Hackers Exploit Zoom Installer to Gain RDP Access and Launch BlackSuit Ransomware Attack

Security researchers uncovered a complex ransomware attack that began with a fake Zoom installer and culminated in the deployment of BlackSuit ransomware.

The intrusion, which lasted nine days, showcased the threat actors’ use of multiple malware frameworks and sophisticated lateral movement techniques.

Initial Access and Execution

The attack commenced when a user downloaded a malicious Zoom installer from a cloned website, zoommanager[.]com.

This installer, created using Inno Setup, delivered a multi-stage malware known as “d3f@ckloader”.

The loader executed a batch script that added the root folder to Windows Defender’s exclusion list and set hidden attributes on files and folders.

[Figure: execution graph of the malicious Zoom installer]

The malware then connected to a Steam community profile to obtain the IP address hosting the second-stage payload.

Two ZIP files were downloaded, one containing a legitimate Zoom installer and the other housing malicious components, including the IDAT loader and an encrypted SectopRAT payload.

On the ninth day of the intrusion, the threat actors escalated their activities.

According to the DFIR Report, they deployed Brute Ratel and Cobalt Strike beacons, which were used for lateral movement and credential access.

The attackers leveraged Cobalt Strike’s pass-the-hash module to elevate privileges and attempted to dump credentials from the LSASS process.

[Figure: privilege elevation to the local SYSTEM account]

The hackers moved laterally using Cobalt Strike’s psexec_psh feature, rapidly installing beacons on multiple hosts via PowerShell.

They also employed a proxy tool called QDoor, which facilitated RDP access to a file server and domain controller.

Exfiltration and Ransomware Deployment

For data exfiltration, the attackers used WinRAR to compress file share data and uploaded the archives to Bublup, a cloud storage service.

In preparation for the ransomware deployment, they downloaded and extracted a set of files, including the BlackSuit ransomware payload and batch scripts for distribution.

The threat actors used PsExec to distribute and execute the BlackSuit ransomware across multiple remote hosts.

The ransomware deleted Volume Shadow Copies to hinder data recovery efforts before encrypting files and dropping ransom notes.
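Detection logic for the host-level behaviours this story describes (the Defender exclusion for the root folder and hidden attributes set during initial access, the Volume Shadow Copy deletion before encryption, and PsExec-based execution during deployment), as an added example that is not from the DFIR Report or this article. The event records, host names and field names are constructed Sysmon-style samples, not data from the intrusion.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 shape); not from the report.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\\"'},
    {"host": "WS01", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r"attrib +h +s C:\ProgramData\zoom /s /d"},
    {"host": "WS01", "image": r"C:\Program Files\Zoom\bin\Zoom.exe",
     "cmdline": "Zoom.exe --no-auto-update"},          # benign: the real installer
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "DC01", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
]

# Each rule: (finding name, intrusion phase from the story, event field, pattern).
RULES = [
    ("defender_exclusion_added", "initial_access", "cmdline",
     re.compile(r"Add-MpPreference.*-ExclusionPath", re.I)),
    ("hidden_attributes_set", "initial_access", "cmdline",
     re.compile(r"\battrib(\.exe)?\b.*\+h", re.I)),
    ("shadow_copies_deleted", "impact", "cmdline",
     re.compile(r"\bvssadmin(\.exe)?\b.*delete\s+shadows", re.I)),
    ("psexec_service_started", "lateral_movement", "image",
     re.compile(r"\\PSEXESVC\.exe$", re.I)),
]


def match_rules(event):
    """Return the (finding, phase) pairs whose pattern matches this event."""
    return [(name, phase) for name, phase, field, pat in RULES
            if pat.search(event[field])]


def scan(events):
    """Flatten findings across all events as (host, finding, phase) tuples."""
    return [(ev["host"], name, phase)
            for ev in events for name, phase in match_rules(ev)]


def phases_by_host(events):
    """Summarise which intrusion phases each host shows; useful for triage."""
    summary = {}
    for host, _name, phase in scan(events):
        summary.setdefault(host, set()).add(phase)
    return summary


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```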

This sophisticated attack underscores the evolving tactics of ransomware operators, who continue to leverage legitimate tools and multi-stage processes to evade detection and maximize impact.

Organizations are advised to implement robust security measures, including thorough vetting of software downloads and continuous monitoring for suspicious activities.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
