To acquire administrative credentials the attackers deployed Mimikatz, an open-source instrument for extracting native credentials. They dumped the Home windows Safety Accounts Supervisor (SAM) and tried to guess SMB credentials through the use of password spraying and different brute pressure strategies. As soon as credentials have been obtained, the attackers used PuTTY Hyperlink (plink), a community connection instrument, to entry different techniques.
Knowledge exfiltration and system wiping
Within the subsequent stage of the compromise, the attacker deployed the primary customized instrument referred to as sqlextractor. As its title implies, the instrument is used to connect with databases and extract data, notably information like nationwide ID numbers, passport scans, e-mail addresses, and full addresses. The info is saved in CSV format and is then archived and exfiltrated to a command-and-control server through the use of public instruments similar to WinSCP or Pscp.exe (PuTTY Safe Copy Protocol). Course of reminiscence dumps saved as .dmp information have been additionally exfiltrated.
“Throughout the incident, the attackers tried to make use of three separate wipers as a part of the harmful assault,” the researchers mentioned. “Whereas a number of the wipers present code similarities to beforehand reported wipers the Agonizing Serpens group used, others are thought-about model new and have been used for the primary time on this assault.”
The primary wiper is known as MultiLayer and is written in .NET. It deploys two binaries referred to as MultiList and MultiWip. MultiList is used to enumerate all information on the system and construct an inventory of file paths with sure folders excluded, whereas MultiWip is the file wiping part which begins overwriting native information with random information.
To make information restoration makes an attempt more durable, the wiper adjustments the timestamps of the focused information and adjustments their authentic paths earlier than deleting them. MultiLayer additionally deletes all of the Home windows Occasion logs, the quantity shadow copies and the primary 512 bytes of the bodily disk which holds the boot sector to go away techniques unbootable after restart. It then deletes itself and all scripts it created and used.
The Palo Alto researchers famous that MultiLayer shares the identical operate naming conventions and even total code blocks with different customized instruments beforehand related to Agonizing Serpens, similar to Apostle, IPsec Helper, and Fantasy. This may very well be the results of the instruments sharing the identical code base or being created by the identical developer.
