To acquire administrative credentials the attackers deployed Mimikatz, an open-source software for extracting native credentials. They dumped the Home windows Safety Accounts Supervisor (SAM) and tried to guess SMB credentials by utilizing password spraying and different brute pressure methods. As soon as credentials had been obtained, the attackers used PuTTY Hyperlink (plink), a community connection software, to entry different methods.
Knowledge exfiltration and system wiping
Within the subsequent stage of the compromise, the attacker deployed the primary customized software referred to as sqlextractor. As its identify implies, the software is used to connect with databases and extract info, significantly information like nationwide ID numbers, passport scans, e-mail addresses, and full addresses. The info is saved in CSV format and is then archived and exfiltrated to a command-and-control server by utilizing public instruments equivalent to WinSCP or Pscp.exe (PuTTY Safe Copy Protocol). Course of reminiscence dumps saved as .dmp information had been additionally exfiltrated.
“Through the incident, the attackers tried to make use of three separate wipers as a part of the harmful assault,” the researchers mentioned. “Whereas a number of the wipers present code similarities to beforehand reported wipers the Agonizing Serpens group used, others are thought of model new and have been used for the primary time on this assault.”
The primary wiper known as MultiLayer and is written in .NET. It deploys two binaries referred to as MultiList and MultiWip. MultiList is used to enumerate all information on the system and construct an inventory of file paths with sure folders excluded, whereas MultiWip is the file wiping part which begins overwriting native information with random information.
To make information restoration makes an attempt more durable, the wiper adjustments the timestamps of the focused information and adjustments their authentic paths earlier than deleting them. MultiLayer additionally deletes all of the Home windows Occasion logs, the quantity shadow copies and the primary 512 bytes of the bodily disk which holds the boot sector to depart methods unbootable after restart. It then deletes itself and all scripts it created and used.
The Palo Alto researchers famous that MultiLayer shares the identical operate naming conventions and even whole code blocks with different customized instruments beforehand related to Agonizing Serpens, equivalent to Apostle, IPsec Helper, and Fantasy. This could possibly be the results of the instruments sharing the identical code base or being created by the identical developer.
