Quick News Spot

TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit


TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit

This article reviews an incident where a threat actor unsuccessfully tried bypassing Cortex XDR. By digging further into the incident, the process instead provided us with insight into the threat actor's operations.

In a recent investigation involving an extortion attempt, we discovered a threat actor had purchased access to the client network via Atera RMM from an initial access broker. We discovered the threat actor used rogue systems to install the Cortex XDR agent onto a virtual system. They did this to test a new antivirus/endpoint detection and response (AV/EDR) bypass tool leveraging the bring your own vulnerable driver (BYOVD) technique.

Connectivity between this virtual system and the client's network inadvertently gave Unit 42 investigators a certain level of access to the rogue systems. This provided visibility into various tools and files held by the threat actor. While the threat actor intended to find a way to bypass Cortex, in actuality this activity helped Unit 42 protect other organizations by providing unique visibility into the threat actor's tooling, targeting and persona.

In this report, we provide an overview of the attack that occurred, details about the AV/EDR bypass tool, and its sale on cybercrime forums. Most importantly, we offer a walkthrough for how Unit 42 researchers managed to unmask one of the threat actors involved. We'll give a peek into all the discoveries related to the identification of the threat actor.

Palo Alto Networks customers are better protected from the threats discussed above through the following products:

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Unit 42 was called to assist with an extortion incident. Through the investigation process, we encountered two endpoints involved in the attack that were unknown to the client environment.

As a means to test an AV/EDR bypass tool, these endpoints had older versions of Cortex XDR agents installed. Unbeknownst to the threat actor, we were able to access these rogue endpoints.

We also discovered a series of toolkits and other files belonging to the threat actor on the system, which included the bypass tool. We successfully traced and identified posts related to the sale of this specific tool on cybercrime forums like XSS and Exploit.

Using files obtained from the rogue endpoints and subsequent investigation, we discovered the true identity of one of the threat actors involved in the incident. We also found additional information about the individual's personal and professional background.

Figure 1 presents a high-level chain of events in the attack investigated by Unit 42.

The particular tool, named disabler.exe, appears to use the publicly available source code from EDRSandBlast with small modifications and removal of the CLI features. This is evidenced by similarity in content in EDRSandBlast source code files shown in Figure 2 and referenced in the binary as shown in Figure 3. We have noted some of the similarities in red in both figures.

The tool's primary function is to target and remove EDR hooks in user-mode libraries and kernel-mode callbacks. It includes a companion file, wnbios.sys or WN_64.sys, which is a vulnerable driver that the tool attempts to load and gain access to.

Based on certain files and folders in one of the rogue endpoints, we searched cybercrime forums such as XSS and Exploit to identify the likely seller of this bypass tool.

The rogue system had a hostname of DESKTOP-J8AOTJS and contained several directories with interesting names under the file path Z:\freelance. This led us to the hypothesis that these were names or monikers of various other affiliates as shown below in Figure 4.

With that in mind, we searched cybercrime forums for usernames matching any of the directory names under Z:\freelance. While some of them were either too noisy or didn't return any result at all, the rest did return some interesting hits. The matching names consistently posted either in the Russian language, or they posted in Russian-based cybercrime forums, the most common being XSS and Exploit.

The username that piqued our interest the most was Marti71. This username posted in multiple places looking for tools to bypass AV/EDR. Figure 5 shows one such example, with the post translated to English as follows:

Greetings, everyone!

Does anyone have an out-of-the-box solution to kill antivirus software? I'm ready to purchase several solutions with regular support/subscription.

The final post on this thread was from a user account named KernelMode, suggesting an AV/EDR bypass tool.

Pivoting to the link in KernelMode's post in Figure 6, we found a thread that KernelMode initiated to sell subscriptions to an AV/EDR bypass tool as Figure 7 shows. However, the post contains nothing that would confirm that the person or people behind KernelMode are the developers of this bypass tool.

Marti71 also posted on this thread as shown in Figure 8, which seems to indicate a positive experience with the tool.

This Russian language post translates to In general, it will go, finishing some moments, trying to speed up. Bitdef/sentic fly off quickly.

Going back to KernelMode's post, the actor mentions at the end that they will provide a video demonstration. We were able to procure an archive of multiple recordings demonstrating the tool. Each recording shows a particular AV/EDR agent installed at that point that included the execution of the bypassing tool followed by a successful execution of Mimikatz. The intent of the demonstration is to illustrate that the AV/EDR agent has been bypassed to an extent.

