Summary:
In early November 2024, Huntress SOC uncovered a threat actor’s use of brute force attacks on an RD-Web instance to gain initial access to a network. The actor employed common tools like PsExec for lateral movement and installed a renamed malicious MeshAgent for persistence. The investigation highlighted the importance of continuous monitoring and hardening of network defenses against such tactics.
#ThreatHunting #RemoteAccess #CyberDefense
Keypoints:
Threat actors often reuse tactics and tools, making them predictable.
Initial access was gained through brute force attacks on a public RD-Web instance.
PsExec was used for lateral movement and executing commands across multiple machines.
The threat actor installed a renamed MeshAgent to evade detection.
Continuous monitoring and threat hunting are crucial for identifying and mitigating threats.
Recommendations include hardening external perimeters and enforcing MFA.
MITRE Techniques:
Brute Force (T1110): Multiple public IPv4 addresses were used to brute-force a publicly exposed RD-Web instance and obtain initial network access.
PsExec (T1569.002): PsExec was used to run two batch files (openrdp.bat and mimon.bat) on remote hosts to enable RDP and install the malicious components. PsExec executes its payload by installing the PSEXESVC service on the target, which is why it maps to Service Execution and why a PSEXESVC service-install event is a useful detection point.
Batch Scripts (T1059.003): The batch files modified registry keys and firewall rules to enable RDP, and enabled WDigest so that plaintext credentials are cached.
Renaming Malicious Binaries (T1036.005): The MeshAgent binary was renamed to nvspbind.exe, the name of a legitimate Microsoft Hyper-V network virtual service provider binding utility, and was given a similarly adapter-like name on the server side.
WDigest Credential Exposure (T1003.001): The registry value UseLogonCredential under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest was set to 1, which makes LSASS keep logon passwords in memory in plaintext, where LSASS-dumping tools can read them.
Remote Access Software (MeshAgent) (T1219): MeshAgent was configured to call back to an attacker-controlled domain and masqueraded as legitimate software.
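The chain above (brute force from several IPs, batch-driven registry changes, a renamed agent) is what a hunt team would look for in Windows Security 4625 and Sysmon registry/process events. The script below is an added example written for this page, not Huntress's tooling or anything from the report: every record in it is constructed (RFC 5737 test addresses, not the IoC IPs), the registry paths and Sysmon field names are real, and the MeshAgent drop path and its OriginalFileName value are assumptions.

```python
"""Hunt, over constructed Windows telemetry, for the three behaviours listed
above: RD-Web brute force from several public IPs (T1110), registry edits that
enable WDigest plaintext caching and RDP (T1003.001 / T1059.003), and a binary
whose on-disk name disagrees with its PE OriginalFileName (T1036.005).
Added example, not Huntress tooling. All records below are constructed."""

from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Sysmon EID 13 TargetObject -> (Details value that weakens the host, description).
# Key paths are the real registry locations; the Details format is Sysmon's.
WATCHED_REGISTRY = {
    r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential":
        ("DWORD (0x00000001)", "WDigest enabled: LSASS caches plaintext passwords"),
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections":
        ("DWORD (0x00000000)", "RDP enabled via fDenyTSConnections=0"),
}

# Constructed Security 4625 records: (timestamp, source IP, target account).
FAILED_LOGONS = (
    [(f"2024-11-02T03:0{m}:{s}", "203.0.113.10", "administrator")   # fast burst
     for m, s in ((0, "00"), (0, "30"), (1, "00"), (1, "30"), (2, "00"), (2, "30"))]
    + [(f"2024-11-02T03:05:{s}", "198.51.100.8", "administrator")    # short burst
       for s in ("00", "10", "20", "30")]
    + [(f"2024-11-02T0{h}:{m}:00", "192.0.2.9", "administrator")     # 15 min apart: slow
       for h, m in ((1, "00"), (1, "15"), (1, "30"), (1, "45"), (2, "00"))]
    + [("2024-11-02T04:00:00", "198.51.100.7", "jdoe")]               # single failure
)

# Constructed Sysmon EID 13 (registry value set) records.
REGISTRY_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Windows\System32\svchost.exe",   # benign: WDigest explicitly disabled
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000000)"},
]

# Constructed Sysmon EID 1 (process create) records. The drop path and the
# OriginalFileName for MeshAgent are assumptions, not values from the case.
PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Windows\PSEXESVC.exe", "OriginalFileName": "psexesvc.exe"},
    {"Image": r"C:\ProgramData\nvspbind.exe", "OriginalFileName": "MeshAgent.exe"},
    {"Image": r"C:\Tools\unsigned.exe", "OriginalFileName": "-"},   # Sysmon: no version info
]


def brute_force_sources(events, threshold=5, window=timedelta(minutes=10)):
    """{src_ip: total failures} for sources with >= threshold failed logons
    inside any sliding window of length `window`; slow trickles do not fire."""
    by_src = defaultdict(list)
    for ts, src, _user in events:
        by_src[src].append(datetime.fromisoformat(ts))
    hits = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[src] = len(times)
                break
    return hits


def sprayed_accounts(events, min_sources=2):
    """Accounts attacked from at least `min_sources` distinct IPs: the
    'multiple public IPv4s against one RD-Web instance' pattern."""
    srcs = defaultdict(set)
    for _ts, src, user in events:
        srcs[user].add(src)
    return {u: sorted(s) for u, s in srcs.items() if len(s) >= min_sources}


def risky_registry_changes(reg_events):
    """Sysmon EID 13 value-set events that match WATCHED_REGISTRY exactly."""
    findings = []
    for ev in reg_events:
        key = ev["TargetObject"].lower()
        for watched, (bad_value, why) in WATCHED_REGISTRY.items():
            if key == watched.lower() and ev["Details"] == bad_value:
                findings.append((ev["Image"], why))
    return findings


def renamed_binaries(proc_events):
    """Sysmon EID 1 records whose image filename differs from the PE
    OriginalFileName (T1036.005). '-' means Sysmon found no version info."""
    out = []
    for ev in proc_events:
        on_disk = PureWindowsPath(ev["Image"]).name.lower()
        orig = ev.get("OriginalFileName", "-")
        if orig != "-" and orig.lower() != on_disk:
            out.append((ev["Image"], orig))
    return out


def run_hunt():
    return {
        "brute_force_sources": brute_force_sources(FAILED_LOGONS),
        "sprayed_accounts": sprayed_accounts(FAILED_LOGONS),
        "registry": risky_registry_changes(REGISTRY_EVENTS),
        "renamed": renamed_binaries(PROCESS_EVENTS),
    }


if __name__ == "__main__":
    for name, result in run_hunt().items():
        print(f"{name}: {result}")
```

The thresholds are sized to the sample and should be tuned per environment; the value of the sliding window is that a slow, evenly spaced trickle (192.0.2.9 above) stays below it while a burst fires. The registry check compares the Details value exactly, so a script that sets UseLogonCredential back to 0 is not flagged, and the rename check relies on Sysmon's OriginalFileName field, which a packed or stripped binary will not carry, so it should be paired with signer and hash checks against the IoC list.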
IoC:
[File Name] ARestore.exe
[File Hash] SHA256: fcea81909388611359bbaf41871300075e192a3246b9e1bebc5f3f0aaa2b2c9a
[File Name] ARest1.exe
[File Hash] SHA256: b629fe2363a23f7c0a6f40235ca25098321ba49bc397b36e2856a1ae76055c56
[File Name] nvspbind.exe
[File Hash] SHA256: fdf51eba1b48ed4180dfbb66d8e299794998252517597aff4a44162183f7dcd9
[IP Address] 193.46.255.73
[IP Address] 146.70.36.132
[IP Address] 217.138.216.60
[Others] WIN-O5926T00T93
Full Research: https://www.huntress.com/blog/know-thy-enemy-a-novel-november-case-on-persistent-remote-access