Summary:
The SMOKEDHAM backdoor, active since 2019, is linked to the cyber threat group UNC2465, known for complex extortion operations and ransomware deployments. This group has recently shifted from DARKSIDE to LOCKBIT ransomware, utilizing malicious installers disguised as legitimate software to deliver the SMOKEDHAM payload. The backdoor facilitates initial access and persistence in targeted networks, with ongoing activity observed in 2023 and 2024.
#SMOKEDHAM #UNC2465 #MaliciousInstallers
The SMOKEDHAM backdoor, active since 2019, is linked to the cyber threat group UNC2465, known for complex extortion operations and ransomware deployments. This group has recently shifted from DARKSIDE to LOCKBIT ransomware, utilizing malicious installers disguised as legitimate software to deliver the SMOKEDHAM payload. The backdoor facilitates initial access and persistence in targeted networks, with ongoing activity observed in 2023 and 2024.
#SMOKEDHAM #UNC2465 #MaliciousInstallers
Keypoints:
SMOKEDHAM backdoor has been active since 2019 and linked to UNC2465.
UNC2465 is financially motivated and conducts complex extortion operations.
Malicious installers are often disguised as legitimate software to distribute SMOKEDHAM.
Historically associated with DARKSIDE ransomware, UNC2465 now utilizes LOCKBIT ransomware.
Recent activity includes phishing emails and compromised legitimate websites for payload distribution.
Tools like Advanced IP Scanner and BloodHound are used for reconnaissance post-compromise.
UNC2465 employs Remote Desktop Protocol (RDP) for lateral movement and Mimikatz for credential harvesting.
Significant incidents include a supply chain attack on a CCTV vendor in May 2021.
Recent samples of SMOKEDHAM were found signed with EV certificates.
MITRE Techniques
Initial Access (T1193): UNC2465 delivers SMOKEDHAM via phishing emails.
Execution (T1203): Utilizes trojanized installers masquerading as legitimate software.
Persistence (T1547): Modifies registry to ensure persistence through startup.
Privilege Escalation (T1068): Uses high-privileged accounts for service configuration.
Defense Evasion (T1070): Employs techniques to hide malicious activity from detection.
Credential Access (T1003): Uses Mimikatz for credential harvesting.
Discovery (T1083): Conducts reconnaissance using tools like Advanced IP Scanner.
Command and Control (T1071): Communicates with C2 servers for further instructions.
IoC:
[domain] cdn-server-1.xiren77418.workers[.]dev
[domain] ec2–52–14–160–176.us-east-2.compute.amazonaws.com
[domain] ec2–18–220–58–90.us-east-2.compute.amazonaws.com
[file name] oleview.exe
[file name] aclui-2.dll
[file name] aclui.dll
[file name] winlogon.exe
[file name] UltraVNC.ini
[file hash] 90F010D6448D06CBF218D61ADFA1C3A0657A0E3B
[file hash] 437D41974148291A70F6A8E51F08CF789C44DFAF
Full Research: https://medium.com/trac-labs/who-ordered-the-smokedham-backdoor-delicacies-in-the-wild-87f51e2e5bd2