C0018 was a month-long ransomware intrusion that successfully deployed AvosLocker onto a compromised network. The unidentified actors gained initial access to the victim network through an exposed server and used a variety of open-source tools prior to executing AvosLocker.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | During C0018, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host ( |
| Enterprise | T1036 | Masquerading | During C0018, AvosLocker was disguised using the victim company name as the filename.[2] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | For C0018, the threat actors renamed a Sliver payload to |
| Enterprise | T1190 | Exploit Public-Facing Application | During C0018, the threat actors exploited VMware Horizon Unified Access Gateways that were vulnerable to several Log4Shell vulnerabilities, including CVE-2021-44228, CVE-2021-45046, CVE-2021-45105, and CVE-2021-44832.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During C0018, the threat actors used encoded PowerShell scripts for execution.[2][1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During C0018, the threat actors used HTTP for C2 communications.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | During C0018, the threat actors used AvosLocker ransomware to encrypt files on the compromised network.[2][1] |
| Enterprise | T1570 | Lateral Tool Transfer | During C0018, the threat actors transferred the SoftPerfect Network Scanner and other tools to machines in the network using AnyDesk and PDQ Deploy.[2][1] |
| Enterprise | T1027.010 | Obfuscated Files or Information: Command Obfuscation | During C0018, the threat actors used Base64 to encode their PowerShell scripts.[2][1] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | During C0018, the threat actors used |
| Enterprise | T1033 | System Owner/User Discovery | During C0018, the threat actors collected |
| Enterprise | T1016 | System Network Configuration Discovery | During C0018, the threat actors ran |
| Enterprise | T1046 | Network Service Discovery | During C0018, the threat actors used the SoftPerfect Network Scanner for network scanning.[2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For C0018, the threat actors acquired a variety of open source tools, including Mimikatz, Sliver, SoftPerfect Network Scanner, AnyDesk, and PDQ Deploy.[2][1] |
| Enterprise | T1072 | Software Deployment Tools | During C0018, the threat actors used PDQ Deploy to move AvosLocker and tools across the network.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0018, the threat actors downloaded additional tools, such as Mimikatz and Sliver, as well as Cobalt Strike and AvosLocker ransomware, onto the victim network.[2][1] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | During C0018, the threat actors opened a variety of ports to establish RDP connections, including ports 28035, 32467, 41578, and 46892.[1] |
| Enterprise | T1219 | Remote Access Software | During C0018, the threat actors used AnyDesk to transfer tools between systems.[2][1] |
| Enterprise | T1571 | Non-Standard Port | During C0018, the threat actors opened a variety of ports, including ports 28035, 32467, 41578, and 46892, to establish RDP connections.[1] |
| ID | Name | Description |
|---|---|---|
| S1053 | AvosLocker | During C0018, the threat actors used AvosLocker ransomware to encrypt the compromised network.[1][2] |
| S0154 | Cobalt Strike | |
| S0002 | Mimikatz | |
| S0108 | netsh | During C0018, the threat actors used netsh on a domain controller to ensure there was no existing firewall or to disable one.[1] |
| S0097 | Ping | During C0018, the threat actors used a PowerShell script to execute Ping commands once every minute against a domain controller.[1] |
| S0633 | Sliver | |