In a recent cyberattack, malicious actors utilized a counterfeit Zoom installer to infiltrate an enterprise network, culminating in the deployment of BlackSuit ransomware. The attack commenced when an unsuspecting user accessed a deceptive website designed to mimic Zoom’s official download page, specifically zoommanager[.]com. Believing it to be legitimate, the user downloaded what appeared to be the Zoom application installer.
Initial Compromise:
The downloaded installer was crafted using Inno Setup and contained a malicious downloader referred to as d3f@ckloader, developed with the Pascal scripting language. Upon execution, this downloader established persistence by adding its installation directory to Windows Defender exclusions and marking its files as hidden. Subsequently, it connected to a Steam Community profile page to retrieve the IP address hosting the next stage of the malware.
Execution of Malicious Payloads:
Researchers from The DFIR Report observed that the malware downloaded two ZIP archives from the command-and-control server. It then executed both the genuine Zoom installer—to maintain the facade of legitimacy—and the malicious payload. This led to the injection of SectopRAT into MSBuild.exe, thereby establishing initial persistence through a startup entry.
Escalation and Lateral Movement:
After a dwell time of nine days, the attack intensified. SectopRAT deployed Brute Ratel (referred to as Badgers) and Cobalt Strike beacons across the network. These tools enabled the attackers to harvest credentials from LSASS memory and facilitate lateral movement by creating Windows remote services.
RDP Tunneling for Network Traversal:
A notable aspect of this intrusion was the use of a proxy tool named QDoor to establish Remote Desktop Protocol (RDP) access throughout the environment. The malware was deployed on domain controllers and configured to proxy traffic to an attacker-controlled server at 143.244.146[.]183. This tunneling technique allowed the threat actors to establish remote desktop connections through the compromised domain controller to access file servers. On these servers, they utilized WinRAR to archive sensitive data.
Data Exfiltration and Ransomware Deployment:
The attackers exfiltrated approximately 934 MB of data using the cloud storage service Bublup. Following the data theft, they deployed BlackSuit ransomware using PsExec for remote execution. This sophisticated, multi-stage attack chain, combined with the nine-day dwell time, underscores the attackers’ patience and methodical approach to maximizing both data theft and encryption impact.
Recommendations:
To mitigate such threats, organizations should consider the following measures:
– Download Software from Official Sources: Always obtain software from official websites or trusted sources to avoid malicious versions.
– Regular Software Updates: Ensure that all software, including security tools, is kept up to date to protect against known vulnerabilities.
– Employee Training: Educate employees about phishing attacks and the importance of verifying the authenticity of download sources.
– Network Monitoring: Implement robust network monitoring to detect unusual activities, such as unauthorized remote desktop connections.
– Endpoint Protection: Deploy comprehensive endpoint protection solutions to detect and prevent malware execution.
By adhering to these practices, organizations can enhance their defenses against sophisticated cyberattacks that exploit commonly used applications.
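As an added example (not from The DFIR Report or the original article), the following Python runs two detections over constructed Windows event records that correspond to behaviours described above: Defender exclusion paths being added, as d3f@ckloader did on the initial host, and RDP logons to file servers whose source address is a domain controller, the pattern produced by the QDoor tunneling. Event IDs 5007 (Defender configuration change) and 4624 logon type 10 (RemoteInteractive) are real Windows event identifiers; the host names, addresses, user names and paths are constructed.

```python
import re

# Constructed sample records (not real telemetry). Shape mirrors Windows event
# log entries exported as dicts, e.g. by a SIEM or Get-WinEvent | ConvertTo-Json.
DEFENDER = "Microsoft-Windows-Windows Defender/Operational"
SAMPLE_EVENTS = [
    # Event 5007: Defender configuration changed; "New value" names the key.
    {"EventID": 5007, "Channel": DEFENDER, "Computer": "WS-042",
     "Message": "Windows Defender configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
                r"\C:\Users\jdoe\AppData\Local\Temp\ZoomSetup = 0x0"},
    {"EventID": 5007, "Channel": DEFENDER, "Computer": "WS-042",
     "Message": "Windows Defender configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = 0x5"},
    # Event 4624, logon type 10 = RemoteInteractive (RDP). 10.0.0.5 is a DC here.
    {"EventID": 4624, "Channel": "Security", "Computer": "FS-01",
     "LogonType": 10, "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FS-01",
     "LogonType": 10, "IpAddress": "10.0.20.17", "TargetUserName": "jdoe"},
    {"EventID": 4624, "Channel": "Security", "Computer": "FS-02",
     "LogonType": 3, "IpAddress": "10.0.0.5", "TargetUserName": "svc_backup"},
]
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}  # constructed asset inventory

# Matches the exclusion subkey and the excluded value in a 5007 "New value" line.
EXCLUSION_RE = re.compile(r"Exclusions\\(Paths|Extensions|Processes)\\(.+?) = ", re.I)


def defender_exclusion_changes(events):
    """Return (computer, exclusion kind, excluded value) for every Defender
    exclusion added via a 5007 configuration-change event."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 5007 or ev.get("Channel") != DEFENDER:
            continue
        m = EXCLUSION_RE.search(ev.get("Message", ""))
        if m:
            hits.append((ev["Computer"], m.group(1), m.group(2)))
    return hits


def rdp_logons_from_dcs(events, dcs):
    """Return (target host, user, source IP) for RDP logons (4624, type 10) whose
    source is a domain controller; DCs should not originate RDP to file servers."""
    return [(ev["Computer"], ev["TargetUserName"], ev["IpAddress"])
            for ev in events
            if ev.get("EventID") == 4624 and ev.get("LogonType") == 10
            and ev.get("IpAddress") in dcs]
```

Feeding real exports into these functions only requires that the records carry the same field names; the Defender rule deliberately ignores other 5007 changes (such as the TamperProtection sample) so that only new exclusions are raised.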