Capabilities: Protocol Tunneling, obscuring RDP traffic channels.
- First Seen: Used during the later stages of the investigation/post-exploitation.
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1572 - Protocol Tunneling
- T1090 - Proxy (Implied function)
## Functionality
### Core Capabilities
- Establishing a tunnel for RDP traffic.
### Advanced Features
- Used to tunnel RDP activity, likely to bypass network segmentation or security controls observing standard RDP ports.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the provided text]
- File Names: Cloudflared executable/configuration
- Registry Keys: [Not explicitly listed in the provided text]
- Network Indicators: RDP sessions carried over Cloudflare tunnel infrastructure rather than direct host-to-host connections.
- Behavioral Indicators: Installation and execution of Cloudflared binary on compromised hosts.
## Associated Threat Actors
- TA4557/FIN6
## Detection Methods
- Monitoring for the installation and execution of the Cloudflared utility on non-standard hosts.
- Network anomaly detection for RDP traffic traversing unintended paths or destined for Cloudflare IPs repurposed for tunneling.
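The behavioral indicators above (the `ie4uinit.exe`/`msxsl.exe` chain behind more_eggs, `vssadmin` shadow copy creation from the Cobalt Strike section, and Cloudflared tunnel execution here) can be turned into process-creation detections. The following is an added example, not code from the report or from any detection ruleset it references; the event field names mimic Sysmon Event ID 1 (`Image`, `CommandLine`, `ParentImage`), and every sample event is constructed.

```python
"""Heuristic process-creation rules for the LOLbin, shadow-copy and tunnel
activity described in this report. Added example; all sample events below are
constructed, and the rules are heuristics a SOC would tune, not vendor rules."""
import re

# Where the genuine ie4uinit.exe / vssadmin.exe live on a Windows host.
WINDOWS_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)

# Each rule: (name, predicate over a normalized event dict).
RULES = [
    # ie4uinit.exe processes an .inf from its own directory, so a copy running
    # outside System32 (or an .inf named on the command line) is the signal.
    ("ie4uinit_inf_sideload", lambda e: e["image"].endswith("ie4uinit.exe")
        and (not WINDOWS_DIRS.match(e["image"]) or ".inf" in e["cmd"])),
    # msxsl.exe is rare on enterprise hosts; spawned by WMI or handed an .xsl
    # it matches the "WMI -> msxsl.exe -> JScript" stage of the chain.
    ("msxsl_script_exec", lambda e: e["image"].endswith("msxsl.exe")
        and (e["parent"].endswith("wmiprvse.exe") or ".xsl" in e["cmd"])),
    ("vssadmin_shadow_copy", lambda e: e["image"].endswith("vssadmin.exe")
        and "create shadow" in e["cmd"]),
    ("cloudflared_tunnel", lambda e: "cloudflared" in e["image"]
        and "tunnel" in e["cmd"]),
]

def normalize(ev):
    """Lower-case the fields the rules compare so matching is case-insensitive."""
    return {"image": ev.get("Image", "").lower(), "cmd": ev.get("CommandLine", "").lower(),
            "parent": ev.get("ParentImage", "").lower(), "pid": ev.get("ProcessId")}

def detect(events):
    """Return [(rule_name, ProcessId)] for every event that trips a rule."""
    hits = []
    for ev in events:
        e = normalize(ev)
        hits.extend((name, e["pid"]) for name, pred in RULES if pred(e))
    return hits

# Constructed sample telemetry: four suspicious events and one benign one (105).
SAMPLE_EVENTS = [
    {"ProcessId": 101, "Image": r"C:\Users\hr\AppData\Local\Temp\ie4uinit.exe",
     "CommandLine": "ie4uinit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 102, "Image": r"C:\Users\hr\AppData\Local\Temp\msxsl.exe",
     "CommandLine": "msxsl.exe resume.xml resume.xsl",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ProcessId": 103, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 104, "Image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessId": 105, "Image": r"C:\Windows\System32\ie4uinit.exe",
     "CommandLine": "ie4uinit.exe -ClearIconCache", "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Running `detect(SAMPLE_EVENTS)` flags events 101 through 104 and leaves the legitimate System32 `ie4uinit.exe` run alone; in production the same predicates map directly onto a SIEM query over the equivalent EDR fields.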
## Mitigation Strategies
- Implement egress filtering to restrict communication to known necessary external services.
- Monitor for the installation of tunneling software on critical or pivot servers.
## Related Tools/Techniques
- Remote Desktop Protocol (T1021.001)