“How Trend Micro’s Managed Detection and Response Stopped a Ransomware Attack”

Short Summary:

The Trend Micro Managed Detection and Response (MDR) team successfully identified and contained a Play ransomware intrusion attempt using the Trend Micro Vision One platform. The attack involved sophisticated techniques, including the use of SYSTEMBC and GRIXBA malware, as well as legitimate tools like PsExec and RDP to evade detection. The incident highlights the importance of robust cybersecurity measures in defending against complex cyber threats.

Key Points:

  • Trend Micro MDR identified a Play ransomware intrusion attempt.
  • The attack utilized SYSTEMBC and GRIXBA malware tools.
  • Legitimate tools like PsExec and RDP were weaponized in the attack.
  • The incident underscores the importance of proactive cybersecurity measures.
  • Swift response prevented data loss and operational impact.
  • Recommendations include regular updates, network segmentation, and multi-factor authentication.

MITRE ATT&CK TTPs – created by AI

  • Initial Access (T1133 External Remote Services; T1078 Valid Accounts)
    • Access to the victim’s network over its VPN using valid logon credentials.
  • Execution (T1569.002 System Services: Service Execution)
    • Deployment of PsExec for remote command execution.
  • Lateral Movement (T1570 Lateral Tool Transfer; T1021.001 Remote Services: Remote Desktop Protocol)
    • Transfer of PsExec from the attacker’s machine over the VPN; RDP enabled on the host.
  • Defense Evasion (T1112 Modify Registry; T1027 Obfuscated Files or Information)
    • Setting fDenyTSConnections to 0 via reg.exe; custom tooling used to avoid signature-based detections.
  • Credential Access (T1003.001 OS Credential Dumping: LSASS Memory)
    • Attempt to dump LSASS process memory via Task Manager.
  • Discovery (T1018 Remote System Discovery)
    • Network reconnaissance with the GRIXBA tool to enumerate accessible hosts.
  • Command and Control (T1090 Proxy)
    • SYSTEMBC SOCKS5 proxy backdoor staged on the server.

Using the Trend Micro Vision One platform, our MDR team was able to quickly identify and contain a Play ransomware intrusion attempt.

Report highlights

  • We show how a Play ransomware infection was quickly identified and contained via a swift and coordinated response by Trend Micro Managed Detection and Response (MDR).
  • The Play ransomware group used the following malware tools: SYSTEMBC, a SOCKS5 proxy malware that can deliver other payloads such as ransomware, and GRIXBA, a custom network reconnaissance tool that, like other custom tooling, is built to slip past signature-based detections.
  • In this particular attack, the ransomware group was also found weaponizing legitimate tools like PsExec and Remote Desktop Protocol (RDP). This is another example of the common cybercriminal technique called “living-off-the-land,” which enables threat actors to conduct stealthy attacks to avoid security detection.

Introduction

Ransomware threats have existed for some time now as one of the most pernicious forms of cybercrime. One particular ransomware group that has gained notoriety is the Play ransomware group, which has become known for its aggressive strategies and significant impact on various organizations since June 2022.

Earlier this year, Trend Micro Managed Detection and Response (MDR) identified a highly sophisticated and well-coordinated intrusion attempt that was related to the notorious Play ransomware group. Using the Trend Micro Vision One platform, the MDR team was able to quickly identify and respond to the threat. The swift and decisive actions effectively thwarted the attack, thereby preventing any potential data loss or operational impact. This incident underscores the critical importance of having robust cybersecurity measures in place to defend against increasingly complex cyberthreats.

Incident overview

Trend Micro MDR was first alerted to the breach when Vision One Workbench alerts fired on an Apex One Endpoint Protection Platform (EPP) agent detection of a command-and-control tool identified as SYSTEMBC. The tool, dropped in the C:\Users\Public\Music directory of a Windows server, is a SOCKS5 proxy malware that can deliver further payloads, such as ransomware. Although the EPP agent quarantined the backdoor, the threat actor still had access to the endpoint using valid logon credentials; the source host was an IP address in the victim’s virtual private network (VPN) subnet.

Figure 1. SYSTEMBC Detection Event (Vision One)

The threat actor transferred a legitimate administration tool, PsExec, from their attacking machine via the VPN. PsExec, which is designed to run programs and execute commands on remote systems, was deployed to the same directory used to stage the previously detected SYSTEMBC binary.

Figure 2. PSEXEC Detection (Vision One)

The threat actor also enabled Remote Desktop Protocol (RDP) access on the host by modifying the Windows Registry. The reg.exe command captured in the observed attack technique (OAT) sets the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0, which allows incoming RDP connections.

Figure 3. RDP Registry Modification (Vision One)

An additional tool, GT_NET.exe, was introduced on the host and executed, carrying out a series of network reconnaissance tasks to identify accessible hosts on the network. The resulting list of endpoints was written to a file and archived into data.zip. Malware analysis performed after its execution identified the file as GRIXBA, a custom tool used by the Play ransomware group. While the use of custom tools is not new, it has consequences for both attacker and defender:

  • Advantages for Attackers
    • Stealth and Evasion: Custom tooling is often tailored to the intrusion, or packaged in obfuscation wrappers, to avoid signature-based detections, and it can be rebuilt quickly once a defensive technique catches up with it.
    • Modular Functionality: Custom tools are often designed to be modular, deploying only the functionality needed in the breached environment.

