Researchers from Mandiant have identified UNC2465, an affiliate of the DARKSIDE ransomware operation, which compromised an organization through trojanized software downloaded from a legitimate website.
In May 2021, Mandiant observed that UNC2465 may have compromised the website of a CCTV security camera vendor and replaced the Dahua SmartPSS software packages hosted there with trojanized versions. Mandiant immediately reported the possible compromise to the CCTV vendor.
“On May 18, 2021, a user in the affected organization browsed to the Trojanized link and downloaded the ZIP. Upon installing the software, a chain of downloads and scripts were executed, leading to SMOKEDHAM and later NGROK on the victim’s computer. Additional malware use such as BEACON, and lateral movement also occurred. Mandiant believes the Trojanized software was available from May 18, 2021, through June 8, 2021.” reads the analysis by Mandiant.
Mandiant researchers found that once the backdoor is installed, the threat actor (UNC2465) sets up an NGROK tunnel and conducts lateral movement via RDP. Five days later, the threat actor installed additional tools such as keyloggers and Cobalt Strike payloads and launched credential dumping against the LSASS process.
“Ransomware groups continue to adapt and pursue opportunistic access to victims. UNC2465’s move from drive-by attacks on website visitors or phishing emails to this software supply chain attack shows a concerning shift that presents new challenges for detection.”
“While many organizations are now focusing more on perimeter defenses and two-factor authentication after recent public examples of password reuse or VPN appliance exploitation, monitoring on endpoints is often overlooked or left to traditional antivirus. A well-rounded security program is essential to mitigate risk from sophisticated groups such as UNC2465 as they continue to adapt to a changing security landscape.” reads the analysis.
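The post-install chain described above (a renamed NGROK binary, an RDP tunnel, LSASS credential dumping) is exactly the kind of activity endpoint telemetry can surface. The following is an added example, not code from Mandiant or from the original post: a small detector over constructed, Sysmon-style process events that flags a system binary name running outside the Windows system directories, a command line exposing port 3389, and LSASS access from a non-system path. The event format, paths and command lines are assumptions made for illustration.

```python
import ntpath

# System binary names that intruders commonly masquerade as. The Mandiant
# analysis notes NGROK was renamed to conhost.exe, so that name is included.
SYSTEM_BINARY_NAMES = {"conhost.exe", "svchost.exe", "lsass.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry (not real logs): one benign conhost.exe, one
# masquerading copy tunnelling RDP, one benign LSASS access, one suspicious one.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\System32\conhost.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "conhost.exe 0x4"},
    {"event": "process_create", "image": r"C:\Users\Public\conhost.exe",
     "parent": r"C:\Windows\System32\wscript.exe", "cmdline": "conhost.exe tcp 3389"},
    {"event": "process_access", "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"event": "process_access", "source": r"C:\Users\Public\tools\dump.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1010"},
]


def in_system_dir(path):
    """True when the image path sits under a Windows system directory."""
    return path.lower().startswith(SYSTEM_DIRS)


def basename(path):
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return a list of alert strings for one telemetry event."""
    alerts = []
    if ev["event"] == "process_create":
        name = basename(ev["image"])
        if name in SYSTEM_BINARY_NAMES and not in_system_dir(ev["image"]):
            alerts.append(f"masquerade: {name} running from {ev['image']}")
        if name == "conhost.exe" and "3389" in ev.get("cmdline", ""):
            alerts.append(f"possible RDP tunnel: {ev['cmdline']}")
    elif ev["event"] == "process_access":
        if basename(ev["target"]) == "lsass.exe" and not in_system_dir(ev["source"]):
            alerts.append(f"lsass access from non-system path: {ev['source']}")
    return alerts


def scan(events):
    """Run every event through check_event and collect the alerts."""
    return [alert for ev in events for alert in check_event(ev)]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```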
Indicators of Compromise: