A sophisticated intrusion campaign beginning in September 2024 leveraged a vulnerability in DeskSoft’s EarthTime installer to seed multiple malware families and orchestrate comprehensive network reconnaissance, credential theft, and data exfiltration via tunneled RDP sessions.
Initial Access and Multi-Stage Payload Delivery
The attack initiated when a user executed a tampered EarthTime.exe installer signed with a revoked “Brave Pragmatic Network Technology Co., Ltd.” certificate.
Upon launch from the Downloads folder, the binary spawned cmd.exe, which in turn launched MSBuild.exe with no arguments: an anomalous execution chain that injected the SectopRAT .NET RAT into MSBuild’s process space.
SectopRAT fetched its C2 configuration from a Pastebin URL, then communicated with 45.141.87.55 over TCP ports 9000 and 15647.

Persistence was established by copying the payload to the Startup folder under AppData\Roaming\QuickAgent2 as ChromeAlt_dbg.exe and creating a corresponding shortcut.
A new local administrator account “Admon” with password “Qwerty12345!” was added to facilitate ongoing access. Within hours, the attackers deployed SystemBC by writing WakeWordEngine.dll (later renamed conhost.dll) to C:\Users\Public\Music.
Executed via rundll32.exe, SystemBC opened an encrypted proxy tunnel over port 443 to 149.28.101.219, enabling outbound RDP connections through nonstandard channels.
On day six, a second MSBuild.exe invocation dropped ccs.exe, the Betruger backdoor masquerading as Avast Antivirus.
Betruger was injected into 172 processes to capture credentials, perform screenshotting, keylogging, and network reconnaissance, consolidating pre-ransomware tooling into a single binary.
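The process chains described above (an installer run from Downloads spawning cmd.exe, MSBuild.exe launched with no arguments from a non-build parent, and rundll32.exe loading a DLL from a public folder) can be expressed as simple rules over process-creation telemetry. The following is an added example, not code from the original article or from any vendor; the events are constructed Sysmon-style records modelled on the chain in the write-up, the rundll32 export name and file paths are invented placeholders, and the field names are assumptions.

```python
"""Rules over constructed process-creation events for the chains described above."""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


# Constructed sample telemetry (not real logs). Paths and the DLL export are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "C:\\Windows\\explorer.exe", "explorer.exe",
              "C:\\Windows\\System32\\userinit.exe"),
    ProcEvent(200, 100, "C:\\Users\\alice\\Downloads\\EarthTime.exe", '"EarthTime.exe"',
              "C:\\Windows\\explorer.exe"),
    ProcEvent(300, 200, "C:\\Windows\\System32\\cmd.exe", "cmd.exe",
              "C:\\Users\\alice\\Downloads\\EarthTime.exe"),
    ProcEvent(400, 300, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
              "MSBuild.exe", "C:\\Windows\\System32\\cmd.exe"),
    ProcEvent(500, 100, "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe C:\\Users\\Public\\Music\\conhost.dll,Start",
              "C:\\Windows\\explorer.exe"),
    # Benign: a developer builds a solution from Visual Studio.
    ProcEvent(600, 700, "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
              "MSBuild.exe MyApp.sln /t:Build",
              "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe"),
    # Benign: Control Panel applet loaded from System32.
    ProcEvent(800, 100, "C:\\Windows\\System32\\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL", "C:\\Windows\\explorer.exe"),
]

# Parents from which an MSBuild invocation is expected (assumed allowlist).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
# World-writable locations an unsigned DLL should not normally be loaded from.
PUBLIC_DIRS = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def arguments_of(cmdline: str) -> str:
    """Return everything after the executable token of a command line."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def msbuild_no_args(e: ProcEvent) -> bool:
    return (basename(e.image) == "msbuild.exe" and not arguments_of(e.cmdline)
            and basename(e.parent_image) not in BUILD_PARENTS)


def rundll32_public_dll(e: ProcEvent) -> bool:
    return basename(e.image) == "rundll32.exe" and any(d in e.cmdline.lower() for d in PUBLIC_DIRS)


def downloads_spawns_shell(e: ProcEvent) -> bool:
    return basename(e.image) in SHELLS and "\\downloads\\" in e.parent_image.lower()


RULES = [("msbuild_no_args", msbuild_no_args),
         ("rundll32_public_dll", rundll32_public_dll),
         ("downloads_spawns_shell", downloads_spawns_shell)]


def evaluate(events):
    """Return sorted (pid, rule_name) pairs for every event a rule matches."""
    return sorted((e.pid, name) for e in events for name, rule in RULES if rule(e))


def ancestry(events, pid: int):
    """Walk ppid links to reconstruct the chain root -> pid as lowercase image names."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule in evaluate(SAMPLE_EVENTS):
        print(rule, " -> ".join(ancestry(SAMPLE_EVENTS, pid)))
```

The ancestry walk is what turns three independent hits into one story: the MSBuild finding alone is weak, but MSBuild reached through an installer in Downloads and cmd.exe is the chain the article describes.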
Reconnaissance, Lateral Movement, and Data Exfiltration
Post-compromise discovery spanned Active Directory and network environments. On domain controllers, renamed SharpHound (sh.exe) and AdFind (Adfind.exe) enumerated AD topology, generating over 1,200 DNS queries and harvesting subnet mappings.
Custom Grixba binaries (GT_NET.exe and GRB_NET.exe) produced thousands of RPC and LDAP connections to inventory hosts, while SoftPerfect NetScan scanned 46 IP addresses across RPC, SMB, and RDP ports.
The threat actor tampered with forensic timelines by timestomping the ExportData.db and netscan.xml outputs to a future date (2037).
Lateral movement relied primarily on RDP logon patterns (Type 3 followed by Type 10 events) tunneled via SystemBC, supplemented by Impacket’s wmiexec for WMI-based command execution.
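Two of the indicators above, the Type 3 followed by Type 10 logon sequence and output files stamped with a future date, lend themselves to straightforward checks over Windows Security 4624 records and file metadata. The code below is an added example, not part of the original article; the logon records, file paths, timestamps, the ten-minute window and the jump-host allowlist are all constructed assumptions.

```python
"""Correlation checks for the RDP logon sequence and future-dated files described above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security 4624 records, trimmed to the fields the checks need.
LOGON_EVENTS = [
    {"time": datetime(2024, 9, 20, 2, 14, 5), "type": 3, "user": "Admon", "src": "10.10.5.17", "dst": "DC01"},
    {"time": datetime(2024, 9, 20, 2, 14, 9), "type": 10, "user": "Admon", "src": "10.10.5.17", "dst": "DC01"},
    # SMB access with no RDP follow-up.
    {"time": datetime(2024, 9, 20, 3, 0, 0), "type": 3, "user": "svc_backup", "src": "10.10.5.40", "dst": "FS01"},
    # Same sequence from an approved jump host (assumed allowlist below).
    {"time": datetime(2024, 9, 20, 9, 0, 0), "type": 3, "user": "it.admin", "src": "10.10.0.5", "dst": "WS22"},
    {"time": datetime(2024, 9, 20, 9, 0, 4), "type": 10, "user": "it.admin", "src": "10.10.0.5", "dst": "WS22"},
    # Type 10 too long after the Type 3 to be treated as one session.
    {"time": datetime(2024, 9, 20, 11, 0, 0), "type": 3, "user": "Admon", "src": "10.10.5.17", "dst": "BKP01"},
    {"time": datetime(2024, 9, 20, 11, 45, 0), "type": 10, "user": "Admon", "src": "10.10.5.17", "dst": "BKP01"},
]

ALLOWED_JUMP_HOSTS = frozenset({"10.10.0.5"})  # assumed: sources where RDP is expected
WINDOW = timedelta(minutes=10)                  # assumed correlation window


def rdp_sequences(events, allowed_sources=frozenset(), window=WINDOW):
    """Return (user, src, dst, time) for each Type 3 logon followed by a Type 10
    from the same user/source to the same host within the window."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["user"], e["src"], e["dst"])].append(e)
    hits = []
    for key, evs in by_key.items():
        if key[1] in allowed_sources:
            continue
        last_type3 = None
        for e in evs:
            if e["type"] == 3:
                last_type3 = e["time"]
            elif e["type"] == 10 and last_type3 is not None and e["time"] - last_type3 <= window:
                hits.append(key + (e["time"],))
                last_type3 = None
    return hits


# Constructed file metadata: path -> last-modified time. Locations are placeholders.
NOW = datetime(2024, 9, 26, 12, 0, 0)
FILE_RECORDS = {
    "C:\\Users\\Public\\ExportData.db": datetime(2037, 1, 1, 0, 0, 0),
    "C:\\Users\\Public\\netscan.xml": datetime(2037, 1, 1, 0, 0, 0),
    "C:\\Users\\Public\\Music\\conhost.dll": datetime(2024, 9, 21, 4, 30, 0),
}


def future_timestamps(files, now=NOW):
    """Paths whose modification time lies after 'now': a timestomping artefact."""
    return sorted(path for path, mtime in files.items() if mtime > now)


if __name__ == "__main__":
    for user, src, dst, when in rdp_sequences(LOGON_EVENTS, ALLOWED_JUMP_HOSTS):
        print(f"RDP sequence {user}@{src} -> {dst} at {when}")
    for path in future_timestamps(FILE_RECORDS):
        print("future-dated:", path)
```

A future modification time is the easy case; a backdated file needs the $FILE_NAME timestamps from the MFT for comparison, which is why keeping the NTFS artefacts from the affected hosts matters as much as the event logs.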
A DCSync attack retrieved domain credentials from the replication service, and a PowerShell script on a backup server dumped VeeamBackup database credentials, which were later decrypted using Veeam.Backup.Common.ProtectedStorage.
For collection, WinRAR and a custom FS64.exe utility compressed six high-value file shares and enumerated targeted directories.
Archives were exfiltrated over clear-text FTP via WinSCP to 144.202.61.209, exposing credentials in transit. Although no encryption stage was observed before eviction, indicators link the actor to Play, RansomHub, and DragonForce ransomware families, suggesting a multi-affiliate operator conducting pre-ransomware operations.
This campaign underscores the critical need for robust certificate validation, anomalous process chain detection (especially MSBuild.exe and rundll32.exe), and monitoring of nonstandard RDP tunneling to defend against supply-chain masquerading and multi-stage malware deployments.