The PacketWatch Intelligence Team
Overview
During a recent incident involving LockBit ransomware, we discovered a persistent credential harvester that was hidden as a scheduled task/process. We did a significant amount of investigation before unraveling the clues of what was creating alerts and attempting to beacon-out to certain IP addresses in Latvia.
During this investigation, we uncovered a heavy reliance on inherent functions built into Windows that were abused in order to masquerade as other processes, steal passwords, and exfiltrate them out of the organization.
This behavior is often referred to as “Living Off the Land.” In other words, no malware was used–just clever use of what is already available within the operating system.
Key Findings
Latvian Connection
The use of a Latvian VPN provider was a central part of the attacker’s infrastructure. It was also referred to throughout the scripts in decimal format. The IP address in question, 1484238829, translated to 88[.]119[.]175[.]237 when converted.
Renaming Powershell
In all cases when Powershell was being used, it was renamed to “modpro.exe.”
Picking a Name
The scripts would also create a scheduled task, and name it from one of 9 templates:
Choosing a Birthdate
The newly created tasks would also change their modified dates to be 485 days in the past. This is a process known as “time stomping” and would frustrate any attempts to look for newly created scheduled tasks.
Conclusion
This malware-less attack was quite sophisticated and complex to unravel. The multiple layers involved and numerous steps associated are all included in our full report. This report also includes references to the different techniques employed and the ATT&CK framework.
IOCs
88.119.175[.]237
88.119.175[.]81
More Information
Request to see the full report for in-depth details.