Unravelling a Mimikatz campaign
While doing some internet dumpster-diving (as I like to call it), I came across an open directory belonging to a threat actor's Mimikatz staging server (see Figure 1). The threat actor's server was hosted on DigitalOcean AS14061 (165[.]232[.]*.*), and I submitted a takedown request to the DigitalOcean Abuse team.
The files on the server were not that interesting; most of them were default Mimikatz components from GitHub and other online resources. The files are also available on VirusTotal if needed.
- im.ps1 (Invoke-Mimikatz PowerShell script)
- mimidrv.sys (signed Windows Driver Model (WDM) kernel mode software driver)
- mimikatz.exe and mmktz.exe (default OS credential dumping tool that targets LSASS.exe in Windows)
- mimilib.dll (DLL for Injecting into Windows Security Support Providers)
- Unavailable - potentially Reactive Extensions for PHP
- a zero-byte file
Pulling on the threads
- The threat actor was active between 22 July and 7 August 2022 (see Figure 3)
- There were 78 attacks in total, based on the number of files created in the open directory
- 54 unique IPs were targeted, the vast majority of which were located in Japan, followed by the US, Canada, Ireland, Ukraine, Russia, India, and Australia (see Figure 4)
- 44 unique IPs were fixed-line IPs on Maxihost Japan (see Figure 5)
- Several IPs from the same CIDR range were targeted multiple times on different days
- Attacks mostly began around 4am (UTC) and, on most days, ended around 7pm (UTC) (see Figure 6)
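The statistics above (attack count from file count, unique targets, CIDR ranges hit on different days, hours of activity) can be derived from a saved copy of the open-directory listing. The following is an added example and not code from the original post; it assumes a hypothetical naming convention of one result file per target named `<target-ip>_<timestamp>.txt`, listing times in UTC, and uses constructed listing lines rather than the actual server's files.

```python
"""Derive campaign statistics from an open-directory index page.

Added example. The filename convention (<target-ip>_<timestamp>.txt) and
the UTC listing times are assumptions, not the real server's layout.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed Apache-style index rows; IPs are documentation ranges.
LISTING = """\
<a href="203.0.113.5_1658462400.txt">203.0.113.5_1658462400.txt</a>  2022-07-22 04:00  1.2K
<a href="203.0.113.9_1658550600.txt">203.0.113.9_1658550600.txt</a>  2022-07-23 04:30  0.9K
<a href="203.0.113.5_1658595000.txt">203.0.113.5_1658595000.txt</a>  2022-07-23 16:50  1.1K
<a href="198.51.100.7_1659895200.txt">198.51.100.7_1659895200.txt</a>  2022-08-07 18:00  2.0K
<a href="im.ps1">im.ps1</a>  2022-07-20 10:00  300K
"""

# Match only result files whose name starts with a dotted-quad target IP,
# then pick up the listing's modification date/time column.
PATTERN = re.compile(
    r'href="(?P<ip>\d{1,3}(?:\.\d{1,3}){3})_[^"]*"[^<]*</a>\s+'
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d)"
)


def parse_listing(text):
    """Return [(target_ip, datetime)] for result files; tool files are skipped."""
    hits = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits.append((m["ip"], datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")))
    return hits


def summarise(hits):
    """Compute the figures an analyst would report from the listing."""
    days = sorted({ts.date() for _, ts in hits})
    # Group target IPs by /24 and record the distinct days each range was hit.
    days_per_cidr = defaultdict(set)
    for ip, ts in hits:
        days_per_cidr[str(ip_network(f"{ip}/24", strict=False))].add(ts.date())
    hours = Counter(ts.hour for _, ts in hits)  # activity by hour (assumed UTC)
    return {
        "attacks": len(hits),
        "unique_targets": len({ip for ip, _ in hits}),
        "first_seen": days[0].isoformat(),
        "last_seen": days[-1].isoformat(),
        "cidrs_hit_on_multiple_days": sorted(c for c, d in days_per_cidr.items() if len(d) > 1),
        "earliest_hour_utc": min(hours),
        "latest_hour_utc": max(hours),
    }
```

Running `summarise(parse_listing(LISTING))` on the constructed rows reports 4 attacks against 3 targets, one /24 hit on more than one day, and activity between 04:00 and 18:00 UTC.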