Unravelling a Mimikatz campaign

 
This is a short blog analyzing some artifacts left over by a Mimikatz operator's campaign.

Background

While doing to some internet dumpster-diving (as I like to call it) I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1). The threat actor's server was hosted on DigitalOcean AS14061 (165[.]232[.]*.*) and a takedown request was submitted by myself to the DigitalOcean Abuse team.

Figure 1: Mimikatz opendir

The files on the server were not that interesting, most of it was default Mimikatz components from the GitHub and other resources online. The files are available on VirusTotal too if needed.

The reputation of the staging IPv4 address was clean (zero detections) across OSINT sources at the time of writing. This includes AbuseIPDB, VirusTotal, GreyNoise, and spam blocklists, among others. Therefore, it's likely this is a new campaign.

Pulling on the threads

Interestingly, the staging server (where they hosted the payloads) also contained a list of 78 files, at the time of writing, with the following naming convention: “<IPv4 address>_<date>_<time>.creds” (see Figure 2). Most of this blog will focus on analyzing this victim data to try to understand the scope of the campaign and learn more about the threat actor.

Figure 2: Empty ".creds" files on the opendir DigitalOcean host

By extracting and analyzing the data from the file names of the 78 ".creds" files it was possible to create a clearer picture and pattern of activity by this threat actor. The key findings were as follows:
  • The threat actor was active between 22 July and 7 August 2022 (see Figure 3)
  • There were 78 attacks in total, based on number of files created in the open directory
  • 54 unique IPs were targeted, the vast majority of which were located in Japan, followed by the US, Canada, Ireland, Ukraine, Russia, India, and Australia (see Figure 4)
  • 44 unique IPs were from fixed line IPs on Maxihost Japan (see Figure 5)
  • Several IPs from the same CIDR range were targeted multiple times on different days
  • Attacks began mostly around 4am (UTC) and ended most days around 7pm (UTC) (see Figure 6)
Figure 3: Period of Mimikatz activity

Figure 4: Regions targeted by Mimikatz operator

Figure 5: Hosting services targeted IP addresses belong to

Figure 6: Time of activities performed by the Mimikatz operator

Assessments based on analysis of the data available:
  • The threat actor potentially compromised multiple systems at one entity in Japan
  • The threat actor was potentially working in the UTC+4 time zone 
  • This means they are most likely based in Eastern Europe, Central Asia, or the Middle East
  • Popular posts from this blog

    Raspberry Robin: A global USB malware campaign providing access to ransomware operators

    Lessons from the iSOON Leaks

    The Ransomware Tool Matrix