We found files for such tool demonstration recordings on the rogue system as well. Comparing the recordings on the rogue system with recordings from KernelMode revealed they were exactly the same. Figure 9 shows a screenshot from one of the recordings.

One file from the rogue system that caught our attention was Р-1 (акт выполненных работ) № <redacted> от <redacted>.xls, which translates to "act of completed work." The spreadsheet contains a "P-1 form" for a transaction between two limited liability companies based in Kazakhstan, as shown in Figure 12.

According to a post on the government procurement site for the Republic of Kazakhstan, the P-1 form is used to document completed work, services rendered, invoices (as in this case), and other related items. The name of one of the companies exposed in this document reveals a piece of information that is vital when it comes to threat actor profiling.

We previously mentioned the presence of multiple video files demonstrating the AV/EDR bypass tool against various endpoint protection products. These files are identical to the ones provided by a user account named KernelMode on various cybercrime forums.

We found the video recording shown in Figure 13, and noted a few relevant details on an AV/EDR agent panel and the taskbar of the host machine.

Our observations based on the video noted in Figure 13 include:

Figure 14. Snippet of Windows taskbar from one of the demonstration videos.

Through Cortex XDR we got a peek into Edge browser activity on DESKTOP-J8AOTJS as shown below in Figure 15. We observed the adversary's operations included visiting the following websites to search for and download certain tools such as Process Hacker and Double Commander.

As noted in the previous section, the rogue system contained ContiTraining.rar, but we found no indication that the attackers downloaded material from the Conti playbook on the rogue system. However, we observed some overlaps between the Conti playbook and tactics, techniques and procedures (TTPs) captured during this incident attack chain, such as:

We extracted configuration data from Cobalt Strike beacons used during the attack, and the watermark ID across all the extracted configuration data was 1357776117. Threatfox has so far identified around 160 unique IPv4 and domain names associated with this particular Cobalt Strike watermark ID.

Cobalt Strike activity has frequently been noted in ransomware attacks, and a small portion of the identified Cobalt Strike IPv4 and domain names have also been associated with Dark Scorpius (aka Black Basta) ransomware. Despite the association of Cobalt Strike with ransomware, we did not observe any attempts to deploy ransomware during our investigation. We speculate this might be because the threat actor lost access to the network before attempting further actions.

Files on the rogue system, like the AV/EDR bypass tool demonstration videos and the P-1 form, constitute an operational security (OpSec) failure by the threat actor that exposed information we believe helps us identify them.

We identified the LinkedIn profile of the individual whose name ("Andry") we captured from the video. The individual is employed at the company based in Kazakhstan listed in the P-1 form. Furthermore, we found a matching profile on the Russian social networking platform VKontakte, which reveals more details about the individual.

We also gathered additional details on the organization employing this individual, including its website, legal address and registration details. According to its website, the company currently has five employees, including the individual in question. The website also provides a personal and professional description for each of its employees, providing further insight on the individual we believe to be involved in this attack.

Revisiting some of the points we covered so far:

With these points in mind, we assess with moderate confidence that the individual in question is one of the people, if not the only person, behind KernelMode. Moreover, based on the individual's background and relevant information we gathered, this individual is likely one of the developers, if not the only developer, of the AV/EDR bypass tool.

However, we cannot ascertain if this particular individual is the owner of the rogue virtual machine DESKTOP-J8AOTJS, and by extension, the person behind this whole attack. This is primarily due to the following reasons:

Recently, there has been a growing trend in the use of AV/EDR bypass tools, extending beyond the incident discussed here. These tools will likely continue to evolve in their attempts to exploit various security platforms.

Ongoing monitoring of underground forums provides valuable insights into the latest developments and techniques of these tools. Threat actors and developers monetize such platforms on a subscription basis, regularly releasing updates as part of their affiliate payment plans.

This incident allowed us to expose a rogue system and, by extension, the toolkit and files owned by the threat actor. Using all the information gathered, Unit 42 unveiled what we believe to be the true identity of one of the threat actors and assessed their involvement in this incident.

Organizations should consider blocking the indicators of compromise provided in this report, as they are associated with the arsenal observed in the incident, as well as the toolkit present in the rogue system. More broadly, we recommend reviewing your security tool policies and configurations to ensure that agent tampering protection is enabled, preventing malicious activities targeting the endpoint protection agents on your systems.

For Palo Alto Networks customers, our products and services provide the following coverage associated with this group:

If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Previous articleNext article

POPULAR CATEGORY

corporate

3398

tech

3676

entertainment

4127

research

1783

misc

4382

wellness

3255

athletics

4276