  • Advantages for Defenders
    • Attribution: Detecting custom tooling helps defenders attribute an intrusion to a threat actor early, which in turn lets them anticipate the tactics, techniques and procedures that actor is known to use.
    • Behavioural Analysis: Because signature-based detection is weak against custom tooling, behaviour-based detections such as behavior monitoring (BM) or predictive machine learning (PML) are better placed to catch it, and to survive changes to the tooling, because they key on what the tool is trying to do and how it does it rather than on what it looks like on disk.

Following this, an attempt was made to dump the memory of the running LSASS process via Task Manager. The Apex One EPP agent’s Behaviour Monitoring (BM) module detected the attempt and blocked it, preventing the credential material held in LSASS memory from being extracted.

Figure 4. LSASS Process Memory Dump (Vision One)

Timeline of Events

Through diligent and continuous monitoring of the victim organization’s environment, the Trend Micro MDR team was able to meticulously piece together the threat actor’s activity. This comprehensive monitoring allowed the team to perform timely and effective response actions aimed at containing the threat. Additionally, they were able to notify the victim organization promptly, ensuring that immediate measures could be taken. This swift and coordinated response ultimately prevented the Play ransomware group from achieving further objectives, such as data collection, exfiltration, and encryption, which could have resulted in severe data breaches and significant operational disruptions for the victim organization.

Figure 5. Attack Timeline of Events

Mitigation Strategies

The FBI, CISA, and ASD’s ACSC recommend organizations implement several key mitigations to limit potential adversarial use of common system and network discovery techniques. These measures are essential to reducing the risk of compromise by Play ransomware. Below is an overview of some of the recommended strategies:

  1. Regularly Update and Patch Systems: Ensure that all systems and software are up to date with the latest patches and updates. This helps close vulnerabilities that attackers could exploit.
  2. Implement Network Segmentation: Divide your network into segments to limit the spread of ransomware and other malicious activities. This can help contain the damage in case of an intrusion.
  3. Use Multi-Factor Authentication (MFA): Enforce the use of MFA for accessing critical systems and sensitive data. MFA adds an extra layer of security, making it harder for attackers to gain unauthorized access.
  4. Monitor Network Traffic: Continuously monitor network traffic for unusual activity that could indicate an intrusion. Use advanced threat detection tools to identify and respond to potential threats in real-time.
  5. Backup Data Regularly: Maintain regular backups of critical data and store them in a secure, offsite location. Ensure that backups are not connected to the main network to prevent ransomware from encrypting them as well.
  6. Deploy Endpoint Protection: Use robust endpoint protection solutions to detect and block malicious activities on individual devices. This includes utilizing anti-malware and anti-ransomware tools.

Applying these mitigations can help organizations significantly reduce the risk of compromise by Play ransomware and other similar threats. For a comprehensive guide and detailed recommendations, refer to the #STOPRANSOMWARE Play Ransomware guide.

Conclusion

The successful detection and containment of the Play Ransomware intrusion highlight the vital importance of proactive security measures in today’s digital landscape. This incident underscores the need for organizations to be vigilant and adopt comprehensive strategies, including Managed Detection and Response (MDR) services. By leveraging the Trend Micro MDR service, organizations benefit from continuous monitoring and expert analysis 24/7/365. Additionally, layered defences, using a range of security tools and practices as referenced in the #STOPRANSOMWARE guide, are essential to create a robust barrier against sophisticated and evolving cyber threats.

For further information on the Play ransomware group, read Trend Micro’s Ransomware Spotlight post to learn some interesting facts about the group.

Indicators of Compromise (IoC)

Name/Detail: SYSTEMBC
Indicator:
  File Name: Socks32.dll
  File Path: C:\Users\Public\Music
  SHA1: 2b7e28442bc7ef5e7b37afde5423b29e897a59ca
Trend Micro Detection/OAT: Backdoor.Win32.COROXY.SMRTI

Name/Detail: GRIXBA
Indicator:
  File Name: GT_NET.exe
  File Path: C:\Users\Public\Music\list (2)
  SHA1: 3890272563cd044761a9a5c0ab049a2117b38884
Trend Micro Detection/OAT: Trojan.MSIL.GRIXBA.A

Name/Detail: PsExec
Indicator:
  File Name: PsExec.exe
  File Path: C:\Users\Public\Music\PsExec.exe
  SHA1: a0ee0761602470e24bcea5f403e8d1e8bfa29832
Trend Micro Detection/OAT: OAT: Suspicious File Creation in Uncommon Folder

Name/Detail: Registry Modification
Indicator:
  Process Command: "C:\Windows\system32\reg.exe" add "\\<IP ADDRESS>\HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Trend Micro Detection/OAT: OAT: RDP Setting Modification Via Reg.exe

Name/Detail: LSASS Process Memory Dump
Indicator:
  Process File Path: C:\Windows\System32\Taskmgr.exe
  Object File Path: C:\Users\<USERNAME>\AppData\Local\Temp\lsass.DMP
Trend Micro Detection/OAT: OAT: Dump LSASS Process Memory via Taskmgr

Source: Original Post