Unravelling a Mimikatz campaign

-

 
This is a short blog analyzing some artifacts left over by a Mimikatz operator's campaign.

Background

While doing to some internet dumpster-diving (as I like to call it) I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1). The threat actor's server was hosted on DigitalOcean AS14061 (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team.

Figure 1: Mimikatz opendir

The files on the server were not that interesting, most of it was default Mimikatz components from the GitHub and other resources online. The files are available on VirusTotal too if needed.

The reputation of the staging IPv4 address was clean (zero detections) across OSINT sources at the time of writing. This includes AbuseIPDB, VirusTotal, GreyNoise, and spam blocklists, among others. Therefore, it's likely this is a new campaign.

Pulling on the threads

Interestingly, the staging server (where they hosted the payloads) also contained a list of 78 files, at the time of writing, with the following naming convention: “<IPv4 address>_<date>_<time>.creds” (see Figure 2). Most of this blog will focus on analyzing this victim data to try to understand the scope of the campaign and learn more about the threat actor.

Figure 2: Empty ".creds" files on the opendir DigitalOcean host

By extracting and analyzing the data from the file names of the 78 ".creds" files it was possible to create a clearer picture and pattern of activity by this threat actor. The key findings were as follows:
  • The threat actor was active between 22 July and 7 August 2022 (see Figure 3)
  • There were 78 attacks in total, based on number of files created in the open directory
  • 54 unique IPs were targeted, the vast majority of which were located in Japan, followed by the US, Canada, Ireland, Ukraine, Russia, India, and Australia (see Figure 4)
  • 44 unique IPs were from fixed line IPs on Maxihost Japan (see Figure 5)
  • Several IPs from the same CIDR range were targeted multiple times on different days
  • Attacks began mostly around 4am (UTC) and ended most days around 7pm (UTC) (see Figure 6)
Figure 3: Period of Mimikatz activity

Figure 4: Regions targeted by Mimikatz operator

Figure 5: Hosting services targeted IP addresses belong to

Figure 6: Time of activities performed by the Mimikatz operator

Assessments based on analysis of the data available:
  • The threat actor potentially compromised multiple systems at one entity in Japan
  • The threat actor was potentially working in the UTC+4 time zone 
  • This means they are most likely based in Eastern Europe, Central Asia, or the Middle East

    • Popular posts from this blog

    Raspberry Robin: A global USB malware campaign providing access to ransomware operators

    -
    Image
    Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
    Read more

    Tracking Adversaries: Scattered Spider, the BlackCat affiliate

    -
    Image
    After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
    Read more

    Lessons from the iSOON Leaks

    -
    Image
      Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
    Read more